Kentucky KCDPA: New Data Privacy Law Takes Effect in 2026

by Liza Kruse on 8/28/25 1:01 PM

The U.S. data privacy landscape continues to expand: On April 4, 2024, Governor Andy Beshear signed the Kentucky Consumer Data Protection Act (KCDPA), making Kentucky the fifteenth state to enact a comprehensive data privacy law. The act, which will take effect on January 1, 2026, gives businesses a generous timeframe to prepare. In its structure, the KCDPA is closely modeled on the Virginia Consumer Data Protection Act (VCDPA), which distinguishes it from the unique regulations of California's CCPA.

This article provides a clear overview of the key obligations under the KCDPA and shows you how to best prepare your business for the new regulations.

What is the Kentucky Consumer Data Protection Act (KCDPA)?

The Kentucky Consumer Data Protection Act (KCDPA) aims to protect the personal data of Kentucky's 4.5 million residents. For businesses, this means new obligations regarding data processing. We provide you with a clear overview of the most important regulations.

The Core Principle: Opt-Out Instead of Opt-In

Like most U.S. data privacy laws (e.g., in Virginia or Colorado), the KCDPA follows an opt-out model. This means:

  • Prior, active consent from users is not required for most data processing activities.

  • However, businesses are required to offer consumers a simple way to object (opt-out), especially for the sale of data or for targeted advertising.

Transparency is Mandatory: What Must You Disclose?

Even without a general opt-in requirement, the KCDPA demands comprehensive transparency. Businesses must clearly and understandably explain to their users—the so-called "consumers"—the following:

  • Which categories of personal data are collected.

  • Why this data is collected (the purpose of processing).

  • To which third parties the data may be disclosed.

  • How consumers can exercise their right to opt-out.

This information is typically part of a privacy policy and is crucial for compliance with the KCDPA.

Who Does the Law Protect? The Definition of a "Consumer"

The KCDPA protects residents of Kentucky who are acting in a personal or household context. Interactions in a purely business or professional context (B2B) are not covered by the law.

Does the KCDPA Apply to Your Business? Thresholds and Exemptions in Detail

With the Kentucky Consumer Data Protection Act (KCDPA), many businesses are now questioning whether they are affected. The law defines clear thresholds that determine if your company must comply with the new obligations starting January 1, 2026.

When is the KCDPA Applicable? The Thresholds

The law applies to any business that operates in Kentucky or offers products to its residents and meets one of the following conditions per calendar year:

  • Condition 1: It controls or processes the personal data of at least 100,000 consumers.

  • Condition 2: It controls or processes the data of at least 25,000 consumers AND derives more than 50% of its gross revenue from the sale of this data.

A key difference from laws like the CCPA in California is that there is no revenue-only threshold. Applicability therefore depends primarily on the volume of data. The obligations apply to both the controller (the entity determining the purposes and means of processing) and the processor (the entity processing data on behalf of the controller).

Who is Exempt? An Overview of Key Exemptions

To avoid conflicts with existing regulations, the KCDPA provides for a series of exemptions. These apply to both specific organizations and specific categories of data.

Exempt Organizations:

  • Government and public authorities

  • Non-profit organizations

  • Institutions of higher education

  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)

  • Healthcare organizations subject to the Health Insurance Portability and Accountability Act (HIPAA)

Exempt Data:

In addition to entire organizations, data that is already strictly regulated by other federal laws is also exempt. This particularly includes health data (under HIPAA), financial data (under the Fair Credit Reporting Act), and educational data (under FERPA). Furthermore, companies that already comply with the requirements of the Children's Online Privacy Protection Act (COPPA) are automatically considered KCDPA-compliant regarding parental consent.

Key Definitions in the KCDPA: Terms You Need to Know

To meet the requirements of the Kentucky Consumer Data Protection Act (KCDPA), understanding its central terms is essential. We have prepared the most important definitions for you.

Personal and Sensitive Data According to the KCDPA

  • Personal Data: Defined as "any information that is linked or reasonably linkable to an identified or identifiable individual." This includes common examples like names, email addresses, or IP addresses. Anonymized or publicly available data is exempt.

  • Sensitive Data: A specially protected subcategory of data that can cause harm if misused. This includes:

    • Racial or ethnic origin

    • Religious beliefs & sexual orientation

    • Health diagnoses

    • Biometric and genetic data for identification purposes

    • Data from children under 13 years of age

    • Precise geolocation data

The Players: Controller and Processor Under the KCDPA

  • Controller: The company or person that determines the purpose and means of data processing.

  • Processor: The company or person that processes data on behalf of a controller.

