Kentucky’s New Consumer Privacy Law: Is the Privacy Grass Greener in the Bluegrass State?

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith]

With the Kentucky governor recently signing that state’s privacy law, the US now has 16 states with “comprehensive” privacy laws. This newest one will go into effect on January 1, 2026 – the same day as Indiana’s. It closely resembles other state privacy laws, in particular Virginia’s. For a recap of all of the US state privacy laws and their obligations, you can visit our interactive tool.

The new Kentucky law will mirror all other states (except California) and define “consumer” to exclude those in an employment context. Key provisions of the law include:

  • Applicability. Kentucky’s privacy law has familiar applicability thresholds. It will apply to businesses that either (1) process personal data of at least 100,000 Kentucky residents or (2) control or process personal data of at least 25,000 consumers and derive more than fifty percent of gross revenue from the sale of personal data. The law also contains several familiar exemptions: non-profits, higher education institutions, and entities that comply with GLBA and HIPAA. The law also exempts data processed by a utility, an affiliate or a holding company organized specifically for providing goods or services. Only Colorado, Indiana, and Texas have carveouts for utilities.
  • Sensitive information. Businesses that process the sensitive information of Kentucky residents will need to first get consent. The list of information deemed “sensitive” is familiar and aligns with other state laws. It includes consumers’ religion, precise geolocation, and health diagnoses.
  • Consumer rights. Kentucky consumers will enjoy the rights provided by other state laws. These include the right to access, correct, delete, and port personal information. Timing for processing rights will be 45 days. Kentucky’s law is silent on whether consumers can designate an authorized agent to submit the request on their behalf, with the exception of parents with minor children. Kentucky’s law does not require businesses to comply with universal online opt-out mechanisms.
  • Opt-out mechanism. Businesses that engage in targeted advertising, the sale of personal data, or profiling will need to give Kentucky residents notice and the ability to opt out of those activities.
  • Data Protection Impact Assessments. As in all states except Iowa and Utah, businesses must conduct data protection impact assessments if processing data presents a heightened risk to consumers. This includes processing consumer data for targeted advertising, risky profiling, selling consumer data, or processing sensitive information.

As in other states, consumers will not have a private right of action. Instead, the Kentucky Attorney General’s office will be responsible for enforcement. The law contains a 30-day cure period that, unlike other states’ privacy laws, is not set to expire. There are also no provisions for additional rulemaking.

Putting it Into Practice: With the enactment of a sixteenth privacy law, the similarities can obscure important differences. We anticipate more states will pass similar laws in the coming months, and companies will thus want a privacy program approach that is both adaptable and flexible.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
