The Kentucky Consumer Data Protection Act (KCDPA) was adopted on April 4, 2024 and takes effect on January 1, 2026. This law has far-reaching implications for any business with Kentucky-based customers. It affects what types of personal data you can process without consent, and it has a significant effect on your ability to sell data to third parties.
If you do business in Kentucky, then you need to understand how the KCDPA affects you, and what steps you should be taking now to ensure KCDPA compliance.
Below, we explain everything you should know about the Kentucky Consumer Data Protection Act and how you can achieve legal compliance prior to the deadline.
- 1. What is the Kentucky Consumer Data Protection Act (KCDPA)?
- 2. What are the Goals and Objectives of the Kentucky Consumer Data Protection Act (KCDPA)?
- 3. Who Must Comply with the Kentucky Consumer Data Protection Act (KCDPA)?
- 4. What are the Exemptions to the Kentucky Consumer Data Protection Act (KCDPA)?
- 5. Key Terms and Definitions Under the Kentucky Consumer Data Protection Act (KCDPA)
- 6. What Consumer Rights are Granted Under the Kentucky Consumer Data Protection Act (KCDPA)?
- 7. How to Comply with the Kentucky Consumer Data Protection Act (KCDPA)?
- 8. How to Draft a Privacy Policy That's Compliant With the Kentucky Consumer Data Protection Act (KCDPA)
- 9. Displaying Your KCDPA-Compliant Privacy Policy
- 10. How to Obtain Consent to Personal Data Processing Under the Kentucky Consumer Data Protection Act (KCDPA)
- 11. Penalties for Non-Compliance with the Kentucky Consumer Data Protection Act (KCDPA)
- 12. Summary
What is the Kentucky Consumer Data Protection Act (KCDPA)?
The Kentucky Consumer Data Protection Act (KCDPA) is a privacy law. It gives individuals specific rights to control who has access to their personal information, and it prevents businesses from collecting certain categories of data without express consent (more on this below).
- Kentucky's KCDPA is modeled on similar privacy laws in nearby states, such as Virginia's Consumer Data Protection Act (VCDPA).
- Most businesses with customers who reside in Kentucky will be expected to comply with the KCDPA.
- Kentucky's KCDPA may apply whether you're a data controller (the company responsible for determining the means and purpose for data collection) or a data processor (the company processing data on behalf of a controller).
Once formally enacted, the Act will form part of the Kentucky Revised Statutes (KRS) at Chapter 367.
What are the Goals and Objectives of the Kentucky Consumer Data Protection Act (KCDPA)?
Kentucky's KCDPA brings Kentucky into line with neighboring states that have similar privacy laws. The main objectives behind the Kentucky Consumer Data Protection Act are to:
- Give Kentucky residents more confidence to shop and transact online.
- Safeguard personal information by obliging businesses to protect it.
- Empower Kentucky residents to request that a company delete or amend their personal data, or give them access to the personal data it holds on them.
- Ensure that businesses handle personal data belonging to Kentucky residents responsibly.
The KCDPA aims to balance commercial needs and realities against the rights of individuals to protect their personal information.
Who Must Comply with the Kentucky Consumer Data Protection Act (KCDPA)?
Kentucky's KCDPA helpfully specifies which businesses must comply with its terms. According to the Act, the KCDPA applies to you if you target Kentucky residents, or if you do business in Kentucky, and:
- You process or collect personal information belonging to more than 100,000 Kentucky residents, or
- You make more than 50% of your gross revenue from selling data belonging to 25,000 or more Kentucky residents
In practical terms, this means that the KCDPA will affect most businesses with any business operations in Kentucky, or any business with a Kentucky-based audience.
What are the Exemptions to the Kentucky Consumer Data Protection Act (KCDPA)?
Not every business or entity must comply with the Kentucky Consumer Data Protection Act (KCDPA), even if they have direct dealings with Kentucky residents. The following entities are exempt from KCDPA compliance:
- Certain financial institutions
- Government agencies
- Higher education institutions
- Charities and nonprofit organizations
- Certain small utilities companies
Unless you can claim one of these exemptions, assume that the KCDPA may apply to you.
