12 January 2026

Kentucky Consumer Data Protection Act: Key Takeaways For The New Bluegrass Statute

Taft Stettinius & Hollister

As we begin 2026, Kentucky has officially enacted the Kentucky Consumer Data Protection Act (KCDPA), a comprehensive privacy statute that took effect on January 1, 2026. As with Indiana, the KCDPA is modeled on the now‑familiar Virginia‑style framework. The KCDPA establishes consumer data rights, imposes governance obligations on businesses, and grants exclusive enforcement authority to the Kentucky Attorney General.

What Entities Are Covered?

The KCDPA applies to persons (defined, under Kentucky law, to include businesses and other organizations) that conduct business in Kentucky or produce products or services targeted to Kentucky residents and, during a calendar year, either control or process personal data of at least 100,000 consumers or control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

The law contains broad entity‑level and data‑level exemptions. It does not apply to:

  • cities, state agencies, or political subdivisions;
  • financial institutions and data subject to Title V of Gramm‑Leach‑Bliley;
  • HIPAA‑regulated covered entities and business associates;
  • nonprofits;
  • institutions of higher education;
  • certain insurance‑focused organizations engaged in fraud or catastrophe‑related work; and
  • specified small or municipal utilities that do not sell or share personal data with third‑party processors.

Likewise, familiar categories of information are explicitly carved out, including protected health information under HIPAA, health records, certain research data, Fair Credit Reporting Act (FCRA)‑regulated data, Driver's Privacy Protection Act (DPPA) data, Family Educational Rights and Privacy Act (FERPA)‑regulated education records, Farm Credit Act data, and employment‑context data, emergency contacts, and benefits‑administration data.

What Counts as "Personal" and "Sensitive" Data?

"Personal data" is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person, excluding de‑identified data and publicly available information. Publicly available information includes data made lawfully available through government records or that a business reasonably believes is lawfully made available to the general public via widely distributed media, by the consumer, or by a person to whom the consumer disclosed the information—unless the consumer has restricted it to a specific audience.

"Sensitive data" is defined as personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data used for uniquely identifying a person, personal data collected from a known child, and precise geolocation data that identifies a person within a 1,750‑foot radius. Controllers may not process sensitive data without the consumer's consent and must process children's sensitive data in accordance with the Children's Online Privacy Protection Act (COPPA). The KCDPA also defines "sale of personal data," "targeted advertising," and "profiling" in a manner consistent with other state privacy laws, while expressly excluding common operational transfers such as disclosures to processors, disclosures to affiliates, and transfers in certain corporate transactions.

What Rights Do Kentucky Consumers Receive?

Kentucky consumers acting in an individual (non‑employment, non‑commercial) context have several enumerated rights that they may invoke at any time by submitting a request to a controller. Once a controller authenticates the request, the consumer has the right to:

  • Confirm whether the controller is processing their personal data and access that data, subject to trade secret protections.
  • Correct inaccuracies in their personal data, considering the nature of the data and the purposes of processing.
  • Delete personal data provided by or obtained about the consumer.
  • Obtain a copy of personal data the consumer previously provided, in a portable, readily usable format that allows the consumer to transmit the data to another controller where processing is automated, again without requiring disclosure of trade secrets.

Consumers may also opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects such as financial services, housing, employment, insurance, or access to basic necessities. Controllers must respond to consumer requests without undue delay and within 45 days, with a single 45‑day extension where reasonably necessary, and must provide responses free of charge up to twice annually per consumer. If a request is denied, controllers must explain the justification and provide an appeal mechanism; appeals must be resolved within 60 days, and denials must include a method to contact the Attorney General to lodge a complaint.

Controllers that obtained personal data from a source other than the consumer may comply with a deletion request by retaining a record of the request and minimal data necessary to ensure the personal data remains deleted and is not used for other purposes, or by opting the consumer out of further processing of that data for any non‑exempt purpose.

What Does the Law Expect from Controllers and Processors?

The KCDPA sets out core duties for controllers that will feel familiar to organizations already operating in other comprehensive privacy states. Controllers must limit collection to personal data that is adequate, relevant, and reasonably necessary for purposes disclosed to consumers, and may not process data for purposes that are neither reasonably necessary nor compatible with those disclosed purposes without obtaining consent. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical security practices appropriate to the volume and nature of the personal data to protect its confidentiality, integrity, and accessibility.

