Kentucky Data Privacy Laws: Consumer Rights Guide (2026)

The Kentucky Consumer Data Protection Act, codified at KRS 367.3611 through 367.3629, took effect January 1, 2026, granting Kentucky residents the right to access, correct, delete, and opt out of personal data processing. Qualifying businesses must comply, and the Kentucky Attorney General enforces the law with civil penalties up to $7,500 per violation.
Kentucky enacted one of the most significant data privacy laws in the nation when Governor Andy Beshear signed the Kentucky Consumer Data Protection Act into law on April 4, 2024. The KCDPA, codified at KRS 367.3611 through 367.3629, made Kentucky the fifteenth state to adopt a comprehensive consumer data privacy statute. It took effect January 1, 2026.
This guide covers the full scope of Kentucky's data privacy framework, including the KCDPA, the state's data breach notification law, the first enforcement action under the new law, federal overlay statutes, and practical steps for consumers and businesses.
Kentucky Consumer Data Protection Act (KCDPA)
The Kentucky Consumer Data Protection Act is codified in KRS 367.3611 through 367.3629. It governs how businesses collect, use, process, and store personal data belonging to Kentucky consumers.

The KCDPA closely resembles Virginia's Consumer Data Protection Act and Connecticut's Data Privacy Act. It establishes an opt-out framework for general personal data processing while requiring opt-in consent for sensitive data categories.
Who the KCDPA Applies To
The KCDPA applies to any person or entity that conducts business in the Commonwealth of Kentucky or produces products or services targeted to Kentucky residents, and that during a calendar year meets either of these thresholds:
Threshold one. Controls or processes the personal data of at least 100,000 Kentucky consumers.
Threshold two. Controls or processes the personal data of at least 25,000 Kentucky consumers while deriving over 50% of gross revenue from the sale of personal data.
Unlike some state privacy laws, the KCDPA does not include a separate revenue threshold. A business of any size can fall under the law if it meets one of the two processing thresholds above.
The law defines a "consumer" as a natural person who is a Kentucky resident acting in an individual context. People acting in a commercial or employment context are not considered consumers under the KCDPA.
Exempt Entities
The KCDPA exempts several categories of organizations from its requirements entirely:
- State agencies, city governments, and political subdivisions of the Commonwealth
- Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofit organizations
- Institutions of higher education
- Organizations that assist law enforcement with insurance fraud investigations
- Organizations assisting first responders during catastrophic events
- Certain small telephone utilities and Tier III CMRS providers
- Municipal utilities that do not sell or share consumer data with third-party processors
Data-Level Exemptions
Beyond entity-level exemptions, the KCDPA also exempts specific categories of data from its coverage, regardless of who holds the data:
- Publicly available information and de-identified data
- Data processed under the Fair Credit Reporting Act (FCRA)
- Data regulated under GLBA or HIPAA
- Data protected under the Driver's Privacy Protection Act (DPPA)
- Education records covered by the Family Educational Rights and Privacy Act (FERPA)
- Employment and independent contractor data
- Emergency contact information
- Farm Credit Act data
- Health care quality improvement and patient safety activity data
Consumer Rights Under the KCDPA
The KCDPA grants Kentucky residents five core rights over their personal data. These rights are detailed in KRS 367.3615.
Right to confirm and access. You can request that a business confirm whether it processes your personal data and obtain access to that data, provided the disclosure does not reveal trade secrets.
Right to correct. You can request that a business correct inaccurate personal data it holds about you.
Right to delete. You can request deletion of personal data you provided or that the business obtained about you.
Right to data portability. You can request a copy of your personal data in a portable and readily usable format, again subject to trade secret protections.
Right to opt out. You can opt out of the processing of your personal data for three specific purposes: targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.
How to Exercise Your Rights
Controllers must respond to consumer rights requests without undue delay and no later than 45 days after receiving the request. This window can be extended by an additional 45 days if reasonably necessary, as long as the controller notifies the consumer of the extension and explains the reason.
If a controller denies a request, it must provide an appeals process. Consumers who are dissatisfied with the outcome of an appeal can file a complaint with the Kentucky Attorney General's Office of Data Privacy.
No Authorized Agent or Universal Opt-Out
One notable limitation of the KCDPA is that it does not require controllers to recognize universal opt-out mechanisms such as Global Privacy Control (GPC). Consumers must submit individual opt-out requests directly to each business.
