2026 Privacy Readiness: Kentucky & Indiana Compliance Checklist
Effective January 1, 2026, both Kentucky and Indiana will enforce comprehensive consumer data privacy laws. Use this checklist to assess your readiness and identify key compliance gaps:
Determine If the Laws Apply to You
We process the personal data of 100,000+ KY or IN residents annually
OR we process data of 25,000+ KY or IN residents and derive 50%+ revenue from data sales
We’ve confirmed we are not exempt (e.g., nonprofit, HIPAA/GLBA-covered entity, utility, higher education)
Review and Update Privacy Notices
Our privacy policies are accessible, clear, and reflect current data practices
Notices include categories of data collected, purposes, consumer rights, and third-party disclosures
We specify how consumers can exercise their rights and opt out of certain data uses
Map and Classify Your Data
We’ve inventoried all personal data collected, stored, and processed
We’ve identified sensitive data (e.g., health, biometric, race/ethnicity, children’s data)
We track how and where data flows, including vendors and third parties
Ensure You Can Support Consumer Rights Requests
We have a process to confirm and respond to access, correction, and deletion requests
We can provide personal data in a portable format
We offer opt-outs for:
Data sales
Targeted advertising
Profiling that affects legal or significant decisions
Get Consent Where Required
We collect opt-in consent before processing sensitive data
For known children under 13, we comply with parental consent under COPPA
We have records of when and how consent was obtained
Assess Vendor and Processor Relationships
Contracts clearly define roles, responsibilities, and data handling practices
We ensure processors assist with compliance, security, and consumer rights
We’ve reviewed and updated contracts to reflect new legal requirements
Prepare for Data Protection Assessments (DPAs)
We understand when DPAs are required (e.g., for targeted ads, sensitive data, profiling)
We’ve started or scheduled assessments for high-risk processing activities
We can document our risk-benefit analysis for processing activities
We are prepared to share DPAs with the Attorney General if requested
Train Your Team
Staff understand consumer privacy rights and how to respond
We provide role-specific training for those who handle personal data
Training covers new policy updates and ongoing compliance responsibilities
Plan for Enforcement & Deadlines
We’re tracking key dates:
January 1, 2026 – Laws go into effect
June 1, 2026 – Kentucky DPIA requirements begin
We understand enforcement will be led by the Attorney General and includes a 30-day cure window
Need Help With Compliance?
Clark Schaefer Consulting can guide you through the entire compliance process—from data mapping and DPIAs to policy updates and team training. Let’s build a proactive privacy strategy that protects your business and earns customer trust. Connect with us to get started.
Expert Contributors