Sale of Personal Data Under the KCDPA

Sale of Personal Data: This is a key difference from other laws. The KCDPA defines a "sale" very narrowly as the exchange of personal data for monetary consideration only. An exchange for other valuable consideration, which California's CCPA counts as a sale, is not considered a sale under the KCDPA.

Targeted Advertising Under the KCDPA

  • Targeted Advertising: Refers to advertising that is selected based on user data collected from their activity across different, non-affiliated websites.

  • Exempt from this are contextual ads, first-party advertising, or pure audience measurement.

Consent According to the KCDPA

Consent: Must be a "clear, affirmative act"—meaning a freely given, specific, informed, and unambiguous agreement to the processing of data.

KCDPA Consumer Rights: The 5 Rights Companies Must Implement

The Kentucky Consumer Data Protection Act (KCDPA) strengthens consumers' data privacy rights, thereby imposing clear obligations on businesses. At its core are five data subject rights, for which every affected company must implement a process to handle requests.

The 5 Core Consumer Rights at a Glance:

  1. Right to Access: Consumers can require you to confirm whether you are processing their personal data and have the right to access that data. (An exception exists if this would require the disclosure of trade secrets.)

  2. Right to Correct: Your customers have the right to have inaccurate personal data corrected.

  3. Right to Delete: Consumers can request the deletion of their personal data (subject to legal exceptions).

  4. Right to Data Portability: Customers can request a copy of their data in a common, machine-readable, and easily transferable format.

  5. Right to Opt-Out: This is a central right. Consumers can object to the processing of their data for the following purposes at any time:

    • The sale of personal data

    • Targeted advertising

    • Profiling that produces legal or other similarly significant effects

Important Limitation: No Private Right of Action

A crucial point for companies' risk assessment is that the KCDPA does not provide a private right of action. This means consumers cannot sue companies directly for a violation. Enforcement is the sole responsibility of the Kentucky Attorney General.

Consent Under the KCDPA: What Businesses Need to Know About the Opt-Out Model

Consent management under the Kentucky Consumer Data Protection Act (KCDPA) is closely aligned with other U.S. data privacy laws, primarily relying on an opt-out model. However, for businesses, this does not mean that consent is never required.

The General Rule: The Opt-Out Principle

For the general processing of personal data, the KCDPA does not require prior active consent. Instead, businesses must provide consumers with a clear and easily accessible right to object (opt-out). This opt-out right must be offered specifically for the following purposes:

  • The sale of personal data

  • Targeted advertising

  • Profiling that produces legal or other similarly significant effects

The Exception: When Active Consent (Opt-In) is Mandatory

Prior, active consent is mandatory when processing:

  • Sensitive personal data

  • Personal data of children (in accordance with COPPA)

Practical Implementation with a Consent Management Platform (CMP)

For the technical implementation of the opt-out right, most companies use a Consent Management Platform (CMP). A CMP ensures that:

  • Consumers are transparently informed about data processing.

  • Tracking technologies are blocked as soon as a user exercises their right to opt out.

  • Compliance across various laws is facilitated.

Since there is no uniformly applicable federal law in the U.S., a flexible solution is crucial. A CMP can adapt the cookie banner based on the user's location, thereby helping to meet the different requirements of the KCDPA, CCPA, and Europe's GDPR.

KCDPA Obligations: A Guide for Businesses on Data Privacy & Compliance

The Kentucky Consumer Data Protection Act (KCDPA) imposes a series of specific obligations on businesses ("controllers") and their service providers ("processors"). To ensure compliance by January 1, 2026, the following areas must be addressed.

1. Internal Governance: Strategy, Security & Assessments

  • Purpose Limitation & Data Minimization: Data collection must be limited to what is "adequate, relevant, and reasonably necessary" for the disclosed purpose.

  • Data Security: Businesses must implement appropriate administrative, technical, and physical security measures to protect the confidentiality and integrity of data.

  • Data Protection Impact Assessment (DPIA): An assessment is mandatory before initiating high-risk activities. This includes the sale of personal data, targeted advertising, high-risk profiling, and the processing of sensitive data.

2. Transparency & Consumer Interaction

  • The Privacy Notice: Every business must provide a clear and accessible privacy notice that informs about the following:

    • Categories and purposes of the data processed.

    • Sharing of data with third parties.

    • Instructions on how to exercise consumer rights, including the appeals process.

  • Consent Management: The law follows an opt-out model. However, active consent (opt-in) is required for sensitive data and data from children (in accordance with COPPA). Important: A universal opt-out mechanism like the Global Privacy Control (GPC) does not need to be recognized.

  • Processing of Data Subject Rights: Requests from consumers must be answered within 45 days (with a one-time extension option). There are also clear deadlines for the appeals process in case of a denial.

  • The Right to Non-Discrimination: Businesses must not discriminate against consumers for exercising their data privacy rights. However, voluntary incentive and loyalty programs remain explicitly permitted.

