KCDPA Compliance Checklist: Kentucky Privacy Law

Complying with the Kentucky Consumer Data Protection Act (KCDPA), KRS 367.3611 to 367.3629, means confirming whether you are covered, posting a conforming privacy notice, getting opt-in consent before processing sensitive data, building consumer-rights and opt-out workflows, conducting data protection assessments, and signing KCDPA-compliant processor contracts. The act took effect January 1, 2026, so covered businesses are obligated now.
As of 2026, the Kentucky Attorney General enforces the KCDPA exclusively under KRS 367.3627, with a permanent 30-day cure period and civil penalties up to $7,500 per violation deposited into a consumer privacy fund. There is no private right of action, and because Kentucky's law closely mirrors Virginia's, a Virginia-ready program needs only modest tailoring.
Jurisdiction scope: This checklist covers the Kentucky Consumer Data Protection Act (KRS 367.3611 to 367.3629). It is general legal information, not legal advice.
Step 1: Determine whether you are covered
The first task is the applicability analysis in KRS 367.3613. The KCDPA reaches a person that conducts business in Kentucky or targets Kentucky residents and that, in a calendar year, controls or processes the personal data of at least 100,000 consumers, or at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of personal data.
Count only "consumers," which KRS 367.3611 defines as Kentucky residents acting in an individual context. Employee and business-to-business contacts do not count toward the threshold, so a company should scope its count to consumer-facing data.
Then run the exemption screen under KRS 367.3613(2) and (3). Government bodies, GLBA-covered financial institutions, HIPAA-covered entities and business associates, nonprofits, and institutions of higher education are exempt at the entity level, and specific data sets such as FCRA, FERPA, and employment data are exempt at the data level. A business can be wholly or partly outside the law, so document the analysis before building controls.
Step 2: Publish a conforming privacy notice
If you are covered, the privacy notice is the most visible obligation. KRS 367.3617(3) requires a reasonably accessible, clear, and meaningful privacy notice with specific contents.
The notice must list the categories of personal data the controller processes, the purpose for processing, and how consumers can exercise their rights under KRS 367.3615, including how to appeal a decision. It must also state the categories of personal data shared with third parties and the categories of third parties that receive the data.
There is an extra disclosure for data sales and targeted advertising. Under KRS 367.3617(4), if a controller sells personal data or processes it for targeted advertising, it must clearly and conspicuously disclose that activity and the manner in which a consumer may opt out.

Step 3: Get opt-in consent for sensitive data
Sensitive data triggers the strictest rule in the act. Under KRS 367.3617(1)(e), a controller may not process sensitive data without first obtaining the consumer's consent.
Sensitive data under KRS 367.3611 includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, plus genetic or biometric data used to identify a person, a known child's data, and precise geolocation data. Map where each category lives in your systems before launch.
Consent must be a clear affirmative act that is freely given, specific, informed, and unambiguous. For data collected from a known child, the controller must instead comply with the federal Children's Online Privacy Protection Act, and KRS 367.3613(4) deems COPPA-compliant parental consent sufficient for the act's parental-consent obligations.
Step 4: Build consumer-rights and opt-out workflows
Covered controllers need an operational pipeline to handle the rights in KRS 367.3615. Consumers can confirm and access, correct, delete, obtain a portable copy, and opt out of targeted advertising, data sales, and profiling.
Set the clock to 45 days. KRS 367.3615(3) requires a response without undue delay and within 45 days, with one permitted 45-day extension if you notify the consumer in time. Responses are free up to twice a year per consumer, and you may charge or decline only for excessive, repetitive, technically infeasible, or manifestly unfounded requests, with the burden on you.
Stand up a conspicuous appeal process under KRS 367.3615(4) with a 60-day response window, and provide a way to reach the Attorney General if you deny an appeal. Under KRS 367.3617(5) you cannot force a consumer to create a new account to exercise rights. Note that the KCDPA does not require honoring a universal opt-out signal such as the Global Privacy Control, so your own clearly disclosed opt-out methods satisfy the act, although a multistate program may choose to honor signals voluntarily. The KCDPA consumer rights guide details the request mechanics.
Step 5: Conduct data protection assessments
The KCDPA requires documented risk assessments for higher-risk processing. KRS 367.3621(1) lists the activities that trigger a data protection impact assessment.
Those activities are targeted advertising, the sale of personal data, sensitive-data processing, profiling that presents a reasonably foreseeable risk of unfair treatment or substantial injury, and any processing that presents a heightened risk of harm. Each assessment must weigh the benefits of the processing against the risks to consumers, as mitigated by safeguards.
Timing matters: KRS 367.3621(8) provides that the assessment requirement applies to processing activities created or generated on or after June 1, 2026. The Attorney General may demand an assessment relevant to an investigation under KRS 367.3621(3), and the assessments are confidential under the open-records exemption in KRS 367.3621(4). A single assessment can cover a comparable set of similar processing operations.

