Are you running a business in the Kentucky region? If so, you need to be prepared to comply with Kentucky’s New Data Privacy Act.

A significant shift in privacy is coming, and your business cannot afford to ignore it if you collect data about residents in Kentucky. The Kentucky Consumer Data Protection Act (KCDPA) will come into effect on January 1, 2026, and it may change the way you collect consumer data altogether.

The simplest way to think of the KCDPA is that it closely resembles other major privacy laws such as the GDPR and the Virginia Consumer Data Protection Act.

That means KCDPA compliance pays off twice: it mitigates risk in Kentucky, and it eases compliance efforts across multiple jurisdictions.

In this compliance guide, we will delve into the details of what the KCDPA means for your company, who it applies to, and how you can prepare.

Let’s get started.


What is the Kentucky Consumer Data Protection Act (KCDPA)?

[Image: Kentucky Consumer Data Protection Act (KCDPA)]

The Kentucky Consumer Data Protection Act (KCDPA) is a new law that helps protect the personal information of people living in Kentucky. It gives them more control over how businesses collect, use, and share their data online. 

Kentucky became the 15th state in the U.S. to pass such a law on April 4, 2024.

This law outlines the rules governing how businesses can and cannot use your personal information. It also explains what happens if they break the rules; businesses can be fined up to $7,500 for each violation. The law adheres to privacy rules similar to those in other states, such as Virginia.

Once the law takes effect on January 1, 2026, businesses must comply with it. They’ll need to tell people what data they’re collecting and why they’re collecting it, and obtain clear permission when needed. They must also provide ways for people to make data requests, such as asking for their data to be deleted or corrected.

The law gives Kentucky residents important rights. They can request to view the data a company has recorded about them, request changes, or ask the company to delete it. This gives consumers more control over their data and strengthens their rights.

The KCDPA will be part of Kentucky’s official state laws under Chapter 367 of the Kentucky Revised Statutes. If your business operates in Kentucky, you will be required to comply with the KCDPA law regulations and take the necessary actions.

Although the KCDPA is Kentucky’s first consumer data privacy law, several other privacy-related laws already exist in Kentucky, such as the following: 

Who Must Comply With the Kentucky Consumer Data Protection Act?

Your company is required to comply with the KCDPA if you are doing business in or offering products and services to residents of the state and meet any one of the following during a calendar year:

Unlike most other U.S. state privacy laws, the KCDPA does not set a monetary (revenue) threshold for applicability.

What Are the Consumer Rights Under the KCDPA Law?

The key rights that the residents of Kentucky will enjoy under the Kentucky Consumer Data Protection Act (KCDPA) are as follows:

[Image: Consumer Rights Under the KCDPA Law]

How do you, as a businessperson, ensure that consumers can exercise these rights and that you are KCDPA-compliant? Let’s discuss these questions in detail.

How Businesses Can Comply With Kentucky Law Regulations 

There are certain criteria that businesses need to follow to comply with the Kentucky Consumer Data Protection Act (KCDPA), including:

You should also provide at least two ways for consumers to exercise their privacy rights, such as a data subject access request (DSAR) form, a cookie consent banner, or an actively monitored email address.

It is also advisable to prepare your site for Universal Opt-Out Mechanisms (UOOM), such as Global Privacy Control (GPC), so that users have a verifiable way to opt out and exercise their rights.
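As an added example that is not part of the original article or of the WPLP Compliance Platform’s code, the following Node.js snippet shows how a site can detect the GPC signal on an incoming request and apply it to the visitor’s stored consent record. The header name Sec-GPC, the navigator.globalPrivacyControl property and the /.well-known/gpc.json file come from the GPC specification; the purpose names, the sample consent record and the sample requests are constructed for illustration.

```javascript
// Added example (not from the original article or the WPLP Compliance
// Platform): honouring the Global Privacy Control (GPC) signal server-side.
// Per the GPC specification, a browser with GPC enabled sends the request
// header "Sec-GPC: 1" and exposes navigator.globalPrivacyControl === true to
// page scripts. The purpose names below are an assumption for illustration.

// Returns true only when a valid GPC opt-out signal is present.
// Header lookup is case-insensitive; only the exact value "1" counts, so an
// absent, empty or malformed header is treated as "no signal".
function gpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Purposes that a GPC signal opts the visitor out of: sale/sharing of
// personal data and targeted advertising (assumed purpose names).
const PURPOSES_COVERED_BY_GPC = new Set(['sale', 'targeted_advertising']);

// Combine the visitor's stored consent record with the GPC signal.
// GPC only ever turns purposes OFF: it never grants consent, and it leaves
// purposes it does not cover (e.g. strictly necessary processing) untouched.
// The returned gpcSignalReceived flag is what you log as evidence that the
// opt-out was received and honoured.
function effectivePurposes(consentRecord, headers) {
  const optOut = gpcOptOut(headers);
  const purposes = {};
  for (const [purpose, allowed] of Object.entries(consentRecord)) {
    const suppressed = optOut && PURPOSES_COVERED_BY_GPC.has(purpose);
    purposes[purpose] = Boolean(allowed) && !suppressed;
  }
  return { purposes, gpcSignalReceived: optOut };
}

// Body for /.well-known/gpc.json, the file a site publishes to state that it
// honours GPC. lastUpdate is supplied by the caller (a date placeholder here).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample inputs: one request with GPC enabled, one without.
const sampleConsent = {
  necessary: true,
  analytics: true,
  sale: true,
  targeted_advertising: true,
};
const requestWithGpc = { 'Sec-GPC': '1', 'User-Agent': 'example-browser' };
const requestWithoutGpc = { 'User-Agent': 'example-browser' };

console.log(effectivePurposes(sampleConsent, requestWithGpc));
console.log(effectivePurposes(sampleConsent, requestWithoutGpc));
console.log(gpcWellKnown('2026-01-01'));
```

Log the gpcSignalReceived flag alongside each consent decision; that record is what lets you show later that an opt-out was received and honoured. Because the lookup accepts only the literal value 1, a missing or malformed header is never mistaken for either an opt-in or an opt-out.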

To follow all the criteria mentioned above, you’ll need a compliance platform such as the WPLP Compliance Platform or a similar tool. If you’re a WordPress user, the WPLP Compliance Platform is your ideal choice for creating a privacy policy and a cookie consent banner, and for offering your users a data request form.

With the WPLP Compliance Platform’s privacy policy generator and consent management platform, businesses can easily comply with the KCDPA.

Let’s take a close look at the requirements and how to achieve them.

1. Having a Privacy Policy

Businesses that collect personal data are required to include the following in the privacy policy under Kentucky law regulations:

Although the KCDPA does not mandate where to place your privacy policy, it must be readable by consumers.

To create one for your website, you can use a privacy policy generator from the WPLP Compliance Platform. 

Further, you can create other legal pages like Privacy Policies, Disclaimers, Terms and Conditions, and more within a few minutes.

You need to fill in simple questions about your business, and the platform automatically creates a legal page for you.

See what it looks like below.

[Screenshot: consent check box with privacy policy]

You must have the consumer’s consent before you can process or sell sensitive personal information.

Sensitive personal information includes data that reveals an individual’s religion or racial or ethnic origin, location data, biometric data, and personal information collected from anyone.

Consent must be given clearly and unambiguously. A consumer clicking a pop-up away, or accepting a terms and conditions agreement with the privacy policy hidden inside it, does not count as consent.

Consumers must give explicit consent to a privacy policy (i.e., a tick box to give consent). See below an example of this from the WP Legal Pages Compliance Platform.

Additionally, you can display a cookie consent banner on your website to inform users that you collect and process their personal information.

To add a cookie banner on your website, you can use a consent management tool from the WPLP Compliance Platform.

The Consent Management Platform is a Google-certified WordPress plugin that helps organizations stay compliant with international privacy laws, including GDPR, CCPA, LGPD, Quebec Law 25, and others.  

The plugin ensures that websites collect and manage user consent in a legal and transparent manner. As data privacy legislation requires websites to notify users about their data-processing activities, this plugin is a necessity for ethical data handling.

More importantly, the platform supports the opt-out measures set out in the KCDPA.

Take a look at what it looks like in the screenshot below.

[Screenshot: Privacy Policy Generator for the KCDPA]

3. Conduct a Data Protection Assessment

Data controllers have to carry out a data protection assessment that analyzes the following practices:

The assessment must weigh the benefits those practices offer to the business and to consumers against the risks they pose to consumers, and it must propose steps to minimize or control those risks.

Kentucky Law Penalties and Fines for Non-Compliance

[Image: Fines and Penalties under the Kentucky Consumer Data Protection Act]

The Kentucky Attorney General is the sole enforcement authority under the KCDPA; unlike the CCPA, the KCDPA provides no private right of action.

Businesses are given 30 days to cure a violation before an enforcement action is brought. If the business corrects the violation within that period, no action follows. The law does not set a sunset provision for the cure period.

A single violation can carry a penalty of up to $7,500, and the total fine grows with the number of violations.

FAQ

1. What is the Kentucky Consumer Data Protection Act (KCDPA)?

The KCDPA is a recently enacted Kentucky law that gives individuals privacy rights and protection for their personal data. It helps people learn what data companies collect and why they use it, and it gives individuals the means to opt out or have their data deleted.

2. To Whom Does the KCDPA Law Apply?

It applies to businesses that collect or use personal data sourced from individuals within Kentucky, including any business based outside Kentucky with customers in the state.

3. What are the Penalties for Non-Compliance with the KCDPA Law?

If there is a violation, the law permits a $7,500 penalty for each violation. The Kentucky Attorney General is responsible for taking action against businesses within Kentucky.

4. How Can Businesses Comply With the Kentucky Data Privacy Act?

To comply with the law, a business must disclose the data it collects and allow individuals to view, correct, or delete their information. Businesses must be honest and secure the data they collect, only taking the information that is necessary.

Conclusion

The Kentucky Consumer Data Protection Act (KCDPA) becomes effective on January 1, 2026, so businesses should begin preparing now. 

Complying with the KCDPA sooner rather than later will enable your business to avoid any last-minute chaos and incorporate compliance into your business processes, aligning your business with GDPR and other major privacy laws.

To comply with the KCDPA, businesses must make their privacy policy easily accessible on their website, obtain consent (through opt-in or opt-out) to share the personal data of residents with third parties, and provide transparency regarding their data practices. 

Businesses must also use reasonable cybersecurity practices and conduct regular data impact assessments.

We recommend using the WPLP Compliance Platform as your compliance solution to prepare attorney-drafted privacy policies, automate your consent banners, and become proactive on data privacy laws without the guesswork of which web services or processes comply with the KCDPA.
