The Kentucky Consumer Data Protection Act (KCDPA) officially went into effect on January 1, 2026, making Kentucky the fifteenth state to enact comprehensive consumer data privacy legislation. Signed into law by Governor Andy Beshear on April 4, 2024, the KCDPA grants Kentucky residents new rights over their personal data while establishing clear obligations for businesses operating in the Bluegrass State.

Understanding the KCDPA Framework

The KCDPA closely mirrors Virginia’s Consumer Data Protection Act (VCDPA), positioning itself among the more business-friendly state privacy laws. Unlike California’s complex CCPA framework, Kentucky’s approach emphasizes practical compliance pathways while maintaining robust consumer protections.

The law applies to any person or business conducting operations in Kentucky or targeting products and services to Kentucky residents, provided they meet specific thresholds during a calendar year:

  • Control or process personal data of at least 100,000 Kentucky consumers, OR
  • Control or process personal data of at least 25,000 Kentucky consumers while deriving more than 50% of gross revenue from the sale of personal data

Notably, the KCDPA contains no revenue threshold requirement, meaning businesses of varying sizes may fall under its purview based solely on their data processing activities with Kentucky residents.

Consumer Rights Under the KCDPA

Kentucky residents acting in individual or household contexts gain seven fundamental privacy rights:

Right to Confirmation and Access: Consumers can confirm whether a business is processing their personal data and access that data without revealing trade secrets.

Right to Correction: Consumers may correct inaccuracies in their personal data held by businesses.

Right to Deletion: Consumers can request deletion of personal data they provided or that was obtained about them.

Right to Data Portability: Consumers may obtain portable copies of their personal data in a readily usable format, facilitating transfers to other services.

Right to Opt-Out: Consumers can opt out of processing for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects.

Sensitive Data Protection: Businesses cannot process sensitive data without explicit consumer consent. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship status, genetic or biometric data for identification, precise geolocation, and data collected from children under 13.

Right to Non-Discrimination: Businesses cannot discriminate against consumers exercising their privacy rights by denying services, charging different prices, or providing inferior quality.

Controllers must respond to consumer rights requests within 45 days and establish appeal processes for denied requests.

Business Obligations and Compliance Requirements

Privacy Notices and Transparency

Controllers must provide reasonably accessible, clear, and meaningful privacy notices that include:

  • Categories of personal data being processed
  • Purposes for processing personal data
  • Procedures for consumers to exercise their rights
  • Categories of personal data shared with third parties
  • Categories of third parties receiving consumer data

Data Minimization and Purpose Limitation

Businesses must limit personal data collection to what is adequate, relevant, and reasonably necessary for disclosed purposes. Processing data for undisclosed purposes requires additional consumer consent.

Data Security Requirements

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical security practices appropriate to the volume and nature of personal data processed.

Unlike the general opt-out model for most personal data, processing sensitive data requires affirmative opt-in consent. This consent must be freely given, specific, informed, and unambiguous through clear affirmative action.

Data Protection Impact Assessments

The KCDPA requires controllers to conduct and document Data Protection Impact Assessments (DPIAs) for certain high-risk processing activities. Importantly, these requirements apply only to processing activities created or generated on or after June 1, 2026.

DPIAs are required for:

  • Targeted advertising
  • Sale of personal data
  • Profiling that creates risk of unlawful disparate impact or harm to consumers
  • Processing of sensitive data
  • Any processing activities presenting heightened risk of harm to consumers

A single DPIA may address comparable sets of processing operations involving similar activities, reducing administrative burden for businesses with standardized processes.

