The Kentucky Consumer Data Protection Act (KCDPA), which takes effect on January 1, 2026, is the state's first comprehensive privacy law. Modeled on Virginia's CDPA, it imposes data governance and transparency requirements on entities that do business in Kentucky or target products or services to Kentucky residents.
Obligations under the KCDPA include data minimization, transparency, reasonable technical and organizational safeguards, nondiscrimination against consumers who exercise their rights, prior consent for processing sensitive data, and data protection assessments (DPIAs) for high-risk processing.
Take the following actions as part of KCDPA compliance:
Update privacy policy:
Update privacy and cookie policies to cover the purposes of processing, the categories of personal data collected, the third parties it is shared with, and how consumers can opt out.
Implement consent management:
Implement cookie consent banners and opt-out flows that obtain clear, affirmative consent where it is required, give consumers mechanisms to exercise their rights, and log consents and opt-outs.
Conduct assessments:
Undertake data protection assessments (DPIAs) for the processing of sensitive data, profiling, targeted advertising, or the sale of personal data.
Manage third parties:
Put data processing agreements in place with vendors and processors.
You should be taking these actions to comply with KCDPA.
The KCDPA applies to businesses that conduct business in Kentucky or target products or services to Kentucky residents and that, during a calendar year, control or process the personal data of at least 100,000 Kentucky consumers, or of at least 25,000 Kentucky consumers while deriving more than 50% of gross revenue from the sale of personal data.
Exemptions include government entities, GLBA-regulated financial institutions, HIPAA-covered entities and their business associates, nonprofits, institutions of higher education, small telephone and municipal utilities, law-enforcement-related uses, and data already regulated under other laws such as HIPAA, FERPA and FCRA.
Kentucky consumers have the right to:
Confirm whether a controller is processing their personal data and access that data
Correct inaccuracies in their personal data
Have their personal data deleted
Obtain a copy of their personal data in a portable and, where technically feasible, readily usable format
Opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects
Businesses must respond to a request within 45 days, extendable once by a further 45 days when reasonably necessary.
Cookies and similar trackers can collect personal data, including sensitive data. Non-sensitive cookie use (e.g., analytics) is permitted on an opt-out basis, but collecting sensitive data through cookies requires explicit opt-in consent.
Organizations that fail to comply with the KCDPA may face civil penalties of up to USD 7,500 per violation. The Act provides a 30-day cure period, and penalties may be imposed if the violation is not cured within that time. The Kentucky Attorney General enforces the Act; there is no private right of action.
To check that your approach to data privacy follows best practices and complies with the KCDPA, organizations should:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, allow users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices and confirm that data processing agreements are in place
The KCDPA protects consumers, meaning natural persons who are Kentucky residents acting in an individual or household context; it does not cover individuals acting in a commercial or employment context. The Act applies to controllers and processors that do business in Kentucky or target Kentucky residents and meet the data-volume or revenue thresholds.
Personal data is "any information that is linked or reasonably linkable to an identified or identifiable natural person," excluding de-identified data and publicly available information. It includes names, IP addresses, email addresses, purchase history and device fingerprints.
Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child; and precise geolocation data (location within a radius of 1,750 feet, roughly 533 m).
The Kentucky Attorney General has exclusive enforcement authority; there is no consumer private right of action.
Exempt categories include: government entities, GLBA- and HIPAA-regulated entities, nonprofits, institutions of higher education, small telephone and municipal utilities, law-enforcement and fraud-prevention data handlers, and data types already regulated under federal law (health, FERPA, FCRA, etc.).
Consult the full text of HB 15 and Kentucky Attorney General guidance for official definitions, effective dates, and compliance rules.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.