Key Terms and Definitions Under the Kentucky Consumer Data Protection Act (KCDPA)
Before proceeding, let's briefly summarize key terms in the Kentucky Consumer Data Protection Act (KCDPA) and how such words are used.
- Personal information: Information that you can link, or reasonably link, to a specific individual. Information that is freely available online is not protected.
- Consumer: In this context, a consumer is an individual acting in a personal capacity. The KCDPA does not cover anyone acting in an employment or commercial context. An individual shopping online, for example, is a consumer.
- Consent: Clear, specific, and informed agreement to certain types of personal data processing. Consent must be freely given to be valid.
- Sale of personal data: Selling data to a third party in exchange for money or other monetary consideration. It doesn't include transferring data to a third party in order to provide a service requested by the consumer.
- Sensitive data: Certain categories of information, such as political affiliations, religion, sexual orientation, or race. However, if you need to know this information in order to ensure you don't discriminate based on protected categories, then it is exempt from protection.
Let's now consider what rights consumers have under the KCDPA and how businesses can ensure compliance with these rights.
What Consumer Rights are Granted Under the Kentucky Consumer Data Protection Act (KCDPA)?
The main rights that Kentucky residents will have under the Kentucky Consumer Data Protection Act (KCDPA) are as follows:
- Right to know: Consumers have a right to know whether a business processes their personal information, and for what purpose.
- Right to opt out: Under Kentucky's KCDPA, consumers can now opt out of processing for targeted advertising and of the sale of their data to third parties.
- Right of correction: A consumer has the right to request that a business correct errors in their data. A business must act on this request.
- Right of deletion: Consumers can ask companies to delete their data. Unless you must retain it, for example to comply with other legal obligations, you must honor this request.
- Right to portability: A business must provide consumers with an easily transmissible copy of the data it holds on them, for example an emailed copy of a file containing the data.
How, as a business owner, do you ensure that consumers can exercise these rights and that you are KCDPA-compliant? Let's consider these questions in more detail.
How to Comply with the Kentucky Consumer Data Protection Act (KCDPA)?
Compliance with the Kentucky Consumer Data Protection Act (KCDPA) requires businesses to do the following:
- Limit the collection of personal data to only what is necessary to fulfill a specific purpose. For example, you don't need someone's home address to send an email newsletter.
- Obtain consent before processing sensitive data. You must also obtain consent before processing data belonging to minors. Consent should be verifiable parental consent, in line with federal laws.
- Create a Privacy Policy or Privacy Notice informing consumers of their rights and privacy choices.
- Disclose if you sell personal data for monetary consideration or targeted advertising and explain how individuals can opt out.
- Perform a Data Protection Impact Assessment (DPIA) to determine ways to reduce the amount of data you process. (This requirement takes effect on June 1, 2026)
- Secure personal data using sufficient safeguards, such as firewalls, encryption, and password protection.
For our purposes, the most significant of these steps is drafting a KCDPA-compliant Privacy Policy. Let's take a look at what you should include.
How to Draft a Privacy Policy That's Compliant With the Kentucky Consumer Data Protection Act (KCDPA)
A Privacy Policy is a notice informing individuals how you process personal data, for what purposes, and how they can exercise their privacy rights.
Under the KCDPA, your Privacy Policy should include clauses describing:
- Types of personal data that are processed
- Purposes of processing that personal data
- Consumers' rights under the KCDPA
- Rights around third-party data selling and targeted advertising
- How consumers can exercise these rights
- How to contact you
Let's briefly look at what each clause might look like.
Collectif Clothing clearly sets out, in bullet points, what personal data it collects and what personal data actually means. You'll note it's a user-friendly and clear clause:
It explains, in simple language, what the company does with the data collected. The use of bold text is helpful to emphasize the key components of each statement:
As mentioned, consumers have a right to know their privacy rights. Here is an example from Kentucky Horsewear of what such a clause might look like:
It also specifies how consumers can exercise their privacy rights. You'll note that each clause is relatively short. This is acceptable because the clauses provide just enough detail without overwhelming or confusing the average consumer.
