Updated: September 23, 2024
Published: April 18, 2024
It’s official. Kentucky will join Indiana, New Hampshire, and a slew of other states with the enactment of a comprehensive data privacy act.
The Kentucky Consumer Data Protection Act (KCDPA), at least this iteration of it, was several years in the making after the competing Senate Bill couldn’t garner enough support to pass in the House.
This blog will outline key provisions of the Kentucky privacy act, along with how businesses will be impacted, and how to comply.
The KCDPA provides data privacy protections for consumers of the Bluegrass State, granting them certain, now standard rights. We’ll dive into more on that later.
The law defines consumers as residents of the state acting only as an individual, not in commercial or employment contexts. It closely aligns with Virginia’s law, which is good news for businesses already complying with the Virginia Consumer Data Protection Act (VCDPA). And, because the VCDPA is considered a framework or foundation legislation, the KCDPA also tracks closely with other state laws that used Virginia’s law as a framework, including Tennessee and Indiana.
Businesses will become subject to the law as of January 1, 2026.
Similar to Virginia, Colorado, Connecticut, and Indiana, Kentucky’s privacy act allows companies to collect and process most types of personal information without obtaining affirmative user consent first (in most cases). This is known as the opt-out model, which most U.S. data privacy laws follow.
By now, you may be wondering if the law will impact your business. Just like Virginia’s law, the KCDPA applies to any person who conducts business in Kentucky or who produces products or services that target residents of the state, and during a calendar year controls or processes data of at least:
Like all data privacy laws that came before it, the KCDPA applies to both controllers, or entities who determine the purpose and means of processing data, and processors, or entities that process personal data on behalf of a controller, such as a third-party vendor charged with analyzing data. The delineation between controllers and processors exists to clearly assign responsibilities for data governance between the parties involved in collecting and processing consumer data.
To avoid conflicts with established laws in other sectors, the KCDPA provides exemptions for certain organizations and various types of data. These exceptions are primarily for organizations and data already regulated by other federal laws.
Organizational exceptions in Kentucky privacy law include:
When it comes to data-level exemptions, the biggest category impacted is health data, including data regulated under the Health Insurance Portability and Accountability Act (HIPAA), health records, patient identifying information, human subjects research data, and data used for quality improvement and patient safety efforts.
In addition, personal data used in certain contexts and subject to laws like the Fair Credit Reporting Act, FERPA, the Driver’s Privacy Protection Act, and the Farm Credit Act are exempt.
Finally, data collected for law enforcement, public health, emergency response, and the Combat Methamphetamine Epidemic Act are exempt from Kentucky’s data privacy act.
The law also notes that those who already comply with parental consent requirements outlined in the Children’s Online Privacy Protection Act (COPPA) are considered automatically compliant with obligations to obtain parental consent.
If you’re thinking, “That’s a lot of exemptions,” you’re right. The scope of the Kentucky data privacy law makes it critical for business owners to understand whether the law applies to them based on the applicability thresholds and list of exemptions.
Kentucky’s privacy law lays out a host of requirements for controllers related to how data is handled, along with security, consent, and privacy policy requirements, and how they should handle consumer rights requests.
Like other state privacy laws, the KCDPA requires controllers to:
Similar to other state laws, including Virginia and those created using its framework, the KCDPA grants consumers several rights that enable them to limit how companies use their personal data.
Namely, consumers can:
Like California, Colorado, Virginia, and Indiana, the KCDPA requires controllers to conduct and document a DPA for several processing activities involving personal data. These include processing of personal data for the purposes of:
A single DPA may address a comparable set of processing operations if they include similar activities. The Kentucky data privacy law gives controllers a little longer to come into compliance with DPAs, stating the requirement kicks in for processing activities created or generated on or after June 1, 2026.
Because Kentucky’s privacy law mirrors other state privacy laws, if you’re already compliant with one, you’re ahead of the game when it comes to compliance with the KCDPA. Still, when there’s a new privacy law, it’s always worth it to:
It’s also helpful to stay up to date on new laws and be proactive about learning how your company will be impacted. A data privacy platform like Osano can help manage opt-out requests, data subject requests, vendors, and more, even as new laws and regulations are added to the data privacy landscape.
Kentucky’s privacy act goes into effect Jan. 1, 2026.
The state’s Attorney General has exclusive authority to enforce violations of the Kentucky privacy law.
If a controller or processor violates the KCDPA, the Attorney General will give them 30 days to “cure,” or remedy the violation and write a statement that the alleged violations have been cured and no further violations will occur.
The penalty for violating the KCDPA is up to $7,500 for each violation. Penalties paid will be put into a fund the Office of the Attorney General can use to enforce the KCDPA.
Kentucky’s privacy act does not require controllers or processors to recognize universal opt-out mechanisms.
The law defines sensitive data as a category of personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identifying a specific natural person; personal data collected from a known child; or precise geolocation data.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.