Kentucky Consumer Data Protection Act: What Your Business Needs to Know

A practical guide to Kentucky's KCDPA for small businesses: thresholds, consumer rights, enforcement, and compliance steps effective January 1, 2026.

Last updated: 2026-02-08

Kentucky's Consumer Data Protection Act (KCDPA) was signed into law on April 4, 2024, making the Bluegrass State the latest to join the growing roster of states with comprehensive consumer privacy legislation. The KCDPA takes effect on January 1, 2026, alongside Indiana's INCDPA. If your business collects personal data from Kentucky residents, you now have a clear deadline to understand what the law requires and get your compliance house in order.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Kentucky Consumer Data Protection Act (HB 15, 2024), codified at KRS ch. 367, as of the date of publication.

The KCDPA follows the Virginia model closely, which means businesses that have already addressed Virginia, Connecticut, or similar state privacy laws will find the compliance requirements familiar. For businesses encountering state privacy law compliance for the first time, this guide provides the practical foundation you need. No law degree required.

Does This Law Apply to Your Business?

The KCDPA applies to persons that conduct business in Kentucky or produce products or services targeted to Kentucky residents and meet at least one of two thresholds during a calendar year:

  1. Control or process the personal data of 100,000 or more Kentucky consumers.
  2. Control or process the personal data of at least 25,000 Kentucky consumers and derive more than 50% of gross revenue from the sale of personal data.

The term "consumer" means a Kentucky resident acting in an individual or household capacity. It does not include a person acting in a commercial or employment context. This means employee data and B2B contact data are carved out from the law's scope.

Example: A software-as-a-service company based in Tennessee provides project management tools used by businesses across Kentucky. While the tool's users are numerous, they are acting in a commercial context (employees using business software). These users are likely not "consumers" under the KCDPA. However, if the same company also runs a consumer-facing app with 100,000+ Kentucky individual users, that threshold would be met.

Example: A regional online marketplace based in Louisville processes personal data from 35,000 individual Kentucky shoppers and earns 55% of its revenue from selling customer data to advertising partners. This business meets the second threshold and must comply.

Exemptions. The KCDPA exempts state and local government entities, nonprofits, higher education institutions, financial institutions subject to GLBA, covered entities and business associates under HIPAA, and data subject to FCRA, FERPA, and the Driver's Privacy Protection Act. It also provides entity-level and data-level exemptions for insurance-related activities under Kentucky insurance law.

What Rights Do Consumers Have?

The KCDPA grants Kentucky consumers a full set of privacy rights, closely mirroring Virginia's VCDPA:

Right to Access. Consumers can confirm whether a business is processing their personal data and request access to that data.

Right to Correction. Consumers can request correction of inaccurate personal data.

Right to Deletion. Consumers can request that their personal data be deleted.

Right to Data Portability. Consumers can obtain a copy of their personal data in a portable, readily usable format.

Right to Opt Out. Consumers can opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.

Right                        | Granted? | Notes
-----------------------------|----------|----------------------------------------------------------------
Access                       | Yes      | Confirm processing and request a copy of personal data
Correction                   | Yes      | Request correction of inaccurate data
Deletion                     | Yes      | Request deletion of personal data
Data Portability             | Yes      | Obtain data in a portable format
Opt-Out of Targeted Ads      | Yes      | Consumer can opt out of targeted advertising
Opt-Out of Data Sales        | Yes      | Consumer can opt out of sale of personal data
Opt-Out of Profiling         | Yes      | Limited to decisions with legal or similarly significant effects
Right to Non-Discrimination  | Yes      | Cannot disadvantage consumers for exercising rights

Businesses must respond to consumer requests within 45 days. An extension of up to 45 additional days is available when reasonably necessary, provided the business notifies the consumer of the extension and the reason within the initial period.

If a business denies a consumer request, it must provide a way for the consumer to appeal the decision. The business must respond to the appeal within 60 days.

What Your Business Must Do

Compliance with the KCDPA requires several practical steps. Here is what to prioritize.

Publish a clear and accessible privacy notice. Your privacy notice must include the categories of personal data processed, the purposes of processing, how consumers can exercise their rights (including the appeal process), the categories of data shared with third parties, and the identity of those third parties. The notice must also disclose whether you sell personal data or process it for targeted advertising.

Build a consumer request process. You need documented workflows for handling access, correction, deletion, portability, and opt-out requests. This includes identity verification procedures to prevent unauthorized access to consumer data. Our DSAR response guide provides a practical framework.

Implement an appeal mechanism. Unlike some state privacy laws, the KCDPA explicitly requires a consumer appeal process. If you deny a consumer request, you must inform the consumer how to appeal and respond to the appeal within 60 days. If the appeal is also denied, you must provide the consumer with a mechanism to contact the Kentucky Attorney General.

Obtain consent for sensitive data. Processing sensitive personal data requires opt-in consent. Sensitive data under the KCDPA includes racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data.

