Question: I’m aware that there are new state consumer privacy laws coming into effect on January 1, 2026, along with recently approved CCPA regulations. Do I need to update my business’s privacy policy and other privacy-related disclosures before year end?
Answer: Yes, you will want to update your privacy policy and develop or modify other consumer-facing privacy disclosures by January 1, 2026, if the CCPA and/or the new consumer privacy laws in Indiana, Kentucky, and Rhode Island apply to your business. Here are key points to keep in mind:
- First off, the good news – there are many similarities among the new and existing laws, which should make compliance with the new laws’ disclosure requirements a relatively light lift for businesses. Specifically, the new laws in Indiana, Kentucky, and Rhode Island largely mirror existing consumer privacy laws in states such as Colorado, Connecticut, Montana, Oregon, and Virginia, in that they contain similar requirements for disclosures and offer similar consumer rights. Furthermore, the laws in Kentucky and Indiana include a cure period, and none of the laws provide a private right of action.
Similar to existing state laws, the laws in Indiana, Kentucky, and Rhode Island include comparable exceptions to their applicability. In particular, they do not apply to personal information of individuals acting in a commercial or employment context. As a result, these laws should not require businesses to expand the scope of their existing privacy disclosures to individuals who were not previously covered.
- But take note – the Rhode Island law contains some key differences that may impact a business’s disclosure obligations. Uniquely, Rhode Island requires businesses to disclose to consumers “all third parties” to whom they “have sold or may sell customers’ personally identifiable information,” whether in a privacy policy or elsewhere conspicuously presented to consumers. This requirement may prove challenging given the evolving nature of data-sharing relationships and the absence of an explicit cure period under the law.
- Don’t forget about the CCPA. The CCPA’s updated regulations, which come into effect on January 1, 2026, will impact the information that businesses need to provide in their privacy policies and may require additional disclosures in connection with certain processing activities. For example:
  - Sensitive information: The CCPA regulations update the definition of “sensitive personal information” to include personal information of consumers that a business has actual knowledge are less than 16 years old, meaning businesses will need to characterize such minors’ information as “sensitive personal information” in their privacy policy.
  - Opt-out confirmation and links: It will be mandatory (1) to display to the consumer whether the business has successfully processed the consumer’s opt-out preference signal, and (2) for opt-out requests submitted through other means, to provide a mechanism by which a consumer can confirm that their request to opt out has been processed by the business. The regulations will also require businesses to provide an opt-out link directly within their mobile applications, such as through the app’s settings menu.
  - Requests to know: For personal information collected on or after January 1, 2022, businesses must provide consumers with a way to request access to their information collected earlier than the 12-month period preceding the request, such as by allowing the consumer to select a date range. This may require businesses to update their privacy policy to inform consumers of additional access request options.
  - ADMT disclosures: A business that uses automated decision-making technology (ADMT) to make a “significant decision” must comply with the CCPA’s ADMT requirements, including, but not limited to, providing a Pre-use Notice and two or more mechanisms to opt out of ADMT. Please view MoFo’s client alert on the CCPA’s ADMT regulations for more information.
Finally, we note that the CCPA continues to require that businesses update their privacy policies every 12 months. As a result, notwithstanding additional disclosure obligations taking effect in 2026, businesses should already be reviewing and updating their policies and disclosures as needed.
You can track updates on state consumer privacy laws at MoFo’s U.S. State Privacy Laws Resource Center.