Overview
The Kentucky Consumer Data Protection Act (KCDPA) is a comprehensive state privacy law that grants Kentucky residents new rights over their personal data while setting clear compliance requirements for businesses. Signed into law on April 4, 2024, the KCDPA takes effect on January 1, 2026.
Kentuckyโs law follows the Virginia CDPA model, making it business-friendly while still providing strong consumer protections.
Who Must Comply?
The KCDPA applies to businesses that operate in Kentucky or target Kentucky residents and meet one of the following criteria:
โ Process personal data of at least 100,000 Kentucky consumers annually
โ Process personal data of at least 25,000 Kentucky consumers and derive over 50% of gross revenue from selling personal data
Exemptions:
The law does not apply to:
๐ซ Government agencies
๐ซ Nonprofits
๐ซ Financial institutions subject to GLBA
๐ซ HIPAA-covered entities
๐ซ Higher education institutions
Key Consumer Rights Under KCDPA
โ Right to Access โ Consumers can request a copy of their personal data.
โ Right to Correct โ Consumers can request corrections to inaccurate personal data.
โ Right to Delete โ Consumers can request the deletion of personal data.
โ Right to Data Portability โ Consumers can receive their data in a portable format.
โ Right to Opt-Out โ Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
๐ No Private Right of Action โ Unlike Californiaโs CPRA, consumers cannot sue businesses directly for violations.
Business Compliance Requirements
โ Universal Opt-Out Mechanism (Starting January 1, 2026) โ Businesses must recognize Global Privacy Control (GPC) signals.
โ Opt-In Consent for Sensitive Data โ Businesses must obtain explicit consumer consent before processing:
๐ Racial/ethnic origin
๐ Religious beliefs
๐ Biometric data
๐ Health conditions
๐ Childrenโs data
โ Privacy Policy & Transparency โ Companies must provide clear privacy policies explaining data collection and use.
โ Data Protection & Security โ Businesses must implement reasonable safeguards to protect consumer data.
โ Risk Assessments for High-Risk Processing โ Companies must conduct Data Protection Assessments (DPA) for:
๐ Targeted advertising
๐ Data sales
๐ AI-driven automated decision-making
Real-World Enforcement Cases
The Kentucky Attorney General enforces the KCDPA, with penalties of up to $7,500 per violation.
๐ 30-Day Cure Period for Violations โ Businesses have 30 days to fix compliance issues before fines are imposed.
Since KCDPA does not take effect until January 1, 2026, major enforcement cases have not yet occurred, but companies failing to provide opt-out mechanisms are expected to be early enforcement targets.
๐ Comparison with Other State Privacy Laws
The Kentucky KCDPA is more flexible for businesses than Californiaโs CPRA but closely resembles Virginiaโs CDPA:
โ
No Private Right of Action โ Consumers cannot sue companies directly.
โ
Stronger Opt-Out Requirements โ Businesses must honor universal opt-out signals in 2026.
โ
Less Strict Than CPRA โ Kentuckyโs law has fewer compliance obligations than Californiaโs CPRA.
Future of KCDPA Regulation
๐ Stronger enforcement expected in 2026, particularly for AI-driven profiling.
๐ Possible expansion of consumer rights in future amendments.
๐ Potential updates to align with federal privacy laws if enacted.Kentuckyโs KCDPA is a consumer-friendly but business-oriented privacy law, balancing consumer rights with clear compliance measures.
