Kentucky’s data privacy law balances data collection against individual privacy, giving consumers rights over their personal data while allowing businesses to use data responsibly. Like most US state privacy laws, Kentucky’s KCDPA follows an opt-out model, with opt-in consent required in specific situations (for example, processing sensitive data).

Legal text: House Bill 15

Effective date: January 1, 2026

What is the Kentucky Consumer Data Protection Act (KCDPA)?

On April 4, 2024, Kentucky joined the growing wave of state privacy legislation in the US by enacting its comprehensive consumer data protection law, House Bill 15. The law is built on privacy-by-design principles and requires businesses to handle personal data deliberately and cautiously.

Once the law comes into effect, businesses will have to provide privacy notices, establish methods for consumers to submit requests, conduct data protection assessments, and meet the other obligations described below.

The law guarantees consumers the right to confirm, access, correct, or delete their personal data, thereby prioritizing consumer privacy and their authority over personal data.

The Attorney General has exclusive enforcement authority and may seek civil penalties of up to $7,500 per violation.

To whom does the Kentucky Consumer Data Protection Act (KCDPA) apply?

A controller is a person who, alone or jointly with others, determines the purpose and means of processing personal data. Whether KCDPA applies to a controller depends on numerical thresholds.

KCDPA applies to persons that conduct business in Kentucky, or that produce products or services targeted to Kentucky residents, and that during a calendar year meet either of the following criteria:

  • control or process the personal data of at least 100,000 consumers; or
  • control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

What are the exemptions under KCDPA?

The Kentucky privacy law carves out exemptions for the following entities:

  • Cities, state agencies, and political subdivisions of the Commonwealth
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act
  • Covered entities and business associates under HIPAA
  • Non-profit organizations
  • Institutions of higher education

The law’s definition of a non-profit organization covers organizations whose net earnings do not inure to the benefit of any private person, as well as organizations formed to assist first responders in responding to catastrophic events. There are also data-level exemptions, for example for protected health information under HIPAA and certain other health records, which apply regardless of who holds the data.

What is personal data in KCDPA? 

The law defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person. Examples include contact details, postal addresses, personal identification numbers, and cookie identifiers.

Publicly available information and de-identified data are not personal data.

Information is publicly available if it is lawfully made available to the general public through government records, through widely distributed media, or by the consumer themselves.

What is sensitive data in KCDPA?

Sensitive data attracts stricter rules than other personal data, so a business first needs to know which of the data it holds falls into this category.

The following categories of data are considered sensitive under KCDPA:

  • Personal data that reveals:
    • Racial or ethnic origin
    • Religious beliefs
    • Mental or physical health diagnosis
    • Sexual orientation
    • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying a natural person
  • Personal data collected from a known child (under 13 years of age)
  • Precise geolocation data

What are the privacy notice requirements under KCDPA?

A privacy notice, sometimes called a privacy policy, is an inseparable part of data protection and privacy: it is the document through which consumers learn about your data practices. Like most privacy laws, KCDPA requires businesses to provide a reasonably accessible, clear, and meaningful privacy notice containing the following information:

  • Categories of personal data processed
  • Purpose of processing personal data
  • The process for exercising consumer rights including the process for appeal
  • Categories of personal data shared with third parties
  • Categories of third parties with whom personal data is shared
  • Whether the controller sells personal data or uses it for targeted advertising and how to opt out 
  • One or more means to submit consumer requests.


What are the consent requirements under KCDPA?

Consent is an essential part of all privacy laws, and the KCDPA is no exception. The definition of consent under the Kentucky privacy law is essentially the same as in other US state privacy laws.

Consent must be a clear affirmative act signifying the consumer’s freely given, specific, informed, and unambiguous agreement to the processing of personal data. It can be obtained through a written statement, including by electronic means, or through any other unambiguous affirmative action such as ticking an opt-in checkbox or clicking "yes" for that specific purpose. Acceptance of general terms of use, or hovering over, muting, pausing, or closing a piece of content, does not count as consent.

Although KCDPA follows an opt-out model, it requires businesses to obtain consent for certain activities, such as the processing of sensitive data. The obligations of businesses, discussed next, cover this in more detail.

What are the obligations of businesses under KCDPA?

Once the law becomes effective, businesses will be required to fulfill these obligations:

Data minimization and purpose limitation

When collecting personal data, limit collection to what is adequate, relevant, and reasonably necessary for the specific purposes disclosed to the consumer. Processing must likewise stay within the purposes disclosed, unless the consumer consents to any additional use.

Security safeguards

Implement reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of the personal data your business handles. These measures should be appropriate to the volume and nature of the data.

Non-discrimination

Do not retaliate against consumers for exercising their rights, for example by denying a product, charging a different price, or providing a lower level of quality or service. This does not prevent you from offering different prices or benefits to consumers who voluntarily participate in a bona fide loyalty, rewards, or discount program. You must also not process personal data in violation of federal or state laws that prohibit unlawful discrimination.

