As the calendar flipped to 2026, a fresh layer of regulatory complexity landed on the desks of B2B ecommerce leaders across the United States. Three states — Indiana, Kentucky, and Rhode Island — ushered in comprehensive consumer data privacy laws, marking the latest chapter in a fast-evolving state-level privacy landscape that now covers two dozen jurisdictions.
These laws extend and align with frameworks pioneered in states like California and Virginia, but carry their own nuances that sellers, platforms and marketplaces need to understand and operate.
Across these new statutes, the common thread is familiar: expanded rights for residents around personal data and new duties for businesses that collect, process or share that data. For ecommerce sellers that service other businesses — from manufacturers and distributors to wholesalers and SaaS platforms supporting order management — the changes underscore that even B2B digital commerce operations are not immune from consumer-focused regulation.
New privacy laws affecting B2B ecommerce
1. Indiana’s Consumer Data Protection Act
Riding into effect with the new year, Indiana’s statute (the ICDPA) places obligations on organizations that process the personal data of at least 100,000 Indiana residents annually, or at least 25,000 residents if over half of revenue comes from selling personal information. Residents gain rights to access, delete, correct and opt out of:
- Targeted advertising
- Data sales
- Automated profiling
Meanwhile, covered businesses must adhere to controller and processor duties, including data minimization and purpose limitation. Enforcement authority sits with the Indiana Attorney General.
For B2B sellers, the implications reach beyond consumer-facing storefronts. Many B2B sites collect data ubiquitous to ecommerce. That includes email addresses, IP identifiers, device signals and usage telemetry. Each can become subject to these protections when tied to identifiable individuals who are Indiana residents. Moreover, when that data feeds retargeting, lookalike modeling or cross-channel marketing efforts, the expanded opt-out rights require operational hooks that most enterprise stacks are only now building.
2. Kentucky’s Consumer Data Protection Act
Kentucky’s law mirrors much of Indiana’s framework, including similar thresholds for coverage and a comparable suite of consumer rights. It too went into effect on Jan. 1. While both laws reflect what privacy practitioners describe as the evolving “Virginia model,” Kentucky’s statute includes subtle differences. Notably, those differences are in how it defines biometric data and addresses procedural requirements. Enforcement, again, is centralized with the state’s Attorney General.
For B2B ecommerce operators selling into or through the state, the practical takeaway is the same. Any system that collects or acts on personal data tied to human contacts likely triggers compliance. That could be a procurement officer’s profile on a portal, usage analytics from a support chatbot or hashed email lists used in ad campaigns.
3. Rhode Island’s Data Transparency and Privacy Protection Act
Rhode Island completes the trio of new laws effective Jan. 1, 2026. It codified its statute under Title 6, Chapter 48.1. The act also grants residents expanded rights and erects duties for controllers and processors doing business in the state. One notable twist in Rhode Island’s law is its broad definition of “sale,” which encompasses not only direct monetary transactions but potentially analytics and advertising service data sharing, making it more expansive in scope than some counterparts.
For sellers whose ecommerce infrastructure feeds data to third-party ad networks or analytics partners, this provision introduces an added dimension: transparency obligations around third parties that receive personal data. Ecommerce platforms and data governance tools will need to document, disclose, and manage these relationships in ways that satisfy the statute’s requirements.
These statutes are consumer privacy laws, but the operational footprint extends well into modern B2B ecommerce environments. That’s because contemporary B2B platforms rarely differentiate between “commercial” and “personal” data within their digital experiences. A procurement manager’s work email and a sole proprietor’s personal email often live in the same CRM; behavioral analytics tools track both kinds of users; and digital advertising efforts do not cleanly separate audiences based on business vs. consumer intent.
5 key areas where the new privacy laws intersect with B2B ecommerce
- Data inventory and mapping. Companies must know where personal data resides across systems. That’s a prerequisite for honoring rights requests and demonstrating compliance.
- Consent and opt-out mechanisms. Universal mechanisms for opting out of targeted advertising and data sales must be offered where residents of these states are involved, including in business contexts.
- Customer-facing disclosures. Privacy notices need updating to include explicit state-by-state rights and processing bases, even if the audience is a professional user group.
- Vendor contracts. Agreements with processors require revision to reflect controller/processor roles and security expectations. That can include ecommerce platforms like Shopify Plus or Salesforce Commerce Cloud to analytics/CDP vendors.
- Rights request workflows. Systems and service desks must be prepared to intake and fulfill rights requests (access, delete, correct), which can touch systems across the sales, support and marketing tech stack.
What privacy laws could mean for B2B ecommerce in 2026
In short, privacy compliance can no longer live solely in legal or IT silos; it must be embedded into product, marketing, analytics and support processes. Automation and orchestration tools that special-purpose privacy programs increasingly offer — such as data discovery, governance and rights request automation — are becoming strategic enablers rather than back-office cost centers.
These Jan. 1 changes arrive amid a broader wave of state technology regulation. Alongside privacy laws rolling out in 2026, other states are advancing legislation on AI transparency, consumer protection and digital design standards, while some privacy statutes in early adopter states like California continue evolving with new regulatory requirements going into effect later this year.
For digital commerce leaders, the headline is clear: Regulatory risk is no longer confined to the federal level or traditional consumer markets. Compliance, governance and customer trust are now competitive differentiators — and for B2B sellers operating across state lines, understanding the nuances of these new privacy laws is essential to both legal adherence and customer experience excellence.
Sign up
Sign up for a complimentary subscription to Digital Commerce 360 B2B News. It covers technology and business trends in the growing B2B ecommerce industry. Contact Mark Brohan, senior vice president of B2B and Market Research, at mark@digitalcommerce360.com. Follow him on Twitter @markbrohan. Follow us on LinkedIn, X (formerly Twitter), Facebook and YouTube.
