The Kentucky Consumer Data Protection Act (“KCDPA”) went into effect on January 1, 2026. This new law provides Kentucky consumers with certain rights regarding their personal data collected by certain businesses, as summarized below. The KCDPA is codified in KRS 367.3611 to 367.3629, which can be read here.
Rights of Kentucky consumers about their personal data.
The KCDPA provides Kentucky consumers with the following rights:
- Right to confirm whether certain businesses collecting personal data (“controllers”) are processing their personal data;
- Right to access their collected personal data (without revealing trade secrets);
- Right to correct inaccuracies in the consumer's personal data;
- Right to delete personal data provided by, or obtained about, the consumer;
- Right to obtain a portable copy of their personal data to the extent feasible (without revealing trade secrets);
- Right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling “in furtherance of decisions that produce legal or similarly significant effects” concerning the consumer; and
- Right to have their sensitive data protected from processing without the consumer's consent.
Personal Data
“Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include deidentified data or publicly available information (public records).
Please note: Not all types of personal data are covered by the KCDPA. The following are some of the types of personal data exempt from the KCDPA: (1) protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”); (2) health records; (3) patient identifying information; and (4) other data (a full list of exempt data can be found here).
Sensitive Data
Sensitive data is personal data that has added protections under the KCDPA.
Sensitive data is data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used for personal identification; precise geolocation data; and data collected from a known child younger than 13 years old.
Controllers cannot process a consumer's sensitive data without first obtaining the consumer's consent.
Controllers
The KCDPA applies to “Controllers,” defined as persons or businesses that either: (1) control or process the personal data of at least 100,000 Kentucky consumers; or (2) control or process the personal data of at least 25,000 Kentucky consumers and derive 50% of their gross revenue from the sale of personal data.
Some types of businesses and entities are exempt from the KCDPA. The following are some of the exempt entities: (1) cities, state agencies, or any political subdivision of the state; (2) nonprofit organizations; (3) institutions of higher education; and (4) others (a full list of exempt entities can be found here).
Notice to Consumers
Controllers must provide Kentucky consumers with an “accessible, clear, and meaningful” privacy notice, which includes:
(a) The categories of personal data processed by the Controller;
(b) The purpose for processing personal data;
(c) The categories of personal data that the Controller shares with third parties, if any;
(d) The categories of third parties, if any, with whom the controller shares personal data;
(e) How consumers may exercise their KCDPA rights, including how a consumer may appeal a controller's decision to deny a consumer's request; and
(f) Whether the controller sells personal data to third parties or processes personal data for targeted advertising, and how consumers may exercise their right to opt out of such sales or processing.
How do Kentucky consumers exercise their KCDPA rights?
To exercise their KCDPA rights, consumers follow the instructions stated in the Controller's required privacy notice.
A consumer's request to a Controller must specify which KCDPA rights they want to invoke.
Controllers must provide KCDPA information to consumers, free of charge, up to twice annually per consumer.
A Controller must respond to the consumer's request without undue delay (but no later than forty-five (45) days). The Controller may extend the response period by forty-five (45) additional days when reasonably necessary, provided the consumer is notified of the extension and the reasons for it.
The Controller may request that the consumer provide additional information if needed to authenticate the consumer and request.
The Controller will either grant or deny the consumer's request. If a Controller declines the consumer's request, the Controller must inform the consumer without undue delay (but no later than forty-five (45) days) of its justification for declining to act and of instructions for how the consumer can appeal the denial.
The Controller's appeal process must be conspicuously available and similar to the process for submitting requests. Within sixty (60) days of receipt of an appeal, a Controller must inform the consumer, in writing, of any action taken or not taken in response to the appeal, along with an explanation of the reasons for the decision.
If the appeal is denied, the Controller must also provide the consumer with an online mechanism or other method through which the consumer may contact the Attorney General to submit a complaint.
What can the Attorney General's Office do to help?
Consumers do not have a private right of action for KCDPA violations. The Attorney General has sole authority to enforce the KCDPA against Controllers and Processors. A Processor is a company that processes personal data on behalf of a controller. The KCDPA requires that certain specific provisions be included in contracts between controllers and processors.
Consumers can file complaints with the Attorney General's Kentucky Office of Data Privacy if a Controller declines an appeal or if the Controller violates any other consumer right under the KCDPA. A complaint can be filed here.
If the Kentucky Office of Data Privacy determines that a KCDPA violation occurred, the Office will notify the Controller or processor that the violation occurred. A Controller then has 30 days to inform the Office, in writing, that the violation has been cured. If the Controller fails to cure a KCDPA violation within the 30-day period, the Office can file a lawsuit against the Controller and may seek civil penalties of up to $7,500 for each violation.
For further assistance call the Kentucky Office of Data Privacy at (502) 892-8538 or email: matthew.cocanougher@ky.gov.