On April 4, 2024, Kentucky’s Governor Beshear signed the recently enacted Kentucky Consumer Data Protection Act (“KCDPA”). The KCDPA will become effective on January 1, 2026. Kentucky is the most recent state to pass a consumer data privacy statute. The various statutes have now converged and are quite similar in their framework, scope, and coverage. The KCDPA is well within these boundaries and opens no new legal ground. In this two-part series, the Consumer Data Privacy and Compliance Lawyers at Revision Legal provide an overview of the KCDPA for businesses, which businesses and what types of data are covered, and what is mandated by the KCDPA for businesses that collect, control, and process consumer data.
The KCDPA uses the standard data privacy framework
As noted, the KCDPA uses the standard framework:
- It is aimed at controllers and processors of personal and sensitive consumer data
- Consumers are given certain rights with respect to their data
- Controllers and processors must comply with various KCDPA mandates (such as supplying notices to consumers, obtaining their consent, or allowing them to opt out), and
- Enforcement is through the State Attorney General’s Office
How the KCDPA resolves current policy debates
That being said, within the standard data privacy framework, there are still a number of nuanced policy debates that are ongoing as of early 2024. Many of these policy debates are listed below along with how the KCDPA resolves those debates for consumers in Kentucky:
- Whether documented data assessment reports are required — the KCDPA DOES require these
- Whether the statute applies to out-of-state businesses because they target in-state consumers or because they provide goods and services to in-state consumers — the KCDPA uses the word “target”
- Whether data processed exclusively for payment purposes is included or excluded when determining thresholds for coverage — the KCDPA includes such data processing
- Whether data related to employment and employment applications are included or excluded from coverage — the KCDPA excludes such data
- Whether nonprofit entities are exempt from coverage — nonprofits ARE exempt under the KCDPA
- Whether businesses are required to accept global or universal consumer privacy choices established through apps, browser settings, and the like — the KCDPA does NOT require this
- Whether an appeal mechanism is mandated if a controller refuses/fails to take an action requested by a consumer — the KCDPA DOES mandate such a mechanism
- Whether non-action can be deemed “consent” — the KCDPA is silent on whether non-action can be deemed consent
- Whether affirmative consent must be obtained or whether an opt-out choice is sufficient — the final version of the KCDPA requires consent in some cases (processing of sensitive data) and an opt-out choice in others (sale of personal data, targeted advertising, and certain profiling)
Coverage
The KCDPA applies to any business or individual that:
- Conducts business in Kentucky or produces products or services that target Kentucky residents, AND
- Controls or processes the personal data of at least 100,000 Kentucky consumers, OR
- Controls or processes the personal data of at least 25,000 Kentucky consumers AND derives over 50% of gross revenue from the sale of personal data
As in other similar statutes, certain organizations are exempt. The exemptions include government agencies and subdivisions, nonprofits, financial institutions regulated by federal law (the Gramm-Leach-Bliley Act), health entities governed by the federal HIPAA privacy rules, institutions of higher education, fraud investigation entities, first responder entities, and certain small telecommunication utilities.
Certain types of data are also excluded. This list is about the same length as the lists found in other data privacy statutes. Excluded data include certain health data (such as protected health information covered by HIPAA), data collected when a person is acting in an employment or commercial capacity, data used for credit reporting, and more. Pseudonymous data and de-identified data are relieved from some, but not all, of the statute’s obligations.
See Part Two for more information.
Step-by-Step Compliance Roadmap for KCDPA
With the KCDPA’s effective date of January 1, 2026, covered businesses need an actionable compliance roadmap. The first step is a data mapping exercise: identify every category of personal data your business collects, the sources from which it is collected, the purposes for which it is processed, who it is shared with, and where it is stored. Data mapping is the foundation of every KCDPA compliance obligation; you cannot draft an adequate privacy notice, conduct a data protection assessment, or respond to a consumer rights request without knowing what data you have and where it lives.
The second step is a gap analysis: compare your current data practices against the KCDPA’s requirements for privacy notices, consumer rights request mechanisms, consent and opt-out procedures, processor agreements, data protection assessments, and security standards. The gap analysis will identify the specific compliance work that needs to be done before enforcement begins. Revision Legal can assist businesses in conducting both data mapping exercises and KCDPA gap analyses.
Privacy Notice Requirements: What Must Be Disclosed
The KCDPA requires that controllers provide consumers with a privacy notice that is “reasonably accessible, clear, and meaningful.” The notice must disclose: (1) the categories of personal data being processed; (2) the purposes for processing; (3) how consumers may exercise their rights (access, correction, deletion, portability, and opt-out) and how they may appeal a controller’s decision; (4) the categories of personal data shared with third parties; and (5) the categories of third parties with whom data is shared. A controller that sells personal data or processes it for targeted advertising must also clearly disclose that fact and explain how consumers may opt out.
Posting a privacy policy on your website satisfies the notice requirement only if the policy covers all of these disclosures and is actually accessible to consumers. In practice, that means linking it prominently from your homepage, checkout pages, and any data collection forms. Privacy policies buried in footer links that take several clicks to locate may pass muster under some statutes, but the KCDPA’s “reasonably accessible” standard is best read as calling for more prominent placement wherever personal data is collected.
The “Targets” Language: Out-of-State Businesses Covered
The KCDPA applies to businesses that produce products or services that “target” residents of Kentucky, not just businesses physically located in the state. This targeting language means that an e-commerce business based in New York that sells to Kentucky consumers, a SaaS company in California whose service is used by Kentucky consumers, or an app developer in Texas whose app is used by Kentucky residents can each be covered by the KCDPA if it meets the applicable data thresholds.
Indicators that a business “targets” Kentucky residents include accepting Kentucky billing addresses, shipping to Kentucky addresses, mentioning Kentucky specifically in marketing materials, and tailoring content to Kentucky-specific interests. A business that markets nationwide (pricing in U.S. dollars, shipping to every state) is targeting Kentucky residents along with everyone else, so businesses conducting e-commerce or digital services on a nationwide basis should assume they may be subject to the KCDPA and evaluate their data practices against its requirements.
Comparing KCDPA to Virginia, Colorado, and Connecticut Statutes
The KCDPA is modeled closely on the Virginia Consumer Data Protection Act (VCDPA), which was itself a template for several subsequent state statutes. Businesses that have already achieved compliance with the VCDPA will find that KCDPA compliance requires modest additional work. Both statutes require data protection assessments, and neither requires businesses to honor universal opt-out signals sent through browsers or apps, which Colorado and Connecticut do require. Like Virginia, the KCDPA counts data processed solely to complete a payment transaction toward its coverage thresholds, whereas Connecticut excludes such data, so Kentucky’s coverage is somewhat broader on that point; beyond that, the differences are largely definitional. Businesses operating in multiple states should use a unified privacy compliance framework that meets the most stringent requirement across all applicable state statutes, typically a framework designed to satisfy California’s CPRA, supplemented by state-specific provisions for consent, appeal mechanisms, and coverage thresholds.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.