The KCDPA also does not provide a mechanism for authorized agents to submit requests on behalf of consumers. This stands in contrast to laws in California, Colorado, Connecticut, and several other states that require controllers to recognize authorized agents, universal opt-out signals, or both.
Personal Data and Sensitive Data Definitions
The KCDPA defines "personal data" as any information that is linked or reasonably linkable to an identified or identifiable natural person. De-identified data and publicly available information are excluded from this definition.

Sensitive Data Categories
"Sensitive data" receives heightened protections under the KCDPA and includes:
- Personal data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data processed for the purpose of uniquely identifying a natural person
- Biometric data used to identify a specific individual
- Personal data collected from a known child
- Precise geolocation data
Controllers must obtain the consumer's opt-in consent before processing any category of sensitive data. That consent must be freely given, specific, informed, and unambiguous.
Children's Data Protections
The KCDPA treats personal data collected from a known child as sensitive data, requiring opt-in consent. Controllers that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (COPPA) are deemed compliant with the KCDPA's requirements for children's data.
The Kentucky Attorney General demonstrated immediate commitment to enforcing children's data protections. On January 8, 2026, just eight days after the KCDPA took effect, AG Russell Coleman filed suit in Franklin Circuit Court against Character Technologies, the operator of the Character.AI chatbot platform. The complaint alleged the company failed to obtain parental consent before collecting and processing children's sensitive data, exposed minors to harmful content, and repurposed private emotional disclosures and health statements to train AI models without consent. The AG sought $2,000 per count in civil relief, plus injunctive relief.
Notably, the AG filed without first issuing the 30-day cure notice the KCDPA ordinarily requires. The complaint pursued claims under both the KCDPA and the Kentucky Consumer Protection Act, a consumer-protection statute that does not carry a statutory cure-period requirement. This enforcement approach signals that the AG's office will pursue children's data violations aggressively, potentially pairing KCDPA claims with other statutes to work around the cure period when sensitive data is involved.
Sale of Personal Data
The KCDPA defines the "sale" of personal data narrowly, covering only exchanges of personal data for monetary consideration. This is a business-friendly definition that mirrors the approach used in Virginia and Utah, and excludes data exchanges made for other types of valuable consideration such as improved services or analytics.
Controller and Processor Obligations
Controller Duties
Businesses that qualify as data controllers under the KCDPA must meet several core obligations outlined in KRS 367.3617:
Data minimization. Controllers must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purpose.
Purpose limitation. Controllers must not process personal data for purposes that are not reasonably necessary to or compatible with the purposes they disclosed to consumers.
Security practices. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Nondiscrimination. Controllers must not discriminate against consumers who exercise their data privacy rights, though reasonable differences related to loyalty, rewards, or premium programs are permitted.
Privacy notice. Controllers must provide a clear, accessible privacy notice that discloses the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties.
Disclosure of sales and targeted advertising. If a controller sells personal data or processes it for targeted advertising, it must clearly and conspicuously disclose that practice.
Processor Duties
Data processors acting on behalf of controllers must enter into binding contracts that include provisions outlined in KRS 367.3619. These contracts must require the processor to:
- Follow the controller's instructions regarding data processing
- Maintain confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the controller in responding to consumer rights requests
- Cooperate with data protection assessments
- Delete or return personal data at the end of the contract relationship
- Allow the controller to conduct compliance audits or designate a qualified assessor
Data Protection Assessments
The KCDPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk to consumers. These assessment requirements apply to processing activities created or generated on or after June 1, 2026.
Compliance note: as of this guide's writing (May 2026), the June 1, 2026 assessment date is imminent. Controllers that have not yet established assessment procedures for targeted advertising, data sales, sensitive data processing, and high-risk profiling should treat it as an urgent deadline.
Assessments are required for the following activities:
- Processing personal data for targeted advertising
- Selling personal data
- Profiling that presents a foreseeable risk of unfair or deceptive treatment, disparate impact, financial or physical or reputational injury, or intrusion on solitude or seclusion
- Processing sensitive data
- Any processing activity that presents a heightened risk of harm to consumers
Each assessment must identify and weigh the benefits of the processing activity to the controller, the consumer, other stakeholders, and the public against the potential risks to consumer rights. The Attorney General can request these assessments during investigations.
