With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first- and third-party cookies, third-party analytics software, and/or third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.

Align Disclosures with Reality

    Privacy notices and cookie banners often fall out of sync with actual practices. Marketing teams might add tracking pixels, analytics tools might be replaced or upgraded, or vendor scripts might change, but disclosures don’t always get updated.

    Indiana, Kentucky, and Rhode Island now join 16 other states with comprehensive privacy laws that require clear disclosures about what personal information is collected, how it’s used, and whether targeted advertising occurs.

    To avoid unpleasant surprises, it’s important to regularly validate that your organization’s compliance measures are functioning as intended. Confirm whether your website and direct marketing opt-outs are working and whether your website privacy notice reflects reality. Mismatches can surface during M&A due diligence, while defending against threatened litigation or arbitration, or when responding to government inquiries. Audit before third parties do.

    Make Consumer Rights Actually Work

    State privacy laws now require access, deletion, correction, and opt-out rights, but many organizations’ privacy rights request processes don’t function end-to-end. When these workflows are tested by website visitors, gaps that were missed in technical reviews can surface.

    With enforcement ramping up across multiple states, functional consumer rights processes are crucial. Effective compliance means having a dedicated webpage with a functional online request form (not just an email address), verification steps tailored to each request type, and internal processes that meet legal requirements, including deadlines for responding.

    Understand New Technology Requirements

    Several state laws now regulate the use of automated website tools that impact consumers, from chatbots to fraud scoring to personalization engines. California and Colorado laws have the most detailed requirements, such as mandatory disclosures for automated decision-making, risk assessments for high-risk processing, and accessible opt-out mechanisms.

    If you’re unsure whether your website is using automated decision-making tools or AI-driven personalization, start by conducting an inventory of all website features and third-party technologies that process user data or influence user experience. This includes chatbots, recommendation engines, fraud detection tools, and personalization scripts. Mapping these features now creates a foundation for future compliance.

    Website Privacy Checklist

    • Audit the language in cookie banners against the actual tracking tools deployed on your website.
    • Test your privacy rights request processes as if you were an individual submitting a request.
    • Update privacy notices to reflect the complex, multi-jurisdictional legal landscape.
    • Review mechanisms that allow people to opt out of targeted advertising and the sale of their personal information.
    • Inventory AI/automated tools that score or filter website visitors or personalize content.

    A targeted compliance review now can mitigate the risk that gaps will result in enforcement actions, litigation, or deal blockers later.

    Heidi Salow

    Heidi counsels clients on a wide range of privacy, cybersecurity, and artificial intelligence laws, regulations, and standards, including the CCPA, FERPA, EU AI Act, EU and U.K. GDPR, HIPAA, FCRA, GLBA, and NIST frameworks, as well as various U.S. state laws and regulations touching on healthcare and financial privacy, artificial intelligence, biometrics, and information security. She draws on a notable background as one of the first U.S. attorneys focused on data privacy and cybersecurity, as well as experience as a corporate executive. Heidi previously held executive roles at two large multinational corporations, Thomson Reuters and Leidos.

    Shannon Kapadia

    Formerly in-house at a major technology company, Shannon advises clients on data privacy, technology transactions, and cloud services contracting.

    After growing up observing the realities of business ownership, Shannon brings a business mindset to legal challenges and serves as a strategic partner for clients navigating digital transformation, data privacy, and commercial contracting. She most often represents organizations as they negotiate contracts with large technology companies, including those involving AI governance. Shannon’s practice is rooted in data privacy matters, and she is also deeply familiar with the intellectual property issues that often arise in tech agreements.