Kentucky Consumer Data Protection Act (KCDPA) – A Detailed Guide for Business Owners
The Kentucky Consumer Data Protection Act (KCDPA), effective from January 1, 2026, is enacted to protect the privacy rights of Kentucky residents concerning their personal data. It establishes a clear framework for businesses to handle, process, and protect the personal data of consumers while granting Kentucky residents the right to control and access their data. If your business collects, processes, or sells personal data of Kentucky residents, it’s crucial to understand the KCDPA and how it impacts your operations.
Scope of the KCDPA: Who Needs to Comply?
The KCDPA regulates businesses operating in Kentucky or targeting products and services to Kentucky residents, provided they meet the following thresholds:
- Process data of 100,000 or more Kentucky residents in a calendar year; or
- Process data of 25,000 or more consumers and derive over 50% of their revenue from the sale of personal data.
Exempted Entities
The law specifically excludes certain entities from its scope, including:
- Government Agencies and Political Subdivisions: The KCDPA does not apply to state and local government bodies, including public universities.
- Financial Institutions: Businesses governed by the Gramm-Leach-Bliley Act (GLBA) are exempt, such as banks, credit unions, and insurance companies.
- Healthcare Entities: Organizations covered by the Health Insurance Portability and Accountability Act (HIPAA), like hospitals and healthcare providers, are exempt.
- Nonprofits: Certain nonprofit organizations are excluded from the law.
- Educational Institutions: Universities and other higher education institutions that are regulated under federal privacy laws such as FERPA (Family Educational Rights and Privacy Act) are exempt from KCDPA.
Understanding whether your business falls under the law is critical, as these exemptions significantly reduce the compliance burden.
Key Definitions under the KCDPA
For businesses to fully comply, it is essential to understand the key definitions laid out by the law:
Personal Data: This refers to any information that can be linked to an identified or identifiable individual. This includes names, email addresses, and any other information used to track a person’s activities. It’s important to note that de-identified data (data that cannot be linked back to an individual) and publicly available information are not classified as personal data.
Sensitive Data: This category needs extra protection because its processing is more intrusive by nature. Sensitive data includes:
- Health information
- Biometric data
- Genetic data
- Precise geolocation data
- Data about minors
- Racial or ethnic data, religious beliefs, and sexual orientation.
Businesses must be particularly cautious when processing sensitive data, as the law demands higher standards of notice and consent for these categories.
Consumer: In the KCDPA, a consumer is defined as a natural person who is a Kentucky resident and acts only in a personal or household context. This excludes individuals acting in a commercial or employment context, meaning the law does not cover employee data.
Controller: The entity that decides how and why consumer data is collected and used. In other words, you are the controller if your business makes those decisions about consumer data.
Processor: A processor is an entity that processes personal data on behalf of the controller. For example, a third-party vendor that handles customer data on behalf of your company would be considered a processor.
Sale of Personal Data: The exchange of personal data for monetary consideration, including sharing data with third parties. However, the law carves out exceptions to what counts as a sale, including transfers to service providers and affiliates.
Consumer Rights under the KCDPA
The law grants consumers the following rights over their personal data. It’s critical for businesses to implement processes to enable consumers to easily exercise these rights:
Right to Access
Consumers have the right to request confirmation of whether a business is processing their personal data. They also have the right to access that data, allowing them to understand what personal information the business holds about them.
Right to Deletion
Consumers can request that businesses delete their personal data, except when data must be retained for legal or contractual reasons.
Right to Data Portability
Consumers can request a copy of their personal data in a format that can be easily transferred to another business or service provider. This right ensures that data can be moved freely across services without unnecessary obstacles.
Right to Opt-Out of Sales and Targeted Advertising
Consumers have the right to opt out of the sale of their personal data and of targeted advertising based on that data. Businesses must provide a clear and accessible way for consumers to exercise this right.
Business Obligations under the KCDPA
Businesses must adhere to several key obligations to ensure they meet KCDPA compliance requirements:
Data Security
To safeguard personal data, businesses must implement reasonable administrative, technical, and physical data security practices.
Transparency
Businesses must be transparent with consumers about their data practices by providing a clear and easily accessible privacy notice that explains:
- The types of personal data processed.
- The purposes of data processing.
- How consumers can exercise their rights under KCDPA.
