
Kentucky Consumer Data Protection Act (KCDPA)

The Kentucky Consumer Data Protection Act (KCDPA), signed into law on April 4, 2024, positions Kentucky as the 15th U.S. state to enact comprehensive privacy legislation. Scheduled to take effect on January 1, 2026, the KCDPA grants consumers rights over their personal data and imposes obligations on businesses handling it. Modeled after Virginia’s Consumer Data Protection Act, it emphasizes transparency, data minimization, and consumer opt-out rights.


What is the Kentucky Consumer Data Protection Act (KCDPA)?

Why was KCDPA passed?

What makes KCDPA unique?


Key definitions in KCDPA

The key definitions in the Kentucky Consumer Data Protection Act (KCDPA) are outlined in Section 1 of the Act.

  • Consumer: A Kentucky resident acting in an individual or household context (not commercial or employment).
  • Personal data: Information that is linked or reasonably linkable to an identified or identifiable individual.
  • Sensitive data: Includes racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric/genetic data, precise geolocation, and children's data.
  • Controller: The person or business that determines the purpose and means of processing personal data.
  • Processor: A person or business that processes data on behalf of a controller.
  • Processing: Any operation performed on personal data, including collection, storage, use, and sharing.
  • Sale of personal data: The exchange of personal data for monetary consideration to a third party.
  • Targeted advertising: Ads shown based on a consumer’s personal data from activity across nonaffiliated websites or apps.

Who must comply with KCDPA?

The KCDPA applies to businesses that:

  • Conduct business in Kentucky or target products/services to Kentucky residents, and
  • During a calendar year, either:
    • Control or process personal data of at least 100,000 consumers, or
    • Control or process data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data

These thresholds are similar to those in Virginia’s VCDPA and help exclude smaller businesses from the law’s scope.

KCDPA exemptions

The KCDPA exempts government entities, nonprofits, higher education institutions, GLBA-regulated financial institutions, and HIPAA-covered entities. It also excludes data covered by HIPAA, FCRA, FERPA, DPPA and employment-related data.

Key provisions of KCDPA

The Kentucky Consumer Data Protection Act establishes comprehensive consumer data privacy protections. Key provisions of the KCDPA include:

  • Consumer rights: Individuals can access, correct, delete, and obtain a copy of their personal data, and opt out of targeted ads, data sales, and profiling.
  • Sensitive data: Requires opt-in consent before processing data like health info, race, religion, or geolocation.
  • Controller obligations: Businesses must provide clear privacy notices, limit data collection, and implement reasonable security measures.
  • Processor contracts: Controllers must have agreements with processors outlining data-handling responsibilities.
  • Appeals process: Consumers must be able to appeal when a rights request is denied.
  • Data protection assessments: Required for high-risk processing, like profiling or handling sensitive data.
  • Enforcement: Handled by the Kentucky Attorney General with a 30-day cure period for violations (no expiration).

Is KCDPA opt-in or opt-out?

The KCDPA is primarily an opt-out law. Consumers have the right to opt out of:

  • Targeted advertising
  • Sale of personal data
  • Profiling that produces significant effects

However, it requires opt-in consent to process sensitive data, such as health information, race, religious beliefs, and precise geolocation.

The price of non-compliance

The price of non-compliance with KCDPA includes:

  • Civil penalties of up to $7,500 per violation, enforced by the Kentucky Attorney General.
  • A 30-day cure period gives businesses an opportunity to fix violations before penalties are imposed. Unlike other U.S. state privacy laws, this cure period does not expire.
  • No private right of action, but enforcement can still result in public scrutiny, reputational damage, and increased regulatory oversight.


The impact of KCDPA on businesses

The Kentucky data privacy law introduces a structured framework for how businesses collect, use, and safeguard personal data.

What are the KCDPA requirements for businesses?

To comply with the KCDPA, businesses must:

  • Honor consumer rights: Enable consumers to access, correct, delete, and obtain their personal data, and opt out of targeted advertising, data sales, and profiling.
  • Obtain opt-in consent: Before processing sensitive data such as health, race, religion, or precise geolocation.
  • Provide clear privacy notices: Explain what data is collected, why it's used, and how consumers can exercise their rights.
  • Implement data security: Use reasonable administrative, technical, and physical safeguards to protect personal data.
  • Limit data collection: Collect only what is necessary for disclosed purposes.
  • Offer an appeals process: Allow consumers to challenge denied rights requests and escalate to the Attorney General if unresolved.
  • Maintain processor contracts: Ensure contracts with vendors outline their obligations for protecting personal data.
  • Conduct data protection assessments: Evaluate risks for high-impact processing like profiling or handling sensitive data.

