
Kentucky Consumer Data Protection Act (KCDPA)

Kentucky's consumer privacy law effective January 1, 2026 — a Virginia-family regime distinguished administratively by the creation of a dedicated Office of Data Privacy within the Attorney General's office.

Overview

The Kentucky Consumer Data Protection Act (HB 15, 2024), codified at Ky. Rev. Stat. Ann. Sec. 367.800 et seq., takes effect on January 1, 2026. KCDPA hews closely to the Virginia operational template, distinguished primarily by an administrative innovation: the creation of a dedicated Office of Data Privacy inside the Attorney General's office to supervise enforcement and provide guidance.

Applicability tracks the Virginia ceiling: a controller must, in a calendar year, process personal data of 100,000 or more Kentucky consumers, or 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data.

Exemptions mirror the Virginia family: government entities, HIPAA-covered entities, GLBA-regulated financial institutions, non-profits, higher-education institutions, and data covered by FCRA, DPPA, FERPA, and COPPA. Employee and B2B data remain out of scope.

Consumer Rights

Kentucky provides the full Virginia-family rights bundle:

  • Right to access personal data and confirm processing
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of sale of personal data
  • Right to opt out of targeted advertising
  • Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects
  • Right to appeal a controller's denial

Sensitive data follows the standard Virginia-family definition and requires opt-in consent before processing.

Compliance Requirements

Controllers must publish a privacy notice, honor data subject requests (DSRs) within 45 days (extendable by a further 45 days), conduct DPIAs for heightened-risk processing (targeted advertising, sale, profiling with significant effects, sensitive data), and execute processor contracts covering statutory duties.

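Recognition of universal opt-out mechanisms (UOOM) such as Global Privacy Control (GPC) is NOT required under KCDPA; controllers with a Kentucky-only footprint do not need to detect the Sec-GPC request header.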

Office of Data Privacy

KCDPA's most distinctive feature is an Office of Data Privacy established as a division within the Kentucky Attorney General's office. The Office is responsible for:

  • Supervising KCDPA compliance across regulated controllers
  • Receiving and processing consumer complaints
  • Coordinating investigations into alleged violations
  • Providing guidance and educational materials to businesses and consumers
  • Issuing informal guidance (but not formal regulations — no rulemaking authority, unlike New Jersey)

Contrast with California: Unlike California's independent California Privacy Protection Agency (CPPA), Kentucky's Office is a division inside the AG rather than a standalone agency. It has narrower autonomy and no independent rulemaking authority but offers a specialized point of contact for compliance questions.

Cure Period + Enforcement

The Kentucky Attorney General, acting through the Office of Data Privacy, holds exclusive enforcement authority — no private right of action. Violators receive a 30-day cure period. Civil penalties reach up to $7,500 per violation.

Because KCDPA is new (effective 2026), enforcement practice is unsettled — the Office will set tone during its first enforcement cycle.

How Inori Addresses This

Inori's v1.2 privacy.mdx includes Kentucky with its January 1, 2026 effective date. Our /api/dsar endpoint services the full rights bundle with a 45-day SLA and +45-day extension tracking. Hard-purge on account deletion runs via cron at 90 days, satisfying the right-to-delete lifecycle.

GPC handling via middleware.ts respectGpc is active platform-wide — although KCDPA does not mandate UOOM, Kentucky residents benefit by default. Inori's compliance team tracks Office of Data Privacy guidance as it is published so any practical-implementation expectations beyond statutory text are incorporated. DPIA-style documentation is maintained procedurally; automated DPIA generation is deferred.

Related Concepts

  • VCDPA — the Virginia baseline that KCDPA closely follows
  • TIPA — Tennessee's Virginia-family law with NIST safe-harbor
  • CCPA/CPRA — California's independent agency contrasts with Kentucky's in-AG Office


Related Terms

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

DSAR (Data Subject Access Request)

A formal request by an individual to a company to exercise their privacy rights — including accessing, correcting, deleting, or exporting their personal data — as provided by CCPA, CPRA, GDPR, and U.S. state privacy laws.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's comprehensive consumer privacy law — the second state law after CCPA — granting residents rights to access, correct, delete, and opt out of data sales. Served as the template for most subsequent state laws.

Tennessee Information Protection Act (TIPA)

Tennessee's consumer privacy law effective July 1, 2025 — unique in US privacy law for offering an affirmative defense to controllers who demonstrate conformance with the NIST Privacy Framework or comparable standards.