Navigating the Kentucky Consumer Data Protection Act: A compliance guide for businesses


By Dave Hatter
Special to NKyTribune

Data increasingly powers commerce across industries, and new state privacy laws are reshaping how organizations collect, use, and protect personal information with consumers’ interests in mind. The Kentucky Consumer Data Protection Act (KCDPA), codified in KRS 367.3611 to 367.3629, became effective January 1, 2026. The KCDPA creates new consumer rights for Kentucky residents and places new compliance obligations on covered businesses operating in the Commonwealth.

For covered Kentucky organizations, compliance is not just about avoiding enforcement risk. It is also an opportunity to strengthen customer trust, modernize data governance practices, improve cybersecurity protections, and align with a growing patchwork of state privacy laws.

This guide clarifies the law’s core points and includes practical, actionable steps to help organizations assess and achieve compliance.

What is the Kentucky Consumer Data Protection Act?


The KCDPA grants Kentucky residents (“consumers”) rights over their personal data. It also imposes obligations on businesses that determine the purposes and means of processing consumer data (“controllers”).

Personal data includes information that is linked or reasonably linkable to an identifiable individual, including names, email addresses, device identifiers, browsing history, location data, and inferences drawn from those elements. It excludes publicly available information and properly de-identified data, provided appropriate safeguards are maintained to prevent re-identification.

The KCDPA emphasizes:

• Transparency: Clear disclosures regarding data collection and use.

• Consumer control: Rights to access, correct, and delete data, and to opt out of targeted advertising, the sale of personal data, and certain profiling.

• Accountability: Data minimization and reasonable security safeguards.

Unlike California’s more rigorous Consumer Privacy Act (CCPA), Kentucky follows an opt-out model. Businesses may generally process personal data without prior consent, except where the law requires opt-in consent for sensitive data. However, consumers must be given the option to opt out of:

• Targeted advertising.

• The sale of personal data. Kentucky defines a “sale” narrowly as the exchange of personal data for monetary consideration, a more limited definition than California’s broader “valuable consideration” standard.

• Certain profiling activities that produce legal or similarly significant effects.

The law applies to organizations that conduct business in Kentucky or produce products or services targeted at Kentucky residents, provided they meet specific statutory processing thresholds, regardless of where the organization is headquartered.

Which organizations must comply?

The KCDPA applies to controllers that, during a calendar year:

• Control or process personal data of at least 100,000 Kentucky consumers, or

• Control or process personal data of at least 25,000 Kentucky consumers and derive more than 50% of gross revenue from the sale of personal data.

The KCDPA does not include a standalone minimum annual revenue threshold; however, revenue is relevant when determining applicability under the 25,000-consumer threshold tied to the sale of personal data. Smaller companies may still fall within scope if they process significant volumes of consumer data.

If your business processes data through vendors (processors), you’re still responsible as the controller, and contracts must outline their compliance duties under the KCDPA.

Scope and exemptions

KCDPA’s scope is narrower for certain entities and data types:

• The statute primarily targets for-profit businesses. Government entities (state, local, and their subdivisions) and nonprofits are fully exempt, as are financial institutions regulated under GLBA, healthcare providers and other covered entities under HIPAA, and data governed by FCRA or FERPA.

• Children’s data: Federal COPPA continues to govern online collection of information from children under 13. Under the KCDPA, personal data collected from a known child under 13 is classified as sensitive data and requires consent consistent with COPPA standards.

• Because some exemptions apply only to certain categories of data, organizations may be partially exempt depending on the nature of the information processed. If you are uncertain about exemptions, engage legal counsel.

Risks of Non-Compliance: Enforcement and Penalties

The Kentucky Attorney General has exclusive enforcement authority under the KCDPA.

Key enforcement features include:

• Civil penalties of up to $7,500 per violation.
• A permanent 30-day statutory cure period, with no sunset provision.
• No private right of action.

To cure an alleged violation, a business must provide a written statement confirming remediation and committing to avoid future violations. While the cure period provides flexibility, repeated or systemic violations could result in substantial cumulative penalties.

It’s worth noting that the Kentucky Attorney General (AG) announced its first lawsuit for violations of the KCDPA against an artificial intelligence (AI) chatbot company on January 8, 2026, a mere seven days after the law went into effect. The complaint alleges violations of the KCDPA alongside claims under other Kentucky consumer protection statutes, including unfair, false, misleading, or deceptive acts and practices and the improper collection and exploitation of children’s data. This early action suggests the AG intends to enforce the new law vigorously.

Key compliance responsibilities for covered businesses

Consumer rights management

• Right to Access: Confirm whether you process a consumer’s personal data and provide categories of data, sources, purposes, and recipients.

• Right to Correction: Allow consumers to request correction of inaccurate personal data.

• Right to Deletion: Honor deletion requests for personal data provided by or obtained about the consumer, subject to lawful retention needs such as tax, accounting, or fraud prevention.

• Right to Opt-Out: Support opt-outs for the sale of personal data, targeted advertising, and certain automated profiling that produces legal or similarly significant effects.

• Right to Portability: Provide a copy of the personal data that the consumer previously provided to the controller in a portable, commonly used, and machine-readable format.

• Sensitive Data: Obtain explicit consent before processing sensitive data such as precise geolocation, biometrics, health data, racial or ethnic origin, sexual orientation, immigration status, genetic data, and certain data about minors. Consent for processing sensitive data must be revocable.

Consumers may make up to two free requests per year; a controller may charge a reasonable fee for requests beyond that or for requests that are manifestly unfounded, excessive, or repetitive. Controllers must provide secure and reliable methods for submitting consumer requests, taking into account how consumers normally interact with the organization.

Controllers must respond within 45 days. The period may be extended once by an additional 45 days when reasonably necessary, but the consumer must be told of the extension, and the reason for it, within the initial 45-day window. Documented processes for verifying requests, responding within the statutory time limits, and handling appeals of denials are the backbone of compliance.

If a request is denied, the controller must provide a clear explanation and offer an internal appeals process. Appeals must generally be resolved within 60 days, and if denied, the consumer must be informed of how to contact the Kentucky Attorney General.

Data protection and transparency for controllers

• Data protection assessments: Conduct assessments for high-risk processing activities such as targeted advertising, sale of personal data, or sensitive data processing.

• Data minimization: Limit collection and retention to what is reasonably necessary for disclosed purposes.

• Privacy notice: Maintain a clear, accessible privacy policy that explains data practices and how consumers can exercise their rights. If personal data is sold or used for targeted advertising, that practice must be clearly disclosed, along with instructions for opting out.

• De-Identified and Pseudonymous Data Handling: For de-identified data (unlinkable to individuals), maintain technical measures to prevent re-identification, make public commitments against attempts to re-identify, and impose contractual obligations on recipients. For pseudonymous data, keep the additional information needed to re-link it (such as a lookup table or key) separately, under its own technical and organizational controls, so that the data cannot be attributed to a specific individual without it.

• Nondiscrimination: Do not discriminate or retaliate against consumers for exercising their rights under the KCDPA.
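An added example, not from the original article or from Kentucky’s statute, of the technical side of the de-identified and pseudonymous data bullet above. It contrasts the common mistake of "anonymizing" identifiers with a plain SHA-256 hash (which anyone holding a candidate list can reverse by recomputing the hash for each guess) with a keyed HMAC whose key stays with the controller. The key is exactly the "additional information kept separately" that makes the output pseudonymous rather than de-identified: the controller can still re-link a record, for example to honor a deletion request, while a recipient who lacks the key cannot test guesses. Using a different key per release also stops two recipients from joining their datasets. All records, candidate emails and keys are constructed for the demonstration.

```python
"""Pseudonymizing direct identifiers before sharing a dataset.

Constructed example: the records, candidate list and keys are made up.
Shows why an unkeyed hash is re-identifiable and a keyed HMAC is not
(without the key), and why a per-release key blocks cross-dataset linkage.
"""
import hashlib
import hmac
import secrets


def normalize(identifier: str) -> bytes:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' match."""
    return identifier.strip().lower().encode()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone with a list of plausible
    identifiers can recompute it and match, so it is not de-identified."""
    return hashlib.sha256(normalize(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the controller.
    Without the key a recipient cannot test guesses."""
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


def reidentify(pseudonyms, candidates, pseudonymizer) -> dict:
    """Dictionary attack: recompute the pseudonym for every candidate and
    look for matches. Only works if the attacker can run the same function."""
    lookup = {pseudonymizer(c): c for c in candidates}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def pseudonymize_records(records, key: bytes, fields=("email",)):
    """Return a copy of the records with direct identifier fields replaced
    by keyed pseudonyms. The key never travels with the data."""
    out = []
    for rec in records:
        shared = dict(rec)
        for field in fields:
            if field in shared:
                shared[field] = keyed_pseudonym(shared[field], key)
        out.append(shared)
    return out


# Constructed sample data, not real consumers.
RECORDS = [
    {"email": "Alice@Example.com", "zip": "41011", "purchases": 3},
    {"email": "bob@example.com", "zip": "41017", "purchases": 1},
]
# A candidate list an attacker might hold (e.g. a breached mailing list).
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def demo():
    """Returns (naive_hits, keyed_hits, cross_release_linkable)."""
    # 1. Unkeyed hash: the attacker recovers every identifier on the list.
    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    naive_hits = len(reidentify(naive, CANDIDATES, naive_pseudonym))

    # 2. Keyed pseudonyms: the controller keeps release_key in a secrets store.
    release_key = secrets.token_bytes(32)
    shared = pseudonymize_records(RECORDS, release_key)
    # The attacker has no key, so any key they try yields no matches.
    attacker_key = secrets.token_bytes(32)
    keyed_hits = len(reidentify([r["email"] for r in shared], CANDIDATES,
                                lambda c: keyed_pseudonym(c, attacker_key)))

    # 3. A second release under its own key cannot be joined to the first.
    other_key = secrets.token_bytes(32)
    second = pseudonymize_records(RECORDS, other_key)
    linkable = any(a["email"] == b["email"] for a, b in zip(shared, second))
    return naive_hits, keyed_hits, linkable


if __name__ == "__main__":
    hits_naive, hits_keyed, linkable = demo()
    print(f"unkeyed hash: {hits_naive} of {len(RECORDS)} re-identified")
    print(f"keyed HMAC without key: {hits_keyed} re-identified")
    print(f"two releases under different keys linkable: {linkable}")
```

The controller can still run `keyed_pseudonym` with the stored key to find a specific consumer’s rows, which is what makes this pseudonymous data rather than de-identified data; destroying the key after the release (and keeping the contractual and public commitments the bullet describes) is what moves it toward the de-identified category. Treat the key like any other secret: separate storage, restricted access, and rotation per release.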

Security measures

Controllers must implement reasonable safeguards to protect consumer data such as encryption, access controls, multifactor authentication (MFA), logging and monitoring, incident response plans, and regular security testing.

Vendor and third party oversight

Controllers must ensure they have compliant contracts with processors. These agreements must govern:

• Processing instructions
• Confidentiality
• Subprocessor controls
• Data return or deletion
• Audit rights

Businesses with complex vendor ecosystems should anticipate administrative and contract management impacts.

Marketing and data strategy adjustments

Targeted advertising is still allowed but subject to consumer opt-out rights. Organizations that monetize personal data should carefully evaluate whether they meet the 50% revenue threshold tied to applicability.

Practical compliance roadmap

A phased, organization-wide approach reduces risk and spreads cost. Below are concrete steps and recommended priorities.

1. Assess Applicability and Audit

• Applicability test: Determine whether KCDPA applies by measuring the number of Kentucky consumers you process and whether your revenue model involves selling personal data.

• Data mapping: Inventory personal data flows, sources, storage locations, retention, and recipients.

• Privacy impact assessment: Identify high-risk processing and prioritize mitigations.

2. Build a Request Management System

• Consumer portal: Provide a simple, straightforward way for consumers to submit requests, such as a “Privacy Rights” page on your website.

• Automation: Use CRM integrations or privacy management platforms to verify identity, track requests, and manage response timelines.

• Verification: Implement reasonable verification procedures to prevent fraudulent requests while avoiding undue friction for legitimate consumers.

3. Update Policies and Consent Practices

• Privacy policy: Add KCDPA-specific disclosures, including opt-out mechanisms for sales and targeted advertising.

• Consent management: Use clear, granular opt-ins for sensitive processing and maintain consent records.

• Minimization: Remove unnecessary data collection from forms, apps, and integrations. Delete data that is no longer needed.

4. Strengthen Security and Vendor Controls

• Security frameworks: Align your controls with recognized industry frameworks such as NIST CSF or the CIS Critical Security Controls. I am an enthusiastic fan of the latter.

• Vendor due diligence: Require contractual commitments for security, breach notification, and assistance with consumer requests.

• Testing and training: Conduct vulnerability assessments, penetration tests and regular employee training on phishing and data handling.

5. Prepare for Enforcement and Recordkeeping

• Appeals process: Document how denials are managed and how consumers can appeal.

• Designate responsibility: Appoint a compliance lead or privacy officer to oversee requests and coordinate with legal counsel.

• Recordkeeping: Maintain logs of consumer requests, verification steps, responses, and denials for a reasonable retention period consistent with enforcement guidance; many organizations retain these records for at least two years as a practical matter.

• If an appeal is denied, provide the consumer with instructions on how to file a complaint with the Kentucky Attorney General’s Office of Data Privacy.

6. Build a Privacy Culture

• Training: Provide annual training (at minimum) with scenario-based exercises.

• Ongoing monitoring: Track regulatory guidance from the Kentucky Attorney General’s Office of Data Privacy as well as best industry practices.

• Consumer tools: Consider self-service dashboards or preference centers to reduce operational burden and increase transparency.

• Learn more about privacy trends and best practices at the International Association of Privacy Professionals (IAPP).

Get started on KCDPA compliance today

The KCDPA is a long-overdue shift toward consumer empowerment in Kentucky. For businesses, compliance is both a legal obligation and an opportunity to build trust. Start with an applicability check, map your data, and prioritize consumer-facing processes. Treat compliance as an ongoing program that combines legal review, technical controls, vendor management, and employee training.

Organizations that take a proactive approach today can reduce regulatory risk, improve operational efficiency, and demonstrate a meaningful commitment to both responsible data stewardship and consumer privacy.

Dave Hatter is an award-winning technology leader with over 30 years of software engineering and cybersecurity experience and works as a Cybersecurity Consultant at Intrust IT. He has also served as the mayor of Fort Wright since 2015.