The Kentucky state legislature approved Kentucky’s new consumer data protection act, which is now pending the governor’s final approval. Once approved, it is expected to take effect in January 2026.

The new Act joins 14 additional US states that have enacted comprehensive data protection laws in the recent years, the most recent ones that were enacted in 2024 are New Jersey and New Hampshire (read here a comparative guide we published on the key rights and requirements under these other laws).

Scope of Application

The new act applies to any person that conducts business in Kentucky or produces products or services targeted to Kentucky residents, and controls or processes personal data of:

• At least one hundred thousand (100,000) consumers; or
• Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

as opposed to the other US states’ privacy laws, Kentuky’s new act does not include a revenue threshold for applicability.

The act exempts several types of organizations, such as governmental and educational bodies; non-profit organizations; and entities covered either by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.

Additionally, the act exempts a specific type of non-profit organizations that do not provide net earnings to or benefit anyone within the organization entity, and process data solely in connection with assisting law enforcement agencies with suspected insurance-related criminal acts or fraud or assisting first responders.

Also similarly to the other US states privacy laws, the act’s definition of personal data excludes publicly available information, which is defined as information “that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience“.

Controllers Obligations

The data controllers’ obligations pursuant to the act include:

• Limited collection of personal data in accordance with the purpose of processing;
• Implementation of security measures;
• Prohibition of discriminating against consumers (either as prohibited by law or in cases where a consumer exercises their rights under the act);
• Avoidance of processing sensitive personal data or children’s personal data without consent (either from the consumer or from a parent, as applicable); and
• Provision of a clear and accessible privacy notice to consumers.

In addition, all processing of personal data by third-party processors must be governed by a binding agreement, which must include terms governing the processor’s obligations towards the controller.

The act also mandates controllers of personal data to conduct a data protection impact assessment in case processing of personal data is made in conjunction of targeted advertising; selling of personal data; or profiling. Such assessment must be conducted by the controller also in case the processing involves sensitive personal data or when the processing presents a heightened risk of harm to consumers. Kentucky’s Attorney General may request a controller to disclose the assessment conducted.

Consumers Rights

Pursuant to the new act, consumers (data subjects) have several rights they may exercise by submitting a request to the controller. Such rights include the right of access; right of rectification; right of deletion; right of data portability; and the right to opt out from processing the personal data for the purpose of targeted advertising, sale of personal data or profiling.

Consumers have the right to exercise their rights twice a year, and the controller must provide the relevant information free of charge, unless the request is excessive, repetitive, technically infeasible or manifestly unfounded.

The controller must reply to a consumer without undue delay, and in any case no later than 45 days from receiving the request.

Submitting an Appeal

To the extent the controller had rejected the consumer’s request to exercise their right, the consumer will have the right to appeal the decision. The controller must provide a written reasoning to the appeal within sixty 60 days from the date the appeal was submitted.

If the appeal was denied by the controller, the controller shall also provide the consumer with an online method, through which the consumer may contact the Kentucky Attorney General to submit a complaint.

Enforcement

Kentucky’s Attorney General has exclusive enforcement power per the new act. The Attorney General must provide businesses with a 30 day notice-and-cure period, prior to taking any action in response to a violation of the act. The cost of each violation can accrue at a rate of up to USD 7,500.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regimes in Kentucky. Feel free to contact us if you have any questions regarding the new act ‎and its practical implications.