Kentucky became the fifteenth US state to enact consumer privacy legislation when Governor Andy Beshear signed the Kentucky Consumer Data Protection Act in April 2024. The law takes effect on January 1 2026.
What Is the KCDPA?
The Kentucky Consumer Data Protection Act (KCDPA) grants Kentucky residents rights over their personal data and establishes obligations for businesses that collect and process that data. The law follows a similar structure to other state privacy laws like Virginia’s VCDPA.
Enforcement is handled by the Kentucky Attorney General. There is no private right of action.
Does It Apply to Your Business?
The KCDPA applies to businesses that conduct business in Kentucky or produce products or services targeted to Kentucky residents. To be covered, a business must also meet at least one of two thresholds during a calendar year:
Threshold 1: Control or process the personal data of at least 100,000 Kentucky consumers.
Threshold 2: Control or process the personal data of at least 25,000 Kentucky consumers AND derive more than 50% of gross revenue from selling personal data.
The law does not include a standalone revenue threshold, so a smaller business that meets either data volume threshold is covered regardless of its overall revenue.
Exemptions
Several categories are exempt from the KCDPA:
- Government entities
- Nonprofit organizations
- Financial institutions regulated by the Gramm-Leach-Bliley Act
- Higher education institutions
- HIPAA-covered entities and certain protected health information (expanded by the 2025 amendment)
- Data subject to the Fair Credit Reporting Act
- Data covered by FERPA
2025 HIPAA Amendment
In March 2025, Kentucky amended the KCDPA to add exemptions for information collected by healthcare providers acting as HIPAA covered entities, and for information maintained in HIPAA limited data sets.
Key Consumer Rights
Kentucky residents have the following rights:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for automated decisions with legal or significant effects
Business Obligations
Covered entities must:
- Limit data collection to what is adequate, relevant, and reasonably necessary
- Implement reasonable data security measures
- Obtain consent before processing sensitive data
- Provide clear privacy notices
- Respond to consumer requests within 45 days
- Establish appeal processes for denied requests
- Conduct data protection assessments for high-risk processing (from June 2026)
- Not discriminate against consumers for exercising their rights
Data protection assessment requirements apply to processing activities created or generated on or after June 1 2026.
Sensitive Data
The KCDPA requires consent before processing sensitive data, which includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data
- Personal data of known children
- Precise geolocation data
Enforcement and Penalties
The Kentucky Attorney General has exclusive enforcement authority.
The law includes a 30-day cure period. When a violation is identified, the controller or processor has 30 days to remedy the issue and provide a written statement that violations have been cured and no further violations will occur.
Penalties can be up to $7,500 per violation. Penalties collected go to a fund the Attorney General can use for ongoing enforcement.
Key Dates
- April 4 2024: KCDPA signed into law
- March 15 2025: HIPAA exemption amendment signed
- January 1 2026: KCDPA takes effect
- June 1 2026: Data protection assessment requirements apply to new processing
Where to Find Official Resources
- Full legal text: apps.legislature.ky.gov/record/24rs/hb15.html
- Kentucky Attorney General: ag.ky.gov
Getting Started
Kentucky’s KCDPA takes effect on January 1 2026, giving businesses time to prepare. The law follows a structure similar to Virginia’s VCDPA and other state privacy laws, so businesses already compliant with those laws will find many familiar requirements.
Review your data collection practices against the minimization standard, implement consent mechanisms for sensitive data, and prepare documentation for data protection assessments that will be required from June 2026.
