What the KCDPA Covers and Who It Applies To

Kentucky Governor Andy Beshear signed House Bill 15 into law on 4 April 2024. The Kentucky Consumer Data Protection Act (KCDPA) took effect on 1 January 2026, joining a growing patchwork of US state privacy laws that website owners must track.

The law applies to any person or entity that conducts business in Kentucky or produces products or services targeted at Kentucky residents and, during a calendar year, meets one of two thresholds:

  • Controls or processes personal data of at least 100,000 Kentucky consumers, or
  • Controls or processes personal data of at least 25,000 Kentucky consumers while deriving over 50 per cent of gross revenue from the sale of personal data.

Government entities, nonprofits, higher education institutions, and entities subject to HIPAA or the Gramm-Leach-Bliley Act fall outside its scope. The KCDPA closely mirrors the Virginia Consumer Data Protection Act (VCDPA), making it one of the more business-friendly state frameworks.

Consumer Rights Under the KCDPA

Kentucky residents gain six core rights over their personal data. These rights mirror the structure found in other US state privacy frameworks.

Right | Description
--- | ---
Right to confirm | Verify whether a controller is processing your personal data
Right to access | Obtain a copy of personal data held by the controller
Right to correct | Fix inaccuracies in personal data
Right to delete | Request erasure of personal data provided by or obtained about the consumer
Right to portability | Receive personal data in a portable, readily usable format
Right to opt out | Opt out of processing for targeted advertising, sale of personal data, or profiling with legal effects

Controllers must respond to consumer requests within 45 days. If more time is needed due to the complexity or volume of requests, the controller may extend the response period by another 45 days, provided the consumer is informed of the delay.

Consumers also have the right to appeal a denied request, and the controller must provide a mechanism for doing so.

Sensitive Data and Opt-In Consent

The KCDPA follows an opt-out model for most personal data processing. Sensitive data, however, requires opt-in consent before processing can begin.

Sensitive data under the KCDPA includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health conditions
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data used to identify a specific individual
  • Personal data of a known child
  • Precise geolocation data (within a radius of 1,750 feet)

For children's data, the KCDPA mandates that controllers obtain verifiable parental consent in line with COPPA requirements before processing personal data of a known child under 13. This provision gained immediate attention when Kentucky Attorney General Russell Coleman filed suit against Character Technologies on 8 January 2026 - just eight days after the law took effect - alleging the AI chatbot company processed children's data without proper consent.

Controller and Processor Obligations

If your website or service falls within the KCDPA's applicability thresholds, several obligations apply.

Privacy notice requirements. You must publish a reasonably accessible, clear, and meaningful privacy notice. The notice needs to disclose the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of data shared with third parties, and which third parties receive that data.

Data minimisation. Controllers may only collect personal data that is adequate, relevant, and reasonably necessary for the disclosed purpose. Collecting data beyond what your privacy notice describes is a violation.

Data security. Appropriate technical and organisational measures must protect the confidentiality, integrity, and accessibility of personal data. The standard expected is proportional to the volume and sensitivity of the data processed.

Data protection assessments. Controllers must conduct assessments for processing activities that present a heightened risk of harm. This includes targeted advertising, the sale of personal data, profiling that produces legal or similarly significant effects, and any processing of sensitive data. The assessment requirement applies to processing activities created or generated on or after 1 June 2026, giving organisations a brief grace period.

Processor Agreements

If you share personal data with processors (analytics providers, advertising platforms, or other third-party services), the KCDPA requires a binding contract that specifies the nature and purpose of processing, the type of data involved, the duration, and the rights and duties of both parties. This mirrors the processor agreement structure familiar from GDPR-style data processing agreements.

How the KCDPA Handles Cookies and Tracking

The KCDPA does not contain a standalone cookie provision equivalent to the EU's ePrivacy Directive. Its requirements centre on personal data processing rather than device storage. That said, cookies that collect personal data - analytics identifiers like _ga, advertising pixels like _fbp, or any tracker that builds a profile linked to an identifiable individual - fall squarely under the Act.

Because the KCDPA is an opt-out law, you do not need prior consent before setting most cookies. You must, however, provide a clear mechanism for visitors to opt out of the sale of personal data and targeted advertising. If your site processes sensitive data categories, opt-in consent applies to those specific activities.

The opt-out requirement means your cookie banner or privacy settings must include a functional way for Kentucky consumers to refuse targeted advertising and data sales. Merely displaying a notice without an actionable opt-out control would not satisfy the law.

KCDPA vs Other US State Privacy Laws

Kentucky's framework sits firmly in the Virginia camp of US privacy legislation. It does not include a private right of action (unlike California's CCPA for data breaches) and it provides a permanent 30-day cure period - something that several other states have sunset or never included.

Feature | Kentucky (KCDPA) | Virginia (VCDPA) | Colorado (CPA) | Connecticut (CTDPA)
--- | --- | --- | --- | ---
Effective date | 1 Jan 2026 | 1 Jan 2023 | 1 Jul 2023 | 1 Jul 2023
Consumer threshold | 100,000 | 100,000 | 100,000 | 100,000
Sale threshold | 25,000 + 50% revenue | 25,000 + revenue from sale | 25,000 | 25,000
Universal opt-out signal | Not required | Not required | Required | Required
Cure period | 30 days (permanent) | 30 days (permanent) | 60 days (sunset 2025) | 60 days (sunset 2025)
Private right of action | No | No | No | No
Civil penalty per violation | Up to $7,500 | Up to $7,500 | Up to $20,000 | Up to $5,000

One notable absence: the KCDPA does not mandate recognition of Global Privacy Control (GPC) or other universal opt-out signals. Colorado and Connecticut both require GPC recognition, but Kentucky leaves the opt-out mechanism to the controller's discretion.

Enforcement: The Attorney General's Exclusive Authority

The Kentucky Attorney General holds exclusive enforcement authority over the KCDPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations.

Before taking enforcement action, the AG must provide written notice to the controller describing the alleged violation. The controller then has 30 days to cure it. If the controller fixes the issue and provides a written statement confirming the correction, the AG cannot pursue the matter further.

If the violation is not cured, the AG may seek injunctive relief and civil penalties of up to $7,500 per violation. The early lawsuit against Character Technologies signals that the Kentucky AG's office intends to use this authority actively, particularly where children's data is concerned.

Practical Steps for Website Compliance

Getting your website ready for the KCDPA does not require a full overhaul if you already comply with Virginia or similar state laws. The key actions are:

  1. Check your thresholds. Review whether your site processes personal data of 100,000 Kentucky consumers, or 25,000 with significant revenue from data sales.
  2. Update your privacy notice. Disclose categories of data collected, processing purposes, third-party sharing, and instructions for exercising consumer rights.
  3. Provide opt-out controls. Ensure your cookie banner or privacy settings let visitors opt out of targeted advertising and data sales.
  4. Implement sensitive data consent flows. If you collect health data, geolocation, biometric identifiers, or children's data, set up opt-in consent mechanisms.
  5. Audit your processors. Confirm that contracts with analytics providers, ad platforms, and other processors meet the KCDPA's requirements.
  6. Prepare for data protection assessments. Processing activities involving targeted advertising, data sales, or sensitive data created after 1 June 2026 will need documented assessments.

Running a cookie scan is a practical first step to identify which cookies and trackers your site currently sets and whether any fall into sensitive data categories.
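The cookie section above and steps 3 and 4 describe the same gating logic: trackers tied to targeted advertising or data sales run until a visitor refuses them, trackers tied to sensitive data stay off until the visitor opts in, and honouring GPC is a policy choice rather than a KCDPA requirement. The following is an added example of that logic, not code from the original page or from Kukie.io; the tracker registry, the cookie name geo_pixel and the purpose mapping are constructed for illustration (only _ga and _fbp come from the article).

```javascript
// Added example, not code from the original page or from Kukie.io. Models the
// consent logic the article describes: opt-out for ads/sales, opt-in for sensitive
// data, GPC honoured only by choice. Registry and purpose mapping are constructed.

// Purposes a Kentucky consumer may refuse (opt-out model: allowed until refused).
const OPT_OUT_PURPOSES = new Set(["targeted_advertising", "sale_of_personal_data", "profiling"]);
// Sensitive-data purposes (opt-in model: denied until the consumer consents).
const OPT_IN_PURPOSES = new Set(["precise_geolocation", "health", "biometric", "child_data"]);

// Constructed registry mapping each cookie the site sets to the purposes it serves.
const TRACKERS = {
  _ga: ["analytics"],
  _fbp: ["targeted_advertising", "sale_of_personal_data"],
  geo_pixel: ["precise_geolocation", "targeted_advertising"],
};

function newConsentState() {
  return { refused: new Set(), granted: new Set(), gpcApplied: false };
}

// Records an opt-out; rejects anything that is not an opt-out purpose so a UI bug
// cannot silently "refuse" an arbitrary string and hide a tracker that should run.
function recordOptOut(state, purpose) {
  if (!OPT_OUT_PURPOSES.has(purpose)) return false;
  state.refused.add(purpose);
  return true;
}

// Records opt-in consent; only sensitive-data purposes can be granted this way.
function recordOptIn(state, purpose) {
  if (!OPT_IN_PURPOSES.has(purpose)) return false;
  state.granted.add(purpose);
  return true;
}

// Optional: treat a Global Privacy Control signal as a blanket opt-out. The KCDPA
// does not require this; the navigator-like object is injected so it runs offline.
function applyGpc(state, navigatorLike, honourGpc) {
  if (honourGpc && navigatorLike && navigatorLike.globalPrivacyControl === true) {
    for (const p of OPT_OUT_PURPOSES) state.refused.add(p);
    state.gpcApplied = true;
  }
  return state;
}

// Gate: a tracker may run only if none of its purposes is refused and every
// sensitive purpose it serves has been granted. Unknown trackers fail closed.
function isPermitted(cookieName, state) {
  const purposes = TRACKERS[cookieName];
  if (!purposes) return false;
  return purposes.every((p) =>
    (!OPT_OUT_PURPOSES.has(p) || !state.refused.has(p)) &&
    (!OPT_IN_PURPOSES.has(p) || state.granted.has(p)));
}
```

Wire isPermitted in front of each tracker's loader so a refusal actually stops the tracker, which is the "actionable opt-out control" the article says a notice-only banner lacks.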

Frequently Asked Questions

When did the Kentucky Consumer Data Protection Act take effect?

The KCDPA took effect on 1 January 2026. Data protection assessment requirements for new processing activities apply from 1 June 2026.

Does the KCDPA require cookie consent before setting cookies?

No. The KCDPA follows an opt-out model, so prior consent is not required for most cookies. You must provide a mechanism for consumers to opt out of targeted advertising and data sales. Sensitive data processing does require opt-in consent.

Does the KCDPA recognise Global Privacy Control signals?

The KCDPA does not mandate recognition of GPC or other universal opt-out signals. Controllers can choose how to implement their opt-out mechanism.

What are the penalties for violating the KCDPA?

The Kentucky Attorney General can seek civil penalties of up to $7,500 per violation, plus injunctive relief. There is no private right of action for consumers.

Does the KCDPA have a cure period for violations?

Yes. The Attorney General must give controllers 30 days written notice to cure an alleged violation before taking enforcement action. This cure period is permanent and does not sunset.

How is the KCDPA different from the VCDPA?

The KCDPA closely mirrors Virginia's law in structure, consumer rights, and enforcement model. Key similarities include the 100,000-consumer threshold, the 30-day cure period, and AG-only enforcement. Minor differences exist in the definition of sensitive data, which includes citizenship and immigration status under the KCDPA.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets or whether your opt-out mechanisms meet Kentucky's requirements, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
