Kentucky
Code/Regulations
- Kentucky Consumer Data Protection Act (CDPA)
- Code: Ky. Rev. Stat. Ann. §§ 367.3611-367.3629 (2026)
Effective Date: January 1, 2026
Details
Threshold
Conducts business in Kentucky or produces products or services that are targeted to residents of Kentucky; and that during a calendar year control or process personal data of at least 100,000 consumers or 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Definition of "Personal Data"
Any information that is linked or reasonably likable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.
Definition of "Sensitive Data"
As with all state general privacy laws, includes the following Personal Data:
- Race or ethnic origin;
- Religious beliefs;
- Citizenship or immigration status;
- Genetic data;
- Biometric data;
- Physical or mental health diagnosis; and
- Sexual orientation.
In addition, Kentucky's definition also includes:
- Precise geolocation data; and
- Personal data collected from known child.
Definition of "Sale"
Exchange of personal data for monetary consideration by the controller to a third party.
Data-Protection Assessments
Yes, on the processing of personal data created or generated on or after June 1, 2026
Opt-In Consent Required for Processing Sensitive Data
Yes
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads/Sharing
Yes
Consumer Right to Opt Out of Profiling
Yes
Consumer Right to Opt Out of Certain Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
Yes, in some cases
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
None
Data of Minors
Process personal data of a known child in accordance with COPPA
GLBA Exemption
Yes (Both entity and data level)
HIPAA Exemption
Yes, (Entity and data level)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply
Nonprofit Exemption
Yes
Private Right of Action
No
Cure Period
30-day
Cure Period Expiration
None
Enforcement Authority/Damages
Attorney General/$7,500
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.