Kentucky Data Privacy Laws: Consumer Rights Guide (2026)

Kentucky enacted one of the most significant data privacy laws in the nation when Governor Andy Beshear signed the Kentucky Consumer Data Protection Act into law on April 4, 2024. The KCDPA, originally filed as House Bill 15, made Kentucky the fifteenth state to adopt a comprehensive consumer data privacy statute. It took effect on January 1, 2026.
This guide covers the full scope of Kentucky's data privacy framework, including the KCDPA, the state's data breach notification law, consumer rights, business obligations, and enforcement provisions.
Kentucky Consumer Data Protection Act (KCDPA)
The Kentucky Consumer Data Protection Act is codified in KRS 367.3611 through 367.3629. It governs how businesses collect, use, process, and store personal data belonging to Kentucky consumers.

The KCDPA closely resembles Virginia's Consumer Data Protection Act and Connecticut's Data Privacy Act. It establishes an opt-out framework for general personal data processing while requiring opt-in consent for sensitive data categories.
Who the KCDPA Applies To
The KCDPA applies to any person or entity that conducts business in the Commonwealth of Kentucky or produces products or services targeted to Kentucky residents, and that during a calendar year meets either of these thresholds:
Threshold one. Controls or processes the personal data of at least 100,000 Kentucky consumers.
Threshold two. Controls or processes the personal data of at least 25,000 Kentucky consumers while deriving over 50% of gross revenue from the sale of personal data.
Unlike some state privacy laws, the KCDPA does not include a separate revenue threshold. A business of any size can fall under the law if it meets one of the two processing thresholds above.
The law defines a "consumer" as a natural person who is a Kentucky resident acting in an individual context. People acting in a commercial or employment context are not considered consumers under the KCDPA.
Exempt Entities
The KCDPA exempts several categories of organizations from its requirements entirely:
- State agencies, city governments, and political subdivisions of the Commonwealth
- Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofit organizations
- Institutions of higher education
- Organizations that assist law enforcement with insurance fraud investigations
- Organizations assisting first responders during catastrophic events
- Certain small telephone utilities and Tier III CMRS providers
- Municipal utilities that do not sell or share consumer data with third-party processors
Data-Level Exemptions
Beyond entity-level exemptions, the KCDPA also exempts specific categories of data from its coverage, regardless of who holds the data:
- Publicly available information and de-identified data
- Data processed under the Fair Credit Reporting Act (FCRA)
- Data regulated under GLBA or HIPAA
- Data protected under the Driver's Privacy Protection Act (DPPA)
- Education records covered by the Family Educational Rights and Privacy Act (FERPA)
- Employment and independent contractor data
- Emergency contact information
- Farm Credit Act data
- Health care quality improvement and patient safety activity data
Consumer Rights Under the KCDPA
The KCDPA grants Kentucky residents five core rights over their personal data. These rights are detailed in KRS 367.3615.
Right to confirm and access. You can request that a business confirm whether it processes your personal data and obtain access to that data, provided the disclosure does not reveal trade secrets.
Right to correct. You can request that a business correct inaccurate personal data it holds about you.
Right to delete. You can request deletion of personal data you provided or that the business obtained about you.
Right to data portability. You can request a copy of your personal data in a portable and readily usable format, again subject to trade secret protections.
Right to opt out. You can opt out of the processing of your personal data for three specific purposes: targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.
How to Exercise Your Rights
Controllers must respond to consumer rights requests without undue delay and no later than 45 days after receiving the request. This window can be extended by an additional 45 days if reasonably necessary, as long as the controller notifies the consumer of the extension and explains the reason.
If a controller denies a request, it must provide an appeals process. Consumers who are dissatisfied with the outcome of an appeal can file a complaint with the Kentucky Attorney General's Office of Data Privacy.
No Authorized Agent or Universal Opt-Out
One notable limitation of the KCDPA is that it does not require controllers to recognize universal opt-out mechanisms such as Global Privacy Control (GPC). Consumers must submit individual opt-out requests directly to each business.
The KCDPA also does not provide a mechanism for authorized agents to submit requests on behalf of consumers. This stands in contrast to laws in California, Colorado, Connecticut, and several other states that require recognition of these tools.
Personal Data and Sensitive Data Definitions
The KCDPA defines "personal data" as any information that is linked or reasonably linkable to an identified or identifiable natural person. De-identified data and publicly available information are excluded from this definition.
Sensitive Data Categories
"Sensitive data" receives heightened protections under the KCDPA and includes:
- Personal data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data processed for the purpose of uniquely identifying a natural person
- Biometric data used to identify a specific individual
- Personal data collected from a known child
- Precise geolocation data
Controllers must obtain the consumer's opt-in consent before processing any category of sensitive data. That consent must be freely given, specific, informed, and unambiguous.
