Kentucky Consumer Data Protection Act (KCDPA)

• Enacted: April 4, 2024
• Effective: January 1, 2026

KCDPA applies to businesses that:

• Conduct business in Kentucky or target Kentucky residents, and
• Annually control or process personal data of at least 100,000 consumers, or
• Derive over 50% of gross revenue from selling personal data of at least 25,000 consumers.

• State agencies and political subdivisions
• Financial institutions under GLBA
• Healthcare entities covered by HIPAA
• Nonprofits and higher education institutions
• Employment-related data
• De-identified or publicly available information

• Limit data collection to necessary, relevant purposes
• Provide transparent and accessible privacy notices
• Maintain reasonable data security measures
• Obtain opt-in consent for processing sensitive data
• Avoid processing data for discriminatory or deceptive purposes

• Display privacy notices clearly
• Include opt-out mechanisms for data sales or targeted advertising
• Offer clear links for consumers to exercise their rights

• Conduct data protection assessments for high-risk activities
• Use contracts with processors that outline responsibilities, instructions, and confidentiality
• Provide privacy training to relevant personnel

Consumers have the right to:

• Access personal data
• Correct inaccuracies
• Delete data
• Obtain a portable copy
• Opt out of:
  • Targeted advertising
  • Sale of personal data
  • Profiling with legal/effects-based outcomes

• Authority: Kentucky Attorney General
• Penalties: Up to $7,500 per violation
• Cure Period: 30 days, at the discretion of the Attorney General
• Private Right of Action: Not provided