Kentucky Passes Privacy Law

The Kentucky Legislature passed the Kentucky Consumer Data Privacy Act (KCDPA), and the bill was signed by the Governor, making the Bluegrass State the 15^th to pass a privacy law.

Here is a breakdown of the key elements of the Kentucky privacy law that will go into effect on January 1, 2026.

Applicability

The law will apply to organizations that meet the following criteria:

• Control or process the personal data of at least 100,000 consumers
• Control or process the personal data of 25,000 or more consumers and derive more than 50% of their gross revenue from the sale of personal data.

The KCDPA has an exemption for organizations and data subject to HIPAA and the GLBA. The law also includes exemptions for non-profit organizations, institutions of higher education, and organizations using data to assist law enforcement investigate insurance-related crime.

Consumer Rights

Kentucky’s law gives consumers the following rights:

• Confirm whether a controller processes the consumer’s personal data and access to personal data
• Correct inaccuracies in their data
• Delete personal data
• Obtain a copy of the personal data held by the controller
• Opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or certain types of profiling

Business Obligations:

The Kentucky privacy law includes the following obligations for businesses:

• Limit collection and processing of personal data to what is adequate, relevant and reasonably necessary to the purposes for which the data was processed
• Implement and maintain reasonable safeguards to protect the personal data within their control
• Gain the consumer’s consent before collecting or processing data
• Do not discriminate against a consumer for exercising any of the consumer rights
• Gain the consumer’s consent before processing sensitive data. Sensitive data includes racial and ethnic data, religious beliefs, mental and physical health conditions, sexual information, citizenship status, precise geolocation data, and data collected from a known child.

Businesses must respond to consumer requests within 45 days. A 45-day extension is available when reasonably necessary.

Privacy Notice

The law requires businesses to provide a “reasonably accessible, clear, and meaningful” privacy notice that includes the following:

• The categories of personal data the controller processes
• The purpose for processing personal data
• How consumers may exercise their rights, including how a consumer may appeal a controller’s decision concerning the consumer’s request
• The categories of personal data that the controller shares with third parties
• The categories of all third parties to which the controller may disclose a consumer’s data

Data Protection Impact Assessments

The Kentucky Consumer Data Privacy Act requires businesses to conduct and document a data protection impact assessment of each of the following processing activities:

• Processing personal data for targeted advertising
• Processing data for selling
• Processing data for profiling
• Processing sensitive data
• Processing data that presents a heightened risk of consumer harm

Enforcement

The Kentucky Attorney General has the exclusive authority to enforce a violation. The law does not include a private right of action. There is a 30-day right-to-cure period. Penalties can be as much as $7500 per violation.

To learn how the KCDPA compares with other state laws that were previously passed, click here.

CompliancePoint has a team of experienced privacy professionals available to help your organization comply with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more.