Twenty States, One Patchwork: The New Reality of US Privacy Compliance
On January 1, 2026, comprehensive consumer privacy laws took effect in Indiana, Kentucky, and Rhode Island, bringing the number of US states with comprehensive privacy laws to twenty. If your marketing operation relies on personal data - and whose does not - you are now operating inside a legal landscape that looks less like a national standard and more like a quilt stitched from different fabrics, each with its own pattern of consumer rights, opt-out mechanisms, and enforcement postures.
This is not a drill, and it is not a future problem. These laws are in force now. The question for most marketing teams is not whether to comply but how to build compliance processes that do not require a full legal review every time you launch a new campaign.
What the Three New Laws Share
While each state law has its own texture, Indiana, Kentucky, and Rhode Island align on a core set of consumer rights that will feel familiar if you have already worked through California, Virginia, or Colorado compliance:
- Right to access: Consumers can request to know what personal data a business holds about them.
- Right to deletion: Consumers can request that their data be deleted, with carve-outs for legal and operational necessity.
- Right to opt out of targeted advertising and sale: This is the right that most directly affects digital marketers. If you are passing personal data to ad platforms for targeting, consumers in these states can tell you to stop.
- Right to correct: Consumers can request correction of inaccurate data.
- Data protection assessments: Businesses processing high-risk data - which includes targeted advertising - may be required to document their processing purposes and risk analysis.
Where the Laws Diverge
The details matter. Thresholds for which businesses must comply, cure periods before enforcement actions can proceed, and the specific definition of sensitive data categories vary across all three laws. Rhode Island's law, for instance, has particular nuances around how universal opt-out mechanisms must be honored. Kentucky and Indiana share closer lineage with the Virginia model but are not identical to it.
The practical implication: a single privacy policy template and a single consent banner configuration will not get you cleanly across all twenty state frameworks. You need a compliance architecture that is modular enough to honor state-specific requirements without requiring bespoke engineering for each jurisdiction.
What This Means for Your Ad Stack
The part of these laws that hits marketing operations hardest is the opt-out of targeted advertising requirement. In practical terms, when a consumer exercises that right, you are obligated to stop passing their data to third parties - including ad platforms - for targeting purposes.
That means your data flow needs to be auditable. You need to know, at the user level, whether a consent or opt-out signal has been received, and you need that signal to suppress data transmission downstream. If your current setup passes every user's data to Google, Meta, and others via client-side pixels without checking consent state first, you have a compliance gap.
Steps to close the gap:
- Map your data flows: Document exactly what personal data is collected, where it is sent, and under what conditions. This is the data protection assessment work that several of these laws anticipate.
- Implement a consent management platform (CMP): A CMP that supports universal opt-out signals (Global Privacy Control is the emerging standard for automated opt-outs) and that gates tag firing based on consent state is the foundation of operational compliance.
- Update your privacy notice: Indiana, Kentucky, and Rhode Island consumers have specific disclosure rights. Your privacy policy must accurately reflect what you collect and how it is used for targeted advertising.
- Build a data subject request (DSR) workflow: When access, deletion, or correction requests come in, you need a process to fulfill them within the statutory timeframes. Manual handling does not scale across twenty states.
Server-Side Tracking as a Compliance Tool
One underappreciated aspect of server-side tracking is that it gives you a single, controlled choke point where you can enforce consent decisions before any data leaves your environment. When a user opts out, your server-side logic suppresses the event before it is forwarded to ad platforms - no pixel fires, no data transmitted. This is architecturally cleaner than trying to manage consent across a sprawl of client-side tags. It is also easier to audit when a regulator asks how you enforce opt-outs.
A well-built first-party data tracking infrastructure is not just a measurement tool - it is increasingly a compliance infrastructure. The teams that invested in server-side tagging and consent architecture over the past two years are meaningfully better positioned to handle the twenty-state patchwork than those still running purely client-side stacks.
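The choke point described in this section, sketched as an added example (not code from this article or from any vendor). The destination list, the opt-out store, and the function names are hypothetical, and the sample records are constructed. `Sec-GPC: 1` is the request header a browser sends when Global Privacy Control is enabled. Treating events with no user id as opted out is a design choice of this example.

```javascript
// Constructed sample config: each destination is tagged with the purpose it serves.
const DESTINATIONS = [
  { name: "analytics_first_party", purpose: "measurement" },
  { name: "ad_platform_a", purpose: "targeted_advertising" },
  { name: "ad_platform_b", purpose: "targeted_advertising" },
];

// Hypothetical opt-out store keyed by user id (in production, the CMP's record).
const optOutStore = new Map([
  ["user-2", { targetedAdvertising: true, source: "dsr_form" }],
]);

// True when the request carries the Global Privacy Control header set to "1".
function gpcEnabled(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Decide, per destination, whether the event may be forwarded, and return an
// audit record so the decision can be shown later.
function gateEvent(event, headers, store = optOutStore) {
  const stored = store.get(event.userId);
  let reason = null;
  if (gpcEnabled(headers)) reason = "gpc_header";
  else if (stored && stored.targetedAdvertising) reason = `stored_opt_out:${stored.source}`;
  // Fail closed: without a user id the event cannot be matched to a stored choice.
  else if (!event.userId) reason = "no_user_id";

  const forward = [];
  const suppressed = [];
  for (const d of DESTINATIONS) {
    const blocked = reason !== null && d.purpose === "targeted_advertising";
    (blocked ? suppressed : forward).push(d.name);
  }
  const audit = {
    at: new Date().toISOString(),
    userId: event.userId ?? null,
    event: event.name,
    reason,
    forward,
    suppressed,
  };
  return { forward, suppressed, audit };
}
```

Only the names in `forward` are sent onward; the `audit` record is what gets written to a log for later review.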
The Patchwork Is Not Getting Simpler
There is no federal privacy law on the immediate horizon that would preempt and simplify state-level requirements. The number of state frameworks is more likely to grow than to shrink over the next few years. Building for compliance as a one-time project is a losing strategy. Building the infrastructure once - modular, auditable, consent-signal-aware - and maintaining it as law evolves is the only approach that makes sense at scale.



