Kentucky Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Kentucky does not have a standalone biometric privacy statute like Illinois's BIPA or Texas's CUBI. Instead, biometric data protections in the state come primarily from the Kentucky Consumer Data Protection Act (KCDPA), a comprehensive consumer privacy law that classifies biometric identifiers as sensitive data requiring affirmative consent.
Governor Andy Beshear signed House Bill 15 into law on April 4, 2024, making Kentucky the 16th state to enact a comprehensive consumer data privacy law. The KCDPA took effect on January 1, 2026.
For an overview of Kentucky's broader privacy framework, see the parent guide to Kentucky Data Privacy Laws.
How the KCDPA Defines Biometric Data
The KCDPA defines biometric data under KRS 367.3611 as data generated by automatic measurements of an individual's biological characteristics that are used to identify a specific individual. The statute lists these examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics
The law draws a clear boundary around what does not qualify. A physical or digital photograph, a video or audio recording, or data generated from those recordings is not biometric data unless that data is specifically generated to identify a specific individual.
This definition follows the approach used in Connecticut's privacy law and several other state comprehensive privacy statutes. It is narrower than the definition used in Illinois's BIPA, which covers a broader set of biometric identifiers without the same exclusions.
The KCDPA also excludes information collected, used, or stored for health care treatment, payment, or operations under HIPAA from the biometric data definition.

Sensitive Data Classification and Consent
Under the KCDPA, biometric data processed for the purpose of uniquely identifying an individual qualifies as "sensitive data." This is the highest protection category in the law.
Other categories of sensitive data under KRS 367.3611 include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data processed for identification
- Precise geolocation data
- Personal data collected from a known child under 13
Consent requirement. Controllers must obtain a consumer's opt-in consent before processing sensitive data, including biometric data. This means a business cannot collect your fingerprint, faceprint, or iris scan for identification purposes without first asking for and receiving your affirmative agreement.
This consent must be freely given, specific, informed, and unambiguous. A buried clause in a terms-of-service agreement does not meet this standard.
Who Must Comply
The KCDPA applies to entities that conduct business in Kentucky or produce products or services targeted to Kentucky residents and meet one of these thresholds:
- Process personal data of 100,000 or more Kentucky consumers during a calendar year, or
- Process personal data of 25,000 or more Kentucky consumers and derive over 50% of gross revenue from the sale of personal data
The term "sale" under the KCDPA covers only exchanges for monetary consideration. This is narrower than the definition used in states like California, whose laws also cover exchanges for non-monetary consideration.
Key Exemptions
The KCDPA carves out several categories of entities and data types from coverage:
Entity exemptions:
- HIPAA-covered entities and their business associates
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Nonprofit organizations
- Higher education institutions
- Government agencies
Data exemptions:
- Data regulated under HIPAA
- Data governed by the Fair Credit Reporting Act (FCRA)
- Data covered by the Family Educational Rights and Privacy Act (FERPA)
- Data under the Driver's Privacy Protection Act (DPPA)
- Data regulated under the Farm Credit Act

