Introduction
The patchwork of US state data privacy laws continues to grow, and Kentucky is now part of the conversation. With the KCDPA now in effect as of January 1, 2026, businesses operating online and serving Kentucky residents must comply with new requirements around the collection, processing, and protection of personal information.
The KCDPA is Kentucky’s comprehensive consumer data protection act, designed to safeguard data privacy for residents acting in a personal or household context. Signed into law as HB 15 on April 4, 2024, and refined by HB 473 amendments also effective on the same date, the law establishes clear rules for data collection, consumer rights, and controller/processor accountability.

Who Must Comply with the KCDPA?
The KCDPA applies based on how much consumer data a business handles, not on revenue alone. Only certain controllers and processors that conduct business in Kentucky or target Kentucky residents fall within the scope.
The applicability criteria are straightforward:
- 100,000+ consumers: KCDPA applies to businesses processing personal data of 100,000 or more Kentucky consumers in a calendar year.
- 25,000+ consumers with data sales revenue: KCDPA covers businesses that process data of at least 25,000 consumers and generate more than half of their gross revenue from selling personal data.
The term “consumer” means a Kentucky resident acting in an individual, personal, or household context. The KCDPA does not apply to businesses acting in a purely commercial or employment capacity, meaning B2B contacts and employee HR data are excluded. Any entity offering products or services to Kentucky residents, including online businesses and Shopify stores that ship to Kentucky or run targeted campaigns, can fall within scope if the thresholds are met.
Entity-level exemptions include:
- State and local government agencies
- Any nonprofit organization
- Higher education institutions
- GLBA-covered financial institutions and affiliates
- HIPAA-covered entities and their business associates (expanded by HB 473)
- Small telephone utilities and certain Tier III CMRS providers
- Municipally owned utilities that do not share personal data with third-party processors
Data-level exemptions encompass protected health information under HIPAA, data governed by the Fair Credit Reporting Act, FERPA-protected education records, DPPA motor vehicle data, employment-related records, and data utilized in insurance fraud or public safety scenarios.
KCDPA Exemptions and Edge Cases in Practice
Consider practical examples: a nonprofit university in Kentucky is exempt. A HIPAA-covered health system maintaining protected health information in compliance with HIPAA is also fully exempt. But an e-commerce retailer or SaaS provider selling consumer goods to Kentucky residents is not exempt, even if it also handles some health data in a separate line of business.
Mixed data environments create complexity. A business may be exempt from PHI datasets but still covered for ordinary consumer data like marketing profiles, analytics cookies, and advertising identifiers. Controllers must segment their data to determine which datasets are inside or outside KCDPA.
Employee HR data and B2B contact data fall outside “consumer data” for KCDPA purposes. This is a notable difference from broader regimes like California’s CCPA/CPRA.
Organizations should perform a scoping exercise early, mapping which entities and datasets are covered to avoid over- or under-compliance. A structured data privacy audit is a strong starting point.

Key Definitions Under the KCDPA
Understanding KCDPA definitions is critical because they determine when obligations are triggered and how consumer rights apply. Getting the terminology right prevents costly misinterpretation.
- Personal data: Any data connected or reasonably associated with a identified or identifiable person, except for de-identified data, pseudonymous data (when adequately separated and protected), and publicly accessible information.
- Consumer data: Personal data of Kentucky consumers-residents acting in a personal or household capacity. Employee and B2B records are not included.
- Controller: The individual or organization responsible for setting the purposes and methods of handling personal data.
- Processor: An entity that handles data for a controller.
- Processing: Broadly covers collection, use, storage, disclosure, analysis, deletion, and modification of data, whether automated or manual. This means virtually any handling of personal data counts as data processing.
- Sale of personal data: The exchange of personal data for monetary consideration by a controller to a third party. Disclosures to processors or affiliates, or made during mergers, are not considered data sales. This is narrower than California’s definition, which includes non-monetary exchanges.
Biometric Data and Sensitive Data
Biometric data under the KCDPA means data generated by automatic measurement of biological characteristics-fingerprints, voiceprints, iris scans, facial geometry-used to uniquely identify an individual. The law explicitly excludes any physical or digital photograph, video, or audio recordings, and data generated therefrom, unless used for identification purposes or under HIPAA-covered health care treatment.