Controllers may not process personal data in violation of state or federal anti‑discrimination laws and may not discriminate against consumers for exercising their rights, including by denying goods or services, charging different prices or rates, or providing a different level of quality solely because a consumer invoked statutory rights. However, the law preserves flexibility to offer different prices, rates, levels, quality, or selections (including no‑fee offerings) when tied to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

Transparency is a central requirement. As with many areas of data governance, including the use of artificial intelligence and the processing of consumer health data, transparency to the consumer is a critical component of the KCDPA. Controllers must provide a reasonably accessible, clear, and meaningful privacy notice describing the categories of personal data processed, the purposes for processing, how consumers may exercise their rights and appeal decisions, the categories of personal data shared with third parties, and the categories of those third parties. If a controller sells personal data or processes it for targeted advertising, it must clearly and conspicuously disclose that activity and explain how consumers can exercise their right to opt out. Controllers must also maintain one or more secure and reliable methods for consumers to submit rights requests, described in the privacy notice, aligned with how consumers normally interact with the controller, and designed to support secure communication and authentication; controllers may require use of an existing account but may not require creation of a new one.

Processors must adhere to controllers' instructions and assist them in meeting obligations, including responding to consumer rights requests, addressing security, and supporting breach notification obligations under KRS 365.732. Controller–processor contracts must govern processing and include instructions, the nature and purpose of processing, the type of data, duration, and the rights and obligations of both parties. They must require confidentiality, govern deletion or return of data at the end of services, provide information needed to demonstrate compliance, allow reasonable assessments or independent audits, and flow down equivalent obligations to subcontractors.

What about DPIAs, De-Identified Data, Exemptions and Enforcement?

DPIAs. The KCDPA requires controllers to conduct and document data protection impact assessments (DPIAs) for specific processing activities involving personal data, including targeted advertising, sales of personal data, certain profiling that presents reasonably foreseeable risks (such as unfair or deceptive treatment, disparate impact, or significant financial, physical, or reputational injury), processing of sensitive data, and any processing that presents a heightened risk of harm to consumers. These assessments must identify and weigh the benefits of processing to the controller, consumer, other stakeholders, and the public against the potential risks to consumers' rights, considering mitigations such as safeguards, the use of de‑identified data, reasonable consumer expectations, the context of processing, and the controller‑consumer relationship. DPIA requirements apply to processing activities created or generated on or after June 1, 2026, can be satisfied by reuse of comparable assessments prepared under other laws, and may cover similar processing operations in a single assessment. DPIAs are confidential, exempt from public disclosure, and may be requested by the Attorney General via investigative demand without waiving privilege or work‑product protections.

De-Identified Data. The statute also addresses de‑identified and pseudonymous data. Controllers in possession of de‑identified data must take reasonable measures to ensure it cannot be associated with a natural person, publicly commit not to attempt re‑identification, and contractually obligate recipients to comply with the Act's provisions. Controllers and processors are not required to re‑identify de‑identified or pseudonymous data, maintain data in identifiable form, or collect or retain data solely to be able to associate authenticated consumer requests with personal data. Consumer rights do not apply to pseudonymous data where identifying information is kept separately and protected by appropriate technical and organizational measures, and controllers that disclose pseudonymous or de‑identified data must reasonably oversee contractual compliance and address any breaches.

Exemptions. The KCDPA contains a detailed set of purpose‑based exemptions that allow controllers and processors to collect and use personal data for compliance with laws, responding to investigations, cooperating with law enforcement, protecting life or physical safety, preventing fraud and security incidents, defending legal claims, conducting certain research, and performing internal operations such as product improvement and error correction, subject to necessity, proportionality, and security requirements. Controllers bear the burden of demonstrating that processing qualifies for an exemption and complies with associated conditions.

Enforcement. The Kentucky Attorney General has exclusive authority to enforce the KCDPA and may bring actions in the name of the Commonwealth or on behalf of Kentucky residents, using investigative powers under KRS Chapter 15. Before initiating an action, the Attorney General must provide 30 days' written notice identifying the alleged violations; if the controller or processor cures the violation within that period and provides an express written statement that the violations have been cured and will not recur, the Attorney General may not initiate an action for damages for that violation. If violations continue after the cure period or an assurance is breached, the Attorney General may seek damages of up to $7,500 per violation, as well as reasonable investigative expenses, court costs, attorneys' fees, and other relief ordered by the court. The Act expressly disclaims any private right of action.

Civil penalties collected under the KCDPA are deposited into a dedicated consumer privacy fund administered by the Attorney General and used to support enforcement, with amounts carrying forward across fiscal years.

What Should Businesses Do Now That KCDPA Is In Effect?

For organizations already subject to other state privacy laws, the KCDPA can largely be integrated into existing, Virginia‑style compliance programs by updating data inventories for Kentucky residency, refreshing privacy notices and consumer request workflows, ensuring contracts with vendors meet Kentucky's controller‑processor requirements, and implementing or extending DPIA processes for targeted advertising, sales, profiling, and sensitive data processing ahead of the 2026 effective dates.

Just the latest. Stay tuned to Taft Privacy, Security, & Artificial Intelligence.

As we previously posted, by the end of 2026, nearly 20 states will have their own consumer privacy law. Forty-six (46) bills were under consideration in 2025 alone. Kentucky is just the latest state to implement such a law to protect its residents' personal information. Last week, we provided a post on Indiana's new law, and we will report on Rhode Island's new law shortly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.