The Kentucky Consumer Data Protection Act (KCDPA): What Businesses Need to Know

Written by Matt Davis, CIPM (IAPP) | April 18, 2024

It’s official. Kentucky will join Indiana, New Hampshire, and a slew of other states with the enactment of a comprehensive data privacy act.

The Kentucky Consumer Data Protection Act (KCDPA), at least this iteration of it, was several years in the making after the competing Senate Bill couldn’t garner enough support to pass in the House.

This blog will outline key provisions of the Kentucky privacy act, along with how businesses will be impacted, and how to comply.

What Is the KCDPA?

The KCDPA provides data privacy protections for consumers of the Bluegrass State, granting them certain now-standard rights. We’ll dive into more on that later.

The law defines consumers as residents of the state acting only as an individual, not in commercial or employment contexts. It closely aligns with Virginia’s law, which is good news for businesses already complying with the Virginia Consumer Data Protection Act (VCDPA). And, because the VCDPA is considered a framework or foundation legislation, the KCDPA also tracks closely with other state laws that used Virginia’s law as a framework, including Tennessee and Indiana.

Businesses will become subject to the law as of January 1, 2026.

Similar to Virginia, Colorado, Connecticut, and Indiana, Kentucky’s privacy act allows companies to collect and process most types of personal information without first obtaining affirmative user consent (in most cases). This is known as the opt-out model, which most U.S. data privacy laws follow.

What Is the Scope of Kentucky’s Privacy Law?

By now, you may be wondering if the law will impact your business. Just like Virginia’s law, the KCDPA applies to any person who conducts business in Kentucky or who produces products or services that target residents of the state, and during a calendar year controls or processes data of at least:

  • 100,000 consumers; or
  • 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

Like all data privacy laws that came before it, the KCDPA applies to both controllers, or entities who determine the purpose and means of processing data, and processors, or entities that process personal data on behalf of a controller, such as a third-party vendor charged with analyzing data. The delineation between controllers and processors exists to clearly assign responsibilities for data governance between the parties involved in collecting and processing consumer data.

Exemptions to KCDPA

To avoid conflicts with established laws in other sectors, the KCDPA provides exemptions for certain organizations and various types of data. These exceptions are primarily for organizations and data already regulated by other federal laws.

Organizational exceptions in Kentucky privacy law include:

  • Cities, state agencies, or political subdivisions of the state.
  • Financial institutions, affiliates, or data subject to the Gramm-Leach-Bliley Act.
  • Covered entities or business associates governed by HIPAA privacy rules.
  • Nonprofit organizations.
  • Institutions of higher education.
  • Organizations that collect, process, use, or share data solely for identifying or investigating insurance fraud or assisting first responders.
  • Small telephone utilities, Tier III CMRS providers, or municipal utilities that don't sell or share personal data.

When it comes to data-level exemptions, the biggest category impacted is health data, including data regulated under the Health Insurance Portability and Accountability Act (HIPAA), health records, patient identifying information, human subjects research data, and data used for quality improvement and patient safety efforts.

In addition, personal data used in certain contexts and subject to laws like the Fair Credit Reporting Act, FERPA, the Driver’s Privacy Protection Act, and the Farm Credit Act is exempt.

Finally, data collected for law enforcement, public health, emergency response, and Combat Methamphetamine Epidemic Act purposes is exempt from Kentucky’s data privacy act.

The law also notes that those who already comply with the parental consent requirements outlined in the Children’s Online Privacy Protection Act (COPPA) are considered automatically compliant with the KCDPA’s obligations to obtain parental consent.

If you’re thinking, “That’s a lot of exemptions,” you’re right. The scope of the Kentucky data privacy law makes it critical for business owners to understand whether the law applies to them based on the applicability thresholds and list of exemptions.

What Does the KCDPA Require of Organizations?

Kentucky’s privacy law lays out a host of requirements for controllers related to how data is handled, along with security, consent, and privacy policy requirements, and how they should handle consumer rights requests.

Like other state privacy laws, the KCDPA requires controllers to:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
  • Not process personal data for undisclosed purposes without consent.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal data.
  • Comply with anti-discrimination laws when processing personal data and not discriminate against a consumer for exercising their rights.
  • Not process sensitive data without consent and comply with COPPA when processing children’s data.
  • Provide a privacy notice that includes the categories of personal data processed, the purposes of processing personal data, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with which personal data is shared.

What Rights Does the Kentucky Privacy Act Give Consumers?

Similar to other state laws, including Virginia and those created using its framework, the KCDPA grants consumers several rights that enable them to limit how companies use their personal data.

Namely, consumers can:

  • Confirm whether a controller is processing their personal data and have access to the data.
  • Correct inaccuracies in their personal data.
  • Delete personal data provided by or obtained about the consumer.
  • Obtain a copy of their personal data previously provided to the controller in a portable and readily usable format.
  • Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling if the data will be used to make decisions that have legal or other significant impacts on the consumer.

Data Protection Assessment (DPA) Requirements

Like the privacy laws of California, Colorado, Virginia, and Indiana, the KCDPA requires controllers to conduct and document a DPA for several processing activities involving personal data. These include processing of personal data for the purposes of:

  • Targeted advertising.
  • Selling of personal data.
  • Profiling, if there is a risk of unfair or deceptive treatment, potential injury to consumers, or an intrusion on their solitude or seclusion.
  • Sensitive data.
  • Personal data that presents a heightened risk of harm to consumers.

A single DPA may address a comparable set of processing operations if they include similar activities. The Kentucky data privacy law gives controllers a little longer to come into compliance with DPAs, stating the requirement kicks in for processing activities created or generated on or after June 1, 2026.

Complying With the KCDPA

Because Kentucky’s privacy law mirrors other state privacy laws, if you’re already compliant with one, you’re ahead of the game when it comes to compliance with the KCDPA. Still, when there’s a new privacy law, it’s always worth it to:

  • Review the law with your legal counsel.
  • Conduct data mapping to understand what personal data is collected, where it comes from, how it’s used, and how it’s stored.
  • Revisit your website privacy notices and policies to ensure they meet the requirements of the law.
  • Conduct assessments if required.

It’s also helpful to stay up to date on new laws and be proactive about learning how your company will be impacted. A data privacy platform like Osano can help manage opt-out requests, data subject requests, vendors, and more, even as new laws and regulations are added to the data privacy landscape.

Frequently Asked Questions

What Is the Kentucky Consumer Data Protection Act Effective Date?

Kentucky’s privacy act goes into effect Jan. 1, 2026.

Who Enforces the KCDPA?

The state’s Attorney General has exclusive authority to enforce violations of the Kentucky privacy law.

Is There a Cure Period for Those Who Violate the Law?

If a controller or processor violates the KCDPA, the Attorney General will give them 30 days to “cure,” or remedy, the violation and provide a written statement that the alleged violations have been cured and that no further violations will occur.

What Are the Penalties for Violations?

The penalty for violating the KCDPA is up to $7,500 for each violation. Penalties paid will be put into a fund the Office of the Attorney General can use to enforce the KCDPA.

Does the Law Require Controllers to Honor Global Opt-Out Mechanisms?

Kentucky’s privacy act does not require controllers or processors to recognize universal opt-out mechanisms.

How Does the KCDPA Define Sensitive Data?

The law defines sensitive data as a category of personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identifying a specific natural person; personal data collected from a known child; or precise geolocation data.