Individuals must be informed if you share data for money, or for targeted advertising. Collectif Clothing, for example, discloses that it uses cookies to facilitate targeted advertising and marketing:
The Newell Brands Privacy Statement clearly explains how users can opt out of data selling (this is for the California Consumer Privacy Act, but the wording is transferable):
The Kentucky Shop explains, in simple terms, how and why consent for data processing might be needed. It also clearly explains how users can opt out of such processing:
The Kentucky Shop confirms who the Data Compliance Officer is, which is very helpful, and also provides clear details for how to contact the company regarding its privacy practices. You'll note that consumers' rights are again reiterated, which is good practice:
Displaying Your KCDPA-Compliant Privacy Policy
You should display your Privacy Policy conspicuously, meaning that it's easy for users to see and read it before continuing. The best places to display a link to your Privacy Policy are the website header, footer, or sidebar, and any point at which the user provides personal data, for example before creating an account or completing a transaction.
Rapha, for example, has a link to its Privacy Policy in the footer alongside other core policies:
Lancome links to its Privacy Policy within its Cookie Notice, which is helpful because users can read it before consenting to cookies or proceeding any further:
How to Obtain Consent to Personal Data Processing Under the Kentucky Consumer Data Protection Act (KCDPA)
Consent to personal data processing under the KCDPA should be express, clear, and informed. This is specified quite clearly in the Act itself:
In other words, users should take some affirmative and unequivocal action to show that they consent.
Here's an example. Before signing up for a newsletter, users must click a checkbox to confirm that they've read and accepted the store's Privacy Policy. This is good practice for obtaining clear, express, informed consent:
As another example, see how you can't create a Starbucks Rewards account without explicitly consenting to website Terms and Conditions, but this concept easily works for Privacy Policies, too:
Penalties for Non-Compliance with the Kentucky Consumer Data Protection Act (KCDPA)
Section 8 of the KCDPA gives the attorney general the authority to fine violating companies up to $7,500 for every violation. However, the law also states that the attorney general must give a company at least 30 days to "cure" a violation before imposing a fine.
Interestingly, consumers don't have any right to enforce the KCDPA themselves. All they can do is make a complaint to the attorney general who decides whether or not to take action.
There's no guarantee that the attorney general will show any leniency. You should seek legal advice if you're unsure how to comply with the KCDPA to avoid penalties.
Summary
The Kentucky Consumer Data Protection Act (KCDPA) will come into force on January 1, 2026.
While this may seem a long time away, you should act now to achieve compliance. Complying with the KCDPA will also help to ensure that you are complying with other major privacy laws, such as the EU's General Data Protection Regulation (GDPR), since the obligations are very similar.
The Kentucky Consumer Data Protection Act (KCDPA) applies to you if you target Kentucky residents, or if you do business in Kentucky, and:
- At least 50% of your gross revenue comes from selling data belonging to 25,000 or more Kentucky residents.
- In the course of business, you process personal data belonging to 100,000 or more Kentucky residents.
Under the KCDPA, Kentucky consumers have various privacy rights, including the right to know what information you hold on them and why you collect it, the right to opt out of third-party data selling, and the right to request that you delete their data.
The main steps to Kentucky Consumer Data Protection Act (KCDPA) compliance are creating a Privacy Policy, disclosing your processing of personal data, and getting informed and clear consent when required.
- Your Privacy Policy should be posted somewhere conspicuous so that consumers can read it before doing business with you.
- You should use a pop-up banner or notice to get express consent to third-party data selling and to the processing of personal data.
You'll also be required to have sufficient cybersecurity in place and perform regular data impact assessments to help minimize the amount of personal data you collect. Failing to comply could lead to significant penalties, should the attorney general take enforcement action against you.