Kentucky Privacy Law Overview
Kentucky's comprehensive privacy law took effect January 1, 2026 and adopts the Virginia framework that has become the national mainstream. Two points deserve attention: personal data collected from a known child (under 13) is treated as sensitive data and therefore requires opt-in consent, and the Attorney General handles complaints and enforcement through a dedicated privacy office.
The Kentucky Consumer Data Protection Act (KCDPA)
Kentucky's law is closely modeled on Virginia's. It grants the familiar set of consumer rights, requires opt-in consent before sensitive data is processed, and gives businesses a 30-day right to cure before the Attorney General can bring an action. The Attorney General established a dedicated Office of Data Privacy to handle complaints and enforcement.
KCDPA: Quick Overview
- Effective Date: January 1, 2026
- Citation: Ky. Rev. Stat. ch. 367 (enacted by HB 15, 2024 Regular Session)
- Enforced By: Kentucky Attorney General
- Maximum Penalty: Up to $7,500 per violation (civil penalty sought by the Attorney General)
- Private Right of Action: No (enforcement by the Attorney General only)
- Right to Cure: 30 days from written notice of the violation
Who Must Comply
The KCDPA applies to any person that conducts business in Kentucky, or produces products or services targeted to Kentucky residents, and during a calendar year meets either threshold:
- Controls or processes the personal data of at least 100,000 Kentucky consumers, or
- Controls or processes the personal data of at least 25,000 Kentucky consumers and derives over 50% of gross revenue from the sale of personal data
What makes Kentucky different: the substance follows the Virginia model closely, so the distinguishing feature is institutional rather than legal: the Attorney General created a dedicated Office of Data Privacy to receive complaints and enforce the Act.
Consumer Rights Under the KCDPA
Kentucky residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data. Under the KCDPA this includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; precise geolocation data; and any personal data collected from a known child.
Data Breach Notification in Kentucky
Kentucky's breach notification statute (KRS 365.732) requires notice to affected residents when unencrypted personal information is acquired by an unauthorized person; a separate Attorney General notification is not required of private businesses, although public agencies have their own notification duties under a different statute.
- Deadline to notify residents: In the most expedient time possible and without unreasonable delay, subject to the legitimate needs of law enforcement
- Attorney General notice: Kentucky does not require private businesses to notify the Attorney General
- Consumer reporting agencies: If more than 1,000 residents are notified at one time, the business must also notify the nationwide consumer reporting agencies of the timing, distribution and content of the notices
- Covered data: An individual's first name or first initial and last name combined with a Social Security number, a driver's license number, or an account, credit-card or debit-card number together with any security code, access code or password that permits access to the financial account, where the name and data element are not redacted
Federal Privacy Laws That Apply in Kentucky
Even where Kentucky law is silent, residents and businesses remain subject to federal privacy statutes; data already regulated by several of these (for example HIPAA and GLBA) is carved out of the KCDPA:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Kentucky Privacy Law FAQ
Is Kentucky's privacy law like Virginia's?
Yes. The KCDPA is closely modeled on the Virginia Consumer Data Protection Act: the same applicability thresholds, the same set of consumer rights, opt-in consent for sensitive data, a 30-day cure period and no private right of action.
Who handles privacy complaints in Kentucky?
The Kentucky Attorney General, through its Office of Data Privacy, receives consumer complaints and is the sole enforcer of the KCDPA. Consumers cannot sue under the Act directly.
How a Kentucky Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests within the statutory deadlines
- Manage data-breach response and resident notification
- Defend regulatory investigations and enforcement
For Consumers
- Assert your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation under theories other than the KCDPA, which has no private right of action
- File complaints with the Kentucky Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Kentucky Privacy Attorney?
Whether you are a business working toward compliance or a Kentucky resident whose privacy has been violated, our network of Kentucky-licensed attorneys can help.
Find a Kentucky Privacy Attorney