Fast Facts About Kentucky's Privacy Law


State assemblies are far from finished when it comes to passing privacy legislation. In March 2024, Kentucky became the 16th state to create its own comprehensive privacy law (if you count Florida's very narrow law).

The Kentucky Consumer Data Privacy Act (KCDPA) takes a cautious approach to privacy regulation, largely copying and pasting provisions from the Virginia Consumer Data Protection Act (prior to that law's amendments regarding minors’ data).

Here are the KCDPA's major features and how it could affect businesses.

When Does the KCDPA Go Into Effect?

The Kentucky privacy law goes into effect on January 1, 2026.

What Organizations Must Comply?

The Kentucky Consumer Data Privacy Act applies to any person or organization that does business in the state of Kentucky or targets its products or services toward state residents, and meets at least one of the following requirements:

  • Controls or processes the personal data of at least 100,000 state residents per year, OR
  • Controls or processes the personal data of at least 25,000 state residents per year AND derives over 50% of its revenue from the sale of personal data

The KCDPA has many of the same exemptions as other laws, including for government bodies and entities already regulated by federal laws such as the GLBA or HIPAA. It has also a new exemption for data covered by the federal Combat Methamphetamine Epidemic Act.

What Rights Do Consumers Have Under Kentucky Law?

The KCDPA gives consumers the following rights.

  • Right to Know - Consumers have the right to confirm whether a business is processing their personal data and to access that data.
  • Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.
  • Right to Delete - Upon request, businesses must delete personal data concerning the consumer.
  • Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.
  • Right to Opt Out - Consumers can opt out of:
    • The sale of their personal data
    • Targeted advertising
    • Profiling in furtherance of automated decisions that produce legal or similarly significant effects

Unlike many of the more recent state privacy laws, the KCDPA has no provisions requiring the recognition of universal opt-out mechanisms (UOOMs), such as Global Privacy Control, on their websites. 

What Is “Personal Data”?

Personal data is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.

Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits. 

Are Data Protection Assessments Required?

The KCDPA requires organizations to perform data protection assessments for certain types of processing activities that present a “heightened risk of harm” to consumers. This includes:

  • Targeted advertising
  • Sale of personal data
  • Profiling of consumers, where it presents a foreseeable risk of harm
  • Processing of sensitive personal data
  • Any other processing activity that presents a heightened risk of harm to consumers

How Much Do Violations Cost?

The statute provides for damages of up to $7,500 per violation. The Attorney General's Office must give businesses 30 days to cure any alleged violations.

Can Businesses Be Sued by Consumers?

The KCDPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations. Only the Kentucky Attorney General’s Office has authority to enforce the law.

Cross-Country Privacy Compliance

The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.

TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Built by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.

To learn more about how TrueVault US can help your business, contact our team today.


Schedule Call