The Kentucky Consumer Data Protection Act: A Business Compliance Checklist

At a Glance: The Kentucky Consumer Data Protection Act

• On April 4, 2024, Kentucky Governor Andy Beshear signed the Kentucky Consumer Data Protection Act (KCDPA) into law, marking a significant step in the state’s data privacy landscape.
• Set to take effect on January 1, 2026, the KCDPA will establish a framework for how businesses collect, process, and manage personal data of Kentucky residents.
• This guide explores the key provisions of the KCDPA, detailing which businesses are affected, what rights Kentucky residents will gain, and the compliance obligations for companies.
• We’ll also cover how the KCDPA compares to other state privacy laws and provide a checklist for compliance.

Who's subject to Kentucky's privacy law?

The KCDPA imposes new obligations on businesses that:

• Conduct business in Kentucky or offer products or services targeted to Kentucky residents AND
• Control or process personal data of at least 100,000 Kentucky consumers OR
• 25,000 Kentucky consumers and derive over 50% of gross revenue from the sale of personal data

There are a few exemptions under the law, including government entities, financial institutions governed by the Gramm-Leach-Bliley Act, HIPAA-covered entities, higher education institutions, and nonprofits.

Certain data types, such as consumer credit-reporting data, healthcare data covered by HIPAA, and emergency contact information, are also exempted.

Compliance requirements under the Kentucky Consumer Data Protection Act (KCDPA)

Fulfilling consumer privacy rights

Under the KCDPA, businesses must ensure they uphold several key consumer rights. These rights allow individuals to manage their personal data and control how it’s used by companies, including the:

• Right to access: Consumers have the right to know what personal data businesses have collected about them.
• Right to confirm processing: Consumers can confirm whether their personal data is being processed by a business.
• Right to correct: Consumers can request the correction of inaccurate or outdated information.
• Right to delete: Consumers can request that their data be deleted.
• Right to data portability: Consumers can request that their personal data be provided in a usable format, allowing them to transfer it to another service.
• Right to opt-out: Consumers must be able to opt out of the sale of personal data, targeted advertising, and profiling.

Businesses must act on consumer requests within 45 days of receipt.

Appeals process for denied requests

If a controller denies a consumer's request to exercise these rights, they must establish an appeals process. The process should be easily accessible and similar to the method for submitting the initial request. If the appeal is denied, consumers can submit a complaint to the Kentucky Attorney General.

Obtaining consent before processing sensitive data

Kentucky’s privacy law places stricter rules on sensitive data, which includes:

• Racial or ethnic origin
• Religious beliefs
• Health data
• Biometric or genetic data
• Data collected from children (subject to COPPA)

Controllers must obtain explicit consent from consumers before processing sensitive data. And for children under 13, compliance with COPPA is required.

Conduct impact assessments for high-risk data processing

Businesses must also conduct data protection impact assessments (DPIAs) for any data processing activities that may present a heightened risk of harm to consumers, including processing sensitive data, engaging in targeted advertising, selling personal data, or profiling consumers.

Provide a clear privacy notice

Like other privacy laws, the KCDPA mandates that businesses provide a clear and easily accessible privacy notice. This notice should:

• Inform consumers about what data is collected
• Explain how the data will be used and shared
• Provide instructions on how consumers can exercise their rights

How Kentucky’s privacy law compares with other state laws

The Kentucky Consumer Data Protection Act shares many similarities with other state-level privacy laws, but also has some unique features:

When comparing the Kentucky Consumer Data Protection Act (KCDPA) to other state privacy laws, there are several distinctive features worth noting:

No universal opt-out mechanism requirement

Unlike many other recent state privacy laws, the KCDPA does not mandate that businesses recognize universal opt-out signals or mechanisms. This means businesses in Kentucky are not required to support browser-based signals, like the Global Privacy Control, that allow consumers to opt out of data processing across multiple websites at once.

Permanent 30 day cure period

The KCDPA provides a permanent 30 day cure period for businesses that receive notice about potential violations. This contrasts with other states like New Jersey and New Hampshire, where the cure period eventually expires. The permanent cure period in Kentucky ensures businesses have an ongoing opportunity to remedy violations before facing enforcement actions.

Limited definition of "sale"

Kentucky's definition of the "sale of personal data" is more restrictive than in many other states, as it only includes transactions where data is exchanged for monetary consideration. This differs from states like California, Colorado, New Hampshire, and New Jersey, where "sale" also covers exchanges involving "other valuable consideration."

Exemptions for certain utilities

The KCDPA includes specific exemptions for certain utility companies, which are not commonly found in other state privacy laws. These exemptions apply to:

• Small telephone utilities
• Tier III Commercial Mobile Radio Service (CMRS) providers, as defined by state law
• Municipally-owned utilities that do not sell or share personal data with third-party processors

No rulemaking authority

Unlike some other states, the KCDPA does not grant any rulemaking authority. This means there may not be any additional regulations or guidance beyond the text of the law itself to clarify or interpret its provisions.

Data protection assessment timing

The KCDPA requires businesses to conduct data protection assessments, but only for processing activities initiated or generated after June 1, 2026. This gives businesses five months extra to comply with this particular requirement, following the law's effective date of January 1, 2026.

While the KCDPA shares many commonalities with other state privacy laws, especially Virginia’s, these distinctive provisions set it apart in several key ways.

Kentucky Consumer Data Protection Act compliance checklist

To help your business get ready for the Kentucky Consumer Data Protection Act, here’s a checklist of key steps to take before the law goes into effect on January 1, 2026.

1. Determine applicability: Assess whether your business meets the thresholds for KCDPA compliance (100,000 consumers or 25,000 consumers with over 50% revenue from data sales).
2. Create a comprehensive data map: Perform an inventory of the personal data you collect, process, and store. Identify any sensitive data and ensure you have processes in place for handling it appropriately.
3. Set up consumer rights fulfillment processes: Ensure you have mechanisms for handling access requests, corrections, deletions, and opt-outs. Respond to requests within 45 days, and create an appeals process for denied requests.
4. Create a privacy notice: Draft a clear and accessible privacy notice that explains your data collection practices, consumer rights, and how those rights can be exercised.
5. Implement data protection impact assessments: Conduct DPIAs for any high-risk processing activities, especially those involving sensitive data, targeted advertising, or profiling.
6. Establish opt-out and consent mechanisms: Implement mechanisms that allow consumers to opt out of data sales, targeted advertising, and profiling.
7. Set up data processor agreements: Ensure all third-party data processors have binding agreements that guarantee they assist in meeting your KCDPA obligations.

By taking these steps, businesses can ensure they are well-prepared for the Kentucky Consumer Data Protection Act and ready to meet its requirements. With a long lead time before the law’s effective date, there’s ample time to prepare, but it’s crucial to start early to avoid any surprises come 2026.

About Transcend

Transcend is the next-generation privacy and data governance platform. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing.

From Consent Management to DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.