Kentucky is now one of 20 states to pass a comprehensive consumer privacy law, following a growing trend of states stepping up to the challenge of proactively regulating data through broader, more structured privacy frameworks. The Kentucky Consumer Data Protection Act (KCDPA) was passed on April 4, 2024, but did not go into effect until early 2026. The law sets new boundaries for employers and organizations doing business in or targeting Kentucky residents.
Kentucky’s new consumer data protection law took effect on January 1, 2026. Below is an overview of guidelines, exemptions, and requirements under the KCDPA.
Overview of KCDPA and who it applies to
KCDPA applies to businesses that meet certain size and data processing thresholds and grants new privacy rights to consumers.
Who the KCPDA applies to
Organizations are subject to the KCDPA if they:
1: Conduct business in Kentucky or target products/services to Kentucky residents, and
2: During a calendar year:
- Control or process personal data of at least 100,000 consumers, or
- Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Starting on June 1, 2026, data protection assessments for applicable entities will be required for processing activities.
Consumer rights
Kentucky residents now have rights that are similar to consumer rights in other state privacy laws that we have covered recently, such as Rhode Island and Indiana.
- Right to access: Confirm whether personal data is being processed and access relevant data.
- Right to correct: Request correction of inaccurate personal data.
- Right to remove data: Request deletion of personal data.
- Right to request convenient data access: Receive personal data in a portable, readily usable format.
- Right to opt ‑out of data use: Consumers are granted the right to decline data use for:
- Targeted advertising
- Sale of personal data
- Using personal data to make decisions with legal or major consequences
- Right to exercise rights freely: Consumers are explicitly granted the right to exercise their rights under the KCDPA without fear of penalty.
- Right to appeal: Consumers may appeal against a controller’s refusal to act on a rights request.
Business obligations for covered entities
- Privacy notice: Provide clear disclosures about:
- Categories of personal data collected
- Purposes for processing
- Consumer rights
- Third-party data sharing
- Data limitations: Collect only what is “reasonably necessary” for disclosed purposes.
- Transparency: Businesses are directed only to process data for the purposes communicated to consumers.
- Security measures: Businesses are responsible for setting appropriate technical and organizational safeguards.
- Sensitive data consent: Obtain opt-in consent before processing sensitive personal data.
- Consumer request response: Respond to consumer rights requests within 45 days, with a possible 45-day extension.
- Data processing agreements: Establish contracts with processors that handle personal data on behalf of the organization.
- Data protection assessments: Perform risk evaluations for activities that could present significant privacy concerns for sensitive data.
Enforcement and penalty overview
The KCDPA grants a cure period to address violations. However, businesses that go beyond this grace period may face steep cumulative fines for noncompliance with the new regulations.
Attorney General oversight
- Enforcement authority is exclusive to the Kentucky Attorney General.
- Organizations are granted a permanent 30-day cure period to address alleged violations.
Penalties
- Civil penalties may reach up to $7,500 per violation.
- Because enforcement authority is exclusively granted to the Kentucky Attorney General, the KCDPA does not provide a private right of action.
Businesses and data exempt from KCDPA
The KCDPA includes several entity-level and data-level exemptions that apply to certain organizations and to data already regulated under pre-existing federal laws
Entities that are exempt from the law
- State and local government agencies
- Nonprofit organizations
- Higher education institutions
- HIPAA-covered entities‑covered entities
- Financial institutions subject to the Gramm-Leach Bliley Act (GLBA)
Data exemptions
Mostly in conjunction with the entities the law does not apply to, KCDPA does not apply to data already regulated by the:
- Family Educational Rights and Privacy Act (FERPA): Applying to education records
- Health Insurance Portability and Accountability Act (HIPAA): Protected health information
- Fair Credit Reporting Act (FCRA): Covered or conflicting reporting data directives
- Gramm-Leach-Bliley Act (GLBA): Applying to covered financial data
To read the full details of the law, including all business guidelines and exemption details, take a closer look at the full text of the law here.
Why this matters, even if you don’t operate in Kentucky
It’s important to understand that KCDPA isn’t exclusive to employers in Kentucky; it applies to all businesses dealing with Kentucky resident consumer data that meet KDCPA’s guidelines.
Since 2020, multiple states have adopted a data privacy framework, but laws regarding data privacy don’t seem to be showing any signs of slowing down. We covered eight other states with new data privacy laws in 2025, and two more in January 2026, in our other industry news resources for employers.
As of February 2026, Kentucky is one of 24 states with a consumer data privacy law and one of 20 states with a comprehensive privacy framework. Although most of these laws are similar, there are some differences from state to state, so HR teams and employers operating in multiple states may require a more comprehensive approach to data privacy.
As always, check with your legal counsel to make sure your practices are up to date and compliant.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.
