Kentucky Data Removal Guide (2026)
Kentucky's Consumer Data Protection Act took effect January 2026. KCDPA closely tracks Virginia's VCDPA template, providing Kentuckians with access, deletion, correction, and opt-out rights.
At a glance
- Comprehensive state privacy law
- Yes, KCDPA
- Broker response deadline
- 45 days from verifiable request
- Enforcement
- Kentucky Office of the Attorney General
- Residents
- 4.5M (approx.)
Kentucky Consumer Data Protection Act (KCDPA)
KCDPA applies to controllers processing data of 100,000+ Kentucky consumers or 25,000+ while selling data. Rights include delete, access, correct, port, and opt-out. Enforcement is exclusive to the AG with a 30-day cure period and civil penalties up to $7,500 per violation. No private right of action.
Read the full KCDPA explainer →Thresholds, penalties, cure period, private right of action, enforcement history.
What rights do Kentucky residents have?
- →Delete, access, correct, port, opt-out
- →AG enforcement only
Where does your data leak from in Kentucky?
Data brokers don’t guess your address — they scrape specific public-record sources. The ones most relevant in Kentucky:
- Kentucky CourtNet
- Jefferson, Fayette County property records
- Kentucky Transportation Cabinet driver records
Ready to remove
Opt out of 500+ brokers for $7
OfflistMe drafts a legally compliant deletion email citing KCDPA for every broker. You send from your own inbox. No account, no ID upload.
Start for $7 →What if a broker ignores your request?
If a broker does not respond within 45 days, file a complaint with the Kentucky Office of the Attorney General. The enforcement authority can assess civil penalties and compel compliance.
File a complaint with Kentucky Office of the Attorney General ↗FAQ: Kentucky data removal
When does Kentucky's cure period sunset?+
The 30-day cure period in KCDPA does not have a statutory sunset date unlike many peer laws. The AG may choose to enforce without cure in egregious cases but typically provides notice and opportunity first.