Kentucky Privacy Law (KCDPA) Compliance Guide for Small Businesses
Kentucky KCDPA takes effect January 1, 2026. It applies to businesses processing data of 100,000+ Kentucky consumers annually with no revenue threshold.
Kentucky Privacy Law (KCDPA): What Small Businesses Need to Know
The Kentucky Consumer Data Protection Act (KCDPA) takes effect January 1, 2026 and applies to any business processing the personal data of 100,000 or more Kentucky consumers in a calendar year — with no annual revenue threshold. A secondary trigger captures businesses processing data of 25,000 or more Kentucky consumers and deriving 50% or more of revenue from data sales. The Kentucky Attorney General is the sole enforcement authority. KCDPA closely follows the Virginia VCDPA model and is one of the most recent state privacy laws to take effect, alongside Indiana and Rhode Island. Businesses with Kentucky consumer reach should begin compliance preparation now.
Does KCDPA Apply to My Business?
KCDPA applies to any person that conducts business in Kentucky or produces products or services targeted to Kentucky residents AND meets one of two thresholds:
- Controls or processes personal data of 100,000 or more Kentucky consumers during a calendar year, OR
- Controls or processes personal data of 25,000 or more Kentucky consumers AND derives more than 50% of gross revenue from the sale of personal data.
The threshold logic is OR, with no revenue floor under either path.
| Threshold | Kentucky KCDPA | CCPA/CPRA | Virginia VCDPA |
|---|---|---|---|
| Revenue | None | $25M+ | None |
| Consumer count | 100,000 | 100,000 | 100,000 |
| Data sale alternative | 25K + 50% | 50% revenue share | 25K + 50% |
| Threshold logic | OR | OR | OR |
Kentucky accounts for roughly 1.4% of the US population. A national e-commerce store with approximately 7.1 million annual unique US visitors would, on a population basis, reach 100,000 Kentucky consumers. Stores with strong Southeast or Midwest distribution can reach the threshold at lower volumes.
What Does KCDPA Require?
KCDPA grants Kentucky consumers a standard set of state privacy law rights and follows the Virginia model closely.
Consumer rights you must honor. Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. The response deadline is 45 days, with one possible extension. Consumers also have the right to appeal denied requests.
Disclosures you must publish. Privacy notice covering categories of data processed, purposes, third-party sharing categories, and instructions for exercising rights and appealing denials.
Operational practices you must implement. Conduct data protection assessments for high-risk processing activities. Obtain affirmative opt-in consent before processing sensitive personal data. Establish reasonable administrative, technical, and physical security practices. KCDPA does not currently mandate honoring universal opt-out signals.
How KCDPA Affects Small Businesses
KCDPA's January 1, 2026 effective date gives businesses lead time to prepare. The law follows the Virginia model so closely that compliance is essentially additive for businesses already in scope under VCDPA, Texas TDPSA, or other Virginia-model state laws.
For Shopify merchants and direct-to-consumer brands, the practical takeaway: if you have a multi-state privacy program in place for Virginia, Texas, Iowa, or similar states, KCDPA requires only Kentucky-specific privacy notice references and confirmation that your existing rights workflow can handle Kentucky requests when they arrive. The compliance lift is small.
Kentucky's smaller population means fewer national e-commerce businesses will be in scope under KCDPA than under laws covering more populous states. But if you reach the threshold in Virginia or Indiana, you may also reach it in Kentucky.
The Kentucky AG has not yet issued implementing regulations and has not signaled a public enforcement posture. The statute is the primary source of binding obligations.
Key Differences from Other State Privacy Laws
KCDPA closely tracks the Virginia model and is structurally similar to VCDPA, Texas TDPSA, Iowa ICDPA, Indiana INCDPA, and Nebraska NDPA. The distinguishing features are administrative rather than substantive:
Effective date. KCDPA takes effect January 1, 2026 — making it one of the most recent state privacy laws to come online.
No universal opt-out signal mandate. Like Virginia, Texas, and most other Virginia-model states, Kentucky does not require honoring GPC or other universal opt-out browser signals.
Cure period. KCDPA includes a 30-day cure period before AG enforcement.
Compared to California CCPA/CPRA, KCDPA is significantly narrower. California has a dedicated enforcement agency, a private right of action for breaches, GPC requirements, and broader sensitive data protections. Kentucky relies on the AG, has no private right of action, and does not require GPC handling.
Compared to Connecticut CTDPA, Kentucky has a much higher consumer threshold (100,000 vs 35,000) and does not require honoring GPC. Fewer mid-size businesses are in scope under KCDPA than under CTDPA.
How to Comply with KCDPA
If KCDPA will apply to your business when it takes effect in January 2026, the following steps establish a baseline.
- Confirm scope. Calculate your annual Kentucky consumer count from analytics and customer records. If you reach 100,000 consumers, or 25,000 consumers together with the data-sale revenue share described above, you will be in scope.
- Update your privacy notice to include Kentucky-specific references. If you already have a multi-state privacy notice, the work is largely additive.
- Add opt-out mechanisms for targeted advertising, sale of personal data, and profiling.
- Build a consumer rights request workflow with the 45-day response deadline tracked.
- Build a denial appeals process with timely written response.
- Implement opt-in consent for sensitive data before processing any sensitive personal data category.
- Conduct data protection assessments for high-risk processing activities. Document and retain.
- Document reasonable security practices appropriate to the volume and nature of data you process.
- Be ready by January 1, 2026. Have your compliance program operational before the enforcement start date.
KCDPA Enforcement and Penalties
The Kentucky Attorney General has exclusive enforcement authority for KCDPA. There is no private right of action — Kentucky consumers cannot sue businesses directly. The AG may seek civil penalties of up to $7,500 per violation, plus reasonable expenses incurred in investigation.
KCDPA includes a 30-day cure period before formal enforcement. The AG must provide written notice of the alleged violation, and the business has 30 days to fix the issue and provide a written statement to the AG. If cured within 30 days, the AG may not bring an action for that specific violation.
Because KCDPA does not take effect until January 1, 2026, there is no enforcement history yet. Businesses should treat the upcoming effective date as a hard deadline for compliance readiness.
Frequently Asked Questions
When does Kentucky's privacy law take effect?
Kentucky's Consumer Data Protection Act (KCDPA) takes effect January 1, 2026. The Kentucky Attorney General will be the sole enforcement authority.
Does KCDPA have a revenue threshold?
No. KCDPA applies based on consumer data volume only: 100,000 or more Kentucky consumers annually, or 25,000 or more consumers if 50% or more of revenue comes from selling personal data. There is no annual revenue minimum.
Does KCDPA require honoring universal opt-out signals?
No. Like Virginia, Texas, and most other Virginia-model state privacy laws, Kentucky does not currently require businesses to honor the Global Privacy Control browser signal or other universal opt-out mechanisms.
What are the penalties for KCDPA violations?
The Kentucky AG can seek civil penalties of up to $7,500 per violation, plus reasonable investigation costs. There is no private right of action. KCDPA includes a 30-day cure period — if the business fixes the violation within 30 days of notice, the AG cannot bring an action for that violation.
Is KCDPA similar to other state privacy laws?
Yes. KCDPA closely follows the Virginia VCDPA model and is structurally similar to Texas TDPSA, Iowa ICDPA, Indiana INCDPA, and Nebraska NDPA. Businesses already complying with these laws will find KCDPA largely additive.
Should I start preparing for KCDPA now?
Yes. With a January 1, 2026 effective date and a 30-day cure period that only protects you after notice, the most efficient path is to extend existing multi-state privacy compliance work to cover Kentucky before the law takes effect.
This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.