April 14, 2026

Kentucky Consumer Privacy Act (KCPA): What Businesses Need to Do

You run a mid-sized e-commerce platform. You have customers in about twenty states. Your analytics stack processes behavioral data on roughly 130,000 users a year, a fair share of them Kentucky residents. Until January 1, 2026, that was a background fact. As of that date, it is a compliance obligation — and if you have not mapped what you collect from those users, updated your privacy notice, or built a process to respond to their rights requests, you are already operating in violation of a law that carries penalties of up to $7,500 per violation.

The Kentucky Consumer Data Protection Act (KCDPA) is now in effect. It is the state's first comprehensive consumer privacy law, signed by Governor Andy Beshear on April 4, 2024, after passing the Kentucky legislature in March of that year. It makes Kentucky the 15th state to enact this kind of legislation, and it arrived alongside Indiana and Rhode Island as part of a January 2026 wave that materially expanded the US state privacy law map overnight.

TL;DR

  • The KCDPA took effect January 1, 2026. It applies to businesses that process personal data of 100,000 or more Kentucky consumers annually, or 25,000 or more if over 50% of gross revenue comes from selling personal data. There is no standalone revenue threshold.
  • Consumer rights include access, correction, deletion, portability, and opt-out of targeted advertising, data sales, and certain profiling. Sensitive data requires opt-in consent.
  • The Kentucky Attorney General has exclusive enforcement authority. Penalties reach $7,500 per violation. A permanent 30-day cure period applies — it never sunsets.
  • Data Protection Assessments for high-risk processing activities apply to processing created on or after June 1, 2026, giving businesses a short runway for that specific obligation.

What the KCDPA Is and Why It Matters Now

The KCDPA is a comprehensive state consumer data privacy law structured on the Virginia Consumer Data Protection Act (VCDPA) model — the same framework that influenced Indiana, Tennessee, and several other states. That lineage matters for compliance planning: if your organization has already built a VCDPA-aligned privacy program, Kentucky requires incremental adjustments rather than a ground-up rebuild. If you have not addressed any of these Virginia-model laws yet, the KCDPA is a practical reason to start, because the same infrastructure that satisfies Kentucky will serve you well across most of the Virginia-model states simultaneously.

The law reflects a deliberate policy balance. Kentucky legislators wanted meaningful consumer rights and genuine business accountability, but they also wanted a framework that was predictable and workable for the businesses that operate in and around the state — many of which are mid-market companies without dedicated privacy teams. The result is a law with clear applicability thresholds, a narrow definition of data sale, a permanent cure period, and no private right of action. None of those features are invitations to ignore the law. They are structural choices that make compliance more predictable than in California, Colorado, or Connecticut, and they do not reduce the underlying obligations once the thresholds are met.

Does the KCDPA Apply to You?

The KCDPA applies to any person or entity that conducts business in Kentucky, or produces products or services targeted to Kentucky residents, and during a calendar year meets either of two volume-based thresholds. The first threshold is controlling or processing the personal data of 100,000 or more Kentucky consumers. The second is controlling or processing the personal data of 25,000 or more Kentucky consumers and deriving more than 50% of gross revenue from the sale of personal data.

There is no standalone revenue threshold of the kind California's CCPA uses. Applicability is tied to data processing volume rather than company size or annual revenue from any source. A large enterprise that processes very little Kentucky consumer data may not be covered. A mid-sized SaaS platform that processes large volumes of consumer behavioral data likely is. The question to answer is not "how big is our company?" but "how much Kentucky consumer data do we process?"

The definition of "consumer" under the KCDPA covers Kentucky residents acting in an individual or household context. It does not cover individuals acting in an employment or commercial capacity. Employee data, job applicant data, and business-to-business contact data are outside the law's scope — which is a meaningful carve-out compared to California's CPRA, which brought much of that data under its reach. This exclusion is structural to the Virginia model and narrows the practical compliance surface for many organizations.

Several categories of entities are exempt entirely. State and local government bodies are excluded. Financial institutions and data regulated under the Gramm-Leach-Bliley Act are exempt. Covered entities and business associates governed by HIPAA are exempt — and a March 2025 amendment (HB 473) expanded this exemption to explicitly cover Protected Health Information and Limited Data Sets held by HIPAA-compliant entities, resolving ambiguity that had existed in the original text. Nonprofits and institutions of higher education are also exempt. If your organization falls into one of these categories, the KCDPA does not apply to you, though you should verify the specific scope of each exemption against your actual processing activities rather than assuming categorical exemption.

Tracking which of the 20+ active US state privacy laws apply to your operations — and what each one actually requires in practice — is the starting point for any multi-state privacy compliance program in 2026.

Consumer Rights Under the KCDPA

Kentucky consumers covered by the law have five core rights, all of which controllers must honor within 45 days of a verified request, with a 45-day extension available when reasonably necessary.

The right to access allows consumers to confirm whether a controller is processing their personal data and to obtain a copy of that data. The right to correction allows consumers to request that inaccuracies in their personal data be corrected. The right to deletion allows consumers to request that their personal data be deleted, subject to narrow exceptions such as legal obligations or completion of a transaction. The right to data portability allows consumers to obtain their data in a portable, usable format. These four rights are standard across virtually all Virginia-model state laws and broadly consistent with what California's CCPA/CPRA provides, though the mechanisms differ.

The right to opt out covers three specific processing activities: targeted advertising (which the KCDPA defines as displaying ads selected based on personal data obtained from a consumer's activity across nonaffiliated websites), the sale of personal data (defined narrowly as exchange for monetary consideration, not the broader "valuable consideration" standard California uses), and profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Notably, the KCDPA does not require controllers to recognize universal opt-out mechanisms such as Global Privacy Control browser signals. This is a material difference from California's CPRA, Colorado's CPA, and Connecticut's law, which do require GPC recognition. Businesses operating only under the KCDPA (and not subject to those other state laws) do not need to build GPC signal processing into their infrastructure for Kentucky compliance. Organizations that are subject to those other states do, and a unified infrastructure that handles GPC signals will cover all of them.

When a consumer's rights request is denied, controllers must inform the consumer of the denial and provide a process through which the consumer can appeal the decision. If the controller denies the appeal, the consumer may file a complaint directly with the Kentucky Attorney General's Office of Data Privacy.

Business Obligations

Controllers — the entities that determine the purposes and means of processing personal data — carry the primary compliance obligations under the KCDPA. Processors — entities that process personal data on behalf of a controller, such as SaaS vendors or analytics platforms — must operate under a written contract with the controller that specifies the scope of processing, security requirements, and the processor's obligation to assist the controller in meeting its KCDPA duties.

The privacy notice obligation requires controllers to maintain a "reasonably accessible, clear, and meaningful" privacy notice that discloses: the categories of personal data being processed, the purposes of that processing, how consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties receiving the data. For organizations that serve consumers across multiple states, a single well-constructed privacy notice that satisfies the disclosure requirements of the most demanding applicable law — typically California's — will generally satisfy Kentucky's requirements as a subset. Building a privacy program infrastructure that handles data inventory, privacy notices, and DSAR workflows as integrated operational functions rather than separate compliance exercises is what makes multi-state compliance operationally sustainable.

Data minimization and purpose limitation require that personal data collection be limited to what is "adequate, relevant, and reasonably necessary" for the disclosed processing purpose. Data collected for one purpose cannot be repurposed for an incompatible one. This principle has direct implications for marketing teams that routinely collect data for one stated purpose and then route it to other uses — CRM enrichment, cross-sell targeting, third-party data sharing — that were not disclosed at collection.

Data security requires that controllers implement "appropriate administrative, technical, and physical security measures" to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm. The KCDPA does not prescribe specific security standards, but the "appropriate" standard invites assessment of the sensitivity of the data, the volume of data processed, and the state of the art in security practices for the industry.

Controllers must also process personal data in a nondiscriminatory manner — they cannot deny goods or services, charge different prices, or provide different quality to consumers who exercise their KCDPA rights. And they must comply with restrictions on selling the personal data of, or directing targeted advertising to, individuals under 16 years of age when the controller knows or reasonably should know the individual is a minor.

Sensitive Data: The Opt-In Requirement

The KCDPA's treatment of sensitive data is one of its most operationally significant features because it switches from the default opt-out model to a mandatory opt-in consent requirement. Sensitive data under the KCDPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis or condition, sex life or sexual orientation, citizenship or immigration status, genetic data, biometric data processed for the purpose of identifying a specific individual, personal data collected from a known child, and precise geolocation data.

For any of these categories, controllers must obtain opt-in consent before processing. This is a higher standard than the baseline opt-out model and requires affirmative, informed user action rather than passive non-objection. The practical implication is that any product feature or data flow that touches these categories — a health app that infers mental health conditions from usage patterns, a retail loyalty program that infers religious affiliation from purchase history, any system that processes precise location data — needs a documented consent mechanism that meets the opt-in standard.
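The rules described in the preceding sections (purpose limitation, the three opt-out purposes, the under-16 restriction on sale and targeted advertising, and opt-in consent for each sensitive category) are easiest to enforce consistently when every data flow passes through one policy gate rather than each feature team checking consent on its own. The following is an added example, not code from the article or from Secure Privacy's platform; the category and purpose labels, the `ConsentState` record structure, and the sample consent records are constructed for illustration. The gate denies by default, records an audit entry for every decision, and checks sensitive-category opt-in regardless of purpose, so a permitted purpose can never override a missing opt-in.

```python
from dataclasses import dataclass, field
from typing import Optional

# Sensitive data categories as listed in the KCDPA discussion above.
# The string labels are constructed for this example, not statutory terms.
SENSITIVE_CATEGORIES = {
    "racial_or_ethnic_origin",
    "religious_beliefs",
    "health_diagnosis",
    "sex_life_or_sexual_orientation",
    "citizenship_or_immigration_status",
    "genetic_data",
    "biometric_identification",
    "known_child_data",
    "precise_geolocation",
}

# Purposes a consumer may opt out of: targeted advertising, sale, and
# profiling with legal or similarly significant effects.
OPT_OUT_PURPOSES = {"targeted_advertising", "sale", "significant_profiling"}

# Purposes restricted when the controller knows (or should know) the
# consumer is under 16.
MINOR_RESTRICTED_PURPOSES = {"targeted_advertising", "sale"}


@dataclass
class ConsentState:
    """Per-consumer consent record (hypothetical structure for this example)."""
    opt_in_categories: set = field(default_factory=set)   # affirmative opt-ins
    opted_out_purposes: set = field(default_factory=set)  # recorded opt-outs
    known_age: Optional[int] = None                       # None if age unknown


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(consumer_id, data_categories, purpose, consent, disclosed_purposes, audit_log):
    """Decide whether one processing operation may proceed and log the outcome."""

    def finish(allowed, reason):
        # Every decision, allowed or denied, leaves an audit entry.
        audit_log.append({
            "consumer_id": consumer_id,
            "purpose": purpose,
            "categories": sorted(data_categories),
            "allowed": allowed,
            "reason": reason,
        })
        return Decision(allowed, reason)

    # 1. Purpose limitation: only purposes disclosed in the privacy notice.
    if purpose not in disclosed_purposes:
        return finish(False, f"purpose '{purpose}' not disclosed in privacy notice")

    # 2. Under-16 restriction on sale and targeted advertising.
    if (consent.known_age is not None and consent.known_age < 16
            and purpose in MINOR_RESTRICTED_PURPOSES):
        return finish(False, f"'{purpose}' not permitted for known minor under 16")

    # 3. Honour a recorded opt-out for the opt-out purposes.
    if purpose in OPT_OUT_PURPOSES and purpose in consent.opted_out_purposes:
        return finish(False, f"consumer opted out of '{purpose}'")

    # 4. Sensitive categories need an affirmative opt-in, whatever the purpose.
    missing = sorted((set(data_categories) & SENSITIVE_CATEGORIES) - consent.opt_in_categories)
    if missing:
        return finish(False, "no opt-in consent for sensitive categories: " + ", ".join(missing))

    return finish(True, "allowed")


if __name__ == "__main__":
    # Constructed sample: purposes disclosed by a hypothetical privacy notice.
    disclosed = {"order_fulfilment", "targeted_advertising", "sale"}
    log = []
    geo_ok = ConsentState(opt_in_categories={"precise_geolocation"})
    print(evaluate("c1", {"email", "precise_geolocation"}, "order_fulfilment", geo_ok, disclosed, log))
    print(evaluate("c1", {"email", "health_diagnosis"}, "targeted_advertising", geo_ok, disclosed, log))
    print(evaluate("c2", {"email"}, "sale", ConsentState(known_age=15), disclosed, log))
    print(evaluate("c3", {"email"}, "targeted_advertising",
                   ConsentState(opted_out_purposes={"targeted_advertising"}), disclosed, log))
    print(evaluate("c1", {"email"}, "cross_sell_scoring", geo_ok, disclosed, log))
    for entry in log:
        print(entry)
```

The ordering of the checks is deliberate: an undisclosed purpose is rejected before any consent is consulted, because consent cannot cure a purpose-limitation failure, and the sensitive-category check runs last so that its denial reason lists exactly which opt-ins are missing for the consent audit.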

The intersection between sensitive data categories, consent requirements, and the AI processing of personal information — where behavioral data is used to infer sensitive attributes — is a compliance risk that many organizations are not adequately assessing as part of their KCDPA readiness.

Data Protection Assessments

The KCDPA requires controllers to conduct and document Data Protection Assessments (DPAs) for certain high-risk processing activities. These include processing personal data for targeted advertising, selling personal data, processing sensitive data, and profiling where there is a foreseeable risk of unfair or deceptive treatment, potential injury to consumers, or intrusion on their privacy.

The key timing nuance is that the DPA requirement applies only to processing activities created or generated on or after June 1, 2026. Processing that predates that threshold is not retroactively captured, though organizations should still conduct assessments for existing high-risk processing as a governance best practice and because regulators will expect evidence of risk assessment discipline across the program. A single DPA can cover comparable sets of processing operations involving similar activities, which reduces the documentation burden for organizations with consistent processing patterns across product lines.

Assessments must weigh the benefits of the processing against the potential risks to consumer privacy and must document the analysis. They do not need to be filed with any government authority under the KCDPA — unlike California, which requires CPPA submission attestations — but they must be maintained and available if the Attorney General requests them during an investigation.

How KCDPA Compares to Other State Laws

The KCDPA's Virginia-model DNA makes it highly predictable for any organization that has worked through VCDPA compliance. The consumer rights — access, correction, deletion, portability, opt-out — are structurally identical. The applicability thresholds are the same numbers. The entity-level exemptions track the same categories. The narrow monetary-consideration-only definition of "sale" is shared. The AG-only enforcement with no private right of action is shared.

Where the KCDPA diverges most clearly from more demanding state laws is on three points. First, the absence of a GPC/universal opt-out signal requirement distinguishes Kentucky from California, Colorado, and Connecticut. Second, the permanent 30-day cure period is more business-friendly than most states: California eliminated its cure period for intentional violations, Colorado's cure period sunset in 2024, and Rhode Island (which also took effect January 1, 2026) has no cure period at all. Third, there is no requirement to conduct and document legitimate interests balancing assessments of the kind GDPR demands, or the complex risk-based framework Colorado's law imposes.

Compared to California's CCPA/CPRA, KCDPA is narrower in every dimension: lower applicability thresholds, narrower sale definition, no employee data coverage, no revenue-only trigger, no GPC requirement, no private right of action, and no CPPA rulemaking authority that can expand obligations through regulation. For businesses that have already built a comprehensive CCPA-compliant program, KCDPA compliance is largely a matter of confirming that the existing infrastructure satisfies the Kentucky-specific requirements and ensuring that opt-in consent mechanisms are in place for any sensitive data processing involving Kentucky consumers.

Enforcement

The Kentucky Attorney General has exclusive authority to enforce the KCDPA. Consumers do not have a private right of action — they cannot sue directly for violations. Instead, consumers who believe their rights have been violated file complaints with the AG's Office of Data Privacy, which investigates and determines whether a violation occurred.

If the Office concludes a violation has occurred, it notifies the controller or processor. The controller then has 30 days to cure the violation and provide a written statement to the Office confirming the violation has been remedied and will not recur. If the controller fails to cure within that period, the AG may file a lawsuit seeking civil penalties of up to $7,500 per violation and injunctive relief. The cure period is permanent — it does not sunset, meaning no future legislative action is required to eliminate it. This is among the most business-friendly enforcement designs of any state comprehensive privacy law currently in effect.

The AG's Office of Data Privacy has signaled that its initial enforcement posture is educational, prioritizing guidance and assistance before pursuing punitive measures. That orientation is consistent with other state AGs in the early months of new privacy law enforcement. It should not be read as a signal that enforcement will remain light indefinitely, particularly as the national enforcement landscape hardens and as the AG office builds its complaint docket.

Compliance Checklist

For organizations that meet the KCDPA thresholds, the operational compliance tasks break down into five workstreams.

Data mapping comes first. Controllers cannot comply with data minimization, purpose limitation, or rights response obligations without knowing what personal data they collect, where it comes from, how it is used, who it is shared with, and how long it is retained. For Kentucky-specific compliance, the data map should identify which processing activities involve Kentucky consumers and flag any sensitive data categories for the opt-in consent audit.

Privacy notice updates follow from the data map. The notice must accurately describe the categories of data processed, the purposes, the consumer rights, the data sharing relationships, and the third-party categories. Any gap between what the notice says and what the data map shows is both a KCDPA compliance problem and an enforcement risk.

Consumer rights infrastructure — the intake, verification, and fulfillment workflow for access, correction, deletion, portability, and opt-out requests — must be operational. Controllers have 45 days to respond. The appeals process for denied requests must be documented and functional. Building automated DSAR workflows that handle intake, identity verification, and cross-system fulfillment reduces the operational cost of rights response at scale and creates the audit trail that documents compliance with statutory response timelines.

Vendor contracts should be reviewed and updated to ensure processors operating under KCDPA-covered processing have written agreements that meet the law's processor contract requirements. Existing GDPR-compliant DPAs or CCPA service provider agreements will generally contain the required elements, but the specific KCDPA obligations should be confirmed and documented.

Data Protection Assessments should be templated and scheduled for any new processing activities involving targeted advertising, data sales, sensitive data, or profiling that launch on or after June 1, 2026. Organizations that have GDPR DPIA templates can adapt them to the KCDPA's assessment requirements with relatively modest effort.

FAQ

What is the Kentucky Consumer Privacy Act?

The Kentucky Consumer Data Protection Act (KCDPA) is Kentucky's first comprehensive consumer data privacy law, effective January 1, 2026. It grants Kentucky consumers rights over their personal data and imposes obligations on businesses that meet the law's applicability thresholds.

When does the KCDPA take effect?

The law took effect January 1, 2026. Data Protection Assessments apply to processing activities created on or after June 1, 2026.

Who must comply with the KCDPA?

Businesses that conduct business in Kentucky or target Kentucky residents with products or services and that annually process personal data of 100,000 or more Kentucky consumers, or 25,000 or more if over 50% of gross revenue comes from selling personal data.

Does the KCDPA require consent?

It requires opt-in consent for processing sensitive data categories including health, genetic, biometric, precise geolocation, and data from known children. For non-sensitive processing, it follows an opt-out model — businesses may process data unless a consumer opts out.

How is KCDPA different from CCPA?

The KCDPA is narrower: it has no standalone revenue threshold, covers only consumer (not employee) data, uses a monetary-consideration-only sale definition, does not require GPC signal recognition, has a permanent 30-day cure period, and has no private right of action. California's CCPA/CPRA is considerably more expansive across all of these dimensions.

The KCDPA is in effect now. For organizations that already operate VCDPA-aligned compliance programs, the incremental work is modest. For organizations that have not yet addressed any of the Virginia-model state laws, Kentucky's arrival — alongside Indiana and Rhode Island in January 2026 — is a signal that the window for reactive compliance has closed and a proactive multi-state program is the only operationally rational approach.

See how Secure Privacy's consent management and privacy operations platform helps businesses implement KCDPA-compliant rights workflows, notice management, and data protection assessments across all applicable US state privacy laws.