Conduct data protection assessments. The KCDPA requires data protection assessments for processing activities involving targeted advertising, the sale of personal data, processing of sensitive data, profiling that presents a reasonably foreseeable risk of harm, and any processing that presents a heightened risk. These assessments must identify and weigh the benefits against potential risks to consumers.

Establish processor contracts. All data processing agreements with third-party vendors must include clear instructions for processing, confidentiality requirements, data return or deletion obligations upon contract termination, and obligations to assist the controller in responding to consumer requests.

Implement data minimization. Limit your collection to personal data that is adequate, relevant, and reasonably necessary for the purposes you have disclosed. Do not collect data "just in case."

How Is It Enforced?

The KCDPA is enforced exclusively by the Kentucky Attorney General. There is no private right of action.

The law includes a 30-day cure period that allows businesses to remedy alleged violations after receiving notice from the Attorney General. However, this cure period is set to sunset relatively quickly -- it applies only during the initial transition period. After the cure period sunsets, the Attorney General has discretion over whether to offer an opportunity to cure.

Penalties can reach up to $7,500 per violation under Kentucky's consumer protection enforcement framework. The Attorney General can also pursue injunctive relief and recover costs of investigation.

Kentucky's enforcement posture is likely to mirror the approach of Virginia and other states that have adopted similar frameworks: early enforcement will focus on clear failures like missing privacy notices, lack of consumer request mechanisms, and failure to obtain consent for sensitive data processing. Businesses that demonstrate good faith compliance efforts are in a significantly better position than those that ignore the law entirely.

How This Compares to Other State Laws

Kentucky closely follows the Virginia model. Here is how the KCDPA compares to its neighbors and benchmark state laws:

Feature                  | Kentucky (KCDPA)                  | Virginia (VCDPA)                  | Indiana (INCDPA)
-------------------------|-----------------------------------|-----------------------------------|-----------------------------------
Effective Date           | Jan 1, 2026                       | Jan 1, 2023                       | Jan 1, 2026
Consumer Threshold       | 100K consumers                    | 100K consumers                    | 100K consumers
Alt. Threshold           | 25K + 50% revenue from data sales | 25K + 50% revenue from data sales | 25K + 50% revenue from data sales
Right to Correction      | Yes                               | Yes                               | Yes
Opt-Out of Profiling     | Yes                               | Yes                               | Yes
Cure Period              | 30 days (sunset)                  | 30 days (sunset 2025)             | 30 days (sunset 2028)
Appeal Process Required  | Yes                               | Yes                               | Yes
Private Right of Action  | No                                | No                                | No
Max Penalty              | $7,500/violation                  | $7,500/violation                  | $7,500/violation

The practical takeaway: if your business already complies with Virginia's VCDPA, the additional effort needed for Kentucky compliance is minimal. Indiana's INCDPA, taking effect on the same date, is also closely aligned. Businesses operating across the Southeast and Midwest can build a single compliance framework that satisfies all three laws. For comparison with California's broader requirements, see our CCPA compliance guide.

Action Checklist for Small Businesses

  1. Determine applicability. Calculate the number of Kentucky consumers whose personal data you process annually. If you reach 100,000 (or 25,000 plus 50%+ revenue from data sales), the KCDPA applies.

  2. Map your data. Identify what personal data you collect from Kentucky consumers, where it is stored, who has access, and which third parties receive it.

  3. Update your privacy notice. Make sure it covers all KCDPA disclosures -- categories of data, processing purposes, third-party recipients, consumer rights, and the appeal process.

  4. Build request handling workflows. Implement processes for access, correction, deletion, portability, and opt-out requests with clear timelines. See our DSAR workflow guide.

  5. Create an appeal process. Build a documented mechanism for consumers to appeal denied requests, and ensure you can respond within the 60-day deadline.

  6. Implement consent for sensitive data. Set up opt-in consent flows for all sensitive data categories.

  7. Complete data protection assessments. Document assessments for high-risk processing activities.

  8. Update vendor agreements. Ensure data processing contracts include all KCDPA-required provisions.

Key Dates

  • April 4, 2024: KCDPA signed into law (HB 15).
  • January 1, 2026: KCDPA takes effect. Full compliance required.
  • Cure period sunset: The 30-day cure period sunsets after the initial transition. Businesses should not rely on it as a long-term safety net.

References

  • Kentucky Consumer Data Protection Act (KCDPA): KRS ch. 367 (HB 15, 2024). Full text available on the Kentucky Legislature website.
  • Virginia Consumer Data Protection Act (VCDPA): Va. Code §§ 59.1-575 through 59.1-585.
  • Indiana Consumer Data Protection Act (INCDPA): Ind. Code ch. 24-15 (Senate Enrolled Act 5, 2023).

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Building your DSAR compliance process? Check out our DSAR Response Templates Guide for ready-to-use templates that cover access, deletion, and opt-out requests across state privacy laws including Kentucky's KCDPA.