Step 6: Put KCDPA processor contracts in place
If a processor handles personal data on your behalf, KRS 367.3619 requires a written contract that governs the processing. The contract must set out the processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties.
The contract must also require the processor to keep personnel under a duty of confidentiality, to delete or return all personal data at the end of the services at the controller's direction, and to make available information needed to demonstrate compliance. The processor must allow reasonable assessments, or arrange an independent assessment, and must flow these obligations down to any subcontractor under a written contract.
Both sides keep their own liability. KRS 367.3619(3) provides that the contract does not relieve a controller or processor of the duties tied to its role, and whether a party is a controller or processor is a fact-based determination.
Step 7: Understand enforcement, cure, and penalties
The KCDPA is enforced only by the Attorney General. KRS 367.3627(1) gives the Attorney General exclusive authority to investigate and bring actions, and KRS 367.3627(4) makes clear there is no private right of action.
Before suing, the Attorney General must give 30 days' written notice identifying the alleged violations. If the controller or processor cures within those 30 days and provides a written statement that the violation is cured and will not recur, no damages action follows under KRS 367.3627(2). This 30-day cure period is permanent, with no sunset, which distinguishes Kentucky from states that let their cure windows expire.
If the violation is not cured, the Attorney General may seek civil penalties up to $7,500 for each continued violation under KRS 367.3627(3), plus investigation costs and fees under KRS 367.3627(5). Penalties are deposited into the consumer privacy fund created by KRS 367.3629, an Attorney-General-administered account used to fund enforcement. For the statutory background and the Virginia-clone framing, see the What is the KCDPA? guide.
| Compliance area | KCDPA section | Key requirement |
|---|---|---|
| Applicability | KRS 367.3613 | 100,000 consumers, or 25,000 plus 50% data-sale revenue |
| Privacy notice | KRS 367.3617(3) | Disclose data categories, purposes, rights, sharing |
| Sensitive data | KRS 367.3617(1)(e) | Opt-in consent before processing |
| Consumer requests | KRS 367.3615 | 45-day response; 60-day appeal |
| Assessments | KRS 367.3621 | Document risk for high-risk processing (from June 1, 2026) |
| Processor contracts | KRS 367.3619 | Confidentiality, deletion, audits, flow-down |
| Enforcement | KRS 367.3627 | AG-only; 30-day cure; up to $7,500 per violation |
Related guides
- Kentucky data privacy laws parent hub
- What is the KCDPA?
- KCDPA consumer rights
- State data privacy law comparison
- What is the CCPA?
Sources and References
- Kentucky HB 15 (2024): Kentucky Consumer Data Protection Act (Enrolled Bill Text) (legislature.ky.gov)
- KRS 367.3613: Application, Limitations, and Exemptions (legislature.ky.gov)
- KRS 367.3615: Consumer Rights Request and Appeal Process (legislature.ky.gov)
- KRS 367.3617: Controller Limitations, Privacy Notice, and Opt-Out Methods (legislature.ky.gov)
- KRS 367.3619: Processor Obligations and Controller-Processor Contract Requirements (legislature.ky.gov)
- KRS 367.3621: Data Protection Impact Assessment Requirements (legislature.ky.gov)
- KRS 367.3627: Attorney General Enforcement, Cure Period, and Civil Penalties (legislature.ky.gov)
- KRS 367.3629: Consumer Privacy Fund (legislature.ky.gov)
- Kentucky Attorney General: Office of Data Privacy and the KCDPA (ag.ky.gov)