Controllers may use data protection assessments conducted under other reasonably comparable laws, including the European Union's General Data Protection Regulation (GDPR), to satisfy the KCDPA requirement.
Enforcement and Penalties

Attorney General Authority
The Kentucky Attorney General has exclusive enforcement authority over the KCDPA. The law does not create a private right of action, meaning individual consumers cannot sue businesses directly for KCDPA violations.
The AG's Office of Data Privacy was created specifically to enforce the KCDPA. This office has the authority to seek injunctive relief, civil penalties, and reasonable attorneys' fees and investigative costs.
30-Day Cure Period
Before filing a formal enforcement action, the Attorney General must ordinarily provide the business with a written notice identifying the specific alleged violation and allow 30 days to cure the violation. If the business cures the violation within 30 days and provides a written statement with supporting documentation that the violation has been remedied and will not recur, the AG cannot pursue enforcement for that specific violation.
This 30-day cure period is permanent. Unlike the cure periods in New Hampshire, New Jersey, and several other state privacy laws, the KCDPA's cure provision has no sunset date. The cure right attaches to claims brought under the KCDPA itself, however, so how much protection it provides in practice depends on which statutes the AG chooses to plead.
The first KCDPA enforcement action, filed January 8, 2026 against Character Technologies, showed exactly that: the AG paired KCDPA claims with claims under the Kentucky Consumer Protection Act, which carries no cure-notice requirement, and filed without first issuing a cure notice. Hunton Andrews Kurth noted that this dual-statute approach is a significant development for businesses assessing their KCDPA risk exposure.
Civil Penalties
If a business fails to cure a violation within the 30-day window, or if it breaches its written compliance commitment, the Attorney General can pursue civil penalties of up to $7,500 per violation. The AG can also seek injunctive relief and recover attorneys' fees and investigation costs.
Consumer Privacy Fund
The KCDPA established a Consumer Privacy Fund (KRS 367.3629) to receive any penalties collected through enforcement actions. These funds support ongoing privacy enforcement efforts.
First Enforcement Action: Character.AI (January 2026)
On January 8, 2026, AG Russell Coleman announced a suit against Character Technologies in Franklin Circuit Court. The complaint alleged that the company's platform preyed on children by failing to implement meaningful protections for minors, including processing minors' sensitive data without parental consent, failing to implement age verification, exposing children to harmful AI-generated content, and using private emotional disclosures and health statements to train AI models. The AG sought $2,000 per count in civil relief plus injunctive relief. The case remains ongoing as of May 2026.
Penalty Summary Table
| Law | Statute | Penalty Per Violation | Cure Period | Enforced By |
|---|---|---|---|---|
| KCDPA | KRS 367.3611-367.3629 | Up to $7,500 | 30 days (permanent) | Attorney General |
| Data Breach Notification | KRS 365.732 | Damages under KRS 446.070 | None | Private action via KRS 446.070 |
Kentucky Data Breach Notification Law (KRS 365.732)
Kentucky's data breach notification law, KRS 365.732, has been in effect since 2014 and operates independently of the KCDPA. It applies to any person or business entity that conducts business in Kentucky and owns, licenses, or maintains computerized personal information.

What Triggers a Notification
A notification obligation arises when there is an unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personal information, and the breach actually causes or is reasonably believed to have caused or will cause identity theft or fraud against a Kentucky resident.
Protected Personal Information
Under KRS 365.732, personal information is defined as an individual's first name or first initial and last name combined with one or more of these data elements:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password
The information must be unencrypted and unredacted to trigger notification obligations. If the compromised data was encrypted or redacted, notification is not required. Whether the encryption actually protected the data in the incident at hand (for example, whether the key or the decrypting application was also compromised) is a factual question a security team should document alongside the breach assessment rather than assume.
Notification Timeline and Methods
Kentucky does not set a specific number of days for breach notification. Instead, the law requires notification in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and measures necessary to determine the scope of the breach.