The impact of KCDPA on consumers

Understanding Kentucky consumer rights

The impact of KCDPA on consumers is increased control, transparency, and protection over their personal data:

  • Greater control: Consumers can access, correct, delete, and obtain a copy of their personal data.
  • Opt-out rights: Individuals can opt out of targeted advertising, data sales, and profiling.
  • Consent for sensitive data: Businesses must get opt-in consent before processing sensitive data like health or location info.
  • Transparency: Clear privacy notices help consumers understand how their data is used.
  • Appeals process: If a rights request is denied, consumers can appeal and escalate to the Kentucky Attorney General.

How KCDPA compares to other U.S. data privacy laws

The KCDPA closely mirrors Virginia’s VCDPA, offering a structured, business-friendly framework. Compared to California’s CCPA/CPRA, it is narrower in scope—excluding employee and B2B data and lacking a private right of action. 

KCDPA vs other state privacy laws

State                    | Scope                  | Effective Date   | Key Features                                                                                              | Penalties for Non-Compliance
-------------------------|------------------------|------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------
Kentucky (KCDPA)         | Kentucky residents     | January 1, 2026  | Consumer rights, opt-out of targeted advertising and data sales, data protection assessments              | Up to $7,500 per violation
Rhode Island (RIDTPPA)   | Rhode Island residents | January 1, 2026  | Consumer rights to access, delete, and opt out of targeted advertising and data sales                     | Up to $10,000 per violation
Indiana (ICDPA)          | Indiana residents      | January 1, 2026  | Consumer rights, opt-out of targeted advertising, consent for sensitive data                              | Up to $7,500 per violation
Connecticut (CTDPA)      | Connecticut residents  | July 1, 2023     | Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights   | Up to $5,000 per violation
Colorado (CPA)           | Colorado residents     | July 1, 2023     | Opt-out for targeted advertising; sensitive data consent; data protection assessments                     | Up to $20,000 per violation
California (CCPA/CPRA)   | California residents   | January 1, 2023  | Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action | Up to $7,500 per violation
Virginia (VCDPA)         | Virginia residents     | January 1, 2023  | Opt-out rights, data protection assessments, strong consumer rights                                       | Up to $7,500 per violation
Texas (TDPSA)            | Texas residents        | July 1, 2024     | Consumer rights, data protection, opt-out of data sales                                                   | Up to $7,500 per violation
Oregon (OCPA)            | Oregon residents       | July 1, 2024     | Strong consumer rights, opt-out options, data minimization                                                | Up to $7,500 per violation
Iowa (ICDPA)             | Iowa residents         | January 1, 2025  | Data protection, opt-out of data sharing                                                                  | Up to $7,500 per violation
Montana (MCDPA)          | Montana residents      | October 1, 2024  | Consumer rights, opt-out options, sensitive data consent                                                  | Up to $7,500 per violation
New Jersey (NJDPA)       | New Jersey residents   | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising                                    | Up to $10,000 per violation

What makes KCDPA stand out?

KCDPA applies only to larger businesses based on consumer count, not revenue thresholds like some other states. It provides core rights like access, correction, deletion, and opt-out, and requires opt-in consent for sensitive data—similar to laws in Colorado and Connecticut. One key distinction is its permanent 30-day cure period, which does not sunset, giving businesses a consistent opportunity to remedy violations.

What makes KCDPA stand out:

  • No revenue threshold: Applicability is based solely on consumer data volume, not revenue from data sales.
  • Permanent 30-day cure period: Unlike other states, the cure period for violations never expires.
  • No private right of action: Only the Kentucky Attorney General can enforce the law, reducing litigation risk.
  • Modeled after Virginia’s VCDPA: Offers a familiar, business-friendly structure for compliance.
  • Strong consumer rights: Includes access, correction, deletion, portability, and opt-out of targeted ads, data sales, and profiling.
  • Processor contract requirements: Mandates written agreements outlining processor responsibilities.
  • Applies to sensitive data: Requires opt-in consent for processing health, biometric, and geolocation data.
  • No provision for UOOMs: Unlike many other U.S. states, Kentucky will not require controllers to allow consumers to communicate their privacy preferences through UOOMs.