Processor Agreements

Controllers must enter into binding contracts with processors that govern data processing procedures. These contracts must specify:

  • Clear instructions on data processing scope and purpose
  • The nature and duration of processing
  • Obligations for both parties
  • Duties of confidentiality for personnel handling data
  • Subcontractor management requirements

Notable Exemptions and Carve-Outs

The KCDPA provides extensive exemptions to avoid conflicts with existing federal regulations and to protect certain entities:

Exempt Entities:

  • State agencies, cities, and political subdivisions of Kentucky
  • Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA)
  • HIPAA-covered entities and business associates
  • Nonprofit organizations
  • Higher education institutions
  • Small telephone utilities and municipal utilities that don’t sell or share personal data with third-party processors

Exempt Data Categories:

  • Protected Health Information (PHI) under HIPAA
  • Health records and patient identifying information
  • Data subject to the Fair Credit Reporting Act (FCRA)
  • Data regulated by the Family Educational Rights and Privacy Act (FERPA)
  • Driver’s Privacy Protection Act data
  • Farm Credit Act data
  • Emergency contact information and employment-related data

Amendments passed in March 2025 via House Bill 473 expanded healthcare exemptions to include Limited Data Sets held by HIPAA-compliant entities and clarified protections for public health reporting and fraud prevention activities.

Enforcement Mechanism and Penalties

The Kentucky Attorney General holds exclusive enforcement authority for KCDPA violations. Notably, the law does not provide a private right of action, meaning consumers cannot directly sue businesses for violations.

The Permanent 30-Day Cure Period

One of the KCDPA’s most business-friendly features is its permanent cure provision. Before pursuing penalties, the Attorney General must provide written notice of alleged violations and grant businesses 30 days to cure them. If a business remedies the violation and provides written confirmation of compliance within this period, the AG cannot proceed with enforcement action.

Critically, this cure period does not sunset—it remains available throughout the law’s existence, unlike some other state privacy laws where cure provisions expire after initial implementation periods.

Penalties

Businesses that fail to cure violations within the 30-day window face civil penalties of up to $7,500 per violation. Penalties collected fund a Consumer Privacy Fund administered by the Attorney General’s office to support ongoing enforcement activities.

Key Differences from Other State Laws

No Universal Opt-Out Requirement

Unlike California, Colorado, Connecticut, and several other states, Kentucky does not require businesses to honor universal opt-out mechanisms (UOOMs) or global privacy control signals. Businesses must provide opt-out methods but can implement them through their own systems rather than recognizing browser-based signals.

Narrow Definition of “Sale”

The KCDPA defines “sale of personal data” as exchanges for monetary consideration only. This narrower definition differs from states like California, where “sale” encompasses any data sharing with third parties for valuable consideration, including advertising exchanges.

No Rulemaking Authority

The law does not authorize the Kentucky Attorney General to promulgate regulations or detailed rules for implementation. This provides regulatory stability but means businesses must interpret the statutory language directly.

Practical Compliance Strategies

For Businesses Already Compliant with Other State Laws

If your organization already complies with Virginia’s VCDPA or similar frameworks like those in Connecticut, Indiana, or Tennessee, you’re well-positioned for KCDPA compliance. The laws share substantial overlap in consumer rights, controller obligations, and structural approaches.

Key steps include:

  1. Review and Update Privacy Notices: Ensure your privacy policy explicitly addresses Kentucky consumers and meets KCDPA disclosure requirements.
  2. Verify Consent Mechanisms: Confirm your sensitive data consent processes meet Kentucky’s opt-in standards.
  3. Assess Data Processing Activities: Conduct a gap analysis between existing state law compliance and KCDPA-specific requirements.
  4. Prepare for DPIA Requirements: For processing activities initiated after June 1, 2026, develop templates and workflows for conducting and documenting impact assessments.

For Businesses New to State Privacy Laws

Organizations without existing state privacy law compliance programs should take a methodical approach:

  1. Determine Applicability: Calculate whether your Kentucky consumer data processing meets the 100,000 or 25,000 consumer thresholds.
  2. Conduct Data Mapping: Inventory what personal data you collect, from what sources, for what purposes, how it’s stored, and with whom it’s shared.
  3. Implement Consumer Rights Infrastructure: Establish accessible mechanisms for consumers to submit data requests—toll-free numbers, dedicated email addresses, or web forms that don’t require account creation.
  4. Review Third-Party Relationships: Audit vendor contracts to ensure they include required processor agreement provisions.
  5. Develop Internal Training: Educate teams on KCDPA requirements, timelines for responding to consumer requests, and appeal procedures.
  6. Establish Data Security Baselines: Implement reasonable administrative, technical, and physical safeguards proportionate to the sensitivity and volume of data processed.