Children's Data Protections
The KCDPA treats personal data collected from a known child as sensitive data, requiring opt-in consent. Controllers that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (COPPA) are deemed compliant with the KCDPA's requirements for children's data.
The Kentucky Attorney General demonstrated early commitment to enforcing children's data protections. On January 8, 2026, just eight days after the KCDPA took effect, the AG's office filed its first enforcement action against Character Technologies, the operator of the Character.AI chatbot platform, alleging the company failed to obtain parental consent before collecting and processing children's data.
Sale of Personal Data
The KCDPA defines the "sale" of personal data narrowly, covering only exchanges of personal data for monetary consideration. This is a business-friendly definition that mirrors the approach used in Virginia and Utah, and excludes data exchanges made for other types of valuable consideration such as improved services or analytics.
Controller and Processor Obligations
Controller Duties
Businesses that qualify as data controllers under the KCDPA must meet several core obligations outlined in KRS 367.3617:
Data minimization. Controllers must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purpose.
Purpose limitation. Controllers must not process personal data for purposes that are not reasonably necessary to or compatible with the purposes they disclosed to consumers.
Security practices. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Nondiscrimination. Controllers must not discriminate against consumers who exercise their data privacy rights, though reasonable differences related to loyalty, rewards, or premium programs are permitted.
Privacy notice. Controllers must provide a clear, accessible privacy notice that discloses the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties.
Disclosure of sales and targeted advertising. If a controller sells personal data or processes it for targeted advertising, it must clearly and conspicuously disclose that practice.
Processor Duties
Data processors acting on behalf of controllers must enter into binding contracts that include provisions outlined in KRS 367.3619. These contracts must require the processor to:
- Follow the controller's instructions regarding data processing
- Maintain confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the controller in responding to consumer rights requests
- Cooperate with data protection assessments
- Delete or return personal data at the end of the contract relationship
- Allow the controller to conduct compliance audits or designate a qualified assessor
Data Protection Assessments
The KCDPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk to consumers. These assessments apply to processing activities created or generated on or after June 1, 2026.
Assessments are required for the following activities:
- Processing personal data for targeted advertising
- Selling personal data
- Profiling that presents a foreseeable risk of unfair or deceptive treatment, disparate impact, financial or physical or reputational injury, or intrusion on solitude or seclusion
- Processing sensitive data
- Any processing activity that presents a heightened risk of harm to consumers
Each assessment must identify and weigh the benefits of the processing activity to the controller, the consumer, other stakeholders, and the public against the potential risks to consumer rights. The Attorney General can request these assessments during investigations.
Controllers may use data protection assessments conducted under other reasonably comparable laws, including the European Union's General Data Protection Regulation (GDPR), to satisfy the KCDPA requirement.
Enforcement and Penalties
Attorney General Authority
The Kentucky Attorney General has exclusive enforcement authority over the KCDPA. The law does not create a private right of action, meaning individual consumers cannot sue businesses directly for KCDPA violations.
The AG's Office of Data Privacy was created specifically to enforce the KCDPA. This office has the authority to seek injunctive relief, civil penalties, and reasonable attorneys' fees and investigative costs.
30-Day Cure Period
Before filing a formal enforcement action, the Attorney General must provide the business with a written notice identifying the specific alleged violation and allow 30 days to cure the violation.
If the business cures the violation within 30 days and provides a written statement with supporting documentation that the violation has been remedied and will not recur, the AG cannot pursue enforcement for that specific violation.
This 30-day cure period is permanent. Unlike the cure periods in New Hampshire, New Jersey, and several other state privacy laws, the KCDPA's cure provision does not include a sunset date. Businesses will always have the opportunity to cure violations before facing penalties.
Civil Penalties
If a business fails to cure a violation within the 30-day window, or if it breaches its written compliance commitment, the Attorney General can pursue civil penalties of up to $7,500 per violation. The AG can also seek injunctive relief and recover attorneys' fees and investigation costs.
Consumer Privacy Fund
The KCDPA established a Consumer Privacy Fund (KRS 367.3629) to receive any penalties collected through enforcement actions. These funds support ongoing privacy enforcement efforts.
Penalty Summary Table
| Law | Statute | Penalty Per Violation | Cure Period | Enforced By |
|---|---|---|---|---|
| KCDPA | KRS 367.3611-367.3629 | Up to $7,500 | 30 days (permanent) | Attorney General |
| Data Breach Notification | KRS 365.732 | Damages under KRS 446.070 | None | Private action via KRS 446.070 |
Kentucky Data Breach Notification Law (KRS 365.732)
Kentucky's data breach notification law, KRS 365.732, has been in effect since 2014 and operates independently of the KCDPA. It applies to any person or business entity that conducts business in Kentucky and owns, licenses, or maintains computerized personal information.
