January 1, 2026 was a busy day for privacy lawyers. Indiana, Kentucky, and Rhode Island all added comprehensive consumer privacy laws, bringing the total number of US states with active privacy legislation to 20. On the same date, California's CPRA amendments made opt-out confirmation and Global Privacy Control (GPC) signal honoring mandatory — not optional — for every business subject to CCPA.
That's a lot of new compliance surface area to absorb in a single morning. And it comes on top of GDPR enforcement that continues to hit US-based companies — TikTok paid €530M in May 2025, Meta's enforcement actions are ongoing, and the EDPB made transparency obligations its top 2026 enforcement priority.
This checklist covers what your website actually needs in 2026: privacy policy requirements, cookie consent mechanics, data subject rights, security controls, and the specific gaps that catch companies off guard when a regulator comes looking. It's not exhaustive of every jurisdiction — that would require a book — but it covers the requirements that apply to most websites operating in the US and serving EU residents.
What Changed January 1, 2026
The three new state laws follow a familiar pattern — they're modeled closely on Virginia's Consumer Data Protection Act — but each has wrinkles worth knowing.
Indiana and Kentucky cover businesses that control or process personal data on 100,000 or more consumers, or that derive more than 50% of gross revenue from selling personal data of more than 25,000 consumers. Violations carry penalties up to $7,500 per violation, with a 30-day cure period before penalties can be imposed. Both laws give consumers rights to access, correct, delete, and port their data, plus opt-out rights for targeted advertising and sale of personal information.
Rhode Island has a notably lower threshold: any business processing data on 35,000 or more Rhode Island residents (or 10,000+ if more than 20% of revenue comes from selling personal data). Penalties reach $10,000 per violation, and there is no cure period — violations can be actioned immediately by the state Attorney General.
On the California side, the California Privacy Protection Agency's 2025 regulatory amendments mean businesses must now display a visible confirmation when they honor a GPC opt-out signal — something like "Opt-Out Request Honored" — and they must actually honor that signal automatically. Manual opt-out forms aren't a substitute for browser-level signal detection.
The Website Compliance Checklist
1. Privacy Policy Requirements
Your privacy policy has to do two jobs: satisfy regulators (who check for specific required disclosures) and be actually readable by users (something regulators increasingly check for as well). Most policies fail at least one of these.
- Categories of personal data collected — list them specifically, not generically ("device identifiers, IP addresses, browsing history" not just "usage data")
- Purposes for collection and processing — for each category of data, state why you collect it
- Legal basis for processing — required under GDPR; either consent, legitimate interest, contract performance, or legal obligation
- Third parties you share data with — list categories of recipients; GDPR requires this, CCPA requires disclosing whether you "sell or share" personal information
- Retention periods — how long you keep each category of data, or the criteria used to determine that period
- Consumer rights and how to exercise them — access, deletion, correction, portability, and opt-out (see below)
- Contact information for privacy requests — a functional email or web form; most laws require a response within 45 days
- Date last updated — regulators check whether your policy reflects current practices
One thing GDPR and the US state laws share: vague language doesn't satisfy disclosure requirements. "We may share your data with trusted partners" is the kind of language that gets cited in enforcement actions. Be specific about what you collect and who gets it.
2. Cookie Consent and Tracking
This is where GDPR and CCPA diverge significantly, and where most websites get it wrong by trying to use a single implementation for both.
Under GDPR: you need affirmative opt-in consent before setting non-essential cookies (analytics, advertising, personalization). The consent must be freely given, specific, informed, and unambiguous — which means pre-ticked boxes don't count, "legitimate interest" doesn't apply to most marketing cookies, and "agree to all" can't be the only obvious button. You must also make it as easy to withdraw consent as to give it.
Under CCPA/CPRA: the framework is opt-out, not opt-in. You can set cookies and process data by default, but you must provide a clear "Do Not Sell or Share My Personal Information" link, and you must honor Global Privacy Control signals. As of January 1, 2026, that GPC requirement is enforceable — if a California resident's browser sends a GPC signal and your site ignores it, that's a violation.
- Cookie consent banner with granular categories — necessary, preferences, analytics, marketing — not just accept/decline all
- No pre-ticked non-essential cookies (GDPR)
- GPC signal detection and automatic opt-out (CCPA/CPRA, mandatory January 2026)
- Opt-out confirmation displayed when GPC signal is detected (new CPRA requirement)
- "Do Not Sell or Share" link visible on homepage and privacy policy (CCPA)
- Cookie inventory up to date — every cookie set by your site, including third-party scripts, should be documented in your policy
- Consent records retained for at least three years (GDPR enforcement expects this)
Many sites implement a GDPR consent banner that also handles CCPA by adding a "Do Not Sell" link to the footer — and then never implement GPC signal detection. The banner satisfies GDPR optically, but California's mandatory GPC requirement is an entirely separate technical implementation. Check that your consent management platform supports GPC, and verify it's actually firing on your site.
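The GPC signal arrives in two places: as the `Sec-GPC: 1` request header on the server side and as `navigator.globalPrivacyControl` in the page. The following is an added example (not code from the original post or from any consent management platform) showing how to read the signal on both sides, apply it to a site's consent state, and produce the confirmation text the CPRA amendments require. The function names, the `CONSENT_DEFAULTS` shape and the confirmation wording are this example's own; note that GPC only ever turns an opt-out on, so the GDPR opt-in flags are left untouched and still have to come from the banner.

```javascript
// Added example, not from the original post: detect a Global Privacy Control
// signal on both sides of an HTTP exchange and apply it to a consent state.
// readGpcFromHeaders, readGpcFromNavigator, applyGpc, acceptAll and
// CONSENT_DEFAULTS are this example's own names; the "Sec-GPC" header and
// navigator.globalPrivacyControl are the signal's published carriers.

// State for a visitor who has not touched the banner yet. CCPA/CPRA is
// opt-out (processing on by default); GDPR categories stay off until opt-in.
const CONSENT_DEFAULTS = Object.freeze({
  saleOrShareOptedOut: false,   // CCPA/CPRA "Do Not Sell or Share"
  targetedAdsOptedOut: false,   // state-law targeted-advertising opt-out
  gdprOptIn: { analytics: false, marketing: false, preferences: false },
  gpcHonored: false,
  confirmation: null,           // text the UI must display when GPC is honored
});

// Server side: header names are case-insensitive and only the exact value "1"
// means the user has opted out.
function readGpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Client side: pass window.navigator in a page; tests pass a plain object.
function readGpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Apply the signal. GPC is an opt-out of sale/share and targeted ads and is
// not an opt-in for anything, so gdprOptIn is deliberately left as it was.
function applyGpc(state, gpcPresent) {
  if (!gpcPresent) return { ...state };
  return {
    ...state,
    saleOrShareOptedOut: true,
    targetedAdsOptedOut: true,
    gpcHonored: true,
    // Confirmation wording is the example's own; the requirement is that
    // something visible is shown when the signal is honored.
    confirmation: 'Opt-Out Request Honored: your Global Privacy Control signal was detected.',
  };
}

// A later "Accept all" click on the GDPR banner grants the opt-in categories
// but, as this example's conservative choice, does not silently undo an
// opt-out that came from the browser signal.
function acceptAll(state) {
  return {
    ...state,
    gdprOptIn: { analytics: true, marketing: true, preferences: true },
    saleOrShareOptedOut: state.gpcHonored ? true : state.saleOrShareOptedOut,
    targetedAdsOptedOut: state.gpcHonored ? true : state.targetedAdsOptedOut,
  };
}

// Constructed sample request, as a proxy or web framework would present it.
const SAMPLE_REQUEST_HEADERS = { Host: 'example.test', 'Sec-GPC': '1', Accept: 'text/html' };

// End-to-end: read the header, apply it, and return the state the page renders.
function demo() {
  return applyGpc(CONSENT_DEFAULTS, readGpcFromHeaders(SAMPLE_REQUEST_HEADERS));
}
```

The quickest production check is the one the post suggests: turn GPC on in your own browser, load the site, and confirm that both the server log shows `Sec-GPC: 1` and the page renders the confirmation.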
3. Data Subject Rights
GDPR, CCPA, and the new 2026 state laws all give individuals rights over their personal data. Having these rights listed in your privacy policy isn't enough — you need operational processes to fulfill them within required timeframes.
| Right | GDPR | CCPA/CPRA | Indiana / Kentucky / Rhode Island |
|---|---|---|---|
| Access | 30 days | 45 days | 45 days |
| Deletion | 30 days | 45 days | 45 days |
| Correction | 30 days | 45 days | 45 days |
| Portability | 30 days | 45 days | 45 days |
| Opt-out (targeted ads / sale) | N/A (consent-based) | 15 days to confirm | 15 days to confirm |
- Functional data request form or email address — requests via your general contact form don't count unless someone is actually routing them to the right team
- Identity verification process — you need to verify the requester is who they say they are, without requiring excessive information that itself becomes a privacy problem
- Response tracking system — documented evidence that requests were received and fulfilled within the required window, in case a regulator asks
- Deletion actually propagates to third parties — if you share data with vendors, they need to honor deletion requests too; this requires contractual commitments and a process to notify them
4. Third-Party Scripts and Vendor Disclosures
The data leaving your website through third-party scripts is often more extensive than the data you're actively collecting. Analytics pixels, chat widgets, A/B testing tools, embedded social content, advertising tags — every one of these may be collecting personal data from your users independently of anything you're doing.
- Inventory of all third-party scripts on your site — use a privacy scanner or your browser's network tab to find everything actually loading
- Disclosure in privacy policy of third-party tools that collect data, with links to their privacy policies
- Data Processing Agreements with each vendor — mandatory under GDPR for any processor handling EU personal data; without a DPA you have no lawful basis for that processing
- Third-party scripts blocked until consent is given (GDPR) — analytics and advertising tags should not fire before consent; most consent management platforms handle this if configured correctly
- Sub-processor list maintained and kept current — GDPR requires you to inform users if sub-processors change; your DPA with vendors should give you advance notice of changes
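The "blocked until consent" item above and the three-year consent-record item in section 2 both come down to the same small piece of logic: every tag carries a consent category, nothing outside "necessary" runs until the state says it may, and each decision is written down with a timestamp. The following is an added example (not the post's code and not any particular CMP's) that does both. The `TAG_INVENTORY` sample, the `data-consent` attribute convention, the category names and all function names are this example's own choices; the inert `<script type="text/plain">` pattern it mirrors is one many consent platforms use.

```javascript
// Added example, not from the original post: gate third-party tags on consent
// and keep a retention-aware consent record. TAG_INVENTORY, CATEGORIES,
// allowedTags, activateTags, buildConsentRecord and withdrawConsent are this
// example's own names.

// Each tag declares the category it needs. In HTML this is the inert-script
// pattern, e.g. <script type="text/plain" data-consent="analytics"
// data-src="https://.../collect.js"></script>. Constructed inventory standing
// in for what a DOM query over such elements would return.
const TAG_INVENTORY = [
  { id: 'ga',    category: 'analytics',   src: 'https://analytics.example/collect.js' },
  { id: 'pixel', category: 'marketing',   src: 'https://ads.example/pixel.js' },
  { id: 'chat',  category: 'preferences', src: 'https://chat.example/widget.js' },
  { id: 'app',   category: 'necessary',   src: '/static/app.js' },
];

const CATEGORIES = ['necessary', 'preferences', 'analytics', 'marketing'];

// Which tags may run. 'necessary' is always allowed; anything else needs an
// explicit true in the consent state. No state (banner not yet answered),
// an unknown category, or a missing flag all mean "blocked".
function allowedTags(inventory, consent) {
  return inventory.filter((tag) => {
    if (!CATEGORIES.includes(tag.category)) return false; // uncategorised: fix the inventory
    if (tag.category === 'necessary') return true;
    return consent != null && consent[tag.category] === true;
  });
}

// Activate the allowed tags. In a browser `activate` would replace the inert
// element with a real <script src=...>; it is injected here so the decision
// logic runs without a DOM. Returns the ids that were activated.
function activateTags(inventory, consent, activate) {
  const allowed = allowedTags(inventory, consent);
  for (const tag of allowed) activate(tag);
  return allowed.map((tag) => tag.id);
}

// Consent record: what was chosen, when, against which policy version, and the
// earliest date it may be discarded (three-year retention, per the checklist).
const RETENTION_YEARS = 3;
function buildConsentRecord(choices, policyVersion, now = new Date()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = c === 'necessary' ? true : choices[c] === true;
  const retainUntil = new Date(now);
  retainUntil.setUTCFullYear(retainUntil.getUTCFullYear() + RETENTION_YEARS);
  return {
    categories,
    policyVersion,
    recordedAt: now.toISOString(),
    retainUntil: retainUntil.toISOString(),
    method: 'banner',
  };
}

// Withdrawal must be as easy as consenting: one call clears every
// non-essential category and produces a fresh, dated record.
function withdrawConsent(policyVersion, now = new Date()) {
  const record = buildConsentRecord({}, policyVersion, now);
  record.method = 'withdrawal';
  return record;
}
```

Running `allowedTags(TAG_INVENTORY, null)` before the banner has been answered returns only the `necessary` tag, which is the behaviour the GDPR item requires; the record's `policyVersion` is what lets you show, years later, which text the visitor actually agreed to.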
Find out what your privacy policy is actually missing
PolicyAudit scans your privacy policy against GDPR, CCPA, HIPAA, and 10 other frameworks — and tells you exactly which required disclosures are absent. Free tier available, no card required.
Check your privacy policy with PolicyAudit →
5. Security Requirements
Privacy laws don't just regulate what you disclose — they require you to secure the data you collect. GDPR Article 32 mandates "appropriate technical and organisational measures." State laws in Indiana, Kentucky, Rhode Island, and others have similar reasonable security requirements. What "appropriate" and "reasonable" look like in practice:
- HTTPS enforced site-wide — TLS 1.2 minimum, TLS 1.3 preferred; HTTP redirected to HTTPS everywhere, including subdomain assets
- No mixed content — resources loaded over HTTP on an HTTPS page undermine security and are flagged by regulators and browsers alike
- Security headers in place — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy; check yours at securityheaders.com
- Vulnerability management process — CMS, plugins, and libraries patched regularly; known CVEs addressed within a reasonable window
- Breach notification procedures documented — GDPR requires notification to supervisory authorities within 72 hours of discovering a breach; most US state laws require notification within 30-90 days
- Access controls on admin interfaces — MFA on CMS logins, no shared credentials, principle of least privilege for staff access
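The header and mixed-content items in this list are easy to automate, so here is an added example (not code from the original post, and unrelated to securityheaders.com) that audits a captured response against them. `auditResponseHeaders`, `findMixedContent`, the finding codes and the `SAMPLE_HEADERS` object are this example's own; the header names are the standard ones. It also checks `Strict-Transport-Security`, which the post does not name but which is the header-level mechanism for keeping a site on HTTPS, and it flags `'unsafe-inline'` in `script-src` as a CSP that exists but does little.

```javascript
// Added example, not from the original post: audit a response against the
// checklist's header and mixed-content items. auditResponseHeaders,
// findMixedContent and the finding codes are this example's own names.

// Constructed sample: response headers as a fetch() or proxy log returns them,
// in whatever case the server happened to use.
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Frame-Options': 'SAMEORIGIN',
  'x-content-type-options': 'nosniff',
};

// Lower-case every header name so lookups do not depend on server casing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Returns a list of findings; an empty list means every check passed.
// The one-year HSTS threshold is this example's choice.
function auditResponseHeaders(rawHeaders, { scheme = 'https' } = {}) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];
  const add = (code, detail) => findings.push({ code, detail });

  if (scheme !== 'https') add('NO_TLS', 'page served over plain HTTP');

  const hsts = h['strict-transport-security'];
  if (!hsts) add('HSTS_MISSING', 'no Strict-Transport-Security header');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) add('HSTS_SHORT', 'HSTS max-age below one year');
  }

  const csp = h['content-security-policy'];
  if (!csp) add('CSP_MISSING', 'no Content-Security-Policy header');
  else if (/script-src[^;]*'unsafe-inline'/i.test(csp)) add('CSP_UNSAFE_INLINE', "script-src allows 'unsafe-inline'");

  // Clickjacking: either frame-ancestors in CSP or a restrictive X-Frame-Options.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const hasFrameAncestors = Boolean(csp && /frame-ancestors/i.test(csp));
  if (!hasFrameAncestors && !['DENY', 'SAMEORIGIN'].includes(xfo)) add('XFO_MISSING', 'no frame-ancestors or X-Frame-Options');

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') add('XCTO_MISSING', 'X-Content-Type-Options is not nosniff');
  if (!h['referrer-policy']) add('REFERRER_POLICY_MISSING', 'no Referrer-Policy header');

  return findings;
}

// Mixed content: any src attribute fetching http:// on an https page. A regex
// is enough for an audit sweep; a DOM walk (and <link href> for stylesheets)
// would be more complete.
function findMixedContent(html) {
  const hits = [];
  const re = /\bsrc\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) hits.push(m[1]);
  return hits;
}

// Convenience: audit the constructed sample and return the finding codes.
function demoAudit() {
  return auditResponseHeaders(SAMPLE_HEADERS).map((f) => f.code);
}
```

Run it over the headers of each page type on the site (home, login, admin), not only the front page; admin interfaces behind the CMS are the ones that most often miss the headers entirely.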
Which Laws Apply to Your Website?
The honest answer: probably more than you think. The common misunderstanding is that these laws only apply if you're based in a given state. They don't. They apply if you collect personal data from residents of that state, regardless of where your company is incorporated or where your servers sit.
| Law | Applies to you if... | Key obligation | Max penalty |
|---|---|---|---|
| GDPR | You have users in the EU/EEA | Consent before non-essential cookies; DPAs with vendors | €20M or 4% global revenue |
| CCPA/CPRA | You serve California residents and meet size thresholds | Do Not Sell link; GPC honoring (now mandatory) | $7,500 per intentional violation |
| Indiana (IDCPA) | 100K+ Indiana residents' data, or 25K+ if 50%+ revenue from selling data | Privacy notice; data subject rights; opt-out | $7,500 per violation (30-day cure) |
| Kentucky (KCDPA) | 100K+ Kentucky residents' data, or 25K+ if 50%+ revenue from selling data | Privacy notice; data subject rights; opt-out | $7,500 per violation (30-day cure) |
| Rhode Island (RICDPA) | 35K+ Rhode Island residents' data, or 10K+ if 20%+ revenue from selling data | Privacy notice; data subject rights; opt-out | $10,000 per violation (no cure period) |
If you're a mid-sized B2C business with national reach, you very likely fall under CCPA, at least a few of the new 2026 state laws, and potentially GDPR if you have any EU traffic. That's not a reason to panic — these laws have substantial overlap in what they require — but it is a reason to stop treating privacy compliance as a one-time policy-writing exercise and start treating it as an ongoing program.
The Gaps That Actually Get Companies In Trouble
Regulatory enforcement rarely comes from companies having no privacy policy at all. It comes from specific, identifiable gaps. These are the ones that come up most often:
GPC not implemented. California's January 2026 mandate is new and many sites haven't caught up. If your site doesn't detect and honor GPC signals, that's now a clean CCPA violation. Check your consent management platform's documentation — not all CMPs implement GPC by default even when they claim to.
Privacy policy written once, never updated. You added a new analytics tool, switched email providers, integrated a chat widget. None of those changes made it into the privacy policy. Regulators look at the delta between what a policy says and what a site actually does — and they're increasingly using automated scanners to find it.
Data subject rights requests hitting a dead end. The form on your privacy policy page goes to a general inbox that nobody monitors. A user requests deletion and gets no response within 45 days. That's an enforcement risk. In Rhode Island, there's no cure period — that $10,000 per violation exposure is immediate once a complaint is filed.
Third-party scripts firing before consent. Google Analytics, Meta Pixel, LinkedIn Insight Tag — these run by default on a lot of sites, before any consent interaction. Under GDPR that's unlawful processing. The EDPB's 2026 enforcement focus on transparency means these are exactly the kinds of issues they're actively scanning for.
No DPA with vendors processing EU data. If you use a US-based CRM, email platform, or chat tool that processes data from EU users, you need a Data Processing Agreement in place. Most major vendors have DPAs available — but you often have to request them, and they don't apply automatically when you sign up.
How Often to Update This
Website compliance isn't an annual checkbox. Three situations should trigger a review:
- When you add a new tool that touches user data — any new analytics, chat, CRM, or marketing integration means updating your cookie inventory, privacy policy disclosures, and potentially your third-party vendor list
- When a new law takes effect in a jurisdiction where you have users — the 2026 state law additions are a recent example; two more states take effect in mid-2026
- After a product change that alters what data you collect — new signup flow, new feature, new data field — your disclosures need to reflect current reality
At minimum, do a full review annually. Lock it to a specific date on the calendar so it actually happens.
The most efficient way to audit a privacy policy against multiple frameworks isn't reading regulations side by side — it's running the document through a tool that maps your current disclosures to specific requirements and tells you what's missing. That's exactly what PolicyAudit does: upload your policy and get a gap analysis against GDPR, CCPA, HIPAA, and other frameworks in one pass. Free tier covers the basics.
Start With What You Can Verify Today
If you've read this far and realized your site has gaps, here's the order to work through them:
- Check your cookie consent implementation for GPC — this is a new mandatory requirement and the easiest to verify (enable GPC in your browser settings and visit your own site)
- Audit what third-party scripts are actually running on your site vs. what your privacy policy discloses
- Verify your data subject rights request process actually works end-to-end — not just that the form exists
- Run your privacy policy through a compliance checker to identify specific missing disclosures — when you read the policy yourself, it's hard to notice the disclosures that aren't there
- Request DPAs from any vendors handling EU user data — most will have one; many just don't send it automatically
Twenty US states with active privacy laws, new CCPA requirements that kicked in January 1, and GDPR enforcement showing no signs of slowing down — 2026 is not the year to have "update privacy policy" sitting in the backlog. The cure periods that make Indiana and Kentucky relatively forgiving don't apply if you haven't built a process to respond to them in the first place. Rhode Island doesn't have a cure period at all.
The gap between having a privacy policy and being compliant is often just a few specific missing items. Find them before someone else does.
Know exactly where your privacy policy falls short
PolicyAudit checks your documents against GDPR, CCPA, HIPAA, SOC 2, and 9 other frameworks simultaneously — and gives you a specific list of what needs to be added or fixed. Start with the free tier.
Run a free privacy policy audit →