Kentucky

    •  

Code/Regulations

Effective Date: January 1, 2026

Details

Threshold

Conducts business in Kentucky or produces products or services that are targeted to residents of Kentucky; and that during a calendar year control or process personal data of at least 100,000 consumers or 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Definition of "Personal Data"

Any information that is linked or reasonably likable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.

Definition of "Sensitive Data"

As with all state general privacy laws, includes the following Personal Data:

  • Race or ethnic origin;
  • Religious beliefs;
  • Citizenship or immigration status;
  • Genetic data;
  • Biometric data;
  • Physical or mental health diagnosis; and
  • Sexual orientation.

In addition, Kentucky's definition also includes:

  • Precise geolocation data; and
  • Personal data collected from known child.

Definition of "Sale"

Exchange of personal data for monetary consideration by the controller to a third party.

Data-Protection Assessments

Yes, on the processing of personal data created or generated on or after June 1, 2026

Opt-In Consent Required for Processing Sensitive Data

Yes

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads/Sharing

Yes

Consumer Right to Opt Out of Profiling

Yes

Consumer Right to Opt Out of Certain Profiling

Yes

Pseudonymous Data Exempt from Consumer Requests

Yes, in some cases

Appeal Rights

Yes

Universal Opt-Out Mechanism Required Recognition/Date

None

Data of Minors

Process personal data of a known child in accordance with COPPA

GLBA Exemption

Yes (Both entity and data level)

HIPAA Exemption

Yes, (Entity and data level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply

Nonprofit Exemption

Yes

Private Right of Action

No

Cure Period

30-day

Cure Period Expiration

None

Enforcement Authority/Damages

Attorney General/$7,500

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.