U.S. Consumer Data Privacy Law Guide: Kentucky

Professionals

Name / Keyword Office Practice Industry Language Show All
Practices

Antitrust and Competition Law

Business and Corporate

Construction

Cross-Border Business

Data Protection, Privacy and Cybersecurity

Emerging Companies

Environment, Social and Governance (ESG)

Environmental, Sustainability, and Product Stewardship

Financial Services

Government Enforcement and Investigations

Government Relations and Public Policy

Health Law

Hospitality

Immigration

Intellectual Property

Labor & Employment

Litigation

Mergers and Acquisitions

Product Liability, Class Action and Mass Tort

Real Estate

Securities

Tax

Technology

Transportation and Logistics
Industries

Automotive

Aviation

Construction

Disaster Recovery and Government Services

Drug, Device and Life Sciences

Education

Energy

Financial Services

Food and Beverage

Gaming

Governmental Entities

Health Care

Hospitality

Manufacturing

Real Estate

Retail

Seniors Housing and Long Term Care

Technology

Telecommunications

Transportation and Logistics
Experience

Featured Case Study
Community Healthcare Trust Incorporated Community Healthcare Trust Incorporated More Case Studies

Search Experience
Keywords Practice Industry
News & Events

Professionals
Practices
Industries
Experience
News & Events
Other Pages

Quick Results

View More Results

U.S. Consumer Data Privacy Law Guide: Kentucky

This state-specific guide covers data privacy law, rules, and regulations that professionals and clients often encounter or have questions about in Kentucky.

Last updated: January 2025

Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.

Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.

The Kentucky Consumer Data Protection Act (Kentucky CDPA)

Effective Date: January 1, 2026

1. Applicability Thresholds:

Subject to certain entity-level and data-level exemptions, the Kentucky CDPA applies to a natural or legal person conducting business in Kentucky or producing products/services that are targeted to residents of Kentucky that during a calendar year, control or process the personal data of:

100,000+ Kentucky consumers; or
25,000+ Kentucky consumers and derive more than 50 percent of revenue from the sale of personal data.

2. Key Definitions:

Sales of Personal Data: Narrowly defined as "the exchange of personal data for monetary consideration by the Controller to a third party" subject to a few exemptions.

3. Business Obligations:

The Kentucky CDPA imposes additional obligations on individuals or legal entities that determine the purpose and means of processing personal information (Controller):

Data Processing Agreement (DPA): Processing activities by a supplier (known as Processor) shall be governed by a DPA between the Controller and Processor.
Data Protection Impact Assessment: Controllers must conduct and document a data protection impact assessment for certain high-risk data processing activities.
Privacy Notice: Yes, a Controller must provide consumers with a privacy notice.

4. Consumer Rights:

Subject to certain exceptions, under the Kentucky CDPA, Kentucky consumers have the right to:

Confirm whether a Controller is processing their personal data and provide access;
Correct inaccuracies in their personal data;
Delete personal data provided by or obtained about the consumer;
Obtain a copy of or summary of personal data that the consumer previously provided to the Controller in a portable and readily usable format; and
Opt-out of targeted advertising, sales of personal data, and "profiling in furtherance of solely automated decisions that produce legal or similarly significant effects."

5. Enforcement and Penalties:

Private Right of Action: None

Penalties: The state attorney general has sole authority to enforce the statute, at a maximum of $7,500 per violation.

U.S. Consumer Data Privacy Law Guides

Key Contact

Vivien F. Peaden, AIGP, CIPP/US, CIPP/E, CIPM, PLS

T: 678.406.8722

Email Professional

Related Practices

Resources

Download PDF version

Have Questions?
Let's Talk!

To contact a Baker Donelson Privacy Professional, click above to email us.

Search By Last Name

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Baker Donelson is a national law firm with more than 650 attorneys and public policy advisors representing more than 30 practice areas to serve a wide range of legal needs. Clients receive knowledgeable guidance from experienced, multi-disciplined industry and client service teams, all seamlessly connected across 24 offices in Alabama, Florida, Georgia, Louisiana, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Texas, Virginia, and Washington, D.C.