Sensitive data includes:
- Race or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses (health data)
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric identifiers
- Precise geolocation
- Personal data of known children under 13 (children’s data)
HB 473 fine-tunes health-related categories, offering broader exemptions for protected health information while keeping consumer data protection robust. For more on children’s privacy protections, specific compliance steps apply.
Consent and Opt-Out: How KCDPA Treats Consumer Choices
The KCDPA is primarily an opt-out regime for most processing activities. However, it mandates opt-in consent for processing sensitive data, including sensitive categories and children’s data under 13 (aligned with COPPA).
Valid consent must be a clear, affirmative act freely given, specific, informed, and unambiguous. Pre-ticked boxes, dark patterns, and bundled consents do not meet the standard for obtaining consent under KCDPA.
Controllers must enable consumers to opt out of targeted ads, selling personal data, and profiling that has significant legal or similar effects. While the specific opt-out rules differ across US states, the fundamental principle remains the same: consumers should have meaningful control over how their data is collected and used.
Consumer Rights Under the KCDPA
The KCDPA grants Kentucky residents specific rights regarding their personal data, giving them direct control over how businesses use it. Kentucky consumers can exercise consumer rights by submitting consumer requests through channels that must be clearly described in the controller’s privacy notice.
The five core rights are:
Right | Description |
|---|---|
Access / Confirm | Consumers can confirm whether a business is processing their personal data and access the personal data provided |
Correct | Consumers have the right to correct inaccuracies in their data |
Delete | Consumers can request deletion of their personal data |
Portability | Consumers can access, correct, delete, and port their personal data in a commonly used format |
Opt-Out | Consumers can opt-out of targeted advertising, data sales, and certain profiling |
Timelines: Businesses must respond to consumer requests within 45 days. KCDPA allows a one-time 45-day extension for responses when reasonably necessary, provided the consumer is notified of the delay and the reason for it.
Controllers may require reasonable verification to authenticate consumer rights requests, including requests from authorized agents, without making the process unduly burdensome. If a request is denied, the business must provide justification and instructions for appeal, including a reference to the Kentucky Attorney General’s complaint process.
- No coding required
- Works with all Shopify themes
- Blocks tracking before consent
- Google Consent Mode v2 ready
- Trusted by 180k+ stores
- 2,900+ 5-star reviews
- Google CMP Partner
Handling Consumer Requests and Appeals
Accept consumer requests via multiple channels-web forms, account dashboards, email-and maintain a standardized workflow for compliance and auditability.
Track all data requests (access, deletion, correction, opt-out requests) in a centralized system. Log dates, outcomes, and extensions to demonstrate KCDPA compliance if the AG ever requests evidence.
The appeals process must be:
- Accessible and conspicuously described in the privacy notice
- Subject to defined deadlines (controllers must respond to appeals within 60 days)
- Transparent about reasons for upholding a denial
Training customer support and privacy teams to recognize and correctly handle consumer rights requests under KCDPA, CCPA, GDPR, and other data privacy laws simultaneously is essential. Mishandled or missed opt-out requests can quickly become enforcement triggers.

Core Obligations for Controllers and Processors
Beyond rights handling, the KCDPA requires proactive governance: data minimization, security, contract controls, and data protection assessments for certain activities.
Data minimization: Businesses must limit data collection to what is adequate, relevant, and necessary. Controllers cannot repurpose personal data processed for unrelated objectives without further consent.
Purpose limitation: Personal data should not be processed in ways incompatible with the original, disclosed purposes unless the consumer provides new consent.
Transparency: Businesses must provide transparent privacy notices to consumers. These notices must explain categories of personal data processed, purposes, categories of personal data sold or used for targeted advertising, how to exercise consumer rights, and whether profiling is used.
Data security: Controllers must implement security measures-reasonable administrative, technical, and physical safeguards-appropriate to the volume, nature, and sensitivity of consumer data. This duty to safeguard data and reduce data breach risk is central to the law.
Non-discrimination: Controllers may not discriminate against consumers who exercise their rights (e.g., deny goods, alter price or quality), subject to limited exceptions for bona fide loyalty programs or transparent data-driven pricing.
Data Protection Impact Assessments (DPIAs)
The KCDPA mandates that controllers perform data protection assessments for specific high-risk processing activities. Triggers include targeted advertising, the sale of personal data, and profiling with significant consumer effects.
