Opinion – Dave Hatter: The benefits of the Kentucky Consumer Data Protection Act


Organizations of all sizes collect and store more information than ever before, and in many cases personal information is now as valuable as, or more valuable than, currency. The Kentucky Attorney General’s office defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include deidentified data or publicly available information (public records).”

Hackers and criminals understand the power of your personal data and aggressively pursue it, which is why data breaches are rising. The Identity Theft Resource Center reported 3,158 known compromises in 2024, highlighting the growing risks to personal and company information.

I’ll wager that every person reading this has received at least one data breach notice and more likely several. I have received several over the last few years, including from companies that I have never done business with. Most likely the breached companies I have not done business with bought my data (and likely yours too) from a data broker.

(Illustration from the Identity Theft Resource Center report)

This is all legal because there is no federal data privacy law to protect consumers and, until recently, there was no data privacy law in Kentucky either. Without one, companies have little incentive to protect your data and face no real penalty when it leaks, which has placed each of us at increasing risk.

Enter the Kentucky Consumer Data Protection Act (KCDPA), which was passed in 2024 and went into effect January 1, 2026. This is a welcome and significant step toward safeguarding Kentucky residents’ privacy. The KCDPA establishes clear rights for consumers over their personal data while imposing responsibilities on the organizations that handle it, and it makes Kentucky one of 19 states to enact comprehensive data privacy legislation thus far.

Modeled after Virginia’s Consumer Data Protection Act, the KCDPA applies to companies that operate in the Commonwealth or offer products or services to Kentucky residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers, or of at least 25,000 consumers if they derive more than half of their gross revenue from selling personal data. Exemptions include government entities, nonprofits, higher education institutions, and sectors already regulated under federal laws such as HIPAA or the Gramm-Leach-Bliley Act.

The KCDPA is a pivotal shift of power to the consumer: you are no longer powerless against the invisible data economy hoovering up your every click, post, purchase, location and anything else it can get its hands on. While the KCDPA is not a panacea for every privacy woe, it is a strong first step toward educating consumers on their rights, driving consumers to take action to protect their privacy, and encouraging organizations to prioritize ethical data practices as well as strong cybersecurity protections. Let’s explore some of the key consumer benefits.

The Right to Know and Access Your Personal Data

One of the most immediate advantages of the KCDPA is the right to confirm whether an organization is processing your personal data and, if so, to access that information. Personal data under the law includes anything that can identify you, such as your name, email address, browsing history, geolocation, or inferences drawn from your behavior. Imagine a fitness app you’ve used to track your hikes in Red River Gorge that has been compiling a detailed profile of your health metrics, sleep patterns, and even dietary habits without your explicit knowledge. Or an online retailer tracking your purchases of rare bourbon bottles from distilleries and inferring your income level, drinking habits, or gifting habits.

The KCDPA allows you to submit a request to the company (known as a “controller” in legal terms) asking it to reveal what data it holds on you. In the pre-KCDPA world, consumers often operated in the dark, unaware of how their information was being collected and used. Now, organizations must respond to your access request within 45 days, free of charge (up to twice a year), unless they can justify an extension.

Dave Hatter (Photo provided)

This provision of the law not only demystifies the data collection process but also helps you spot inaccuracies or overreach. It promotes a culture of informed consent and helps you gauge your exposure to identity theft by letting you check which sensitive details sit in corporate databases.

Additionally, organizations must now limit data collection to what’s adequate, relevant, and reasonably necessary for the purposes disclosed to you. No more blanket permissions buried in fine print. As a consumer, you should start seeing clearer privacy notices, making it easier to decide whether to engage with a service.

Opting Out of Data Sales, Targeted Ads, and Profiling

Perhaps the most consumer-friendly aspect of the KCDPA is the ability to opt out of the sale of your personal data, targeted advertising, and certain automated profiling. “Sale” in this context means exchanging personal data with a third party for monetary consideration, a common practice in the ad-tech industry. Targeted ads, those eerily specific promotions based on your online behavior, can now be halted at your request. The profiling opt-out covers automated processing used to make decisions that produce legal or similarly significant effects on you, such as denying a job based on an AI analysis of your social media.

