
What Kentucky Businesses Need to Know About the New Data Privacy Law


For two decades, most businesses across Kentucky and the Tri-State have watched the state-level data privacy patchwork reshape California, Virginia, and Colorado from a comfortable distance. That window is closed. As of January 1, 2026, the Kentucky Consumer Data Protection Act (KCDPA) is the law of the land, and many mid-market firms we talk to are still working out whether it applies to them, what it requires, and how to get ready for the data protection assessment requirements that kick in this June.

The good news: the Kentucky data privacy law follows the well-trodden Virginia model rather than carving out a unique California-style framework. The bad news: predictable laws still have teeth. The Kentucky Attorney General has exclusive enforcement authority, and penalties run up to $7,500 per violation.

Here’s a clear-eyed look at what changed, who’s covered, and what to put on the calendar this quarter.

Who the Kentucky Data Privacy Law Applies To

The KCDPA applies to any business that operates in Kentucky or sells products and services to Kentucky residents and meets one of two thresholds during a calendar year:

  • Controls or processes the personal data of at least 100,000 Kentucky consumers, or
  • Controls or processes the data of at least 25,000 Kentucky consumers AND derives more than 50% of gross revenue from selling personal data.

A few things worth pointing out. There is no revenue-only threshold, which means a small but data-heavy operation can fall within scope, while a larger company with little consumer data may not. The law uses a narrow definition of sale that covers only exchanges of data for money, which gives a bit more breathing room than California’s broader definition. And entities already governed by HIPAA, the Gramm-Leach-Bliley Act, or other federal frameworks may qualify for partial exemptions, especially after the March 2025 amendments under HB 473 expanded carveouts for protected health information.

Local employers should also know that their own employee data isn’t generally in scope. The KCDPA applies to consumers acting in an individual or household context, not in an employment or commercial setting.

What the Kentucky Data Privacy Law Actually Requires

Five obligations matter most for compliance:

  1. A privacy notice that’s easy to find and easy to understand. Kentucky requires that your notice clearly state what categories of personal data you collect, why you process it, how consumers can exercise their rights, what categories of data you share with third parties, and which categories of third parties receive that data.
  2. Consumer rights and a 45-day response window. Kentucky residents can ask you to confirm whether you process their data, access it, correct inaccuracies, delete it, or obtain a portable copy. They can also opt out of targeted advertising, the sale of their data, and certain profiling activities. You have 45 days to respond, with one possible 45-day extension when reasonably necessary.
  3. Data minimization and security. Collect only what you need for the disclosed purpose, and protect it with appropriate administrative, technical, and physical safeguards. The law isn’t prescriptive about specific controls, but the practical floor for any mid-market business should include enforced multi-factor authentication, encrypted backups, endpoint detection and response, and a documented incident response plan. The NIST Cybersecurity Framework remains the de facto reference point if your security program is audited.
  4. Opt-in consent for sensitive data. Sensitive data under the KCDPA includes precise geolocation, racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship status, genetic and biometric data, and the personal data of known minors. Processing any of this requires affirmative consent, not a buried checkbox in your terms of service.
  5. Data Protection Impact Assessments (effective June 1, 2026). High-risk processing activities, including targeted advertising, data sales, and certain profiling, require documented assessments.

What to Do in the Next 90 Days

A practical sequence for organizations realizing they’re now in scope:

Inventory your data first. You can’t protect or appropriately disclose what you haven’t mapped. Identify what personal data you collect, where it lives, who has access, and which third parties receive it. Spreadsheets work for smaller operations. Mid-market firms generally need something more durable, especially as the data inventory becomes the backbone of the privacy program rather than a one-time exercise.

Update your privacy notice. The five required disclosure elements are non-negotiable, and Kentucky’s statutory language calls for a notice that is “reasonably accessible, clear, and meaningful.” Generic templates usually fail the meaningful test.

Stand up a consumer rights process. You need a documented intake mechanism, a 45-day response workflow, and an appeals process for denials. If your team gets one request a quarter, ad hoc handling may work. If you’re consumer-facing at scale, you need automation.

Audit your processor contracts. Every vendor that processes personal data on your behalf should have contract language that meets the law’s requirements, including limits on use, security obligations, and assistance with consumer rights requests. This is one of the most overlooked areas, and it’s also one of the easiest for an enforcement action to discover.

Review your security posture. The KCDPA’s security obligation is broad and non-prescriptive, which means in an enforcement scenario, the AG and any third-party reviewer will look at industry standards. Aligning with NIST is the cleanest path, and it’s the framework Emerge’s managed cybersecurity practice uses for clients across the region.

A Note on Indiana

If your business serves customers across the Tri-State or beyond, know that Indiana enacted similar laws, which also took effect on January 1, 2026. Indiana’s data privacy law mirrors Kentucky’s closely.

Best Done Right

For organizations that have been operating without a formal privacy program, the KCDPA is the forcing function. The 30-day cure period offers some breathing room, but that clock starts the moment the AG sends notice, not when you decide to start preparing. Building the privacy and security foundation now is meaningfully cheaper than rebuilding it under enforcement pressure later, and the work is broadly transferable to other state privacy regimes that will continue to come online over the next few years.

If you’d like help figuring out whether the Kentucky data privacy law applies to your organization, what your current security posture would look like under regulatory scrutiny, or how to align your privacy program with NIST controls in a way that holds up over time, we’re happy to talk.
