It's official. Kentucky will join Indiana, New Hampshire, and many other states in enacting comprehensive data privacy laws.
The Kentucky Consumer Data Protection Act (KCDPA) has been at least several years in the making, after a competing Senate bill failed to garner enough support to pass in the House.
This blog outlines the key provisions of the Kentucky Privacy Act, how businesses are affected, and how to comply.
What is KCDPA?
The KCDPA provides data privacy protections for consumers in the Bluegrass State and grants them certain rights that are now standard. More on this later.
The law defines a consumer as a resident of the state acting only in an individual capacity, not in a commercial or employment context. This closely aligns with Virginia law and is good news for businesses that already comply with the Virginia Consumer Data Protection Act (VCDPA). Because the VCDPA is considered a framework or foundation law, the KCDPA also aligns closely with other state laws, such as those of Tennessee and Indiana, which used Virginia law as a framework.
Businesses will be subject to this law from January 1, 2026.
Similar to Virginia, Colorado, Connecticut, and Indiana, Kentucky's privacy law allows companies to collect and process most types of personal information without first obtaining the user's affirmative consent (in most cases). This is known as an opt-out model and is the approach taken by most US data privacy laws.
At this point, you may be wondering whether this law will affect your business. Similar to Virginia law, the KCDPA applies to anyone doing business in Kentucky or producing products or services intended for residents of the state who, during a calendar year, controls or processes the personal data of at least:
- 100,000 consumers; or
- 25,000 consumers, while deriving more than 50% of gross revenue from the sale of personal data.
Like all data privacy laws before it, the KCDPA applies to both the controller (the organization that determines the purposes and means of data processing) and the processor (the organization that processes personal data on the controller's behalf, such as a third-party vendor responsible for data analysis). The line between controller and processor exists to clearly allocate data governance responsibilities between the parties involved in the collection and processing of consumer data.
Exemptions to KCDPA
To avoid conflicts with established laws in other areas, the KCDPA provides exemptions for certain organizations and various types of data. These exceptions primarily target organizations and data that are already regulated by other federal laws.
Organizational exceptions to the Kentucky Privacy Act include:
- A city, state agency, or state political division.
- Financial institutions, affiliates, or data subject to the Gramm-Leach-Bliley Act.
- A covered entity or business associate to whom the HIPAA Privacy Rule applies.
- Non-profit organization.
- Higher education institutions.
- Organizations that collect, process, use, and share data solely for the purpose of identifying and investigating insurance fraud or assisting first responders.
- Small carriers, Tier III CMRS providers, or local governments that do not sell or share personal data.
When it comes to data-level exemptions, the largest categories affected are data regulated by the Health Insurance Portability and Accountability Act (HIPAA), medical records, patient identities, human subject research data, and medical data such as that used for quality improvement and patient safety.
Additionally, personal data that is used in certain circumstances and is subject to laws such as the Fair Credit Reporting Act, FERPA, the Driver Privacy Protection Act, and the Farm Credit Act is exempt.
Finally, data collected for law enforcement, public health, emergency response, and Methamphetamine Epidemic Control Act purposes is exempt from Kentucky's data privacy law.
The law also states that a person who has already complied with the parental consent requirements outlined in the Children's Online Privacy Protection Act (COPPA) is deemed to have met the obligation to obtain parental consent.
If you're thinking, “There are too many exemptions,” you're right. The scope of Kentucky's data privacy law makes it important for business owners to understand whether the law applies to them based on the applicable thresholds and list of exemptions.
What does KCDPA require of organizations?
Kentucky's privacy law establishes a number of requirements for controllers related to how data is processed, as well as security, consent, and privacy policy requirements and how consumer rights requests are handled.
Like other state privacy laws, the KCDPA requires controllers to:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Not process personal data for purposes that have not been disclosed without consent.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal data.
- Comply with anti-discrimination laws when processing personal data, and not discriminate against consumers for exercising their rights.
- Not process sensitive data without consent, and comply with COPPA when processing children's data.
- Provide a privacy notice that includes the categories of personal data processed, the purposes for which the personal data is processed, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom personal data is shared.
What rights does the Kentucky Privacy Law give consumers?
Like Virginia and state laws enacted using its framework, the KCDPA provides consumers with several rights that allow them to limit how businesses use their personal data.
This means consumers can:
- Confirm whether a controller is processing their personal data and access that data.
- Correct any inaccuracies in their personal data.
- Delete personal data that they provided or that the controller obtained about them.
- Obtain a copy of the personal data they previously provided to the controller in a portable and readily usable format.
- Opt out of the processing of their personal data for targeted advertising, the sale of their personal data, or profiling where the data is used to make decisions that have legal or similarly significant effects on the consumer.
Data protection assessment (DPA) requirements
Similar to California, Colorado, Virginia, and Indiana, the KCDPA requires controllers to conduct a DPA for several processing activities involving personal data. These include the processing of personal data for the following purposes:
- Targeted advertising.
- Sale of personal data.
- Profiling where there is a risk of unfair or deceptive treatment, potential harm to the consumer, or intrusion into the consumer's solitude or seclusion.
- Sensitive data.
- Personal data that poses a heightened risk of harm to consumers.
A single DPA can address a comparable set of processing operations if they involve similar activities. Kentucky's data privacy law gives controllers a little more time to comply with the DPA requirement: it applies only to processing activities created or generated after June 1, 2026.
Compliance with KCDPA
Kentucky's privacy laws mirror those of other states, so if you're already compliant, you're ahead of the curve when it comes to complying with the KCDPA. Still, it's always worth doing the following when new privacy laws are enacted:
- Review the law with your attorney.
- Conduct data mapping to understand what personal data is collected, where it comes from, how it is used, and how it is stored.
- Review your website's privacy notice and policy to ensure they meet the legal requirements.
- Conduct data protection assessments as necessary.
It also helps to stay informed about new laws and be proactive about how your company may be affected. Data privacy platforms like Osano can help you manage opt-out requests, data subject requests, vendors, and more, even as new laws and regulations add to the data privacy landscape.
FAQ
When is the Kentucky Consumer Data Protection Act effective date?
Kentucky's privacy law goes into effect on January 1, 2026.
Who enforces the KCDPA?
The state attorney general has exclusive authority to enforce violations of the Kentucky Privacy Act.
Is there a cure period for violators?
If a controller or processor violates the KCDPA, it has 30 days after notice from the Attorney General to "cure" the violation and provide a written statement that the alleged violation has been remedied and that no further violations will occur.
What are the penalties for violations?
The penalty for violating the KCDPA is up to $7,500 per violation. Fines paid will be deposited into a fund that can be used by the Attorney General's Office to enforce the KCDPA.
Does the law require controllers to respect global opt-out mechanisms?
Kentucky's privacy law does not require controllers or processors to recognize a universal opt-out mechanism.
How does KCDPA define sensitive data?
The law defines sensitive data as the categories of personal data that include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to identify a specific natural person; personal data collected from a known child; or precise geolocation data.