3. Collaboration with Service Providers

  • Data Processing Agreements (DPAs): The collaboration between controllers and processors must be governed by contracts that include clear instructions on data processing, its purpose, duration, and the duty of confidentiality.

  • Special Liability Provision: Similar to some other U.S. laws, the KCDPA includes a liability exception. A party is not liable for the violations of the other if, at the time of data disclosure, it had no knowledge of any intent to violate the law.

KCDPA Enforcement: What Are the Penalties for Violations?

The enforcement of the Kentucky Consumer Data Protection Act (KCDPA) is clearly regulated and includes an important, business-friendly component: a 30-day cure period. Here, you can learn who enforces the law and what penalties violations carry.

Who Enforces the Law?

The sole authority for enforcement lies with the Attorney General of Kentucky. Consumers do not have a private right of action, meaning they cannot file lawsuits themselves. However, they can submit complaints about potential violations directly to the Attorney General's office, which often triggers an investigation.

The Decisive Factor: The 30-Day "Cure Period"

Before the Attorney General initiates legal action, they must send the affected company a written notice of the alleged violation. The company then has 30 days to remedy the deficiency (the so-called "cure period").

  • If the violation is remedied within this timeframe, the company must provide written confirmation to the Attorney General. In this case, no penalties will be imposed.

This cure period is a permanent feature of the law and offers businesses a fair opportunity to correct mistakes.

When Are Fines Imposed Under the KCDPA?

Penalties are only imposed if a company:

  • Fails to remedy the violation within the 30-day period,

  • or violates its own written confirmation and repeats the offense.

In these cases, civil penalties of up to $7,500 per violation can be imposed.

KCDPA Update: Kentucky Amends Data Privacy Law Before It Takes Effect

Even before the Kentucky Consumer Data Protection Act (KCDPA) comes into force on January 1, 2026, the legislature has already made important adjustments with bill HB 473 on March 15, 2025. These changes primarily affect the areas of healthcare (HIPAA) and the requirements for Data Protection Impact Assessments (DPIAs).

Update 1: Expanded Exemptions for Health Data (HIPAA)

The update creates more clarity for companies in the healthcare sector. Two central exemptions from the KCDPA requirements are specified:

  • Protected Health Information: Data already maintained as Protected Health Information (PHI) by organizations subject to HIPAA is now explicitly exempt.

  • Limited Data Sets: Information held in "Limited Data Sets" by HIPAA-compliant entities also does not fall under the scope of the KCDPA.

Update 2: Adjusted Rules for Data Protection Impact Assessments (DPIAs)

The obligation to conduct a DPIA for profiling activities has been narrowed. Such an assessment is now only required if the profiling creates a risk of "unlawful disparate impact." This means a DPIA is primarily necessary when there is a risk that members of a protected class will be disproportionately disadvantaged.

These amendments to the KCDPA will take effect together with the main act on January 1, 2026, and are crucial for preparing your compliance strategy.

KCDPA Compliance: How to Prepare Your Business for 2026

Companies have until January 1, 2026, to implement the requirements of the Kentucky Consumer Data Protection Act (KCDPA). If you already comply with other U.S. data privacy laws, you have a clear head start, as many requirements, such as the right to opt-out, are identical. Nevertheless, targeted preparation is essential.

Your Roadmap to KCDPA Compliance:

  1. Utilize Existing Processes: Analyze your current compliance measures. Processes for consent management or the privacy policy that you have established for other laws provide an excellent foundation.

  2. Embrace "Privacy by Design" as a Core Principle: Embed data privacy into your processes and technologies from the very beginning. This approach not only helps with KCDPA compliance but also improves your customers' trust and the efficiency of your overall data processing.

  3. Rely on the Right Tools: A professional Consent Management Platform (CMP) is a central tool. It helps you legally manage consent for cookies and trackers, technically implement the right to opt-out, and fulfill the required transparency obligations.

  4. Seek Expert Advice: The data privacy landscape is constantly evolving. To remain compliant in the long term, collaborating with qualified legal experts or an external Data Protection Officer (DPO) is strongly recommended. They ensure that your measures meet legal requirements not only today but also in the future.

Start preparing early to safely meet the January 1, 2026, deadline and avoid costly risks.

Conclusion: Act Now to Be Ready for 2026

The Kentucky Consumer Data Protection Act (KCDPA) joins the growing list of U.S. data privacy laws and requires targeted preparation. While the business-friendly 30-day cure period offers a degree of security, it is predicated on having a solid and proactive compliance strategy established by the January 1, 2026 deadline.

But you don't have to face this challenge alone. Our team of data privacy experts is ready to analyze your specific situation and develop a clear roadmap for your KCDPA compliance.