This translates into greater autonomy over your online experience. Opting out of profiling could prevent discriminatory outcomes, such as insurance quotes inflated by health data inferred from a fitness tracker worn on your hikes or from your online searches about health issues. The law requires companies to honor these opt-outs, and for sensitive data, such as biometric information from health apps, precise geolocation from mapping apps, or details about your race, religion, or health, the consumer must give explicit consent before the data is processed at all.

Overall, these opt-outs curb the commodification of your life and the monetization of your data, turning privacy from a luxury into a standard expectation for Kentucky residents.

Correcting and Deleting Inaccurate or Unwanted Data

The KCDPA grants you the right to correct inaccuracies in your personal data and, crucially, to delete it altogether. This is particularly beneficial in an age of algorithmic decision-making, where flawed data can lead to real-world consequences. Consumer credit reports are governed by the federal Fair Credit Reporting Act and are exempt from the KCDPA, but the same principle applies to non-exempt companies: if one of them holds erroneous information that affects, say, your eligibility for a home loan, the KCDPA’s correction right ensures you can fix it promptly.

Deletion, often referred to as the “right to be forgotten,” allows you to request the erasure of data a company has collected from or about you, such as old account details from a social media site you no longer use. The KCDPA requires the company to delete your data upon request, provided that doing so doesn’t conflict with legal obligations such as record-keeping for taxes. This minimizes the long-term risk of data lingering in systems vulnerable to breaches and shrinks your digital footprint, making you less of a target for cybercriminals who trade in personal information.

A related right is data portability: you can obtain a copy of your data in a portable, readily usable format so you can move it to another service.

Enhanced Security and Accountability for Businesses

While the KCDPA focuses on consumer rights, its requirements for businesses indirectly benefit you through stronger data safeguards and penalties for violations. Organizations collecting your data (controllers) must implement reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the data processed.

Processors (third parties that handle data on behalf of controllers) must be bound by contracts that require compliance with the law. For you, this should mean fewer incidents in which your data is mishandled by subcontractors. Enforcement falls to the Kentucky Attorney General, who can seek civil penalties of up to $7,500 per violation after giving the organization 30 days’ notice and an opportunity to cure the alleged violation. These penalties push organizations that collect your data to adopt best practices without stifling innovation.

While there is no private right of action (you can’t sue directly), the KCDPA incentivizes compliance without overwhelming the courts. It’s also worth noting that organizations cannot discriminate against consumers for exercising their privacy rights, for example by denying goods or services or charging different prices.

Why the KCDPA is a Great First Step for Consumers in Kentucky

I’ll be the first to admit that the KCDPA isn’t perfect. Unlike California’s CCPA, it lacks a private right of action and relies solely on the Kentucky Attorney General for enforcement, which could limit deterrence against minor violations. It also doesn’t cover employee data or require opt-in consent for most processing, as GDPR-inspired laws in Europe largely do.

Some critics have argued the KCDPA is too business-friendly and needs stronger consumer protections, but its moderation makes it a pragmatic starting point, avoiding compliance burdens that could drive businesses away from Kentucky. And by aligning with the laws of neighboring states like Indiana and Tennessee, the KCDPA creates regional consistency, easing interstate commerce while reinforcing privacy norms.

The KCDPA is an excellent first step because it educates consumers on privacy basics and encourages good habits, such as periodically requesting and reviewing the data companies hold on you. As privacy awareness grows, it paves the way for potential federal legislation that could standardize consumer privacy protections nationwide.

Conclusion: Taking Control in the Digital Age

The Kentucky Consumer Data Protection Act is a clear declaration that your privacy matters, and it signals to tech giants and data brokers that Kentucky values its citizens’ privacy and dignity. By granting rights to access, correct, delete, and opt out, it gives you power in an increasingly data-driven world. While challenges remain, such as navigating the request process or addressing the exemptions, the pros far outweigh the cons. As a Kentuckian, embrace these new tools in 2026: submit a data access request to your favorite apps, opt out of the ads that invade your peace, and advocate for stronger measures ahead. I’ll delve into how to do these things in a future article, but if you can’t wait to get started, visit the Kentucky Office of Data Privacy on the Attorney General’s website for more information.

Stay informed, exercise your rights, and watch as Kentucky leads by example in consumer protection.

Dave Hatter is an award-winning technology leader with over 30 years of software engineering and cybersecurity experience and works as a Cybersecurity Consultant at Intrust IT. He has also served as the Mayor of Fort Wright since 2015.