What Triggers a Notification
A notification obligation arises when there is an unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personal information, and the breach actually causes, or is reasonably believed to have caused or to be likely to cause, identity theft or fraud against a Kentucky resident.
Protected Personal Information
Under KRS 365.732, personal information is defined as an individual's first name or first initial and last name combined with one or more of these data elements:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password
The information must be unencrypted and unredacted to trigger notification obligations. If the compromised data was encrypted or redacted, notification is not required.
Notification Timeline and Methods
Kentucky does not set a specific number of days for breach notification. Instead, the law requires notification in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and measures necessary to determine the scope of the breach.
Notification may be provided through:
- Written notice sent to the affected individual
- Electronic notice (consistent with the federal E-SIGN Act)
- Telephone notice
- Substitute notice (when specific conditions are met)
Substitute Notice
A business may use substitute notice if the cost of direct notification would exceed $250,000, the number of affected individuals exceeds 500,000, or the business does not have sufficient contact information. Substitute notice requires all three of the following:
- Email notice to affected individuals for whom email addresses are available
- Conspicuous posting on the business's website
- Notification to major statewide media outlets
Large-Scale Breach Reporting
When a breach affects more than 1,000 individuals at one time, the business must also notify all nationwide consumer reporting agencies about the timing, distribution, and content of the breach notices.
Exemptions from Breach Notification
The breach notification law does not apply to entities already subject to the Gramm-Leach-Bliley Act or HIPAA, as those entities follow separate federal breach notification requirements. State and local government bodies follow separate breach notification provisions under KRS 61.931 through 61.934.
Breach Notification Enforcement
KRS 365.732 does not contain a specific penalty provision or direct enforcement mechanism. However, injured individuals may seek damages under KRS 446.070, Kentucky's general statute allowing private actions for violations of state law.

A good-faith acquisition of personal information by an employee or agent of the business entity is not considered a breach, provided there is no further unauthorized disclosure.
How the KCDPA Compares to Other State Privacy Laws
The KCDPA is widely regarded as one of the more business-friendly comprehensive state privacy laws. Several provisions distinguish it from stricter frameworks in California, Colorado, and other states.
No universal opt-out requirement. Unlike California, Colorado, Connecticut, Montana, Delaware, and several other states, Kentucky does not require businesses to honor Global Privacy Control or similar universal opt-out signals.
Permanent cure period. The 30-day cure period never expires. In New Hampshire and New Jersey, the right to cure sunsets after an initial period. Kentucky gives businesses a permanent opportunity to fix violations before facing penalties.
Narrow sale definition. The KCDPA only covers data exchanges made for monetary consideration. States like California and Colorado define "sale" more broadly to include exchanges for other valuable consideration.
No authorized agent provisions. Consumers cannot designate a third party to submit data rights requests on their behalf.
Broad entity exemptions. The KCDPA exempts nonprofits and higher education institutions, which are covered under some other state laws.
Filing a Data Privacy Complaint in Kentucky
If you believe a business has violated your rights under the KCDPA, you can contact the Kentucky Attorney General's Office of Data Privacy. This office was established specifically to handle KCDPA enforcement and consumer complaints.
You can also file a general consumer protection complaint through the Attorney General's Consumer Protection Division.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Kentucky for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- Kentucky Revised Statutes Chapter 367 - Consumer Data Protection (apps.legislature.ky.gov)
- KRS 367.3611 - KCDPA Definitions (apps.legislature.ky.gov)
- KRS 367.3615 - Consumer Rights Under KCDPA (apps.legislature.ky.gov)
- Chapter 72 (HB 15) - Enrolled Act Text (apps.legislature.ky.gov)
- Kentucky Attorney General - Office of Data Privacy (ag.ky.gov)
- Kentucky Attorney General - KCDPA Consumer Rights (ag.ky.gov)
- KRS 365.732 - Data Breach Notification (apps.legislature.ky.gov)
- KRS 367.3619 - Processor Contract Requirements (apps.legislature.ky.gov)
- KRS 61.931-61.934 - Government Entity Breach Notification (apps.legislature.ky.gov)
- Federal Trade Commission - Gramm-Leach-Bliley Act (ftc.gov)
- U.S. Department of Health and Human Services - HIPAA (hhs.gov)
- Federal Trade Commission - COPPA Rule (ftc.gov)
- U.S. Department of Education - FERPA (ed.gov)
- 24RS HB 15 - Bill Record (apps.legislature.ky.gov)