Notification may be provided through:
- Written notice sent to the affected individual
- Electronic notice (consistent with the federal E-SIGN Act)
- Telephone notice
- Substitute notice (when specific conditions are met)
Substitute Notice
A business may use substitute notice if the cost of direct notification would exceed $250,000, the number of affected individuals exceeds 500,000, or the business does not have sufficient contact information. Substitute notice requires all three of the following:
- Email notice to affected individuals for whom email addresses are available
- Conspicuous posting on the business's website
- Notification to major statewide media outlets
Large-Scale Breach Reporting
When a breach affects more than 1,000 individuals at one time, the business must also notify all nationwide consumer reporting agencies about the timing, distribution, and content of the breach notices.
Exemptions from Breach Notification
The breach notification law does not apply to entities already subject to the Gramm-Leach-Bliley Act or HIPAA, as those entities follow separate federal breach notification requirements. State and local government bodies follow separate breach notification provisions under KRS 61.931 through 61.934.
Breach Notification Enforcement
KRS 365.732 does not contain a specific penalty provision or direct enforcement mechanism. However, injured individuals may seek damages under KRS 446.070, Kentucky's general statute allowing private actions for violations of state law. A good-faith acquisition of personal information by an employee or agent of the business entity is not considered a breach, provided there is no further unauthorized disclosure.
Federal Privacy Laws That Apply in Kentucky
Several federal statutes create data privacy and security obligations that apply alongside the KCDPA. Businesses operating in Kentucky must account for all applicable layers.

TAKE IT DOWN Act (Pub. L. 119-12). The law was signed May 19, 2025, and its criminal prohibition on publishing nonconsensual intimate images took effect immediately. Its platform obligations took effect one year later, and the FTC began enforcing them on May 19, 2026. Covered online platforms must establish a process for victims to request removal of nonconsensual intimate images, including AI-generated deepfakes, and must remove that content and known identical copies within 48 hours of a valid request. Civil penalties for platform violations can reach $53,088 per violation.
HIPAA. The Health Insurance Portability and Accountability Act governs how covered entities (health plans, providers, and clearinghouses) and their business associates collect, use, and disclose protected health information. HIPAA-regulated entities are exempt from the KCDPA's scope entirely.
Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to explain their information-sharing practices to customers and to protect sensitive data. GLBA-regulated institutions are exempt from the KCDPA.
FCRA and FACTA. The Fair Credit Reporting Act governs consumer reporting agencies and the use of consumer report information. FCRA-covered data is exempt from the KCDPA.
COPPA. The Children's Online Privacy Protection Act requires verifiable parental consent before collecting personal information from children under 13. The KCDPA treats COPPA compliance as satisfying the KCDPA's children's data consent requirements.
FTC Act Section 5. The FTC's general authority to prohibit deceptive or unfair business practices applies to any entity subject to FTC jurisdiction, regardless of whether a state privacy law covers it.
How the KCDPA Compares to Other State Privacy Laws
The KCDPA is widely regarded as one of the more business-friendly comprehensive state privacy laws enacted through 2026. Several provisions distinguish it from stricter frameworks.
The KCDPA took effect January 1, 2026, alongside two other state privacy laws: Indiana's Consumer Data Protection Act (INCDPA) and Rhode Island's Data Transparency and Privacy Protection Act (RIDTPPA). Privacy practitioners refer to this group as the "2026 trinity." All three share similar consumer-rights frameworks, but Kentucky is the most business-friendly of the three because of its permanent cure period and its narrow "sale" definition covering only monetary exchanges.
| Feature | Kentucky KCDPA | Indiana INCDPA | Rhode Island RIDTPPA |
|---|---|---|---|
| Effective date | Jan 1, 2026 | Jan 1, 2026 | Jan 1, 2026 |
| Consumer threshold | 100,000 / 25,000 + 50% | 100,000 / 25,000 + 50% | 35,000 / 10,000 + 20% |
| Universal opt-out (GPC) | Not required | Not required | Required |
| Private right of action | No | No | No |
| Cure period | 30 days (permanent) | 30 days (permanent) | 30 days (sunsets Jan 2028) |
| Max penalty per violation | $7,500 | $7,500 | $10,000 |
| Enforced by | AG | AG | AG |
No universal opt-out requirement. Unlike California, Colorado, Connecticut, Montana, Delaware, and several other states, Kentucky does not require businesses to honor Global Privacy Control or similar universal opt-out signals. A business that also serves consumers in those states still has to process the signal for them, so many multistate operators find it simpler to honor GPC everywhere than to carve out Kentucky.