Contracts with Processors
If your business uses processors (e.g., third-party vendors or service providers), the KCDPA requires that you have written contracts that outline the terms of data processing. These contracts must specify:
- The types of data processed.
- The purpose of processing.
- The duration of processing.
- The rights and obligations of both parties regarding data security, breach notification, and data retention.
No Discrimination for Exercising Rights
The KCDPA explicitly prohibits businesses from discriminating against consumers who exercise their rights under the law. For example, a business cannot deny services, charge higher fees, or provide lower quality services to a consumer who opts out of data collection or requests deletion of their data.
Sensitive Data Processing
Businesses must present consumers with clear notice and the option to opt out before processing sensitive data. If the consumer does not agree, the business cannot process that data, unless the processing is exempt under other laws (such as for healthcare data).
Enforcement and Penalties
Enforcement of the KCDPA lies exclusively with the Kentucky Attorney General (AG). If a business violates the law, the AG may initiate enforcement actions.
Enforcement Procedures
Before taking any legal action, the Attorney General must first send the business a notice identifying the alleged violations. The business then has 30 days to cure them. If the business is not compliant within those 30 days, the Attorney General may initiate a lawsuit and impose fines.
Fines
Businesses that continue to violate the law after the cure period may face penalties of up to $7,500 per violation. This means each instance of non-compliance could result in significant fines. For example, failing to honor a consumer's opt-out request could result in multiple violations, each subject to penalties.
No Private Right of Action
The KCDPA does not allow consumers to sue businesses directly. Only the Attorney General has the authority to take action, ensuring that enforcement remains centralized and manageable. However, businesses must still be proactive in preventing violations to avoid hefty penalties.
Exemptions and Limitations
There are several exemptions and limitations under the KCDPA that businesses should be aware of:
Legal Exemptions
Certain types of data and processing activities are exempt from the law, including:
- Health information covered by HIPAA (e.g., medical records).
- Patient identifying information (e.g., for substance abuse treatment).
- Data for human subjects research under federal regulations.
- Credit data under the Fair Credit Reporting Act (FCRA).
- Driver’s license data under the Driver’s Privacy Protection Act (DPPA).
- Educational records governed by FERPA.
- Farm Credit data under the Farm Credit Act.
- Employee data collected for employment purposes, and emergency contact information.
De-identified and Pseudonymous Data
De-identified or pseudonymous data is not subject to the same requirements as identifiable data. If your business processes pseudonymous data (data that cannot be traced back to an individual without additional information), you are not required to fulfill certain consumer rights, such as access or deletion, unless the identifying information is re-associated with the data.
Research and Public Safety
Businesses can process personal data for public safety or scientific research purposes without complying with the full provisions of the KCDPA. However, these activities must follow strict ethical standards and must be approved by relevant institutional review boards (IRBs) to ensure consumer privacy is protected.
Steps for Compliance
To ensure compliance with the KCDPA, businesses should take the following steps:
- Determine Applicability: Assess whether your business meets the thresholds for KCDPA coverage (i.e., the volume of data processed or revenue derived from data sales).
- Update Privacy Policies: Revise your privacy notices to align with KCDPA requirements, ensuring transparency regarding data practices and consumer rights.
- Implement Data Security Measures: Invest in appropriate cybersecurity practices to protect personal data from breaches or unauthorized access.
- Respond to Consumer Rights Requests: Develop internal processes to handle consumer requests for data access, deletion, portability, and opt-out.
- Review Contracts with Processors: Make sure all contracts with third-party processors meet KCDPA standards. They should address data security, breach notification, and other privacy responsibilities.
- Monitor Compliance: Continuously monitor your data processing practices and keep up with any updates or changes in the law.
By following these steps, businesses can ensure they meet the requirements of the KCDPA, avoid penalties, and demonstrate a strong commitment to protecting consumer data.
Conclusion
If your business collects, processes, or sells the personal data of Kentucky residents, complying with the KCDPA will help you avoid expensive fines and protect your reputation. To comply with the Kentucky Consumer Data Protection Act (KCDPA), make sure you understand the law's scope, key terms, consumer rights, and your responsibilities as a business. By doing this, you can take the right steps to align your operations with KCDPA requirements. With enforcement vested in the Attorney General and no private right of action for consumers, it is in your best interest to comply early.
