Kentucky Nears Enactment of a Comprehensive Privacy Law

WilmerHale

On March 11, the Kentucky Senate passed the Kentucky Consumer Data Protection Act (KCDPA or the “Act”) (House Bill 15) by a unanimous 35-0 vote. Upon House concurrence and the governor’s signature, the Act would become the nation’s fifteenth state comprehensive privacy law, and the third enacted this year (following New Jersey and New Hampshire). The Act would go into effect in January of 2026.

Overall, the KCDPA follows the “Virginia” model of comprehensive privacy laws and will not impose major requirements on companies that have taken steps to comply with the other state privacy laws currently in effect. For example, the Act creates a relatively lightweight enforcement regime, with no private right of action and a permanent cure period provision. The Act also eschews the expanded definition of “sale of personal data” and opt-out preference signal requirements that we have seen in several recently enacted state laws. The Act will, however, require companies to conduct data protection impact assessments for certain higher-risk processing activities and obtain consent before processing consumers’ sensitive data.

In this post, we summarize notable provisions of the KCDPA and highlight key takeaways for companies looking to understand how this law will affect their privacy compliance obligations.

NOTABLE TAKEAWAYS

  • Virginia Model. The Act exemplifies the continued appeal of the non-California comprehensive privacy law model across state legislatures, and the draw of the Virginia model specifically. The Act’s applicability threshold, exemptions, consumer rights, and privacy notice provisions, for example, all hew fairly closely to similar provisions that we have seen adopted across several other states.
  • Business-Friendly Requirements. Within the broad framework of the non-California model, the Act skews towards a business-friendly approach in several areas. First, the Act limits its definition of “sale of personal data” to include only exchanges of personal data for monetary consideration, unlike some states that have broadened the term to include non-monetary consideration. Second, the Act does not require that controllers recognize opt-out requests submitted via opt-out preference signals or global privacy controls. Finally, the Act’s enforcement regime should come as a relief to businesses. Notably, the Act does not feature a private right of action (instead relying solely on the Kentucky Attorney General (AG) for enforcement) and includes a permanent (i.e., non-sunsetting) 30-day cure period provision. In addition, the Act does not establish any sort of privacy-focused regulator, nor does it grant the state AG rulemaking authority.
  • Data Protection Assessments and Sensitive Data Opt-Ins. Like several states’ laws, the Act will require that controllers perform data protection impact assessments for certain higher-risk data processing activities (including targeted advertising, sale, profiling, and processing of sensitive data) and obtain consumer consent before processing sensitive data. However, as these requirements are also present in other states’ comprehensive privacy laws, the resulting disruption to companies’ compliance programs should be relatively minimal.
  • Effective Date. The Act will take effect on January 1, 2026.

KEY PROVISIONS

  • Key Definitions:
    • Consumer: The Act’s definition of “consumer” excludes persons “acting in a commercial or employment context.”
    • Sale: The Act’s definition of “sale of personal data” is limited to “the exchange of personal data for monetary consideration” (i.e., exchanges for non-monetary consideration are not “sales” under the Act).
  • Applicability Thresholds: The Act applies to entities that conduct business in Kentucky or target products or services to Kentucky residents and during a calendar year either (1) control or process personal data of at least 100,000 Kentucky residents or (2) control or process personal data of at least 25,000 Kentucky residents and derive over 50% of their gross revenue from the sale of personal data.
  • Exemptions: The Act exempts various entities and information types, including: state, city, and political subdivision entities; financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA); covered entities, business associates, and protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA); nonprofit organizations; institutions of higher education; information governed by the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), or the Farm Credit Act; certain employment-related data; certain data processed by utilities; and personal data processed “for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.” In addition, entities that comply with the Children’s Online Privacy Protection Act’s (COPPA’s) verifiable parental consent requirements are deemed to comply with the Act’s parental-consent requirements.
  • Consumer Data Rights: The Act creates rights for consumers, including: the right to confirm whether a controller is processing a consumer’s personal data and to access said data; the right to correct inaccurate personal data; the right to delete personal data; the right to data portability; and the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
  • Opt-In for Sensitive Data Processing: The Act prohibits controllers from processing sensitive consumer data without obtaining the consumer’s consent.
  • Privacy Notices: The Act requires that controllers provide consumers with a privacy notice that includes: the categories of personal data processed; the purpose for said processing; a description of how consumers may exercise their consumer data rights; the categories of personal data shared with third parties; and the categories of third parties with which personal data is shared.
    • The Act requires that controllers “clearly and conspicuously disclose” their processing of personal data for targeted advertising or sale of personal data, as well as the manner in which consumers may opt out of such processing.
  • Data Protection Impact Assessments: The Act requires that controllers conduct data protection impact assessments for processing activities including the processing of personal data for purposes of targeted advertising, sale of personal data, or certain types of high-risk profiling; processing of sensitive data; and any other processing that “presents a heightened risk of harm to consumers.”
  • Data Processing Agreements for Processors: The Act requires that a processor’s data processing activities on behalf of a controller be governed by a data processing agreement.
  • Enforcement: The Act does not create a private right of action; rather, it grants the Kentucky AG exclusive enforcement authority.
  • Cure Period: The Act requires that the AG provide entities with a 30-day cure period before initiating an enforcement action.
  • Penalties: The Act authorizes the AG to seek civil penalties of up to $7,500 per violation.
    • Consumer Privacy Fund: The Act creates a consumer privacy fund into which civil penalties collected under the Act are to be deposited.
  • Effective Date: The Act will take effect on January 1, 2026.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising
