The KCDPA became effective on January 1, 2026, with data protection impact assessment requirements applying prospectively to processing activities initiated or generated on or after June 1, 2026 (per 2025 amendments). This in-depth guide examines the full statutory text (KRS 367.3611–367.3629, as amended), legislative history, guidance from the Kentucky Attorney General’s Office of Data Privacy, practical examples, multi-state comparisons, and detailed compliance strategies.
Introduction and Overview
The Kentucky Consumer Data Protection Act (KCDPA), codified at Kentucky Revised Statutes (KRS) 367.3611 through 367.3629, establishes Kentucky’s comprehensive consumer privacy regime. Enacted as House Bill 15 on April 4, 2024, and signed by Governor Andy Beshear, the law became effective January 1, 2026. Subsequent refinements via House Bill 473 (signed March 15, 2025) expanded healthcare exemptions and clarified prospective application of certain provisions.
Closely patterned after the Virginia Consumer Data Protection Act (VCDPA), the KCDPA is recognized as one of the more business-friendly state privacy laws. It grants Kentucky residents acting in individual or household contexts (“consumers”) core rights to confirm processing, access, correct, delete, port, and opt out of certain uses of their personal data. Controllers face proportionate obligations centered on transparency, data minimization, and consent for sensitive data processing.
Distinguishing features include relatively high applicability thresholds (reducing burden on smaller entities), a narrow definition of “sale” limited to monetary consideration, no requirement to honor universal opt-out mechanisms, a permanent 30-day cure period, and exclusive enforcement by the Attorney General with no private right of action. These elements make compliance more predictable than in states like California or Colorado.
The law reflects a balanced approach: acknowledging the economic value of data while empowering Kentuckians with control. The Kentucky Attorney General’s Office of Data Privacy has released consumer-friendly resources, including a “Rights of Kentuckians under the KCDPA” summary, emphasizing that “Kentuckians now have new tools to manage their personal information collected by covered businesses.” As of early January 2026, the Office continues to prioritize education and assistance over punitive measures.
This exhaustive analysis provides a section-by-section statutory review, direct quotations, real-world examples, expanded comparison tables, industry impacts, and an actionable compliance roadmap.
Legislative History and 2025 Amendments
House Bill 15, sponsored by Representative Matt Lockett and others, passed with strong bipartisan support in the 2024 session. The two-year implementation window aligned Kentucky with emerging 2026-effective laws in neighboring states.
In 2025, House Bill 473 introduced targeted amendments responding to stakeholder concerns, particularly from healthcare providers:
- Expanded entity-level exemptions for certain HIPAA-related activities and limited data sets;
- Clarified that data protection impact assessments apply only to processing on or after June 1, 2026;
- Added protections for public health reporting and fraud prevention.
These changes demonstrate legislative responsiveness, ensuring minimal conflict with federal regimes like HIPAA and GLBA while maintaining consumer protections.
Applicability and Exemptions (KRS 367.3613)
Covered Controllers
The KCDPA applies to persons that conduct business in Kentucky or target Kentucky residents with products/services, and that annually:
- Control or process personal data of 100,000+ Kentucky consumers; or
- Control or process personal data of 25,000+ Kentucky consumers and derive >50% of gross revenue from the sale of personal data.
No global revenue threshold exists, focusing coverage on significant Kentucky-specific activity.
Entity- and Data-Level Exemptions
Exempt entities include government bodies, GLBA financial institutions, HIPAA entities (broadened in 2025), nonprofits, higher education, and certain utilities. Data exemptions cover protected health information, research data, FCRA reports, employment data, and de-identified/publicly available information.
Example: A national bank operating branches in Kentucky is exempt under GLBA, but a non-financial e-commerce platform processing loyalty data for 120,000 Kentuckians is covered.
Key Definitions (KRS 367.3611)
- Personal data: “any information that is linked or reasonably linkable to an identified or identifiable natural person” (excludes de-identified/publicly available).
- Sensitive data: Racial/ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, genetic/biometric data for identification, children’s data (under 13), precise geolocation.
