Kentucky
Kentucky Consumer Data Protection Act (KCDPA)
| Passed | April 4, 2024 |
| Effective Date | January 1, 2026 |
| Who it applies to | Entities that determine the purposes and means of processing personal data, that either conduct business in Kentucky or produce products or services targeted to Kentucky residents, and that within a calendar year: 1) control or process personal data of at least 100,000 Kentucky consumers; or 2) control or process data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. The KCDPA exempts state and local government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), nonprofit organizations, and institutions of higher education. It also exempts data regulated by laws such as the Family Educational Rights and Privacy Act (FERPA), the Driver’s Privacy Protection Act (DPPA), and the Farm Credit Act, as well as information collected or maintained by HIPAA-covered entities, including protected health information and limited data sets processed according to HIPAA requirements. |
| Penalties |
What’s notable about it:
Kentucky’s law features an extended phase-in period for data protection assessments starting June 1, 2026, giving organizations more time to prepare for obligations related to high-risk data processing.
Unlike the CCPA, Kentucky does not require recognition of universal opt-out mechanisms (UOOMs) for data sales and targeted advertising, simplifying implementation for businesses but limiting consumer opt-out convenience. Additionally, the law includes a permanent 30-day cure period before enforcement actions can proceed, ensuring ongoing opportunities for businesses to address alleged violations before penalties apply.