What Is the KCDPA? Kentucky Consumer Data Privacy

The Kentucky Consumer Data Protection Act (KCDPA), codified at KRS 367.3611 to 367.3629, is Kentucky's comprehensive consumer data privacy law. It was enacted as House Bill 15 during the 2024 session, signed by Governor Andy Beshear on April 4, 2024, and takes effect January 1, 2026, giving Kentucky residents rights to access, correct, delete, and port their personal data and to opt out of its sale, targeted advertising, and certain profiling.
As of 2026, the Kentucky Attorney General holds exclusive enforcement authority and may seek civil penalties of up to $7,500 per violation under KRS 367.3627. The KCDPA is closely modeled on Virginia's Consumer Data Protection Act, so businesses already aligned with the Virginia framework will find Kentucky's obligations familiar.
Jurisdiction scope: This page covers the Kentucky Consumer Data Protection Act (KRS 367.3611 to 367.3629). It is general legal information, not legal advice.
What the KCDPA is: statute, enactment, and effective date
The Kentucky Consumer Data Protection Act is Kentucky's first comprehensive consumer data privacy law. It is codified at Kentucky Revised Statutes Sections 367.3611 through 367.3629, inside the state's broader consumer protection chapter. The General Assembly passed it as House Bill 15 during the 2024 regular session.
Governor Andy Beshear signed the bill on April 4, 2024. The legislature built in a long runway: the act does not take effect until January 1, 2026. As of 2026, that date has arrived, so every covered business is now fully subject to the KCDPA.
The act expressly names itself. Section 11 of HB 15 provides that the law "may be cited as the Kentucky Consumer Data Protection Act," and Section 12 sets the January 1, 2026 effective date. The 2025 General Assembly later amended the act through House Bill 473 (Chapter 13), which adjusted exemptions and timing, but the core rights and enforcement framework stayed intact.
For the controller and processor obligations, privacy notice rules, and data protection assessment requirements in detail, see the Kentucky data privacy laws parent page.
Who the KCDPA covers: the thresholds
The KCDPA's applicability test lives in KRS 367.3613. The law applies to a person that conducts business in Kentucky, or that produces products or services targeted to Kentucky residents, and that during a calendar year meets one of two data-volume triggers.
The first trigger is controlling or processing the personal data of at least 100,000 consumers. The second is controlling or processing the data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of personal data.
There is no separate revenue floor. Unlike laws such as California's, which can pull a business in on annual revenue alone, the KCDPA keys solely on consumer volume and the data-sales revenue share. A small company that never crosses 100,000 consumers and does not make most of its money selling data stays outside the law.
A "consumer" under KRS 367.3611 is a natural person who is a Kentucky resident acting only in an individual context. The definition expressly excludes a person acting in a commercial or employment context, so workforce and business-to-business data fall outside the consumer-facing rights.

The KCDPA's exemptions: broad entity-level carve-outs
The KCDPA exempts whole categories of organizations at the entity level under KRS 367.3613(2), a structure that removes many businesses regardless of how much data they hold. Several of these exemptions are sweeping.
Cities, state agencies, and political subdivisions of the state are exempt. So are financial institutions, their affiliates, and data subject to Title V of the federal Gramm-Leach-Bliley Act. Entities and data governed by HIPAA are carved out, as are nonprofit organizations and institutions of higher education.
The act also exempts specific utilities, including small telephone utilities and certain municipally owned utilities that do not sell or share personal data with a third-party processor. Beyond entity-level exemptions, KRS 367.3613(3) carves out specific data sets, including protected health information, data regulated by the federal Fair Credit Reporting Act, FERPA-governed education records, and employment and applicant data.
The practical effect is that the KCDPA's covered population is narrower than the consumer-volume thresholds alone suggest. A business should map its status against KRS 367.3613 rather than assume coverage, because the exemptions are framed around specific federal regimes and licensed roles.
The opt-in sensitive-data rule
Sensitive data carries a stricter rule than ordinary personal data. Under KRS 367.3617(1)(e), a controller may not process sensitive data concerning a consumer without first obtaining the consumer's consent. This is an opt-in model: the default is no processing until the consumer affirmatively agrees.
Sensitive data is defined in KRS 367.3611. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data processed to uniquely identify a person, personal data collected from a known child, and precise geolocation data.
"Consent" under the KCDPA is not a buried checkbox. KRS 367.3611 defines it as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data. For sensitive data collected from a known child, the controller must instead follow the federal Children's Online Privacy Protection Act. Because the consent gate sits in front of an entire category of data, getting the definition of sensitive data right is an operational priority for covered businesses.

