Kentucky Consumer Data Protection Act
The Kentucky Consumer Data Protection Act mirrors Virginia's law, granting access, correction, deletion, and opt-out rights and requiring consent for sensitive data. It took effect January 1, 2026 and is enforced by the Kentucky Attorney General with a permanent cure period.
Kentucky Consumer Data Protection Act
The Kentucky Consumer Data Protection Act (KCDPA), enacted as House Bill 15, is Kentucky's comprehensive consumer privacy statute. It took effect on January 1, 2026. The KCDPA is closely modeled on Virginia's Consumer Data Protection Act, sharing its thresholds, consumer rights, and enforcement structure.
Who It Applies To
The KCDPA applies to persons that conduct business in Kentucky or produce products or services targeted to Kentucky residents and that, during a calendar year, control or process the personal data of either 100,000 or more consumers, or 25,000 or more consumers while deriving more than 50 percent of gross revenue from the sale of personal data. The law exempts entities and data covered by HIPAA and the Gramm-Leach-Bliley Act, government entities, and nonprofits.
Key Requirements
Controllers must provide a clear privacy notice, practice data minimization, and maintain reasonable security. Consumers have rights to confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Opt-in consent is required for sensitive data. Controllers must conduct and document data protection assessments for higher-risk processing. The KCDPA does not require recognition of universal opt-out mechanisms.
Penalties for Non-Compliance
The Kentucky Attorney General has exclusive enforcement authority; there is no private right of action. Civil penalties reach up to 7,500 dollars per violation. The law provides a 30-day cure period that does not sunset, after which the Attorney General may sue.
How to Comply
Confirm whether the thresholds apply. Publish an accurate privacy notice and implement consumer-request workflows with a 45-day response window. Build opt-in consent flows for sensitive data and maintain documented data protection assessments for targeted advertising, data sales, sensitive data, and significant profiling. Review processor agreements to ensure required contractual terms are present.
Relationship to Other Laws
Kentucky is a near-copy of Virginia, so the marginal compliance effort for organizations already meeting Virginia is small. It does not require universal opt-out recognition and offers a permanent 30-day cure period. The main Kentucky-specific work is confirming response handling and updating privacy notices to reference Kentucky consumers where the organization enumerates jurisdictions.
Operational Mechanics
Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.