The Kentucky Consumer Data Protection Act (Part 3) — What Consumers Should Know

by John DiGiacomo

Partner

Internet Law

On April 4, 2024, Kentucky became the sixteenth State to enact a consumer data privacy statute — the Kentucky Consumer Data Protection Act (“KCDPA”). Since then, both Maryland and Nebraska have enacted data privacy statutes (and New Hampshire enacted a similar statute earlier in 2024). Eighteen States now have enacted some version of a consumer data privacy statute.

With respect to the KCDPA, in Parts One and Two of this series, we provided an overview and discussed what businesses should know about the KCDPA. In this Part Three, we provide an overview of what rights are granted and protected for Kentucky residents.

Enforcement

The KCDPA becomes effective on January 1, 2026.

As with most of these statutes, enforcement powers are granted to the State’s Attorney General’s Office. Thus, Kentucky residents who believe that their rights have been or are being violated must contact the Kentucky Office of the Attorney General. Generally, the Attorney General’s Office will conduct an investigation and, if warranted, begin an enforcement action, which can include bringing civil actions in the courts of Kentucky either on behalf of the Commonwealth or on behalf of individual residents. Civil fines of up to $7,500 can be imposed for each violation, and the Attorney General can recover reasonable expenses and costs.

Note that the KCDPA gives businesses a permanent 30-day “cure” period. So, if the Attorney General investigates, a business can fix — cure — the problem within 30 days without being deemed to have violated the KCDPA.

The KCDPA does not require that any of the civil fines be paid to consumers.

Rights Granted

The rights granted by the KCDPA to Kentucky residents are similar to the rights granted by other consumer data privacy statutes. In brief terms, these rights are:

  • To confirm whether a business — identified as a “controller” of personal data — is processing their personal data
  • To have access to their data, unless the confirmation and access would require the controller to reveal a trade secret
  • To obtain a copy of the personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance — note that this portability right is not for ALL data, but only data previously provided to that controller by the consumer
  • To opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling
  • To have the controller act within 45 days of receiving a request — the time can be extended for good reason
  • To have access to an internal appeal process if the controller refuses or fails to act as requested by the consumer

For purposes of the KCDPA, data is protected when consumers are acting in an individual capacity, but not when acting in an employment or business capacity. The appeal process mentioned above must be “conspicuously available and similar to the process” provided to consumers for making initial requests for action by a controller. If the appeal is denied, the controller must provide a method for the consumer to submit a complaint to the Attorney General.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