Permanent cure period. The 30-day cure period never expires. In New Hampshire, New Jersey, and Rhode Island, the right to cure sunsets after an initial period. Kentucky gives businesses a permanent opportunity to fix violations before facing penalties, subject to the AG's discretion in enforcement strategy.
Narrow sale definition. The KCDPA only covers data exchanges made for monetary consideration. States like California and Colorado define "sale" more broadly to include exchanges for other valuable consideration.
No authorized agent provisions. Consumers cannot designate a third party to submit data rights requests on their behalf.
Broad entity exemptions. The KCDPA exempts nonprofits and higher education institutions, which are covered under some other state laws.
Practical Compliance Steps for Businesses
Businesses that fall within the KCDPA's thresholds and are not fully exempt have been subject to the law since January 1, 2026; the data protection assessment obligation attaches June 1, 2026. Confirm that the following are in place:
1. Confirm scope. Determine whether you meet either the 100,000-consumer or the 25,000-consumer-plus-50%-revenue threshold. Document your determination.
2. Update your privacy notice. Your public-facing privacy notice must disclose the categories of personal data you process, the purposes, how consumers exercise their five KCDPA rights, and which third parties receive your data.
3. Build a rights-request process. You need a mechanism for consumers to submit and track requests to access, correct, delete, and port their data, and to opt out of data sales, targeted advertising, and profiling. You must respond within 45 days.
4. Audit your sensitive data processing. If you process any sensitive data categories (health diagnoses, biometrics, children's data, precise geolocation, and others listed above), verify you have opt-in consent in place. This requirement has applied since January 1, 2026; it is not tied to the June 1 assessment date.
5. Complete data protection assessments by June 1, 2026. For all processing activities in categories covered by KRS 367.3621 that are initiated on or after June 1, 2026, you must document a formal assessment weighing benefits against consumer risks. Prior-initiated activities are grandfathered.
6. Review processor contracts. Any data processing agreement with a vendor must include the provisions required by KRS 367.3619, including the right to audit, instructions on return or deletion of data, and confidentiality obligations.
7. Assess TAKE IT DOWN Act obligations. If you operate an online platform that hosts user-generated content, review whether the TAKE IT DOWN Act's takedown-request process requirements apply to your platform beginning May 19, 2026.
Filing a Data Privacy Complaint in Kentucky
If you believe a business has violated your rights under the KCDPA, you can contact the Kentucky Attorney General's Office of Data Privacy. This office was established specifically to handle KCDPA enforcement and consumer complaints.
You can also file a general consumer protection complaint through the Attorney General's Consumer Protection Division.
Sources and References
- Kentucky Revised Statutes Chapter 367 - Consumer Data Protection (KCDPA) (apps.legislature.ky.gov)
- KRS 367.3611 - KCDPA Definitions (apps.legislature.ky.gov)
- KRS 367.3615 - Consumer Rights Under KCDPA (apps.legislature.ky.gov)
- KRS 367.3619 - Processor Contract Requirements (apps.legislature.ky.gov)
- Chapter 72 (HB 15) - KCDPA Enrolled Act Text (apps.legislature.ky.gov)
- 24RS HB 15 - Bill Record (apps.legislature.ky.gov)
- Kentucky Attorney General - Office of Data Privacy (ag.ky.gov)
- Kentucky Attorney General - KCDPA Consumer Rights (ag.ky.gov)
- AG Coleman - Character AI Enforcement Press Release (kentucky.gov)
- KRS 365.732 - Data Breach Notification (apps.legislature.ky.gov)
- KRS 61.931-61.934 - Government Entity Breach Notification (apps.legislature.ky.gov)
- FTC - TAKE IT DOWN Act Enforcement Begins May 19, 2026 (ftc.gov)
- FTC - Complying With the Take It Down Act (ftc.gov)
- Federal Trade Commission - Gramm-Leach-Bliley Act (ftc.gov)
- U.S. Department of Health and Human Services - HIPAA (hhs.gov)
- Federal Trade Commission - COPPA Rule (ftc.gov)
- U.S. Department of Education - FERPA (ed.gov)
- Hunton Andrews Kurth - Kentucky AG First Enforcement Action Under KCDPA (hunton.com)
- Koley Jessen - New State Privacy Laws Effective January 1, 2026 (koleyjessen.com)
- Davis Wright Tremaine - Kentucky Data Breach Notification Chart (dwt.com)