- Sale of personal data: Exchange for monetary consideration only (narrow; excludes processor, affiliate, or consumer-directed disclosures).
- Targeted advertising: Ads based on cross-context behavioral data.
- Profiling: Automated processing producing legal/significant effects.
- Consent: Freely given, specific, informed, unambiguous affirmative act.
Example: Sharing consumer data with an affiliate for joint marketing without payment is not a “sale,” but licensing a de-identified dataset for cash would qualify if re-identification risk exists.
Consumer Rights (KRS 367.3615)
- Confirm and Access: Verify processing and obtain data (excluding trade secrets).
- Correct: Fix inaccuracies.
- Delete: Remove provided or obtained data.
- Portability: Receive readily usable copy.
- Opt-Out: From targeted advertising, sales, or profiling with significant effects.
Additional safeguards: opt-in consent for sensitive data; non-discrimination; appeal process (60 days); 45-day response timeline (extendable once).
Example: A Kentuckian using a fitness app can opt out of data sales to third-party advertisers and appeal any denial through the controller before contacting the AG.
Controller Obligations (KRS 367.3617–367.3619)
Controllers must provide transparent privacy notices, limit processing to necessary purposes, secure data reasonably, avoid discrimination, and execute compliant processor contracts.
Example: A streaming service must disclose targeted advertising practices and offer an opt-out link prominently in its privacy policy.
Data Protection Impact Assessments (KRS 367.3621)
Required for targeted advertising, sales, profiling with risks, sensitive data processing, or substantial injury risk. Assessments weigh benefits against harms and are available to AG. Prospective only per 2025 amendments.
Example: An HR tech platform using automated screening tools must document mitigation of bias risks.
Enforcement (KRS 367.3627)
Exclusive AG enforcement with permanent 30-day cure, penalties up to $7,500 per violation, and injunctive relief. Early 2026 focus remains educational.
Multi-State Comparison Tables
| Feature | KCDPA | ICDPA (IN) | RIDTPPA (RI) | CCPA/CPRA (CA) |
|---|---|---|---|---|
| Threshold | 100K / 25K + 50% | Same | 35K / 10K + 20% | 100K or $25M |
| Sale Definition | Monetary only | Monetary only | Monetary/other consideration | Monetary/other |

| Feature | KCDPA | ICDPA | RIDTPPA | CTDPA (CT) |
|---|---|---|---|---|
| Cure Period | Permanent 30 days | Permanent 30 days | None | 60 days (sunsetting) |
| Max Penalty | $7,500/violation | $7,500/violation | $10,000/violation | $5,000/violation |
| Private Action | No | No | No | No |

| Feature | KCDPA | ICDPA | RIDTPPA |
|---|---|---|---|
| Universal Opt-Out | Not required | Not required | Not required |
| DPIA Timing | Post-June 1, 2026 | Post-Jan 1, 2026 | Post-Jan 1, 2026 |
| Sensitive Consent | Opt-in | Opt-in | Opt-in |
Practical Compliance Roadmap
- Inventory: Map Kentucky data flows and classify sensitive categories.
- Notice: Update policies with AG-aligned language.
- Rights Workflow: Build authenticated request portals.
- Consent: Implement clear opt-in for sensitive data.
- DPIAs: Template assessments for June 2026 rollout.
- Vendors: Amend contracts with required clauses.
- Training: Educate teams on timelines and appeals.
- Monitoring: Track AG resources and complaint portal.
Industry Implications
Retail/E-Commerce: Narrow sale definition eases loyalty program sharing.
Ad Tech: High thresholds and cure period reduce risk.
Healthcare: 2025 exemptions minimize overlap.
Small Businesses: Most excluded by thresholds.
KCDPA Compliance Provider
Captain Compliance is proud to be a data privacy and compliance provider for KCDPA compliance, helping businesses automate their legal requirements under Kentucky’s privacy law. The KCDPA delivers pragmatic privacy enhancements with clear, achievable obligations. Its VCDPA alignment, generous cure period, and educational focus position Kentucky favorably in the state privacy landscape. Proactive compliance will ensure smooth adaptation throughout 2026.