On January 1, 2026, three more state comprehensive privacy laws came into force: Indiana's Consumer Data Protection Act (INCDPA), Kentucky's Consumer Data Protection Act (KYCDPA), and Rhode Island's Data Transparency and Privacy Protection Act (DTPPA). Their arrival pushes the count of US states with comprehensive privacy regimes to nearly twenty — a milestone that should be celebrated as bipartisan momentum on consumer rights, but which in practice underscores a problem Washington has refused to solve: the United States now has the most fragmented privacy regulatory environment of any major economy.
Another year, another three statutes
The three new laws mostly track the Virginia Consumer Data Protection Act template that has become the dominant model among Republican-led and centrist states. Indiana and Kentucky are near-clones of Virginia's framework: consumer rights to access, delete, correct, and port data; opt-out rights for targeted advertising, sale, and certain profiling; data protection assessments for high-risk processing; and exclusive enforcement by the state attorney general with a 30- or 60-day cure period.
Rhode Island's DTPPA, the most novel of the three, layers on a public-facing transparency obligation: controllers that sell personal data or process it for targeted advertising must publicly list the categories of data sold and the categories of third parties to whom it is sold. It also notably lacks an explicit private right of action but allows the attorney general to seek civil penalties under the state's Deceptive Trade Practices Act.
The patchwork is now the policy
For a company doing business nationally, the practical compliance picture is daunting. According to the International Association of Privacy Professionals (IAPP), nearly twenty states now have comprehensive laws, with variations on definitions of "sensitive data," thresholds for applicability, cure periods, consent standards for minors, and the scope of consumer rights. California's CCPA/CPRA remains the strictest. Colorado, Connecticut, and now Maryland (effective October 2025) impose tighter data minimization duties. Texas (TDPSA) has unusually broad applicability with no revenue threshold. Washington's My Health My Data Act creates a sui generis regime for health data with a private right of action.
For small and mid-sized firms, the cumulative cost is real. A 2022 ITIF analysis projected that a 50-state patchwork could impose between $98 billion and $112 billion annually in out-of-state compliance costs, with small businesses bearing a disproportionate share. Even acknowledging the wide bands inherent in such modeling, the directional point holds: every additional state regime adds legal review, vendor diligence, notice updates, data-mapping refresh cycles, and DSAR handling — costs that scale poorly for firms without a dedicated privacy team.
APRA: stalled, but still the right idea
The American Privacy Rights Act (APRA), reintroduced in 2024 by then-Chairs Cathy McMorris Rodgers and Maria Cantwell, was the most serious bipartisan, bicameral attempt at federal preemption in a generation. It would have created a national baseline of consumer rights, data minimization duties, and limited private enforcement — while preempting most state comprehensive privacy laws (with carve-outs for biometric, health, and student data regimes).
APRA stalled in 2024 over familiar fault lines: California's delegation objected to ceiling preemption that would weaken CCPA; civil society split on the scope of the private right of action; and the AI provisions in earlier drafts drew industry opposition. As of early 2026, no successor bill has cleared committee. The 119th Congress has shown more appetite for sector-specific AI and child-safety legislation than for a comprehensive privacy framework.
Why proportionate federal preemption matters
The growing patchwork is not, on the whole, producing better outcomes for consumers. The substantive rights granted in Indiana, Kentucky, Iowa, Tennessee, and most other red and purple state laws are broadly similar; the differences are largely procedural — cure periods, notice formats, threshold definitions, opt-out mechanics. Consumers in Indianapolis do not meaningfully benefit from having a regime that differs from Kentucky's in technical detail. They do, however, bear the indirect cost: fewer free services, slower product launches, and reduced competition as compliance overhead favors incumbents.
The best argument for a federal privacy law in 2026 is not that consumers lack protection — they increasingly have it — but that the cumulative compliance friction is now a tax on innovation without a corresponding privacy dividend.
A proportionate federal framework should:
- Preempt state comprehensive laws with a robust baseline at roughly the Virginia/Connecticut level, while preserving state authority over health, biometric, and children's data;
- Codify a clear data minimization principle tied to articulated processing purposes, replacing the notice-and-consent fiction with substantive limits;
- Provide a narrow, well-defined private right of action limited to concrete harms — not statutory damages bonanzas that drive defensive over-collection of consent;
- Create a single federal regulator (the FTC, with rulemaking authority) rather than fifty AGs interpreting fifty statutes; and
- Include a small-business safe harbor with proportionate obligations scaled to data volume and sensitivity.
The path forward
The 2026 patchwork is the predictable consequence of a decade of Congressional inaction. State legislators have done what they were elected to do: respond to constituent concerns. But the cumulative result is a regulatory environment that protects consumers unevenly while taxing the firms most likely to invest in new products and services. APRA, or a successor framework, deserves another serious push — not because state legislators have failed, but because privacy is one of the few remaining areas where federal preemption would unambiguously reduce friction without weakening rights. The longer Washington waits, the harder the patchwork becomes to undo.