What Is the Kentucky Consumer Data Protection Act?
KCDPA applies to controllers processing data of 100,000+ Kentucky consumers or 25,000+ while selling data. Rights include delete, access, correct, port, and opt-out. Enforcement is exclusive to the AG with a 30-day cure period and civil penalties up to $7,500 per violation. No private right of action.
At a glance
- Full name
- Kentucky Consumer Data Protection Act
- Short code
- KCDPA
- Effective date
- January 1, 2026
- Response deadline
- 45 days
- Cure period
- 30 days
- Private right of action
- No
- Enforcement
- Kentucky Office of the Attorney General
- Maximum penalty
- Up to $7,500 per violation under the Kentucky Consumer Protection Act
- Statutory citation
- Ky. Rev. Stat. § 367.3611 et seq.
Who KCDPA applies to
A business is covered if it meets the applicability thresholds set out in Ky. Rev. Stat. § 367.3611 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in Kentucky or targets Kentucky residents, AND
- Controls or processes personal data of 100,000+ Kentucky consumers in a calendar year, OR
- Controls or processes personal data of 25,000+ Kentucky consumers AND derives over 50% of gross revenue from the sale of personal data
Consumer rights under KCDPA
Delete, access, correct, port, opt-out
AG enforcement only
Notable features (vs. CCPA)
KCDPA is a business-friendly post-VCDPA law: it carries a permanent 30-day cure period, excludes employee and B2B data, has AG-exclusive enforcement, and does not mandate universal opt-out mechanism recognition. Kentucky also maintains an explicit exemption for data processed under HIPAA, GLBA, and FCRA — a common but notable overlap-avoidance provision.
Enforcement & penalties
Enforcing agency: Kentucky Office of the Attorney General
Maximum penalty: Up to $7,500 per violation under the Kentucky Consumer Protection Act
Cure period: KCDPA carries a permanent 30-day cure period with no sunset.
Private right of action: KCDPA has no private right of action. Enforcement is exclusive to the Kentucky Office of the Attorney General.
Where to file a complaint: Kentucky Office of the Attorney General
How to exercise your KCDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies KCDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Kentucky resident (e.g., ZIP code, email associated with your record).
- 3
Under KCDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Kentucky Office of the Attorney General at https://www.ag.ky.gov/Resources/Consumer-Resources.
Use your rights
KCDPA-compliant deletion emails, $5 one-time
OfflistMe drafts KCDPA-compliant deletion emails for 300+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
When does Kentucky's cure period sunset?+
The 30-day cure period in KCDPA does not have a statutory sunset date unlike many peer laws. The AG may choose to enforce without cure in egregious cases but typically provides notice and opportunity first.
Official sources & citations
Compare with sibling state laws
KCDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: