Kentucky Consumer Data Protection Act (KCDPA): Complete 2026 Compliance Guide
Kentucky’s Privacy Law Is Now Live
The Kentucky Consumer Data Protection Act (KCDPA) took effect on January 1, 2026. Signed by Governor Beshear in April 2024, it made Kentucky one of the first states to enact a comprehensive data privacy law in that year’s legislative session. Like most recent state privacy laws, the KCDPA draws heavily from the Virginia Consumer Data Protection Act (VCDPA) framework.
Kentucky is now part of a growing group of 21 states with comprehensive privacy laws. Here is everything your business needs to know about compliance.
Who Does the KCDPA Apply To?
The KCDPA applies to persons that conduct business in Kentucky or produce products or services targeted to Kentucky residents, and that during a calendar year meet either of the following thresholds:
- Control or process personal data of 100,000 or more Kentucky consumers, OR
- Control or process personal data of 25,000 or more Kentucky consumers and derive more than 50% of gross revenue from the sale of personal data
These thresholds mirror those in Virginia, Indiana, and Oklahoma. Use our Privacy Law Calculator to check applicability across all state privacy laws at once.
Key Exemptions
The KCDPA exempts:
- Government entities (state, county, municipal)
- Nonprofit organizations
- Institutions of higher education
- Entities and data regulated under HIPAA (as amended by HB 473 to clarify that HIPAA-covered data is exempt even when held by non-HIPAA-covered entities in certain circumstances)
- Financial institutions and data subject to the Gramm-Leach-Bliley Act
- Data regulated under FERPA, FCRA, DPPA, and other federal frameworks
The 2025 amendment (HB 473) notably expanded the HIPAA exemption to better protect healthcare entities from dual compliance burdens.
Consumer Rights Under the KCDPA
Kentucky consumers have the following data privacy rights:
- Right to confirm and access — verify whether their data is being processed and obtain a copy
- Right to correct — fix inaccuracies in their personal data
- Right to delete — request deletion of their personal data
- Right to data portability — receive a copy in a portable, readily usable format
- Right to opt out of targeted advertising — stop the use of their data for targeted ads
- Right to opt out of sale — prevent the sale of their personal data
- Right to opt out of profiling — opt out of profiling that produces legal or similarly significant effects
Controllers must respond to requests within 45 days, with a possible 45-day extension. An appeals process must be provided when requests are denied. If the appeal is also denied, consumers must be informed of how to file a complaint with the Kentucky Attorney General.
Business Obligations
Privacy Notice Requirements
Controllers must provide an accessible, clear, and meaningful privacy notice disclosing:
- Categories of personal data processed
- The purpose of processing
- How consumers can exercise their rights and appeal decisions
- Categories of data shared with third parties
- Categories of third parties receiving data
Data Minimization and Security
The KCDPA requires businesses to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose. Controllers must implement appropriate administrative, technical, and physical security measures to protect the confidentiality and integrity of personal data.
Sensitive Data
Processing sensitive personal data requires opt-in consent. Kentucky defines sensitive data as:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed to identify a specific person
- Personal data of a known child (under 13)
- Precise geolocation data
Data Protection Impact Assessments (DPIAs)
One of the KCDPA’s notable features is its approach to DPIAs. Controllers must conduct and document data protection assessments for processing that presents a heightened risk of harm, including:
- Targeted advertising
- Sale of personal data
- Processing of sensitive data
- Profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, or intrusion on solitude or seclusion
Under the 2025 HB 473 amendment, the DPIA requirement applies to processing activities created or generated on or after June 1, 2026. This means businesses have until mid-2026 to establish their assessment framework for new processing activities.
Processor Contracts
Contracts between controllers and processors must include provisions governing the nature, purpose, and duration of processing, the type of data processed, confidentiality obligations, and requirements to delete or return data at the controller’s direction.
Enforcement and Penalties
The KCDPA is enforced exclusively by the Kentucky Attorney General. There is no private right of action.
- 30-day cure period — the AG must provide written notice and a 30-day window to cure violations before taking action
- Penalties — up to $7,500 per violation, plus investigative costs and reasonable attorney’s fees
- Injunctive relief — the AG can seek court orders to stop violations
The Kentucky AG has published a consumer rights information page outlining protections under the KCDPA, signaling active interest in enforcement. Stay up to date with our enforcement tracker.
How the KCDPA Compares to Other State Laws
Kentucky’s law aligns closely with the Virginia model. Key comparisons:
- Thresholds: Identical to Virginia, Indiana, and Oklahoma (100K consumers or 25K + 50% revenue from data sales)
- No universal opt-out requirement: Like Indiana and Oklahoma, Kentucky does not require businesses to honor universal opt-out mechanisms like GPC. Check your obligations with our GPC Compliance Checker.
- DPIA timing: Unique provision — DPIA requirements apply only to processing activities created or generated on or after June 1, 2026
- HIPAA exemption expansion: Broader HIPAA exemption than many other states following the HB 473 amendment
- Cure period: Permanent 30-day cure period — more business-friendly than states where cure periods have expired
For a detailed side-by-side view, use our state comparison tool.
Step-by-Step Compliance Plan
- Determine applicability — Check whether you meet the 100K or 25K+ threshold for Kentucky consumers. Our calculator automates this across all states.
- Conduct a data inventory — Identify what personal data you collect from Kentucky consumers, where it is stored, how it flows, and who can access it.
- Update your privacy notice — Ensure your privacy policy includes all required Kentucky disclosures: categories, purposes, rights, third-party sharing, and appeal process.
- Build consumer rights workflows — Implement request intake, identity verification, and response processes to meet the 45-day deadline.
- Implement consent for sensitive data — Add opt-in consent mechanisms for any processing of sensitive personal data.
- Prepare for DPIAs — Establish a framework for conducting data protection impact assessments by June 1, 2026, when the requirement kicks in for new processing activities.
- Update processor agreements — Review and amend vendor contracts to include the required processor provisions.
- Document everything — Maintain records of your compliance efforts, consumer request responses, and data protection assessments.
For a complete checklist, visit the Kentucky compliance checklist.
The Bottom Line
Kentucky’s Consumer Data Protection Act follows the well-established Virginia framework, and businesses already compliant with similar state laws will find the transition manageable. The most notable difference is the phased DPIA requirement (June 1, 2026 for new processing activities) and the expanded HIPAA exemption. With penalties of up to $7,500 per violation and the Kentucky AG actively publicizing consumer rights, compliance should be a priority for any business with a meaningful Kentucky consumer base.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.