What Is the Kentucky Consumer Data Protection Act?
KCDPA applies to controllers processing data of 100,000+ Kentucky consumers or 25,000+ while selling data. Rights include delete, access, correct, port, and opt-out. Enforcement is exclusive to the AG with a 30-day cure period and civil penalties up to $7,500 per violation. No private right of action.
At a glance
- Full name
- Kentucky Consumer Data Protection Act
- Short code
- KCDPA
- Effective date
- January 1, 2026
- Response deadline
- 45 days
- Cure period
- 30 days
- Private right of action
- No
- Enforcement
- Kentucky Office of the Attorney General
- Maximum penalty
- Up to $7,500 per violation under the Kentucky Consumer Protection Act
- Statutory citation
- Ky. Rev. Stat. § 367.3611 et seq.
Who KCDPA applies to
A business is covered if it meets the applicability thresholds set out in Ky. Rev. Stat. § 367.3611 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in Kentucky or targets Kentucky residents, AND
- Controls or processes personal data of 100,000+ Kentucky consumers in a calendar year, OR
- Controls or processes personal data of 25,000+ Kentucky consumers AND derives over 50% of gross revenue from the sale of personal data
Consumer rights under KCDPA
Delete, access, correct, port, opt-out
AG enforcement only
Notable features (vs. CCPA)
KCDPA is a business-friendly post-VCDPA law: it carries a permanent 30-day cure period, excludes employee and B2B data, has AG-exclusive enforcement, and does not mandate universal opt-out mechanism recognition. Kentucky also maintains an explicit exemption for data processed under HIPAA, GLBA, and FCRA, a common but notable overlap-avoidance provision.
Enforcement & penalties
Enforcing agency: Kentucky Office of the Attorney General
Maximum penalty: Up to $7,500 per violation under the Kentucky Consumer Protection Act
Cure period: KCDPA carries a permanent 30-day cure period with no sunset.
Private right of action: KCDPA has no private right of action. Enforcement is exclusive to the Kentucky Office of the Attorney General.
Where to file a complaint: Kentucky Office of the Attorney General
How to exercise your KCDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 500+ known brokers and applies KCDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Kentucky resident (e.g., ZIP code, email associated with your record).
- 3
Under KCDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Kentucky Office of the Attorney General at https://www.ag.ky.gov/Resources/Consumer-Resources.
Use your rights
KCDPA-compliant deletion emails, $7 one-time
OfflistMe drafts KCDPA-compliant deletion emails for $500+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $7 →FAQ
When does Kentucky's cure period sunset?+
The 30-day cure period in KCDPA does not have a statutory sunset date unlike many peer laws. The AG may choose to enforce without cure in egregious cases but typically provides notice and opportunity first.
Official sources & citations
Compare with sibling state laws
KCDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date, useful when tracking how this law influenced or was influenced by neighboring legislation: