Kentucky Attorney General Files First Enforcement Action Under New Consumer Data Privacy Law

Well, that didn’t take very long, with the new law passed on January 1st. Kentucky’s Attorney General has taken a landmark step in state privacy enforcement, filing a lawsuit against an artificial intelligence (AI) chatbot company for harmful practices that allegedly target children and violate the recently effective Kentucky Consumer Data Protection Act (KCDPA) and other consumer protection statutes. This case marks one of the first significant enforcement actions under a new wave of state privacy laws and underscores the evolving legal landscape for personal data protection in the United States.

This lawsuit highlights several critical legal trends: the expansion of state-level privacy enforcement authority, the intersection of privacy rights with emerging technologies like AI, and the need for robust compliance frameworks that align with both statutory requirements and evolving enforcement priorities. If you haven’t gotten a free privacy audit, do so right now and learn how Captain Compliance can automate your privacy requirements and protect you against expensive Kentucky AG privacy lawsuits, along with the other 144+ privacy laws and legal requirements our software handles.

The Kentucky Lawsuit: Facts and Legal Basis

On January 8, 2026, Kentucky Attorney General Russell Coleman announced that the Commonwealth has initiated litigation in Franklin Circuit Court against Character Technologies, the operator of the Character.AI platform. The complaint asserts that the company’s platform “preyed on children,” resulting in psychological harm, including self-harm and suicide, by failing to implement meaningful protections for minors. The lawsuit alleges violations of the Kentucky Consumer Data Protection Act (KCDPA) as well as the Kentucky Consumer Protection Act and other applicable state laws.

Key Allegations Surrounding Privacy Violations in Kentucky

According to the complaint, the AI chatbot platform:

  • Enabled widespread access by minors without adequate age verification.
  • Engaged in business practices that allegedly prioritized profit over user safety.
  • Facilitated interactions that led to dangerous outcomes for children, including self-harm and psychological distress.

The complaint cites specific incidents, including reported deaths of minors following interaction with the platform, as evidence of the harm allegedly caused by the company’s failure to implement sufficient safeguards.

Legal Authority Under the KCDPA

The KCDPA became effective on January 1, 2026, establishing a set of consumer privacy rights and imposing obligations on entities that collect or process personal information about Kentucky residents. Among other provisions, the KCDPA grants Kentucky’s Office of Data Privacy, under the direction of the Attorney General, exclusive authority to enforce the statute, seek civil penalties, and pursue injunctive relief against noncompliant entities.

Under the KCDPA, covered entities (“controllers”) must:

  • Provide clear, accessible privacy notices explaining data collection, use, and consumer rights;
  • Honor consumer rights to access (this is where our DSAR Software comes into play), correct, delete, or obtain their personal data, as well as to opt out of targeted advertising, data sales, and certain profiling;
  • Respond to consumer requests within strict timelines, generally 45 days, with an opportunity for a single extension; and
  • Maintain mechanisms for consumers to contact the Attorney General in case of unresolved complaints.

Importantly, the KCDPA does not provide for a private right of action, meaning consumers cannot directly file lawsuits under the statute. Instead, enforcement rests exclusively with the Attorney General’s Office, and business owners should get compliant right away with the help of Captain Compliance.

Why This Case Matters: A Privacy Law Perspective

From the standpoint of legal practitioners and privacy compliance officers, the Kentucky AG’s lawsuit is significant for several reasons:

1. State Privacy Laws Are Now Enforceable

Kentucky joins a growing cohort of U.S. states with comprehensive consumer privacy laws. These laws have proliferated since California’s pioneering California Consumer Privacy Act (CCPA), prompting other jurisdictions such as Colorado, Connecticut, Virginia, Indiana, and Tennessee to enact similar statutes in recent years.

Each law establishes frameworks for consumer data protection but varies in scope, enforcement mechanisms, and timelines. Kentucky’s KCDPA, like many counterparts, includes a right to cure provision, affording companies 30 days to address alleged violations before formal enforcement actions are pursued. (Mintz)

2. Enforcement Authority Resides with the Attorney General

Unlike some state laws that permit consumer litigation (e.g., California’s CCPA and the Washington My Health My Data Act under certain circumstances), the KCDPA centralizes enforcement within the Attorney General’s Office — a model that intensifies governmental oversight and underscores the importance of robust compliance programs for organizations operating in the state.

