Sponsored Events
NABL U: The Institute
February 26 – 27, 2026
Virtual
On April 4, Kentucky Governor Andy Beshear signed the Kentucky Consumer Data Protection Act (the KCDPA) into law, making Kentucky the third state in 2024 to enact a comprehensive privacy law (following New Jersey and New Hampshire), and the 15th state overall to do so. Several other states, including New York, Pennsylvania, North Carolina, and Ohio, are currently considering similar comprehensive privacy legislation.
The KCDPA, which is similar to the Virginia Consumer Data Protection Act, takes effect on January 1, 2026.
Applicability
The KCDPA applies to controllers, defined as persons that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents, and that during a calendar year, control or process personal data of at least: (a) 100,000 consumers; or (b) 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. California, Indiana, Iowa, Utah, and Virginia privacy laws all have similar applicability thresholds.
Sale of Personal Data Under the KCDPA
The KCDPA limits its definition of “sale of personal data” to exchanges of personal data for monetary consideration. This is unlike California, Colorado, New Hampshire, and New Jersey, to name a few, which treat any exchange of personal data for “other valuable consideration” as a sale under their respective definitions.
Consumer Rights
The KCDPA provides consumers with privacy rights, requiring controllers to:
The KCDPA does not contain certain additional consumer privacy rights offered under other state laws, such as those of New Jersey and New Hampshire, which permit consumers to revoke consent and require controllers to recognize universal “opt-out signals.”
Controller Obligations
Similar to other comprehensive state privacy laws, controllers have various obligations, including limiting the collection of personal data to what is adequate, relevant, and reasonably necessary (i.e., data minimization); establishing, implementing, and maintaining administrative, technical, and physical data security practices; conducting and documenting data protection impact assessments; and providing a privacy notice.
Exemptions
There are a number of exemptions available to controllers in various industries, including financial institutions, nonprofits, and state agencies. There are also data level exemptions for protected health information; financial data; and personal data collected, processed, sold, or disclosed by a consumer reporting agency.
Enforcement Rights
The state attorney general (AG) is granted exclusive authority to enforce violations under the KCDPA, and there is no provision for a private right of action. Failure to comply with the KCDPA can lead to fines or penalties of up to $7,500 for each continued violation.
The KCDPA does not grant any rulemaking authority.
Right to Cure
The KCDPA requires that the AG provide entities with a 30-day cure period before initiating an enforcement action. This right to cure is permanent and does not sunset, unlike the cure rights in states such as New Jersey and New Hampshire, which will eventually expire by operation of law.