On April 4, 2024, Kentucky became the sixteenth State to enact a consumer data privacy statute — the Kentucky Consumer Data Protection Act (“KCDPA”). Since then, both Maryland and Nebraska have enacted data privacy statutes (and New Hampshire enacted a similar statute earlier in 2024). Eighteen States now have enacted some version of a consumer data privacy statute.
With respect to the KCDPA, in Parts One and Two of this series, we provided an overview and discussed what businesses should know about the KCDPA. In this Part Three, we provide an overview of what rights are granted and protected for Kentucky residents.
Enforcement
The KCDPA becomes effective on January 1, 2026.
As with most of these statutes, enforcement powers are granted to the State’s Attorney General’s Office. Thus, Kentucky residents who believe that their rights have been or are being violated must contact the Kentucky Office of the Attorney General. Generally, the Attorney General’s Office will conduct an investigation and, if warranted, begin an enforcement action, including bringing civil actions in the courts of Kentucky either on behalf of the Commonwealth or on behalf of individual residents. Civil fines of up to $7,500 for each violation can be imposed, and the Attorney General can recover reasonable expenses and costs.
Note that the KCDPA gives businesses a permanent 30-day “cure” period. So, if the Attorney General investigates, a business can fix — cure — the problem within 30 days without being deemed to have violated the KCDPA.
The KCDPA does not require that any of the civil fines be paid to consumers.
Rights Granted
The rights granted by the KCDPA to Kentucky residents are similar to the rights granted by other consumer data privacy statutes. In brief terms, these rights are:
- To confirm whether a business — identified as a “controller” of personal data — is processing their personal data
- To have access to their data, unless the confirmation and access would require the controller to reveal a trade secret
- To obtain a copy of the personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance — note that this portability right is not for ALL data, but only data previously provided to that controller by the consumer
- To opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling
- To have the controller act within 45 days of receiving a request — the time can be extended for good reason
- To have access to an internal appeal process if the controller refuses or fails to act as requested by the consumer
For purposes of the KCDPA, data is protected when consumers are acting in an individual capacity, but not when acting in an employment or business capacity. The appeal process mentioned above must be “conspicuously available and similar to the process” provided to consumers for making initial requests for action by a controller. If the appeal is denied, the controller must provide a method for the consumer to submit a complaint to the Attorney General.
How to Exercise Your Rights Under the KCDPA
To exercise any of the rights granted by the Kentucky Consumer Data Protection Act, a Kentucky resident must submit a verifiable consumer request directly to the controller — the business collecting and controlling their personal data. The controller is required by the KCDPA to provide a reasonably accessible, clear, and meaningful privacy notice that explains how to submit requests. Look for a “Privacy Policy” or “Privacy Rights” link on the business’s website, which should identify a contact email address, web form, or toll-free phone number designated for data subject requests.
When submitting a request, be prepared to provide enough identifying information to allow the controller to verify your identity without requiring you to provide more personal data than is reasonably necessary for that purpose. Controllers may not charge a fee for responding to your first request in a 12-month period, and they must respond within 45 days (with a possible 45-day extension for complex requests).
The KCDPA’s Appeal Process: Your Next Step if a Request Is Denied
If a controller refuses your request — for example, refusing to delete your personal data or refusing to correct inaccurate data — the KCDPA requires the controller to provide an internal appeal mechanism. The appeal process must be “conspicuously available” and similar in form to the process used for submitting the original request. After submitting an appeal, the controller must respond within 60 days with a written explanation of its decision. If your appeal is denied, the controller must provide information on how to submit a complaint to the Kentucky Attorney General’s Office at consumerprotection.ky.gov.
The internal appeal requirement is an important consumer protection, but it also means that consumers cannot go directly to the Attorney General without first attempting to resolve the issue through the controller’s appeal process. Documenting all communications with the controller — dates, methods, and content of requests and responses — is critical for any complaint you may later file with the AG’s office.
Sensitive Data and Children’s Data: Heightened Protections
Under the KCDPA, businesses cannot process your “sensitive data” without your affirmative, opt-in consent. Sensitive data under the KCDPA includes racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation data (within a radius of 1,750 feet), and personal data of a known child. If you have provided consent for sensitive data processing and later wish to revoke it, you have the right to do so, and the controller must stop processing within a reasonable time after revocation.
For parents concerned about data collected from their children, the KCDPA’s definition of “sensitive data” includes personal data of a known child — meaning a child under 13 as defined by COPPA. Controllers that knowingly collect personal data from children are subject to the KCDPA’s consent requirements in addition to federal COPPA obligations. Parents should verify whether apps, games, and educational platforms used by their children have KCDPA-compliant privacy notices and parental consent mechanisms in place.
What the KCDPA Does NOT Cover: Important Limitations
Consumer rights under the KCDPA do not apply to your data when you are acting in an employment or commercial capacity. This means your employer generally can collect and process your professional data — work emails, job performance records, workplace communications — without KCDPA-based consent requirements. Similarly, data collected from you in the context of a business-to-business transaction falls outside the KCDPA’s protections.
The KCDPA also does not apply to a range of regulated data types covered by federal law, including data governed by HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and COPPA. If your complaint involves health insurance records, medical records, financial account data regulated by federal law, or children’s online data collected by COPPA-covered operators, those concerns should be directed to the relevant federal agency rather than (or in addition to) the Kentucky AG.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.