Kentucky Consumer Data Protection Act Takes Effect: What Businesses Need to Know in 2026

The Kentucky Consumer Data Protection Act (KCDPA) officially went into effect on January 1, 2026, making Kentucky the fifteenth state to enact comprehensive consumer data privacy legislation. Signed into law by Governor Andy Beshear on April 4, 2024, the KCDPA grants Kentucky residents new rights over their personal data while establishing clear obligations for businesses operating in the Bluegrass State.

Understanding the KCDPA Framework

The KCDPA closely mirrors Virginia's Consumer Data Protection Act (VCDPA), positioning itself among the more business-friendly state privacy laws. Unlike California's complex CCPA framework, Kentucky's approach emphasizes practical compliance pathways while maintaining robust consumer protections.

The law applies to any person or business conducting operations in Kentucky or targeting products and services to Kentucky residents, provided they meet specific thresholds during a calendar year:

  • Control or process personal data of at least 100,000 Kentucky consumers, OR
  • Control or process personal data of at least 25,000 Kentucky consumers while deriving more than 50% of gross revenue from the sale of personal data

Notably, the KCDPA contains no revenue threshold requirement, meaning businesses of varying sizes may fall under its purview based solely on their data processing activities with Kentucky residents.

Consumer Rights Under the KCDPA

Kentucky residents acting in an individual or household context (the law excludes people acting in a commercial or employment context) gain the following rights and protections:

Right to Confirmation and Access: Consumers can confirm whether a controller is processing their personal data and obtain access to that data; the controller is not required to disclose information that would reveal a trade secret.

Right to Correction: Consumers may correct inaccuracies in their personal data held by businesses.

Right to Deletion: Consumers can request deletion of personal data they provided or that was obtained about them.

Right to Data Portability: Consumers may obtain portable copies of their personal data in a readily usable format, facilitating transfers to other services.

Right to Opt-Out: Consumers can opt out of processing for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects.

Sensitive Data Protection: Controllers cannot process sensitive data without the consumer's consent. Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; precise geolocation data; and personal data collected from a known child (under 13).

Right to Non-Discrimination: Businesses cannot discriminate against consumers exercising their privacy rights by denying services, charging different prices, or providing inferior quality.

Controllers must respond to consumer rights requests within 45 days of receipt (extendable once by a further 45 days where reasonably necessary, with notice to the consumer) and must establish a conspicuously available appeal process for denied requests.

Business Obligations and Compliance Requirements

Privacy Notices and Transparency

Controllers must provide reasonably accessible, clear, and meaningful privacy notices that include:

  • Categories of personal data being processed
  • Purposes for processing personal data
  • Procedures for consumers to exercise their rights
  • Categories of personal data shared with third parties
  • Categories of third parties receiving consumer data

Data Minimization and Purpose Limitation

Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer. Processing personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purposes requires the consumer's consent.

Data Security Requirements

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical security practices appropriate to the volume and nature of personal data processed.

Consent for Sensitive Data

Unlike the general opt-out model that governs most personal data, processing sensitive data requires affirmative opt-in consent. This consent must be freely given, specific, informed, and unambiguous, expressed through a clear affirmative act; acceptance of general terms of use or a pre-ticked box does not qualify.

Data Protection Impact Assessments

The KCDPA requires controllers to conduct and document Data Protection Impact Assessments (DPIAs) for certain high-risk processing activities. Importantly, these requirements apply only to processing activities created or generated on or after June 1, 2026.

DPIAs are required for:

  • Targeted advertising
  • Sale of personal data
  • Profiling that creates risk of unlawful disparate impact or harm to consumers
  • Processing of sensitive data
  • Any processing activities presenting heightened risk of harm to consumers

A single DPIA may address comparable sets of processing operations involving similar activities, reducing administrative burden for businesses with standardized processes.

Processor Agreements

Controllers must enter into binding contracts with processors that govern data processing procedures. These contracts must specify:

  • Clear instructions on data processing scope and purpose
  • The nature and duration of processing
  • Obligations for both parties
  • Duties of confidentiality for personnel handling data
  • Subcontractor management requirements