
Kentucky and Indiana’s New Privacy Laws: What You Need to Know Before 2026
On January 1, 2026, both Kentucky and Indiana will enact new consumer privacy laws designed to strengthen personal data protections and hold businesses accountable for responsible data practices. These laws, Kentucky’s HB 15 and Indiana’s Consumer Data Protection Act (SEA 5), signal a growing wave of state-level privacy regulation, especially for businesses operating across the Midwest.
Who Needs to Comply?
These laws apply to organizations that operate in or target residents of Kentucky or Indiana. They also must meet data volume thresholds, including:
• 100,000+ residents’ data processed annually, or
• 25,000+ residents’ data processed and derive 50%+ revenue from data sales
Exemptions in both states include:
• Nonprofits
• Institutions of higher education
• Utilities
• Entities already governed by HIPAA, GLBA, or other federal frameworks
What Do These Laws Require?

Consumer Rights
Both Kentucky and Indiana grant residents several key rights under their respective privacy laws. They are given the right to access their personal data and confirm whether it is being processed. Consumers can also request corrections to inaccurate data, and they have the right to delete personal information held by businesses. The laws also require companies to provide data in a portable format upon request. Additionally, consumers can opt out of the sale of their personal data, targeted advertising, and profiling that is used in making significant decisions about them.
Enforcement and Penalties
Enforcement is handled by each state’s Attorney General. Organizations found to be in violation will have a 30-day window to correct issues before facing penalties. If noncompliance persists, fines of up to $7,500 per violation may be imposed.
To support enforcement efforts, Kentucky established a dedicated Consumer Privacy Fund where civil penalties will be deposited and used to sustain ongoing oversight.

What Should Businesses Do Now?

Industries Most Affected
Retailers, software vendors, financial services, healthcare providers, and manufacturers that process large amounts of consumer data but may not have dealt with the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) should treat these laws as a wake-up call.
How We Can Help
Organizations doing business in these states or serving their residents should begin preparing now. The new laws are comprehensive and bring a range of responsibilities, particularly around transparency, data protection, and consumer engagement.
Clark Schaefer Consulting can help your organization interpret the requirements of these laws and implement a practical, compliant privacy strategy ahead of the 2026 deadline. Contact us to schedule a privacy readiness consultation and make sure your business is prepared.