
Changes to Kentucky Privacy Laws

Understanding Kentucky’s New Data Protection Rules and What They Mean for Your Business
January 6, 2026 by John Miller

Kentucky’s new privacy law, the Kentucky Consumer Data Protection Act (KCDPA), has been in effect since January 1, 2026, and it significantly changes how many organizations must handle personal data for Kentucky residents. For Kentucky‑facing businesses, this means new consumer rights, new transparency and security obligations, and a need to formalize data governance practices that may previously have been informal.

What changed in Kentucky privacy law?

The KCDPA is Kentucky’s first comprehensive consumer data privacy law, modeled closely on other state laws like Virginia’s and taking effect at the start of 2026. It establishes a baseline set of privacy rights for Kentucky residents and a corresponding set of duties for businesses that determine how and why personal data is processed.​

Under the new law, Kentuckians now have statutory rights to access, correct, delete, and obtain a copy of certain personal data held about them. They also gain the right to opt out of targeted advertising, the sale of personal data, and certain types of profiling that produce legal or similarly significant effects.​

Who is covered (and who is not)?

The KCDPA applies to “controllers” and “processors” that conduct business in Kentucky or target Kentucky residents, but only if they meet specific volume thresholds. A controller is an organization that determines the purpose and means of processing personal data, while a processor handles personal data on behalf of a controller (for example, a service provider or vendor).​

A business generally falls in scope if, during a calendar year, it controls or processes the personal data of either at least 100,000 Kentucky consumers, or at least 25,000 consumers while deriving more than 50% of gross revenue from selling personal data. Certain entities and data sets are exempt, including some data already regulated under regimes like GLBA and specific categories of HIPAA‑regulated health information, which the legislature clarified through subsequent technical amendments.

New rights for Kentucky consumers

From a consumer perspective, the law creates a clearer and more actionable set of privacy rights than most general consumer‑protection statutes. Individuals can now submit requests to covered businesses to access the personal data held about them, correct inaccuracies, request deletion of certain data, and receive a portable copy of their information where appropriate.​

Consumers can also direct businesses not to use their data for targeted advertising, not to sell their personal data, and not to use profiling that has significant effects, and they must be offered a way to appeal if a business denies a request. Covered businesses must respond to these requests within defined timeframes and may not discriminate against consumers for exercising their rights.​

Key obligations for businesses

For organizations that meet the thresholds, the KCDPA turns modern privacy practices into explicit legal requirements. Some of the most important obligations include:​

  • Providing a “reasonably accessible, clear, and meaningful” privacy notice that explains what personal data is collected, why it is collected, how consumers can exercise their rights, what data is shared, and with which categories of third parties.​

  • Limiting collection and use of personal data to what is adequate, relevant, and reasonably necessary for disclosed purposes, and avoiding processing that is incompatible with those purposes without additional consent.​

Security and governance expectations also step up under the new law. Covered businesses must implement reasonable administrative, technical, and physical safeguards aligned to the volume and sensitivity of the personal data they process, and for certain higher‑risk activities (such as targeted advertising, sale of personal data, profiling, or processing sensitive data), they must conduct and document data protection assessments.​

Practical next steps for Kentucky‑facing businesses

For many organizations already navigating other state privacy laws, the KCDPA will feel familiar, but it still requires explicit alignment with Kentucky‑specific obligations. Suggested actions include:

  • Determining whether your organization meets the KCDPA thresholds, based on the number of Kentucky consumers whose data you process and your revenue model.​

  • Reviewing and updating privacy notices, internal procedures, and consumer‑facing workflows so that access, correction, deletion, and opt‑out requests can be received, authenticated, tracked, and fulfilled within the required timelines.​

Organizations should also revisit contracts with vendors that act as processors to ensure they contain required privacy and security terms and clear instructions around data handling. Finally, this is a good moment to refresh data classification, retention, and security controls so that your technical environment supports sustainable compliance rather than one‑off fixes.​

Argus Cybersecurity and Support helps businesses stay ahead of changing compliance requirements—including new state privacy laws like the KCDPA—and is available to assist with assessments, remediation plans, and ongoing governance support.