What You Need to Know About the New Indiana & Kentucky Privacy Laws Going Into Effect January 2026

The Chaos Started With Strange Emails

If you've never been part of a data breach, consider yourself lucky. One winter day, I suddenly started receiving a bunch of “thanks for subscribing” emails from random stores all over the world. Okay, weird. Then an email from Walmart popped up saying my pickup order would be ready soon. I definitely hadn’t placed a pickup order.

I didn’t click any links in the email (hello phishing scam). Instead, I called the Walmart listed in the message, which was in Louisville. They confirmed someone got into my account and ordered groceries, some electronics, and a big-screen TV. Aw, heck no. I canceled the order and called my local sheriff’s office. He told me there wasn’t much time to set up any kind of sting, and thieves like this often get away with it, which really burns my biscuits.

Get our free mobile app

Turns out my passwords were part of a data breach that had been leaked on the dark web. Most people don’t have separate passwords for every account, so hackers try your password on different shopping sites and can order til the cows come home until you notice. I can only assume they sent me that barrage of shopping emails so I wouldn’t notice the Walmart one coming through.

My password was a simple fix. And even if they had gotten away with their big heist, I could just call my credit card and get a refund. But for those who lose their entire identity to hackers, life can be complete hell.

Your Data Lives Everywhere

Whether you realize it or not, businesses, medical companies, organizations, and even schools store data about you. And that data is valuable.

Hackers want you for your credit card number and your good credit. But you are an even bigger prize to big business. Your personal data and everything you do online is tracked and sold.

What Indiana Officials Are Saying

“Every click, every purchase, every search, every doctor visit, every dollar you spend, is tracked, packaged and sold, often without you even knowing,” Rokita said at a news conference in Indianapolis. “Your personal data is your personal property, and for years now, decades now, it’s been taken from you.”

What The Consumer Data Protection Act Will Do

The Consumer Data Protection Act was passed in 2023 and goes into effect on January 1, 2026. The goal of the laws is to give Hoosiers and Kentuckians more control over their personal information and push businesses to tighten up their data practices so they’re less vulnerable to breaches or legal trouble.

The laws lay out protections for Indiana and Kentucky consumers. You can ask a company to delete your personal data, opt out of targeted advertising and data sales, and even download the information they’ve collected about you. Companies also can’t process a child’s data or sensitive details like your health info, biometrics, religious affiliation, or precise location without getting clear permission. And they’re not allowed to punish you for using any of these rights.

The law focuses on businesses that control or process large amounts of data and businesses that sell personal data. It does not apply to government agencies, banks, hospitals or HIPAA-covered healthcare providers, nonprofits, colleges, or public utilities. Companies are allowed to refuse certain requests if a user is being abusive, repetitive, or unreasonable, though some lawmakers are looking to tighten that language in 2026.

For a deeper dive, you can read more about the Indiana law and Kentucky’s similar legislation.