
Preparing for the Kentucky Consumer Data Privacy Act (KCDPA): What You Need to Know Before January 1, 2026

Ian Phippen - November 25, 2025

On January 1, 2026, the Kentucky Consumer Data Privacy Act (KCDPA) officially goes into effect. Modeled closely on Virginia’s privacy framework, Kentucky’s law aligns with nearby states like Tennessee and Indiana—giving businesses a more predictable, practical path to compliance. Kentucky, Indiana, and Rhode Island will all begin enforcing their new privacy laws on the same day, making January 2026 a milestone in the U.S. privacy landscape.

Below, we break down the KCDPA’s core requirements, how it compares to other state laws, and the steps businesses should take now to prepare.

What stands out about the KCDPA

Signed into law as HB 15 on April 4, 2024, the KCDPA establishes familiar consumer rights already seen in other state privacy laws. Kentuckians can access, correct, delete, and port their personal data, and they can opt out of targeted advertising and the sale of their personal data when money changes hands. While it introduces meaningful obligations, Kentucky avoids some of the more complex, high-friction requirements found elsewhere.

The KCDPA is considered a more business-friendly law because it features:

  • A narrower definition of “sale.” Only exchanges of personal data for money count as a sale. Some states include non-monetary exchanges, but Kentucky keeps this definition clean and predictable.
  • No universal opt-out requirement. Unlike California and other states, the KCDPA does not require businesses to honor universal opt-out mechanisms (UOOMs) or global privacy signals like GPC.
  • A permanent 30-day cure period. Regulators must give businesses 30 days to correct alleged violations before taking enforcement action—and that cure period never sunsets.
  • More time for high-risk processing requirements. Data protection assessments tied to higher-risk activities don’t kick in until June 1, 2026, giving organizations extra runway to prepare.

Who must comply with the KCDPA

The KCDPA applies to businesses operating in Kentucky or targeting Kentucky residents if, during a calendar year, they:

  • Process personal data for 100,000+ consumers, or

  • Process personal data for 25,000+ consumers and earn 50% or more of revenue from selling personal data.

A consumer is any Kentucky resident acting in a personal or household context—not an employment or commercial one. Employees and B2B contacts fall outside the scope of the law.

Exemptions

Kentucky follows the common set of entity and data-level exemptions found in other state laws, including:

  • State and local government agencies

  • GLBA-covered financial institutions and affiliates

  • Nonprofits

  • Higher education institutions

  • HIPAA-covered entities and business associates (expanded under HB 473 to fully exempt HIPAA-covered health care providers and limited data sets)

  • Small telephone utilities, certain CMRS providers, and municipal utilities that do not sell or share personal data with third-party processors

Legal counsel should confirm whether your organization falls into an applicable exemption category.

Consumer rights under the KCDPA

Kentucky residents gain the following rights:

  • Access: Confirm whether a business processes their personal data and access that data (without exposing trade secrets).

  • Correction: Fix inaccuracies.

  • Deletion: Request deletion of personal data provided by or collected about them.

  • Portability: Obtain their data in a portable, usable format.

  • Opt-Out: Decline targeted advertising, the sale of personal data, or profiling with legal or similarly significant effects. Kentucky does not require honoring GPC or other opt-out signals.

Businesses have 45 days to respond to a consumer request, with a one-time 45-day extension when reasonably necessary. If a request is denied, organizations must provide a clear appeals process. If an appeal is denied, consumers must receive a way to contact the Kentucky Attorney General, including an online mechanism, if available.

Key Business Obligations

The KCDPA creates obligations for both controllers (those determining the purpose and means of processing) and processors (those acting on behalf of controllers).

Controllers must:

  • Limit data collection. Gather only what is adequate, relevant, and reasonably necessary. Sensitive data—such as biometric identifiers, health information, precise geolocation, children’s data, or ethnicity—requires express consent or COPPA compliance.
  • Provide clear privacy notices. Notices must describe categories of personal data processed, purposes, third-party recipients, rights instructions, appeal mechanisms, and disclosures about data sales, targeted advertising, or profiling.
  • Maintain reasonable data security. Administrative, technical, and physical safeguards are required to prevent unauthorized access or disclosure.
  • Fulfill consumer requests. Meet response deadlines, honor opt-outs, and maintain a compliant appeal process.
  • Conduct data protection assessments (effective June 1, 2026). Assessments are required for high-risk processing, including targeted advertising, data sales, sensitive data, and profiling with foreseeable risks. Assessments completed for similar laws may satisfy this requirement.
  • Avoid discrimination. Businesses must process personal data in a nondiscriminatory manner.
  • Protect minors. No selling or targeted advertising to individuals under 16 when the business knows—or reasonably should know—the individual is a minor.
  • Manage third-party risk. Contracts with processors must limit how data is used and ensure protection of consumer rights.

Processors must: 

  • Maintain data processing agreements that define scope, requirements, and security

  • Support controllers with consumer request fulfillment and assessments

  • Implement appropriate technical and organizational safeguards

Enforcement of KCDPA

The Kentucky Attorney General (AG) has exclusive enforcement authority. There is no private right of action.

The AG must issue notice and grant a 30-day cure period. If the violation is remedied and the business confirms compliance in writing, the AG may not proceed with further action. The cure period never expires. If the violation is not remedied, the business may be penalized up to $7,500 per violation, plus potential injunctive relief.

How DataGrail can help you comply with KCDPA

DataGrail helps simplify compliance with complex state privacy laws like the Kentucky Consumer Data Privacy Act (KCDPA). 

Here’s how:

  • Automate Consumer Rights Requests: DataGrail Request Manager takes the manual work out of access, correction, deletion, portability, and opt-out requests. With responsible automation and 2,400+ integrations, you can confidently meet Kentucky’s deadlines. 
  • Maintain a Compliant Data Inventory: Kentucky’s law requires transparency into personal data collection, processing, and sharing, including third-party disclosures. DataGrail Live Data Map provides a centralized, automated inventory of personal data—covering sensitive data, known children’s data, and high-risk processing activities—reducing reliance on spreadsheets and manual tracking.
  • Simplify Consent and Opt-Out Management: DataGrail Consent solution automatically reflects user preferences for targeted advertising, data sales, and profiling—so you never have to worry about missing an opt-out.
  • Effortless Data Protection Assessments: DataGrail gives you built-in workflows, reusable templates, and AI-powered insights to simplify DPIAs and high-risk processing assessments that become mandatory starting June 2026.

With DataGrail, you can reduce risk, build trust, and keep your privacy program ahead of new laws—not scrambling behind them.

Ready to simplify KCDPA compliance? Request a demo here.

Stay ahead of every state privacy law. Check out our Guide to State Privacy Laws and join Privacy Basecamp, our exclusive Slack community for privacy teams to connect, share resources, and discuss best practices.