Consent

Businesses must obtain the consumer’s consent before processing sensitive data. For the personal data of a known child (under 13 years of age), obtain verifiable parental consent and process the data in accordance with the Children’s Online Privacy Protection Act (COPPA).

As discussed above, prior consent is also required before processing personal data for any new purpose that is not reasonably necessary to, or compatible with, the purposes already disclosed.

Transparency

Provide a clear and conspicuous privacy notice to consumers containing all the necessary information as discussed in the privacy notice requirements.


Response to consumer requests

Establish one or more secure and reliable means for consumers to exercise their rights. Respond to a request without undue delay and in any case within 45 days of receipt; the period may be extended by a further 45 days when reasonably necessary, taking into account the complexity and number of requests.

If you extend the response period, inform the consumer within the initial 45 days, along with the reason for the delay. Respond to requests free of charge up to twice annually per consumer.

Also establish a conspicuous, easy-to-use process for consumers to appeal a refusal to act on their request. You must respond to an appeal in writing within 60 days of receiving it, and if the appeal is denied, tell the consumer how to contact the Attorney General to submit a complaint.

Contractual relationship

Processing by a processor must be governed by a binding contract between the controller and the processor. The contract should set out the controller’s instructions, the nature and purpose of the processing, the type of data involved, the duration of the processing, and the rights and obligations of each party, and it should bind the processor to keep the data confidential, to delete or return it when the services end, and to flow the same obligations down to any subcontractors.

Data protection impact assessments

Conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm. This covers the processing of sensitive data, processing for targeted advertising, the sale of personal data, and profiling that carries a reasonably foreseeable risk of unfair treatment, financial or physical injury, or intrusion on privacy. The assessment weighs the benefits of the processing against the risks to the consumer, taking into account any safeguards that reduce those risks. Assessments are confidential, and the Attorney General may request them during an investigation.

What are the rights of consumers under KCDPA?

The Kentucky privacy law not only imposes obligations on businesses but also guarantees rights to consumers. Consumers exercise these rights through the means the business establishes, such as a toll-free number, a dedicated email address, or a request form.

  • Right to confirm and access: Consumers have the right to confirm whether a controller is processing their personal data and to access that data. The controller is not required to reveal trade secrets in doing so.
  • Right to correct: If the personal data a controller holds is inaccurate, consumers can ask for it to be corrected.
  • Right to delete: Consumers can ask a controller to delete the personal data it holds about them, whether the data was provided by the consumer or obtained from another source.
  • Right to obtain (portability): Consumers can obtain a copy of the personal data they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format.
  • Right to opt out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

What is the penalty for violating KCDPA?

The Attorney General of Kentucky is the sole enforcement authority under the Kentucky privacy law. Unlike the CCPA, which provides a limited private right of action for certain data breaches, the KCDPA provides no private right of action.

Before initiating an action, the Attorney General must give the business written notice and 30 days to cure the violation. If the violation is cured within that time and the business provides a written statement that it has done so, no action will be initiated. The cure period has no sunset provision, so it remains available indefinitely.

The civil penalty for a single violation may be up to $7,500. Because penalties are assessed per violation, the total exposure grows with the number of violations.

KCDPA compliance checklist

  • Practice data minimization and purpose limitation
  • Implement adequate security measures to protect personal data
  • Obtain consent before processing sensitive data
  • Obtain verified parental consent before processing the personal data of children under 13
  • Provide a clear and accessible privacy notice
  • Provide opt-out mechanisms for consumers
  • Establish one or more convenient means for consumers to exercise their rights
  • Respond to consumer requests promptly
  • Conduct regular data protection impact assessments
  • Do not discriminate against consumers for exercising their rights
  • Have a contractual relationship with third parties and processors to ensure their compliance

FAQ on Kentucky Consumer Data Protection Act

Does KCDPA require businesses to recognize global opt-out requests?

Unlike many US state privacy laws, the Kentucky privacy law does not require businesses to recognize universal opt-out preference signals such as Global Privacy Control (GPC).

What is the Kentucky privacy bill?

The Kentucky Consumer Data Protection Act (House Bill 15) is Kentucky’s comprehensive privacy law, and it takes effect on January 1, 2026. It guarantees consumers rights such as the right to confirm, access, delete, correct, and opt out, and it imposes a range of obligations on businesses to protect consumer privacy.

How to comply with Kentucky’s KCDPA?

The first step is to determine whether the law applies to your business. If it does, you must meet the law’s requirements, including data minimization, purpose limitation, security safeguards, a privacy notice, consumer request handling, and data protection assessments.

Obtain prior consent before processing sensitive data or children’s data, and provide a way for consumers to opt out of targeted advertising, sales, and profiling. To manage and track cookie consent, you can use a consent management platform (CMP) such as CookieYes.