Managing the DPIA Requirement

With DPIA requirements taking effect June 1, 2026 for new processing activities, businesses should:

  • Create standardized DPIA templates addressing required elements (benefits, risks, mitigation measures)
  • Establish triggers in project planning processes to identify when DPIAs are needed
  • Document assessments comprehensively and maintain confidentiality
  • Review and update DPIAs periodically as processing activities evolve

Industry-Specific Considerations

Healthcare Organizations

The expanded HIPAA exemptions in the 2025 amendments provide significant relief for healthcare entities. Organizations already compliant with HIPAA’s Privacy and Security Rules can rely on those frameworks for PHI and Limited Data Sets. However, healthcare organizations must still address non-HIPAA-covered data under KCDPA requirements.

Retail and E-Commerce

The narrow “sale” definition limited to monetary consideration eases compliance for loyalty programs and customer data sharing arrangements that don’t involve direct payments. However, businesses must still provide opt-outs for targeted advertising and profiling activities.

Advertising Technology Companies

High applicability thresholds and the permanent cure period reduce immediate risk, but ad tech firms should closely monitor Attorney General enforcement priorities as case law develops. The lack of universal opt-out requirements provides operational flexibility compared to California and Colorado.

Small Businesses

Most small businesses will fall below the 100,000 consumer threshold, exempting them from KCDPA requirements. However, organizations approaching these thresholds should implement monitoring systems to ensure compliance when they cross applicability lines.

Looking Ahead: The Expanding State Privacy Landscape

Kentucky joins Indiana and Rhode Island in implementing comprehensive privacy laws on January 1, 2026, marking a significant milestone in the U.S. privacy landscape. With 20 states now having enacted comprehensive privacy legislation, businesses must navigate an increasingly complex patchwork of requirements.

The trend toward Virginia-model frameworks like Kentucky’s suggests some standardization in state approaches, but meaningful differences remain. Organizations operating across multiple states should consider:

  • Multi-state compliance platforms that manage consumer rights requests across jurisdictions
  • Flexible consent management systems adaptable to varying state requirements
  • Centralized data governance programs providing consistent foundations for state-specific implementations
  • Ongoing monitoring of new state legislation and Attorney General guidance

Consumer Privacy Office and Complaint Process

The Kentucky Attorney General has established the Kentucky Office of Data Privacy to handle KCDPA enforcement. Consumers can file complaints through the official portal if businesses decline appeals or violate consumer rights.

Businesses should monitor the Office of Data Privacy website for guidance documents, FAQs, and enforcement priorities as the Attorney General develops its implementation approach.

Final Recommendations

The KCDPA represents a balanced approach to consumer privacy, providing meaningful rights to Kentucky residents while incorporating business-friendly features like the permanent cure period and narrow sale definition. Organizations subject to the law should:

  • Act now if not already compliant: The law is in effect, and while the permanent cure provision provides a safety net, proactive compliance avoids enforcement actions altogether.
  • Document everything: Maintain detailed records of data processing activities, DPIAs, consumer request responses, and security measures.
  • Stay informed: Monitor Kentucky Attorney General announcements and early enforcement actions to understand interpretation of ambiguous provisions.
  • Consider federal developments: With comprehensive federal privacy legislation periodically under consideration, state law compliance programs should be designed with adaptability in mind.
  • Leverage existing investments: If you’ve built compliance programs for other state laws, capitalize on those investments by efficiently extending them to Kentucky requirements.

The KCDPA joins a growing wave of state privacy legislation reshaping how businesses handle personal data. While compliance requires investment in systems, processes, and training, organizations that approach privacy as a fundamental business practice rather than merely a legal obligation will build stronger customer trust and competitive advantages in an increasingly privacy-conscious marketplace.
For specific legal guidance on KCDPA compliance for your organization, consult with qualified privacy counsel familiar with Kentucky law and your industry’s unique requirements.