In today’s increasingly data-driven world, your personal information, such as your shopping habits, location history, fitness data, internet searches, and app usage, is constantly collected and analyzed by the apps on your phone, your so-called “smart” (aka Internet of Things, or IoT) devices, data brokers, and the organizations you interact with on a daily basis. Much of this happens behind the scenes, and often without your informed consent. Who reads or can understand the legal mumbo-jumbo of an 80-page Privacy Policy or Terms of Service? It’s a confusopoly by design.
Take a look at the Privacy Label for TikTok from the Apple App Store:

TikTok’s App Store Privacy Label shows that the app collects a wide range of data—contacts, location, browsing history, device identifiers, and more. Most apps collect far more than they need, because your data is valuable and most consumers don’t realize how much is being gathered or how it’s used.
Now, thanks to the Kentucky Consumer Data Protection Act (KCDPA), which took effect on January 1, you as a Kentucky resident have meaningful control over how businesses use your information and can start to take back control. And with Data Privacy Week occurring January 24-28 each year, now is the perfect time to learn how to use the KCDPA to improve your privacy.
From a consumer perspective, KCDPA is not perfect. It doesn’t allow you to sue companies directly (aka “private right of action”), and it exempts some organizations such as nonprofits, higher-education institutions, state and local government agencies, and businesses already regulated under federal laws like HIPAA or the Gramm-Leach-Bliley Act. It also exempts certain data types such as employment data and publicly available information.

Still, it is a major shift in your favor. It applies to companies that process the data of 100,000 or more Kentucky consumers, or 25,000 consumers if over half their revenue comes from selling personal data.
Let’s explore your rights under the KCDPA, how to exercise them, and how to build stronger privacy habits over time.
See What Companies Know About You: Your Right to Access
The foundation of privacy is visibility. KCDPA allows you to ask a company whether it processes your personal data and to request access to that information.
How to Do It
• Find the request portal: Look for a “Privacy Rights,” “Data Subject Request,” or similar section in a company’s privacy policy, usually linked at the bottom of their website or in app settings.
• Submit a request: Provide your name, email, and any account details. You can say: “Please confirm whether you are processing my personal data and provide access to all personal data associated with my account, including identifiers, browsing history, location data, and any inferences.”
• What to expect: You’ll receive a report describing the categories of data collected and how it’s used. A fitness app, for example, might reveal it tracks sleep patterns or location-based exercise routes.
Best Practice
Request access annually from high-risk services such as social media, e-commerce platforms, or health-related apps. If a company denies your request, they must explain why and provide an appeals process. Use it.
Correct Mistakes or Delete Old Data: Your Rights to Correct and Delete
Incorrect or outdated information can affect everything from insurance premiums, job offers, and rent to personalized recommendations. Not to mention “surveillance pricing,” which uses your data to infer what you can pay and charges you more than other people. The KCDPA allows you to:
• Correct inaccurate personal data.
• Request deletion of personal data collected directly from you.
• Request a portable copy of your data.
How to Do It
• Correction:
“Please correct the following inaccuracies in my personal data: [details].”
• Deletion:
“Please delete all personal data you collected from me, including [specific items].”
• Portability:
“Please provide a portable copy of my personal data in a usable format.”

