On April 4, Kentucky Governor Andy Beshear signed the Kentucky Consumer Data Protection Act (KCDPA) into law, making Kentucky the sixteenth state to enact comprehensive data privacy legislation and the third state to do so in 2024. The KCDPA largely tracks the amended Virginia Consumer Data Protection Act (VCDPA), but a few notable differences are addressed below. The KCDPA should not impose significant additional compliance requirements for companies that already comply with other non-California privacy laws.

The threshold for applicability of the KCDPA, unique exemptions from the law, a few definition highlights, enforcement details, and important dates are discussed below. Given the similarities between the KCDPA and the VCDPA (and other existing state privacy laws), the below analysis focuses primarily on the unique aspects of the KCDPA. The KCDPA will go into effect on January 1, 2026.

Applicability

The KCDPA applies to any entity that conducts business in Kentucky or produces products or services targeted to residents of Kentucky and that, during a calendar year, controls or processes the personal data of at least:

  1. 100,000 consumers; or
  2. 25,000 consumers, while deriving over 50% of gross revenue from the sale of personal data.

This threshold matches the one used in several other state privacy laws, including those of Indiana, Iowa, Utah, and Virginia. Note also that, like several other state privacy laws, the KCDPA does not apply to persons acting in a commercial or employment context.

Unique Exemptions

The KCDPA contains several exemptions common in other state data privacy laws, including exemptions for covered entities, business associates, and protected health information under the Health Insurance Portability and Accountability Act (HIPAA); nonprofit organizations; higher education institutions; both data and financial institutions (and their affiliates) under the Gramm-Leach-Bliley Act; information governed by the Fair Credit Reporting Act; and personal data processed for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005, among others. The KCDPA’s definition of a nonprofit organization, however, does not extend to political organizations, as the updated definition in the VCDPA does. Also, entities that comply with the verifiable consent requirements under the Children’s Online Privacy Protection Act are deemed to be compliant with the KCDPA’s parental consent requirements.

Additionally, the KCDPA contains a unique, insurance-fraud-related exemption for nonprofit organizations and similar ventures, so long as the entity collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts, or first responders in connection with catastrophic events. The KCDPA also does not apply to small telephone utilities or Tier III CMRS providers (each as defined under Kentucky law), nor does it apply to municipally owned utilities that do not sell or share personal data with third-party processors.

Definitions: Biometric Data and the Sale of Personal Data

Kentucky’s new law follows Connecticut’s consumer-friendly approach when it comes to the definition of biometric data. Under the KCDPA, “[b]iometric data does not include a physical or digital photograph, a video or audio recording or data generated therefrom, unless that data is generated to identify a specific individual or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.”

The KCDPA’s definition of the sale of personal data is business-friendly, as it only includes exchanges of personal data for monetary consideration, unlike some other states’ broader definitions that include non-monetary consideration.

Enforcement

The KCDPA does not contain a private right of action and will be exclusively enforced by Kentucky’s Attorney General. Additionally, the KCDPA provides a 30-day cure period that does not sunset. If a business fails to remedy a violation within the cure period, there is a $7,500 fine per violation.

Important Dates

  • January 1, 2026: The KCDPA goes into effect.
  • June 1, 2026: Data protection assessment requirements apply to processing activities created or generated on or after this date.

Our team will continue to monitor the KCDPA. If you have any questions about the KCDPA or other state privacy laws and how they could affect your business, please contact the authors.