On April 4, 2024, Kentucky became the fifteenth state in the United States to enact a consumer privacy bill with the passing of House Bill 15, the Kentucky Consumer Data Protection Act (KCDPA). The law goes into effect on January 1, 2026 and gives organizations close to two years to prepare for compliance.
We look at the KCDPA, who it applies to, how it protects consumers, and how organizations can prepare for compliance.
What is the Kentucky Consumer Data Protection Act?
The Kentucky Consumer Data Protection Act (KCDPA) aims to protect the privacy and personal data of the state’s 4.5 million residents by regulating how it is collected and used. It sets obligations on businesses that operate in Kentucky or produce products or services consumed by its residents and process their personal data.
The KCDPA protects the personal data of residents acting in “an individual context”, not in a commercial or employment capacity, and defines such residents as “consumers”.
Like most other US states with consumer privacy laws, Kentucky follows an opt-out consent model. Businesses must clearly explain to consumers:
- what personal data they collect
- why they collect it
- third parties they share it with
- how consumers can opt out of its collection and processing for certain purposes
Definitions under the Kentucky Consumer Data Protection Act
The KCDPA defines key terms concerning the data it protects and data processing activities.
Personal data under the KCDPA
The Kentucky privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.
Common types of personal data that businesses collect include name, phone number, email address, account name, IP address, passport number, or driver’s license number.
Sensitive data under the KCDPA
Sensitive data under Kentucky’s privacy law is personal data that could harm consumers if abused and includes:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexual orientation
- citizenship or immigration status
- genetic or biometric data processed for the purpose of uniquely identifying a specific natural person
- personal data collected from a known child (under 13 years of age)
- precise geolocation data that can accurately identify an individual’s specific location within a radius of 1,750 feet (533.4 meters)
Consent under the KCDPA
The Kentucky data privacy law defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
Controller under the KCDPA
A controller under the law is “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.”
A controller, often referred to as a “data controller” in some regulations, is responsible for protecting personal data and must comply with the legal requirements for data protection.
Processor under the KCDPA
A controller may share the personal data it collects with a third party for processing purposes. This third party is known as a processor under the Kentucky privacy law and is defined as “a natural or legal entity that processes personal data on behalf of a controller.”
Sale of personal data under the KCDPA
The Kentucky privacy law defines sale of personal data as “the exchange of personal data for monetary consideration by the controller to a third party.”
Sale does not include the disclosure of personal data:
- to a processor that processes the personal data on the controller’s behalf
- to a third party for the purposes of providing a product or service the consumer has requested
- that the consumer intentionally made available to the public through a mass media channel not restricted to a specific audience
or its transfer:
- to the controller’s affiliate
- to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction
Many other US state-level privacy laws define sale as the exchange of personal data “for monetary or other valuable consideration” by the controller or third party. The KCDPA, like the Virginia Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA), requires monetary consideration for the exchange of personal data to be considered sale.
Non-monetary consideration does not constitute sale under the Kentucky privacy law.
Targeted advertising under the KCDPA
The KCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict that consumer’s preferences or interests.”
The definition excludes:
- ads based on activities within a controller’s own websites or online apps
- ads based on the context of a consumer’s current search query, visit to the website, or online app
- ads directed to a consumer in response to the consumer’s request for information or feedback
- processing of personal data solely for measuring or reporting ad performance, reach, or frequency
Who must comply with the Kentucky Consumer Data Protection Act
The Kentucky privacy law applies to businesses that operate in the Commonwealth of Kentucky or produce products or services aimed at its residents and which, during a calendar year:
- controlled or processed the personal data of at least 100,000 consumers, or
- controlled or processed the personal data of at least 25,000 consumers and derived more than 50 percent of gross revenue from the sale of personal data
Unlike some other US state laws, including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the KCDPA does not require businesses to comply based on revenue alone.
Exemptions to compliance with the Kentucky Consumer Data Protection Act
The Kentucky data privacy law exempts certain entities and types of data from compliance. Entity-level exemptions include, among others:
- city or state agencies or state political subdivisions
- financial institutions or affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
- covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- nonprofit organizations, including nonprofit controllers that process personal data solely to help:
  - law enforcement agencies investigating suspected insurance-related crimes or fraud
  - first responders dealing with catastrophic events
- higher education institutions
- small telephone utilities
Data-level exemptions include, among others:
- protected healthcare-related information, health data, and patient identifying information
- data processed or maintained as emergency contact information for a natural person and used for emergency contact purposes
- data created for or collected under several federal laws, including, among others:
  - Health Care Quality Improvement Act
  - Patient Safety and Quality Improvement Act
  - HIPAA
  - Fair Credit Reporting Act (FCRA)
  - Combat Methamphetamine Epidemic Act
  - Family Educational Rights and Privacy Act (FERPA)
  - Farm Credit Act (FCA)
Consumer rights under the Kentucky Consumer Data Protection Act
Consumers have several rights under the Kentucky privacy law to protect their personal data.
- Right to access: consumers can confirm whether or not the controller is processing their personal data and can access their data, unless doing either requires the controller to reveal trade secrets
- Right to correction: consumers can have inaccuracies in their personal data corrected, taking into account the nature of the personal data and purposes of processing
- Right to deletion: consumers can request controllers to delete any personal data provided by, or obtained about, them, with exceptions
- Right to data portability: consumers can obtain a copy of the personal data they previously provided to the controller, in a readily usable format, with some exceptions
- Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale, use in targeted advertising, or profiling in furtherance of “decisions that produce legal or similarly significant effects” concerning them
There is no private right of action — or right to directly sue a controller — under the KCDPA.
Controllers’ obligations under the Kentucky Consumer Data Protection Act
Organizations subject to KCDPA compliance have several obligations under the law to protect consumers’ personal data.
Privacy policy under the KCDPA
Controllers must publish a privacy notice (commonly called a privacy policy) that informs consumers about:
- categories of personal data the controller processes
- purpose(s) for processing personal data
- method of exercising their rights under the law and how to appeal the controller’s decision regarding a request
- categories of personal data shared with third parties, if any
- categories of third parties who receive personal data, if any
Controllers must clearly inform consumers if they sell personal data to third parties or process it for targeted advertising purposes. Unlike the CCPA, Florida Digital Bill of Rights (FDBR), and Texas Data Privacy and Security Act (TDPSA), the Kentucky privacy law doesn’t require any specific wording to be used to disclose this information. Controllers must also advise consumers how they can opt out of sale or processing for targeted advertising.
The privacy notice must be accessible, clear, and meaningful. It is usually published through a link on the controller’s website, such as in the footer, so that consumers can reach it from any page.
Consumer rights requests under the KCDPA
Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. Consumers may be asked to log in to an existing account for identity verification, but they can’t be required to create a new account solely for this purpose.
Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If they need an extension, the controller must inform the consumer before the initial 45-day period expires.
If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision. Controllers must respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer a method to contact the Attorney General online to submit a complaint.
Purpose limitation under the KCDPA
Controllers are required to disclose the purpose(s) for which they collect personal data, and the KCDPA requires them to limit the personal data they collect to only what is “adequate, relevant, and reasonably necessary” for the purposes.
Controllers cannot process personal data for any purposes other than those that are disclosed to consumers. If the purpose of data processing changes, they must inform consumers about the new purpose and obtain consent for processing their data, if applicable.
Data security under the KCDPA
Controllers must ensure the confidentiality, integrity, and accessibility of the personal data they collect and process. The Kentucky data privacy law requires them to establish, implement, and maintain reasonable administrative, technical, and physical security measures that are appropriate to the volume and nature of the personal data.
Data protection assessments under the KCDPA
The Kentucky privacy law requires controllers to conduct and document a data protection impact assessment (DPIA) when processing personal data:
- for the purpose of targeted advertising
- for sale
- for the purpose of profiling that presents a reasonably foreseeable risk of:
  - unfair or deceptive treatment of or disparate impact on consumers
  - financial, physical, or reputational injury
  - physical or other intrusion into consumers’ private affairs
  - other substantial injury to consumers
- that is classified as sensitive data under the law, including children’s data
- that presents a heightened risk of harm to consumers
DPIAs are classified information under the law and are exempt from disclosure, public inspection, and copying. However, the Attorney General can request the controller to disclose a DPIA during its investigations into any alleged violations, and the controller must make it available in this circumstance.
If a controller has already conducted a DPIA for other laws or regulations, and it is similar in scope and effect to what is required under the law, the controller can use that DPIA to comply with the KCDPA.
DPIAs shall be required for data processing activities on or after June 1, 2026.
Consent requirements under the KCDPA
The KCDPA primarily follows an opt-out model for personal data processing, like the other US state-level data privacy laws. This means that, in most cases, businesses can collect and process personal data without prior consumer consent. The exception is sensitive data: controllers must obtain the consumer’s explicit consent before processing it.
Controllers are required to clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling.
Unlike several other privacy laws, the Kentucky privacy law does not require controllers to recognize consumer consent preferences communicated through a universal opt-out mechanism such as Global Privacy Control (GPC).