Under KCDPA, companies must comply unless they are legally required to keep certain information (for example, for tax or fraud prevention purposes).
Best Practice
Use deletion requests to clean up old accounts you no longer use. After deletion, you can submit a follow-up access request to confirm the data is gone. Companies may ask you to verify your identity before fulfilling your request. This protects you from unauthorized access.
Stop Data Sales and Targeted Ads: Your Right to Opt Out
If you’re tired of eerily accurate ads or companies selling your information, the KCDPA gives you the right to opt out of:
• Sale of personal data.
• Targeted advertising.
• Profiling used for decisions with legal or similarly significant effects (e.g., credit, housing, employment).
How to Do It
• Locate opt-out tools: Look for links such as “Do Not Sell My Personal Information” or “Opt Out of Targeted Advertising” in the privacy policy for a given company.
• Submit your opt-out:
“I opt out of the sale of my personal data.”
“I opt out of targeted advertising.”
“I opt out of profiling used to make decisions with legal or significant effects.”
• Sensitive data note: Legitimate companies must obtain your consent before processing sensitive data including:
  ◦ Precise geolocation
  ◦ Biometric identifiers
  ◦ Health data
  ◦ Children’s data
  ◦ Race/ethnicity
  ◦ Sexual orientation
  ◦ Immigration status
  ◦ Genetic data
If you have previously consented, you may revoke your consent.
Best Practice
Start with platforms that rely heavily on advertising or data sharing such as Google, Meta, or TikTok. Pair your opt-outs with browser extensions that block trackers for stronger protection.
Manage Denials and Enforce Your Rights: Appeals and Complaints
Companies cannot retaliate against you for exercising your rights under KCDPA. No price increases, service denials, or degraded functionality are allowed. The Kentucky Attorney General must give companies 30 days to cure violations before penalties apply.
If Your Request Is Denied
• Appeal: Companies must offer an appeals process and respond within 60 days.
• Escalate: If the appeal fails, you can file a complaint with the Kentucky Attorney General’s Office of Data Privacy.
• Provide:
• Your original request.
• The company’s response.
• Dates and supporting documentation.
The Kentucky Attorney General can investigate and impose penalties of up to $7,500 per violation.

Best Practice
Keep a simple record of your requests: screenshots, dates, and responses. If multiple companies ignore your rights, you can submit a batch complaint.
Tips to Maximize Your Privacy Under the KCDPA
A Personal Privacy Audit
List the apps and websites you use regularly. Prioritize those handling sensitive data such as health, finances, or location. Drop those that you don’t need. The fewer apps you have, the smaller your digital footprint. In this case, smaller is better.
Build Better Digital Habits
• Read privacy notices before signing up for new services.
• Use guest checkout when possible while buying items online.
• Turn off ad ID tracking on your phone and IoT devices.
• Use separate email addresses for shopping, banking, and social media.
Use Privacy Tools Beyond the KCDPA
• Virtual Private Networks (VPNs).
• Tracker-blocking browser extensions such as the EFF’s Privacy Badger.
• Use privacy-friendly web browsers such as Safari, Firefox, or Brave.
• Enable strict browser privacy and security settings and delete cookies and history when you close the browser.
• Strong device security settings.
• Use privacy-friendly email services that support email aliases.
• Disable precise location tracking for apps that don’t require it.
• Delete unused apps and accounts monthly.
You can see a list of the privacy-friendly technology stack that I use for my personal information here.
Understand What KCDPA Doesn’t Cover
• Employment-related data is exempt.
• HIPAA-regulated health providers and GLBA-regulated financial institutions are exempt.
• The law applies to adults; children under 13 are primarily protected under federal COPPA rules.
Stay Informed
Visit the Kentucky Attorney General’s Office of Data Privacy for updates, guidance, and complaint forms. Improvements to the KCDPA may emerge in the future, and staying informed helps you adapt.

Take Control of Your Data Today
The KCDPA empowers you to treat your personal information like the valuable asset it is. Exercising your rights under KCDPA (accessing your data, correcting inaccuracies, opting out of sales and targeted ads, and deleting what you no longer want stored) allows you to reduce your exposure to breaches, profiling, and unwanted tracking.
For Data Privacy Week 2026, start small, but get started. Submit one access request to a company you use often. Review what they collect. Then take the next step. Each action strengthens your privacy and contributes to a safer digital Kentucky.
Dave Hatter is an award-winning technology leader with over 30 years of software engineering and cybersecurity experience and works as a Cybersecurity Consultant at Intrust IT. He has also served as the Mayor of Fort Wright, Kentucky since 2015.





