Does the Kentucky Consumer Data Protection Act apply to your business?
State Law Practice Note

Kentucky Consumer Privacy Law (KCDPA)

The Kentucky Consumer Data Protection Act, effective January 1, 2026, gives Kentucky consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds — closely modeled on Virginia, it is enforced exclusively by the Attorney General with a permanent 30-day cure period and provides no private right of action.

More details about this document
Editor
, OpenAgreements editor
License
CC BY 4.0
Authorities relied on

Does the Kentucky Consumer Data Protection Act apply to your business?

It turns on consumer volume, not revenue. The KCDPA applies to persons that do business in Kentucky or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers, or at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data.

Kentucky's law took effect January 1, 2026, later than most of the early movers, and it is closely patterned on Virginia — so this note reads much like Virginia, Colorado, Connecticut, and Texas. Like those, it sets no dollar revenue floor; it also exempts nonprofit organizations and institutions of higher education, along with state and local government and GLBA-, HIPAA-, and FCRA-regulated data. A consumer is a Kentucky resident acting only in an individual context, not an employee or business contact.

Sources for this answer

Primary law

A.1 KRS 367.3613

The KCDPA applies to persons doing business in Kentucky or targeting its residents that control or process the data of at least 100,000 consumers, or 25,000+ while deriving over 50% of gross revenue from selling personal data.

KRS 367.3611 to 367.3629 apply to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year control or process personal data of at least: (a) One hundred thousand (100,000) consumers; or (b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

See KRS 367.3613(1).

What must your Kentucky privacy policy contain?

A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise their rights (including how to appeal), the categories of personal data shared with third parties, and the categories of those third parties.

For a template privacy policy, KRS 367.3617 is the content checklist. Kentucky also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that activity and how to opt out. The notice the policy presents should match the data practices the controller actually carries out.

Sources for this answer

Primary law

B.1 KRS 367.3617

A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed and the purpose for processing, among other required disclosures.

reasonably accessible, clear, and meaningful privacy notice that includes: (a) The categories of personal data processed by the controller; (b) The purpose for processing personal data;

See KRS 367.3617(3).

What must your contracts with processors say?

A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice.

KRS 367.3619 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with reasonable assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template DPA tracks each of these.

Sources for this answer

Primary law

C.1 KRS 367.3619

A contract between a controller and a processor must govern the processor's data processing performed on behalf of the controller.

A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

See KRS 367.3619(2).

Do you need consent to process sensitive data?

Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act. Sensitive data includes data indicating race or ethnicity, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; data from a known child; and precise geolocation.

This is the opt-in model shared by Virginia, California, Colorado, and Texas — the opposite of Utah's notice-and-opt-out approach. Kentucky does not, however, require honoring a universal opt-out preference signal the way California, Colorado, and Connecticut do, so a Kentucky-only program can rely on its own opt-out mechanisms — though a multi-state template generally has to support universal signals to stay compliant elsewhere.

Sources for this answer

Can a consumer sue your business under the KCDPA?

No. The Attorney General has exclusive authority to enforce the KCDPA, so there is no private right of action for consumers. Before suing, the Attorney General must give 30 days' written notice of the specific alleged violations and a chance to cure.

Like Virginia, and unlike Colorado and Connecticut, Kentucky's 30-day cure period has not sunset — it remains a permanent, built-in off-ramp. A controller that cures within the window and certifies it in writing avoids the action; an uncured violation exposes it to damages of up to $7,500 per continued violation, plus the Attorney General's expenses and costs. The practical posture is still to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.

Sources for this answer

Primary law

E.1 KRS 367.3627

The Attorney General has exclusive authority to enforce the KCDPA — there is no private right of action.

The Attorney General shall have exclusive authority to enforce violations of KRS 367.3611 to 367.3629.

See KRS 367.3627(1).

Primary law

E.3 KRS 367.3627

Before bringing an action, the Attorney General must give a controller or processor 30 days' written notice identifying the specific provisions allegedly violated.

the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated.

See KRS 367.3627(2).

Primary law

E.2 KRS 367.3627

The KCDPA does not provide a private right of action for violations.

Nothing in KRS 367.3611 to 367.3629 or any other law, regulation, or the equivalent shall be construed as providing the basis for, or give rise to, a private right of action for violations of KRS 367.3611 to 367.3629.

See KRS 367.3627(4).