With respect to children’s data, the KCDPA aligns with the Children’s Online Privacy Protection Act (COPPA), as is standard among the US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as the Kentucky privacy law considers all personal data of children under this age as sensitive data.
Nondiscrimination under the KCDPA
The KCDPA explicitly prohibits businesses from discriminating against consumers who exercise their rights under the law. Businesses cannot deny goods or services, charge different prices, or offer varying quality levels to these consumers. However, they may offer different prices, rates, levels, quality, or selections of goods or services to consumers if the offer is related to a voluntary loyalty, rewards, premium features, discounts, or club card program in which the consumer participates.
If a consumer chooses not to allow their personal data to be collected, processed, or sold, businesses cannot deny them access to their website. However, certain website features requiring essential cookies may not function properly if those cookies are declined. This limitation is not considered discrimination under the law.
Businesses are not required to offer a product or service that requires personal data they do not collect or maintain. They are also required to comply with state and federal discrimination laws and cannot process personal information in violation of these laws.
Data processing agreement under the KCDPA
The Kentucky privacy law requires controllers and processors to enter into contracts that govern data processing procedures. This contract is known as a “data processing agreement” under the European Union’s General Data Protection Regulation (GDPR) and Virginia’s CDPA and must include:
- instructions for processing personal data
- nature and purpose of processing
- type of data subject to processing
- duration of processing
- rights and obligations of both parties
Processors must ensure confidentiality of the personal data and that, at the controller’s direction or when the contract is complete, all personal data will be deleted or returned to the controller.
Under most data privacy laws, controllers are held accountable for the data processing actions, breaches, and violations by processors. However, the KCDPA provides two exceptions:
- if a controller or processor lawfully shares personal data with a third-party controller or processor, they are not liable for any violations by the recipient, provided they were unaware of any intent to break the law at the time of sharing
- if a controller or processor lawfully receives personal data, they are not responsible for any legal violations committed by the party that disclosed the data
The Nebraska Data Privacy Act (NDPA) contains a similar provision regarding controllers’ ultimate accountability for data processing activities.
Enforcement of the Kentucky Consumer Data Protection Act
The Kentucky Attorney General has the exclusive enforcement authority under the KCDPA. Consumers do not have a private right of action, but they can report potential violations or denials of their privacy rights directly to the Attorney General’s office.
Before initiating an enforcement action, the Attorney General must provide written notice to the implicated party, detailing the alleged violations and offering a 30-day cure period for organizations to address and resolve any issues. This cure period, which is a permanent aspect of the law, enables companies to rectify problems and implement measures to prevent future breaches.
Organizations found in violation must inform the Attorney General in writing of their corrective actions and confirm that future breaches will not occur.
Fines and penalties under the KCDPA
The Attorney General can initiate a civil action seeking damages against organizations that do not cure the violation within the 30-day period or breach the written statement they provide. Violations of the Kentucky privacy law may result in civil penalties of up to USD 7,500 per violation.
Consent management and the Kentucky Consumer Data Protection Act
The KCDPA adopts an opt-out model for data privacy, which allows businesses to collect and process personal data without requiring prior consent from individuals. However, exceptions are made for sensitive personal data and data belonging to children, where prior consent is mandatory. This approach is consistent with other US state-level data privacy laws.
Consumers must be able to opt out of data collection and processing for purposes such as sale, targeted advertising, or profiling. Businesses are required to make this opt-out option clearly available on their websites, usually through the privacy policy or privacy notice.
Websites often display consent banners that include clear links or buttons enabling users to opt out of data processing. Consent management platforms (CMPs) like Usercentrics CMP automate this process by managing cookies and other tracking technologies, ensuring they are blocked until the consumer gives consent where the law requires it. CMPs also provide transparent information about the types of data collected, the purposes for which it is collected, and any third parties with whom the data is shared.
In the absence of a single federal privacy law in the US, businesses operating across the US and/or internationally may need to comply with various state and international privacy laws. CMPs assist by customizing cookie banners based on the user’s location, ensuring adherence to state-level laws like the KCDPA and international regulations like the GDPR.
Preparing for the Kentucky Consumer Data Protection Act
Businesses operating in Kentucky have until 2026 to comply with the KCDPA. Companies already adhering to privacy laws in other states will find that much of their existing compliance work aligns with the KCDPA requirements. Businesses that meet the compliance thresholds set by the law must be prepared to offer users clear opt-out options and accessible privacy notices. Implementing privacy by design improves all aspects of organizational operations, not just compliance with regulations.
As the KCDPA adapts to new technologies and shifting consumer expectations, it is strongly recommended for businesses to seek guidance from a qualified legal professional or data privacy expert, such as a Data Protection Officer, to achieve and maintain compliance.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.