On April 4, Kentucky Governor Andy Beshear signed the Kentucky Consumer Data Protection Act (KCDPA) into law, making Kentucky the 16th state to enact a comprehensive data privacy law and the third to do so in 2024. The KCDPA largely tracks the amended Virginia Consumer Data Protection Act (VCDPA), but there are some notable differences, explained below. The KCDPA should not impose significant additional compliance requirements on companies that already comply with the non-California state privacy laws.
Below we discuss the KCDPA's applicability criteria, its unique exemptions, some definitional highlights, enforcement, and key dates. Given the similarities between the KCDPA and the VCDPA (and other existing state privacy laws), the analysis focuses primarily on the unique aspects of the KCDPA. The KCDPA takes effect on January 1, 2026.
Applicability
The KCDPA applies to any entity that does business in Kentucky or produces products or services targeted to Kentucky residents and that, during a calendar year, controls or processes the personal data of at least one of the following:
- 100,000 consumers; or
- 25,000 consumers, where the entity also derives more than 50% of its total revenue from the sale of personal data.
These thresholds match those established by the privacy laws of several other states, including Indiana, Iowa, Utah, and Virginia. Also note that, like some other state privacy laws, the KCDPA does not apply to individuals acting in a commercial or employment context.
Unique Exemptions
The KCDPA includes several exemptions common to other state data privacy laws. These include exemptions for covered entities, business associates, and protected health information under the Health Insurance Portability and Accountability Act (HIPAA); nonprofit organizations; institutions of higher education; financial institutions and data subject to the Gramm-Leach-Bliley Act; information governed by the Fair Credit Reporting Act; and personal data processed for federal policy purposes under the Methamphetamine Epidemic Response Act of 2005. Consistent with the updated definition in the VCDPA, the KCDPA's definition of a commercial entity does not include political entities. Also, entities that comply with the verifiable parental consent requirements under the Children's Online Privacy Protection Act are deemed compliant with the KCDPA's parental consent requirements.
Additionally, the KCDPA includes its own insurance fraud-related exemption: it does not apply to nonprofit organizations and similar entities that collect, process, use, or share data only in connection with identifying, investigating, or assisting law enforcement regarding suspected insurance-related criminal or fraudulent activity, or in connection with assisting first responders during a catastrophe. The KCDPA also does not apply to small telephone carriers or Tier III CMRS providers (each as defined by Kentucky law), or to municipally-owned carriers that do not sell or share personal data with third-party processors. It also does not apply to
Definitions: Biometric Data and Sale of Personal Data
Kentucky's new law follows Connecticut's consumer-friendly approach to defining biometric data. Under the KCDPA, “[b]iometric data” does not include physical or digital photographs, video or audio recordings, or data generated therefrom, except where that data is generated to identify a specific individual; it also does not include information collected, used, or stored for medical treatment, payment, or operations purposes under HIPAA.
The KCDPA's definition of the sale of personal data is business-friendly: it covers only the exchange of personal data for monetary consideration, unlike the broader definitions in some other states that also include non-monetary consideration.
Enforcement
The KCDPA does not include a private right of action and is enforced exclusively by the Kentucky Attorney General. Additionally, the KCDPA provides a 30-day cure period with no sunset. If a company fails to cure a violation within that period, it is subject to a civil penalty of $7,500 for each violation.
Important Dates
- January 1, 2026: KCDPA comes into effect.
- June 1, 2026: Data protection assessment requirements apply to processing activities created or generated after this date.
Our team will continue to monitor KCDPA.