Employee data exemption. The KCDPA excludes persons acting in a commercial or employment context from the definition of "consumer." Data processed about an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party is exempt when used in the context of that role.
This means that if your employer collects your fingerprints for a timekeeping system or uses facial recognition for building access, the KCDPA does not apply to that collection. Kentucky does not have a separate law regulating employer use of biometric data.
Consumer Rights Over Biometric Data
Because biometric data is sensitive personal data under the KCDPA, Kentucky consumers have these rights under KRS 367.3615:
Right to confirm and access. You can ask any covered business whether it is processing your biometric data and request access to that data.
Right to correct. If a business holds inaccurate biometric data about you, you can request a correction.
Right to delete. You can request that a business delete the biometric data it holds about you.
Right to data portability. You can obtain a copy of your biometric data in a portable and readily usable format.
Right to opt out. You can opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
Right to non-discrimination. Businesses cannot penalize you for exercising any of these rights by denying goods or services, charging different prices, or providing a different quality of service.
Businesses must respond to consumer rights requests within 45 days. They can extend this period by an additional 45 days when reasonably necessary, but must notify the consumer of the extension and the reason for it.
Data Protection Assessments
Controllers that process sensitive data, including biometric data, must conduct data protection assessments under the KCDPA. These assessments apply to processing activities created or generated on or after June 1, 2026.
A data protection assessment must weigh the benefits of the processing against the potential risks to the consumer, including risks of:
- Unfair or deceptive treatment or unlawful disparate impact
- Financial, physical, or reputational injury
- Intrusion upon solitude or seclusion
- Other substantial injury
The Kentucky Attorney General can request these assessments during an investigation. They are considered confidential and exempt from public inspection under the Kentucky Open Records Act.
Breach Notification and Biometric Data
Separate from the KCDPA, Kentucky's breach notification law at KRS 365.732 requires businesses to notify affected individuals when a security breach compromises their unencrypted personal information.
Kentucky's definition of personal information for breach notification purposes includes an individual's name in combination with a unique biometric or genetic print or image. This means that if a data breach exposes biometric data linked to your name, the entity holding that data must notify you.
The notification obligation applies to any entity that conducts business in Kentucky and owns or licenses computerized data containing personal information of Kentucky residents. There is no minimum size threshold for this requirement.
Kentucky law does not specify an exact timeline for notification. Instead, it requires notification in the most expedient time possible, without unreasonable delay, consistent with the needs of law enforcement and any investigation.
Enforcement and Penalties

The Kentucky Attorney General has exclusive enforcement authority over the KCDPA. There is no private right of action, which means individual consumers cannot file lawsuits against businesses for KCDPA violations.
The enforcement process works as follows:
- The Attorney General's Office of Data Privacy identifies a potential violation
- The office notifies the business in writing, identifying the specific provisions believed to have been violated
- The business has 30 days to cure the alleged violation
- If the business cures the violation and provides a written statement that it will not engage in further violations, the Attorney General takes no action
- If the business fails to cure, the Attorney General can bring a civil action with penalties of up to $7,500 per violation
The 30-day cure period is permanent. Unlike privacy laws in some other states, the KCDPA's cure provision does not sunset, giving businesses an ongoing opportunity to correct violations before facing penalties.
Consumers can file complaints with the Kentucky Attorney General's Office of Data Privacy. The office can be reached at (502) 892-8538.

How Kentucky Compares to Other States
Kentucky's approach to biometric privacy falls in the middle of the spectrum among U.S. states:
Stronger than states with no protections. Many states still lack any specific biometric data protections. Kentucky's classification of biometric data as sensitive data requiring consent puts it ahead of states like Georgia, which has no dedicated biometric privacy statute and no comprehensive privacy law in effect.
Weaker than dedicated biometric privacy laws. States like Illinois, Texas, and Washington have standalone biometric privacy statutes with specific requirements for notice, consent, retention schedules, and data destruction. Illinois's BIPA includes a private right of action that has produced significant litigation and settlements.
Similar to other comprehensive privacy law states. Kentucky's approach closely mirrors states like Connecticut, Indiana, Montana, and Tennessee, which all classify biometric data as sensitive data within their comprehensive consumer privacy frameworks and require opt-in consent for processing.
Sources and References
This article references Kentucky statutes and official state government publications. For the full text of the KCDPA, visit the Kentucky Legislature website. For guidance on consumer rights and filing complaints, visit the Kentucky Attorney General's Office of Data Privacy.
This article provides general legal information about Kentucky biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Kentucky government sources.
- Kentucky Consumer Data Protection Act (HB 15), apps.legislature.ky.gov
- KRS 367.3611 - KCDPA Definitions, apps.legislature.ky.gov
- KRS 367.3615 - Consumer Rights, apps.legislature.ky.gov
- KRS 365.732 - Breach Notification, apps.legislature.ky.gov
- KCDPA Chapter 72 Acts (Enrolled Bill), apps.legislature.ky.gov
- Kentucky AG - Consumer Rights Under KCDPA, ag.ky.gov
- Kentucky AG - Office of Data Privacy, ag.ky.gov
- KRS 367.3613 - Application and Limitations, apps.legislature.ky.gov