KY

Kentucky Privacy Law

Kentucky Consumer Data Protection Act

Effective: January 1, 2026 (Active)

Overview

The Kentucky Consumer Data Protection Act (KCDPA) was signed into law on April 4, 2024, and becomes effective on January 1, 2026. Kentucky's law follows the Virginia VCDPA model closely, providing a comprehensive set of consumer privacy rights while maintaining moderate enforcement provisions. The KCDPA grants Kentucky consumers the right to access, correct, delete, and obtain a portable copy of their personal data. Consumers also have the right to opt out of the sale of personal data, targeted advertising, and profiling. The law includes an appeals process for denied consumer requests, consistent with the VCDPA framework. Enforcement is vested exclusively in the Kentucky Attorney General. The law applies to entities conducting business in Kentucky or targeting Kentucky consumers that control or process personal data of 100,000 or more consumers, or control or process personal data of 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data. The KCDPA includes a 30-day cure period and penalties of up to $7,500 per violation.

Applicability Thresholds

Conditions are joined by OR: meeting ANY one triggers applicability.

  • 100,000+ Kentucky consumers' data processed
  • 25,000+ consumers AND 50%+ revenue from data sales

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action: No (AG enforcement only)

Key Changes in 2025-2026

  • Law became effective January 1, 2026 — businesses must be in full compliance
  • Kentucky AG published consumer rights information page outlining protections under the KCDPA
  • 30-day cure period in effect — AG must provide written notice of alleged violations before enforcement
  • No revenue-only threshold — applicability depends primarily on volume of consumer data processed

Enforcement Details

  • Enforced By: Kentucky Attorney General
  • Penalty Per Violation: $7,500
  • Cure Period: 30 days
  • Private Right of Action: No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Biometric data for identification

Universal Opt-Out / GPC Requirements

No Universal Opt-Out Requirement

The KCDPA does not require businesses to honor universal opt-out mechanisms. Businesses may voluntarily support GPC and similar signals.

Minor / Child Protections

The KCDPA requires opt-in consent before processing personal data of known children under 13. For teens aged 13-17, businesses must obtain consent before processing their data for targeted advertising or sale.

Compliance Checklist

  1. Determine applicability based on Kentucky consumer data processing volumes and revenue thresholds
  2. Update privacy notices with all required KCDPA disclosures
  3. Implement opt-out mechanisms for data sales, targeted advertising, and profiling
  4. Obtain opt-in consent for processing sensitive personal data
  5. Create consumer rights request processes with a 45-day response period
  6. Establish an appeals process for denied consumer rights requests


Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.