What are the differences between KCDPA and CCPA?

KCDPA applies only to consumer data (not employee or B2B), has no private right of action, and includes a permanent 30-day cure period. CCPA is broader, allows limited private lawsuits, and includes more complex compliance rules like recognizing global opt-out signals.

What are the differences between KCDPA and GDPR?

KCDPA is a U.S. state law with opt-out rights and limited scope, applying to larger businesses. GDPR is broader, applies globally, requires opt-in consent for most processing, mandates a legal basis for data use, allows private lawsuits, and requires a data protection officer in some cases.

How to ensure KCDPA compliance

If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. 

What is KCDPA compliance?

KCDPA compliance means meeting Kentucky’s privacy law requirements by enabling consumer rights, protecting personal data, limiting data collection, obtaining consent for sensitive data, and maintaining proper contracts and security. Enforcement is handled by the Attorney General.

How to comply with KCDPA

To comply with the Kentucky Consumer Data Protection Act (KCDPA), businesses should:

  1. Map data flows: Identify what personal data you collect, process, and share.
  2. Update privacy policies: Clearly explain data practices and consumer rights.
  3. Enable consumer rights requests: Build systems for access, correction, deletion, and opt-out.
  4. Obtain opt-in consent: Before processing sensitive data.
  5. Review processor contracts: Ensure they meet KCDPA requirements.
  6. Conduct data protection assessments: For high-risk activities like profiling or sensitive data use.
  7. Implement security measures: Safeguard data with reasonable protections.
  8. Train staff: Educate teams on privacy obligations and request handling.
  9. Establish an appeals process: Let consumers challenge denied requests.
  10. Document compliance efforts: Keep records to show good faith in case of enforcement.

How Ketch can simplify KCDPA compliance

Using the Ketch Platform, you can automate and streamline KCDPA compliance with:

When you automate these processes, you enable your internal stakeholders: 

  • Your developers and marketers can do their jobs without fretting about regulations
  • Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)

Final thoughts: Preparing your business for KCDPA

The KCDPA introduces clear responsibilities for businesses and meaningful rights for Kentucky consumers. With enforcement on the horizon, now is the time to assess your data practices, update privacy notices, build consumer rights workflows, and review vendor contracts. Taking proactive steps not only ensures data privacy compliance but also strengthens trust with your customers in an increasingly privacy-conscious environment.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 

Read further: 2026 U.S. State Privacy Laws: what you need to know

FAQs about the Kentucky privacy regulation


  1. Does KCDPA apply to small businesses?
    KCDPA generally does not apply to small businesses. It only applies to entities that:
    • Process personal data of at least 100,000 Kentucky consumers annually, or
    • Process data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data
  2. Does KCDPA apply to nonprofits or government agencies?
    No. KCDPA exempts nonprofits, state and local government entities, and institutions of higher education.
  3. Does KCDPA apply to employee or business-to-business (B2B) data?
    No. It only applies to consumers acting in an individual or household context—not in an employment or commercial capacity.
  4. Is there a revenue threshold for applicability under KCDPA?
    No. KCDPA does not include a revenue-based threshold—only thresholds based on the number of consumers whose data is processed.
  5. Can consumers use authorized agents to submit data requests?
    Yes. Consumers may designate authorized agents to act on their behalf, but businesses may require proper authentication.
  6. Does KCDPA require honoring universal opt-out mechanisms like Global Privacy Control (GPC)?
    No. KCDPA does not mandate recognition of universal opt-out signals, though businesses may choose to support them.
  7. What qualifies as “sensitive data” under KCDPA?
    Sensitive data includes health info, race/ethnicity, religious beliefs, sexual orientation, citizenship status, biometric/genetic data, precise geolocation, and children’s data under 13.
  8. How long do businesses have to respond to consumer rights requests?
    Businesses must respond within 45 days, with a possible 45-day extension when reasonably necessary.
  9. Are small businesses exempt from KCDPA?
    Generally yes, unless they process data of 100,000+ consumers, or 25,000+ consumers and derive 50%+ revenue from data sales.
  10. What is required in a data protection assessment?
    It must evaluate risks to consumer rights from high-risk processing activities like profiling, targeted ads, or processing sensitive data.
  11. How can consumers escalate unresolved issues?
    If a business denies or fails to address a request properly, consumers can appeal. If still unresolved, they may file a complaint with the Kentucky Attorney General.