Learn about the Kentucky Consumer Data Protection Act, the latest comprehensive consumer privacy law in the United States. Discover its implications for businesses, consumer rights, obligations, and enforcement. Stay informed about the changing landscape of data privacy.
Kentucky is the fifteenth US state to enact a comprehensive consumer privacy law. The Kentucky Consumer Data Protection Act grants consumers data privacy rights, prescribes obligations for covered companies that process personal data, and follows trends in the US state privacy landscape.
This privacy bill is very similar to others that are already in effect, most notably the Connecticut Data Protection Act.
Being the fifteenth state with a comprehensive privacy law in place means that almost one-third of the states now have a state privacy law. With a few more bills working their way through state legislatures, it is safe to say that the days when the US had no privacy legislation are about to become history.
If you haven't learned about the data protection laws in the US yet, we have a comprehensive blog archive. In summary, it is crucial for you to prioritize data privacy compliance promptly. In this article, we will dive into Kentucky House Bill 15, widely known as the Kentucky Consumer Data Protection Act (KCDPA), and explain what it requires from your business.
The Kentucky Consumer Data Protection Act (KCDPA) is the most comprehensive privacy bill in Kentucky. The Kentucky Senate passed HB 15 to regulate the state's data processing activities and grant consumers rights to their data.
It will come into effect on January 1, 2026.
Any information that identifies or could identify a person is personal information.
Aside from obvious data categories, such as personal name, home address, email address, Social Security number, and phone number, information that could indirectly lead to a person is also personal. That includes browsing behavior, purchase behavior patterns, IP addresses, device fingerprints, and similar data.
De-identified data and publicly available data are not considered personal information.
KCDPA follows the definitions of many other state laws. It entails:
The Kentucky Consumer Data Protection Act (HB 15) applies to your business if you either operate from the state or target Kentucky consumers, and at the same time either:
However, the application excludes some entities. They include:
Kentucky consumers have the right to:
Businesses can and should authenticate the consumer request before responding to it. However, the response time shall not take longer than 45 days, or 90 days in some complex cases.
Businesses should have designated methods for receiving requests. Responding to a request for information must be free of charge, unless doing so results in excessive expense for the business.
Every business that needs to comply with the Kentucky comprehensive privacy law must do the following:
Processors handle personal data on behalf of the controller. Considering their role in the processing, processors must adhere to the controller's instructions on what and why to process, while also assisting the controller in complying with legal requirements.
A written contract that clearly outlines the obligations and demands confidentiality from the processor must govern the relationship between the controller and the processor.
Yes, you need a privacy policy to comply with this law.
At the very least, it should include:
You should provide consumers with a privacy notice at the time of data collection.
Like the other state privacy laws across the US, Kentucky permits the processing of personal data on an opt-out basis, which means that you don't need consent before collecting data. Sensitive data is the exception: to process it, you must obtain consent.
Consent requires "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer." It may take the form of a written statement, including one written electronically, or any other unambiguous affirmative action.
Kentucky consumers can opt out of the sale of their personal data and from processing data for purposes of targeted advertising.
The sale of personal data means the exchange of personal data for monetary consideration by the controller with a third party.
Targeted advertising is defined as "displaying advertisements to a consumer based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests."
Yes, for high-risk processing activities, you will need to conduct a data protection impact assessment.
In general, you'll need to conduct a DPIA before selling personal information, before processing personal data for targeted advertising, or when processing sensitive information.
The DPIA shall assess the risks of the processing or sale and identify measures for mitigating those risks.
The Kentucky Attorney General enforces the state's comprehensive data privacy law. Businesses found to be in violation have a 30-day cure period to remedy the violation. If they fail to do so, the fine is USD 7,500 per violation, as in many other US states.
This privacy act does not grant consumers a private right of action; enforcement power rests entirely with the Attorney General.