HB 473 narrows the profiling trigger: DPIAs become mandatory when profiling presents a reasonably foreseeable risk of unlawful disparate impact on consumers. For processing activities created after June 1, 2026, this obligation is explicitly required.
A DPIA should generally include:
- Description of the processing activity
- Assessment of benefits vs. risks to consumers
- Safeguards adopted
- Measures to mitigate impacts on consumer rights
DPIAs must be documented and made available to the Kentucky Attorney General upon request. Maintain versioned records and review them periodically, especially after product changes or new data practices.
Enforcement, Cure Period, and Penalties
The Kentucky Attorney General has exclusive enforcement authority over the KCDPA. There is no private right of action for consumers to directly sue under this law.
Before filing an enforcement action, the AG must issue a written notice of alleged violations, giving the business a 30-day cure period to remedy the issue and provide written assurance that the violation has been resolved and will not recur. Unlike some other state laws, this cure period is permanent-it does not sunset after an initial implementation phase.
If a business fails to address a breach or violates its written assurances, the AG can impose civil penalties of up to $7,500 for each violation, plus injunctive relief, attorneys’ fees, and costs. Each violation can result in fines up to $7,500, with no limit on the total liability since each violation is considered separately.
Enforcement has already begun. The first known action under KCDPA was filed on January 8, 2026, against Character Technologies (Character.AI), alleging the processing of minors’ sensitive data without parental consent, a lack of age verification, and exposure to harmful content.
How KCDPA Compares to Other U.S. Data Privacy Laws
The KCDPA closely mirrors Virginia’s VCDPA in structure and is widely viewed as more business-friendly than California’s.
Feature | KCDPA (Kentucky) | CCPA/CPRA (California) | VCDPA (Virginia) |
|---|---|---|---|
Private right of action | No | Limited (data breach) | No |
Definition of “sale” | Monetary consideration only | Includes non-monetary | Monetary consideration only |
Employee/B2B data | Excluded | Included (CPRA) | Excluded |
Universal opt-out mechanisms / GPC | Not required | Required | Not required |
Cure period | 30 days (permanent) | None (as of 2025) | 30 days (expired) |
KCDPA shares similarities with Indiana, Iowa, Utah, and other recent state data privacy laws: threshold-based applicability, opt-out model, core consumer rights, and AG-only enforcement. Businesses already aligned with GDPR, CCPA/CPRA, and similar state laws may only need incremental changes. For a broader comparison, see an overview of the rights and requirements in US data privacy laws and the differences between GDPR and CCPA/CPRA.
- No coding required
- Works with all Shopify themes
- Blocks tracking before consent
- Google Consent Mode v2 ready
- Trusted by 180k+ stores
- 2,900+ 5-star reviews
- Google CMP Partner
How Pandectes Can Help Shopify Merchants with KCDPA
Pandectes GDPR Compliance, as a Shopify privacy compliance app, helps merchants implement consent management and cookie banners aligned with KCDPA, GDPR, CCPA, and other data privacy laws. It provides a centralized system to manage consumer rights workflows, including data access, deletion, and opt-out requests, helping merchants meet KCDPA response timelines.
Automated store scanning discovers cookies and tracking technologies, ensuring transparency over consumer data collection and supporting data minimization. Pandectes’ multilingual support and Google-certified CMP capabilities help global merchants maintain consistent compliance across regions where Kentucky residents might shop.
For merchants looking to simplify KCDPA compliance, Pandectes works as part of a broader compliance stack, coupled with updated privacy policies, trained teams, and robust security practices. It is especially useful for stores that also manage cookie compliance across the US states.

Conclusion
The KCDPA adds another layer to the US privacy landscape, but businesses with mature data privacy programs can leverage existing controls to comply efficiently. The law reflects the same principles, data minimization, transparency, and consumer empowerment that drive modern privacy regulation worldwide.
With the law now in effect, businesses should ensure they have completed scoping and gap analyses and continue refining their data practices as guidance evolves. Proactive compliance not only avoids enforcement and penalties but also strengthens consumer trust, a genuine competitive advantage for online retailers and SaaS platforms.
View the KCDPA as an opportunity to modernize your approach to protecting personal information, embrace privacy by design, and build lasting customer confidence. Evaluate your current tools and processes, and consider leveraging specialized platforms like Pandectes to operationalize data privacy across multiple jurisdictions.


