KCDPA Consumer Rights: Kentucky Privacy Rights Guide

Under the Kentucky Consumer Data Protection Act (KCDPA), KRS 367.3615, Kentucky residents have the right to confirm and access their personal data, correct inaccuracies, delete their data, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. A covered controller must respond to a verified request without undue delay, and in all cases within 45 days.
As of 2026, these rights are enforced solely by the Kentucky Attorney General under KRS 367.3627; there is no private right of action. If a controller denies a request, KRS 367.3615(4) gives the consumer an internal appeal and a path to complain to the Attorney General's Office of Data Privacy.
Jurisdiction scope: This guide covers the Kentucky Consumer Data Protection Act (KRS 367.3611 to 367.3629). It is general legal information, not legal advice.
The five core rights under the KCDPA
KRS 367.3615(2) sets out the rights a covered controller must honor when it receives an authenticated consumer request. The structure tracks Virginia's law closely, so the rights mirror the now-standard state privacy package.
The first right is to confirm and access. A consumer can ask a controller to confirm whether it is processing the consumer's personal data and to access that data, unless doing so would require the controller to reveal a trade secret.
The second right is correction. A consumer can ask the controller to correct inaccuracies in personal data, taking into account the nature of the data and the purposes of processing. The third right is deletion: a consumer can ask the controller to delete personal data provided by or obtained about the consumer.
The fourth right is portability. A consumer can obtain a copy of personal data they previously provided, in a portable and, where technically feasible, readily usable format that lets them transmit the data to another controller without hindrance. The fifth right is the opt-out, covered separately below.
The opt-out right: three processing activities
The opt-out right under KRS 367.3615(2)(e) is the most actively used right in practice. It lets a consumer opt out of three distinct processing activities, and a controller must stop each one on request.
The first is targeted advertising. Under KRS 367.3611, that means showing ads selected based on personal data obtained from the consumer's activities across nonaffiliated websites or applications over time. First-party and contextual advertising are excluded.
The second is the sale of personal data, which KRS 367.3611 defines as exchanging personal data for monetary consideration to a third party. Kentucky's definition is the narrower "monetary consideration" version, not the broader "monetary or other valuable consideration" standard some states use.
The third is profiling in furtherance of decisions that produce legal or similarly significant effects, such as decisions about lending, housing, insurance, education, employment, health care, or access to basic necessities. A controller that sells data or runs targeted advertising must clearly disclose that activity and the way to opt out under KRS 367.3617(4).

The 45-day response deadline
KRS 367.3615(3)(a) sets the response clock. A controller must act on a consumer request without undue delay and in all cases within 45 days of receiving it.
The controller may extend the response period once, by an additional 45 days, when reasonably necessary given the complexity and number of requests. To use the extension, the controller must tell the consumer within the first 45 days, along with the reason for the delay.
If a controller declines to act on a request, KRS 367.3615(3)(b) requires it to tell the consumer within the same 45 days, with the justification and instructions on how to appeal. Information must be provided free of charge up to twice annually per consumer under KRS 367.3615(3)(c); only excessive, repetitive, technically infeasible, or manifestly unfounded requests can trigger a reasonable fee or refusal, and the controller bears the burden of proving the request fits that category.
Authentication and the no-new-account rule
A controller only has to honor a request it can authenticate. KRS 367.3615(3)(d) provides that if a controller cannot authenticate a request using commercially reasonable efforts, it need not comply and may ask the consumer for additional information reasonably necessary to verify identity.
That said, the KCDPA limits how far a controller can push. Under KRS 367.3617(5), a controller cannot require a consumer to create a new account in order to exercise rights, although it may require the consumer to use an existing account.
The act also protects consumers who do not have an account or whose data cannot be tied to them. KRS 367.3623 clarifies that a controller is not required to re-identify de-identified or pseudonymous data, or to retain data in identifiable form, just to honor a request. The rights attach to data the controller actually holds in identifiable form.

The appeal process
The KCDPA builds in a two-step remedy. If a controller refuses to act, the consumer can appeal that refusal, and only after that can the matter reach the Attorney General.
Under KRS 367.3615(4), a controller must establish a conspicuous appeal process similar to the way consumers submit requests. Within 60 days of receiving an appeal, the controller must tell the consumer in writing of any action taken or not taken, with a written explanation of the reasons.
If the appeal is denied, the controller must give the consumer an online mechanism, if available, or another method to contact the Attorney General and submit a complaint. The Kentucky Attorney General's Office of Data Privacy operates that complaint intake, so a denied appeal is the gateway to state enforcement.
No private lawsuits: how rights are actually enforced
The KCDPA gives consumers rights but not a courtroom. KRS 367.3627(4) states that nothing in the act provides the basis for, or gives rise to, a private right of action. A consumer cannot sue a controller directly for a violation.
Enforcement runs exclusively through the Attorney General under KRS 367.3627(1). The Attorney General investigates, issues notices, and brings actions in the name of the Commonwealth, with civil penalties up to $7,500 per violation.
Before suing, the Attorney General must give a 30-day cure notice under KRS 367.3627(2). That cure period is permanent, with no sunset date. The practical takeaway for consumers is that the appeal-then-complaint path is the real avenue: file the request, appeal a denial, and escalate to the Office of Data Privacy if the controller will not comply. The KCDPA compliance checklist guide covers the business side of responding to these requests.
| Right | KCDPA section | Response window |
|---|---|---|
| Confirm and access | KRS 367.3615(2)(a) | 45 days (one 45-day extension) |
| Correct inaccuracies | KRS 367.3615(2)(b) | 45 days |
| Delete personal data | KRS 367.3615(2)(c) | 45 days |
| Data portability | KRS 367.3615(2)(d) | 45 days |
| Opt out of ads, sale, profiling | KRS 367.3615(2)(e) | 45 days |
| Appeal a denial | KRS 367.3615(4) | 60 days |
Sources and References
- Kentucky HB 15 (2024): Kentucky Consumer Data Protection Act (Enrolled Bill Text) (legislature.ky.gov)
- KRS 367.3615: Consumer Rights Request, Controller Compliance, and Appeal Process (legislature.ky.gov)
- KRS 367.3617: Controller Limitations, Privacy Notice, and Opt-Out Methods (legislature.ky.gov)
- KRS 367.3611: Definitions (Sale of Personal Data, Targeted Advertising, Profiling) (legislature.ky.gov)
- KRS 367.3623: De-identified and Pseudonymous Data Limits on Consumer Rights (legislature.ky.gov)
- KRS 367.3627: Attorney General Enforcement and No Private Right of Action (legislature.ky.gov)
- Kentucky Attorney General: Rights of Kentuckians under the Kentucky Consumer Data Protection Act (ag.ky.gov)
- Kentucky General Assembly: HB 15 Bill Page (2024 Regular Session) (legislature.ky.gov)