Privacy Law Expansion Continues: Indiana, Kentucky, Rhode Island Go Live as FTC Finalizes Disney COPPA Settlement

Want to receive these privacy recaps in your inbox each week? Subscribe here.

January 1, 2026 brought significant privacy law changes as Indiana, Kentucky and Rhode Island enacted comprehensive privacy legislation, California implemented new CCPA regulation updates including mandatory opt-out status displays, and three additional states began requiring recognition of universal opt-out mechanisms. 

Meanwhile, the FTC finalized a $10 million COPPA settlement against Disney over improper YouTube configuration that enabled targeted advertising to children, part of a broader intensification of children’s privacy enforcement.

Keep reading to learn more and discover my takeaways.

United States

New State Laws / Regulations Take Effect

January 1, 2026, marked the effective date of three new comprehensive privacy laws in Indiana, Kentucky, and Rhode Island, updated California regulations, and a requirement to respect universal opt-out mechanisms in three additional states. 

TAKEAWAY

The following are the most notable new requirements that companies should be aware of:

• The Rhode Island Data Transparency and Privacy Protection Act requires public disclosure (for example, on the controller’s website or in customer agreements) of all third parties to whom PII is sold or may be sold. This is a new requirement that doesn’t appear in any other comprehensive privacy law. Minnesota and Oregon both require disclosure of third parties upon the consumer’s request, but this new Rhode Island requirement now mandates that controllers make that list public. 
• New updates to the California CCPA Regulations require that businesses display the status of a consumer’s opt-out preference (for example, through a toggle or radio button indicating the consumer has opted out of the sale/sharing of their personal information) and whether the business has processed the consumer’s opt-out preference signal as a valid request to opt out (for example, by displaying “Opt-Out Request Honored” when a consumer using an opt-out preference signal visits the website). 
• Risk assessments must now be completed under California regulations for activities presenting a “significant risk” to consumer privacy. 
• Consistent with the January 1 deadline for CalPrivacy to establish a deletion mechanism under the Delete Act, CalPrivacy DROP is now available for consumers to submit deletion requests. Data brokers will be required to start processing any submitted deletion requests beginning August 1, 2026. 
• Delaware, Oregon, and Texas now require recognition of universal opt-out mechanisms like Global Privacy Control. This brings the total to 12 states that require such recognition. 

United states

Disney COPPA Settlement Finalized

A federal court entered a final stipulated order approving a $10 million FTC settlement over allegations that Disney failed to properly configure YouTube settings to indicate its videos were “Made for Kids”, resulting in the collection of personal information for targeted advertising from children under 13 without parental consent. 

In addition to the monetary settlement, the order requires Disney to implement a program to review videos for their appropriate designation before uploading them to YouTube. 

TAKEAWAY

This was the second of two proposed settlements under COPPA that the FTC announced in September 2025. The other settlement, finalized in late September 2025, involved allegations that toy maker Apitor Technology enabled a third-party SDK integrated in the robot toy’s companion app to collect geolocation information from children without parental consent. 

The FTC also filed a complaint against the operator of the Sendit anonymous messaging app in September over alleged COPPA violations and will hold a workshop on January 28 to discuss a range of issues related to age verification and estimation technologies, including the interplay between age verification and COPPA. 

This concentration of activity signals an intensifying FTC focus on children’s privacy, as well as exploration of advances in emerging tech to set future expectations for children’s privacy compliance. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Didomi 2025 rewind with our CEO
• Top 10 data privacy webinars for 2026
• The best data privacy resources for 2026

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.