3. AI and Privacy Risks Take Center Stage

This lawsuit is among the first to expressly connect AI product design and data practices with statutory privacy violations and consumer harm. As companies increasingly deploy AI models that interact with personal data — often including sensitive information about minors — regulators are scrutinizing not just technical compliance but also the real-world impact of these technologies.

4. Intersection With Consumer Protection Law

The Kentucky complaint also invokes the Kentucky Consumer Protection Act, highlighting that privacy enforcement intersects with broader consumer protection principles. Practices that are unfair, deceptive, or misleading — including failure to implement effective safety measures or misrepresentations about platform safeguards — can trigger multiple legal regimes beyond data privacy statutes.

Comparative Enforcement: National Trends

To fully appreciate the significance of the Kentucky action, it is helpful to consider similar enforcement activity across other U.S. jurisdictions.

California: Record Enforcement Under the CPRA

The California Privacy Rights Act (CPRA), an extension of the CCPA, has been vigorously enforced. In 2025, the California Privacy Protection Agency secured a $1.35 million settlement with Tractor Supply Company for failing to provide adequate privacy notices and opt-out mechanisms, among other violations. This enforcement action underscores how mature state privacy regimes are compelling businesses to meet procedural and substantive compliance standards.

Connecticut: First Monetary Penalty

Under the Connecticut Data Privacy Act (CTDPA), state regulators also imposed monetary penalties for deficient privacy notices and ineffective consumer rights mechanisms. Notably, enforcement teams alleged that remediation efforts were overstated, signaling that regulators are looking beyond written policies to actual functionality.

Texas: Early Enforcement Under the TDPSA

In Texas, the Attorney General’s Office issued noncompliance notices under the Texas Data Privacy and Security Act (TDPSA) and initiated an action alleging unlawful data collection and sale through embedded mobile applications. This highlights how enforcement agencies are testing varied compliance elements of privacy laws and focusing on nuanced technical requirements such as state-specific notice content.

Collectively, these actions reflect a broader regulatory shift: privacy enforcement is no longer theoretical. Regulators are taking actionable steps against both procedural lapses and substantive harm. For companies, this means that data privacy compliance must be operational, demonstrable, and aligned with evolving regulator expectations.

Practical Compliance Considerations for Businesses

For privacy counsel and compliance teams, the Kentucky lawsuit reinforces several best practices:

Conduct a Comprehensive Privacy Inventory

Organizations should maintain an up-to-date record of all personal data processing activities, including how data flows through systems, the purposes of collection, retention periods, and third-party disclosures. This inventory forms the backbone of compliance with privacy notice requirements and consumer rights facilitation.

Review Age Verification and Safety Controls

Given the allegations in the Kentucky case involving harm to minors, companies — especially those targeting broad audiences — must ensure that age-appropriate controls, parental consent mechanisms, and risk-based assessments are in place to protect young users and mitigate foreseeable harm.

Ensure Accurate and Accessible Privacy Notices

Privacy notices should clearly articulate data categories, processing purposes, data subject rights, and mechanisms for exercising those rights. Notices must be tailored to state-specific requirements — a one-size-fits-all approach is increasingly insufficient in the current regulatory patchwork.

Implement Consumer Rights Request Infrastructure

The KCDPA and other state laws require timely responses to consumer rights requests. Organizations need standardized workflows, automated tracking, and accountability mechanisms to ensure requests are fulfilled within statutory deadlines.

Plan for Periodic Compliance Audits

Standards of privacy compliance evolve quickly. Periodic internal audits — including assessments of legal changes, enforcement trends, and technological developments — can identify gaps before regulators do.

Looking Ahead: What This Means for the U.S. Privacy Landscape

The Kentucky AG’s lawsuit represents a turning point for state privacy enforcement:

  • It signals that state laws are now active and enforceable, not merely aspirational.
  • It illustrates the regulatory appetite for tackling novel technology risks, including those posed by AI platforms.
  • It underscores the importance of operational compliance, not just documentation.

Without a comprehensive federal privacy statute, state laws like the KCDPA function as the primary regulatory sources governing data privacy rights and obligations. For multinational and U.S. businesses alike, complying with these laws is no longer optional. Instead, it requires strategic legal planning, cross-jurisdictional compliance frameworks, and ongoing engagement with evolving enforcement expectations.

As state attorneys general assert their authority in this space, enforcement actions will likely broaden in scope and frequency — touching on everything from consumer notice violations to algorithmic transparency and the safety of vulnerable populations.
