In early April, Kentucky’s Governor Andy Beshear made a significant stride in data protection by signing the Kentucky Consumer Data Protection Act (KCDPA) into law. This act positions Kentucky as the sixteenth state to embrace comprehensive data privacy legislation, making it the third state to do so in 2024 alone. The framework of the KCDPA is closely aligned with the recently amended Virginia Consumer Data Protection Act (VCDPA), although it contains several distinct provisions.
For businesses that are already navigating the compliance landscape of other non-California privacy laws, the KCDPA does not heap on significant additional requirements. This new law is scheduled to become active starting January 1, 2026.
Scope and Application
The KCDPA casts a net over entities that engage in business within Kentucky or that target Kentucky residents with their products or services. A business falls under the purview of this law if it either handles the personal data of more than 100,000 consumers or manages the data of at least 25,000 consumers while deriving over half of its gross revenue from selling that data. These thresholds mirror those found in privacy legislation in several other states including Indiana, Iowa, Utah, and Virginia. It is noteworthy that the KCDPA excludes individuals acting in a commercial or employment context from its ambit.
Exemptions Worth Noting
In line with other state laws, the KCDPA includes exemptions for certain entities and data types. These exemptions encompass entities covered by HIPAA, non-profit organizations, educational institutions, and financial and data institutions that fall under the Gramm-Leach-Bliley Act. Additionally, data governed by the Fair Credit Reporting Act and certain types of non-profit activities, such as those aimed at combating insurance fraud or aiding first responders during catastrophic events, are also exempt.
One unique feature of the Kentucky law is its treatment of non-profit organizations, which specifically excludes political organizations from the exemption—a notable deviation from Virginia’s approach.
Definitional Clarity
The definition of “biometric data” under the KCDPA is notably consumer-centric, excluding general photographs, video, or audio recordings unless they are processed specifically to identify an individual. This definition also carves out exceptions for data collected, used, or stored for health care treatment, payment, or operations under HIPAA.
Regarding the “sale” of personal data, the KCDPA adopts a business-friendly stance by limiting the definition to the exchange of personal data for monetary compensation, thus excluding transactions involving other forms of consideration.
Enforcement and Compliance
The Kentucky Attorney General’s office is tasked with enforcing the KCDPA. There is no provision for private rights of action; however, businesses found in violation have a 30-day window to rectify the issue before facing a potential fine of $7,500 per incident.
Key Dates
- January 1, 2026: The law takes effect.
- June 1, 2026: Data protection assessment requirements kick in for processing activities that commence on or after this date.
Governor Beshear’s enactment of the KCDPA marks a critical moment for privacy regulation in Kentucky, reflecting a broader movement towards heightened consumer data protection across the United States. This legislation not only aligns Kentucky with national trends but also provides both businesses and consumers with clearer rules of engagement in the digital age.