The Virginia clone: why the KCDPA looks familiar
The KCDPA's signature feature is not a novel provision but its near-identical resemblance to Virginia's Consumer Data Protection Act, the first of the modern state privacy laws. Kentucky's legislature copied the Virginia structure closely, from the definitions in KRS 367.3611 to the rights set in KRS 367.3615 to the enforcement model in KRS 367.3627.
That lineage matters for multistate businesses. A company that built its program around Virginia's law will recognize Kentucky's 100,000-consumer trigger, its opt-in rule for sensitive data, its 45-day response deadline, its data protection assessment duties, and its Attorney-General-only enforcement with a cure period. The terminology of "controller," "processor," "consumer," and "sensitive data" is the same.
One consequence of the Virginia model is what the KCDPA leaves out. The act does not mandate that controllers honor a universal opt-out mechanism such as the Global Privacy Control browser signal. KRS 367.3617 requires controllers to disclose and provide their own opt-out methods, but the statute contains no requirement to recognize a global signal, a feature that several newer state laws added but that Virginia and Kentucky did not.
For the rights themselves and how to invoke them, see the KCDPA consumer rights guide.
KCDPA vs. CCPA: the key differences
Kentucky's KCDPA and California's CCPA are often compared by companies that operate nationally. The state data privacy law comparison page covers the broader multistate picture, but several differences between the KCDPA and California's CCPA stand out.
| Feature | Kentucky KCDPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 100,000 consumers, OR 25,000 consumers plus over 50% revenue from data sales | $25M revenue, OR 100,000 consumers, OR 50% revenue from data sales |
| Revenue-only trigger | No; keys on consumer volume and data-sale revenue share | Yes; $25M annual revenue alone can bring a business in |
| Model | Virginia-style framework (controller and processor) | Stand-alone California framework (business and service provider) |
| Sensitive data | Opt-in consent required (KRS 367.3617(1)(e)) | Right to limit use; opt-out model |
| Universal opt-out signal | Not mandated | Required to honor opt-out preference signals |
| Private right of action | None (KRS 367.3627(4)) | Limited, for certain data breaches |
| Cure period | Permanent 30-day cure (KRS 367.3627(2)) | Cure provision narrowed over time |
The most consequential difference is the threshold structure. California can reach a business on revenue alone, while Kentucky keys on consumer volume and the data-sale revenue share, so a high-revenue company with few Kentucky consumers may sit outside the KCDPA.
The second major difference is the opt-out model. California requires businesses to honor universal opt-out preference signals, while Kentucky does not. A KCDPA-covered business must provide its own opt-out methods but is not required to recognize a global browser signal as of 2026.
Related guides
- Kentucky data privacy laws parent hub
- KCDPA consumer rights
- KCDPA compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources and References
- Kentucky HB 15 (2024): Kentucky Consumer Data Protection Act (Enrolled Bill Text) (legislature.ky.gov)
- Kentucky General Assembly: HB 15 Bill Page (2024 Regular Session) (legislature.ky.gov)
- KRS 367.3611: Definitions for KRS 367.3611 to 367.3629 (legislature.ky.gov)
- KRS 367.3613: Application, Limitations, and Exemptions (legislature.ky.gov)
- KRS 367.3615: Consumer Rights Request and Appeal Process (legislature.ky.gov)
- KRS 367.3617: Controller Limitations and Sensitive Data Consent (legislature.ky.gov)
- KRS 367.3627: Attorney General Enforcement, Cure Period, and Civil Penalties (legislature.ky.gov)
- KRS 367.3629: Consumer Privacy Fund (legislature.ky.gov)
- Kentucky Attorney General: Rights of Kentuckians under the Kentucky Consumer Data Protection Act (ag.ky.gov)