Privacy Guide | April 30, 2026 | 8 min read

Privacy Laws in Kentucky: What You Need to Know

By Sarah Chen

Head of Privacy Research

The Kentucky Consumer Data Protection Act (KCDPA) went into effect on January 1, 2026, making Kentucky the fifteenth state to enact a comprehensive consumer data privacy law. Here's what Kentucky residents need to know about their new rights and how businesses must handle their personal data.

What Is the KCDPA?

Governor Andy Beshear signed the Kentucky Consumer Data Protection Act into law on April 4, 2024, as House Bill 15. Codified in KRS 367.3611 through 367.3629, the KCDPA establishes a framework for how businesses must collect, process, and protect the personal data of Kentucky consumers.

The law is modeled closely after privacy laws in Virginia and other states, providing consumers with a set of core data rights while establishing obligations for businesses that handle personal information.

Now in Effect

The KCDPA became effective on January 1, 2026. If you're a Kentucky resident, you can begin exercising your rights under this law immediately. Data protection impact assessments are required for processing activities created on or after June 1, 2026.

Who Does the KCDPA Apply To?

The KCDPA applies to businesses ("controllers") that conduct business in Kentucky or produce products or services targeted to Kentucky consumers and meet at least one of the following thresholds:

  • Process the personal data of 100,000 or more Kentucky consumers in a calendar year
  • Process the personal data of 25,000 or more Kentucky consumers and derive more than 50% of gross revenue from the sale of personal data

The law defines "consumers" as Kentucky residents acting as individuals, not in a commercial or employment capacity. It applies to businesses regardless of whether they are physically located in Kentucky.

Who Is Exempt?

The KCDPA exempts several types of organizations, including:

  • State and local government entities
  • Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
  • Entities covered by HIPAA (with a 2025 amendment clarifying the scope of this exemption)
  • Nonprofits
  • Institutions of higher education

Your Rights Under the KCDPA

As a Kentucky consumer, you have the following rights regarding your personal data:

Right to Know

You can confirm whether a business is processing your personal data and access the categories and specific pieces of data being processed.

Right to Correct

You can request that a business correct inaccurate personal data it holds about you, taking into account the nature of the data and the purposes for processing.

Right to Delete

You can request deletion of your personal data that a business has collected. There are exceptions for data needed to complete transactions, comply with legal obligations, or exercise legal rights.

Right to Data Portability

You can obtain a copy of your personal data in a portable, readily usable format that allows you to transfer it to another business without hindrance.

Right to Opt Out

You can opt out of the processing of your personal data for three specific purposes:

  • Targeted advertising: Ads directed at you based on personal data obtained from your activities across different websites or applications
  • Sale of personal data: The exchange of your personal data for monetary consideration
  • Profiling: Automated processing that produces legal effects or similarly significant effects concerning you

Protection of Sensitive Data

Businesses cannot process sensitive personal data without first obtaining your consent. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of known children, and precise geolocation data.

No Private Lawsuits

The KCDPA does not grant consumers a private right of action. Only the Kentucky Attorney General can enforce the law. Violators receive a 30-day cure period to fix the issue, and penalties can reach up to $7,500 per violation if left unresolved.

How to Exercise Your Rights

To exercise your rights under the KCDPA:

  1. Identify the business: Determine which company has your personal data that you want to access, correct, delete, or opt out of
  2. Find the request method: Look for the company's privacy notice on its website, which must include instructions for submitting consumer requests
  3. Submit your request: Use the method specified in the privacy notice (typically an online form, email address, or toll-free number)
  4. Wait for a response: Businesses must respond to your request within 45 days, with the option to extend by an additional 45 days for complex requests
  5. Appeal if denied: If your request is denied, you have the right to appeal. The business must respond to your appeal within 60 days

What Businesses Must Do

Businesses covered by the KCDPA are required to:

  • Provide a reasonably accessible and clear privacy notice that discloses the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties
  • Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes
  • Implement reasonable data security practices to protect personal data
  • Conduct data protection impact assessments for processing activities that present a heightened risk of harm, including targeted advertising, profiling, and selling personal data
  • Obtain consent before processing sensitive data

How PrivacyOn Helps Kentucky Residents

While the KCDPA gives you important new rights, the reality is that exercising them requires identifying every business that has your data and submitting individual requests to each one. Data brokers alone account for over 100 sites that may have your personal information.

PrivacyOn automates this entire process. We continuously scan 100+ data broker and people search sites for your personal data, submit removal requests on your behalf, and monitor for reappearances around the clock. Combined with dark web monitoring and family plans covering up to 5 people starting at $8.33/month, PrivacyOn makes it easy to exercise your privacy rights without the hassle.

Whether you're opting out of data brokers, monitoring for identity theft, or simply trying to reduce your online footprint, PrivacyOn gives Kentucky residents the tools they need to take control of their personal data.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
