Kentucky
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
Kentucky's KCDPA gives you the right to opt out of data brokers.
What the KCDPA does for you
As a Kentucky resident, you have real privacy rights under the KCDPA. You can ask companies to show you your personal data, correct mistakes, delete your information, or get a copy you can take elsewhere. You can also opt out of your data being sold, used for targeted advertising, or used in automated decisions that significantly affect your life. These rights take effect January 1, 2026.
Your rights under the KCDPA
Right to Know
You have the right to ask a company whether it is processing your personal data and to see what data it holds about you. The company must respond within 45 days.
Exceptions: Does not apply if confirming or providing access would require the business to reveal a trade secret; Does not apply to de-identified data or publicly available information; Does not apply to data protected by attorney-client privilege.
Source: Section 3(2)(a) of HB 15 (KRS Chapter 367)
Right to Delete
You have the right to ask a company to delete personal data it collected from you or about you. The company must honor verified deletion requests.
Exceptions: Does not apply to data the company is legally required to retain; Does not apply if compliance would violate an evidentiary privilege; Does not apply to data needed to complete a transaction you requested; Does not apply to data used for public health, research, or security purposes as listed in Section 8.
Source: Section 3(2)(c) of HB 15 (KRS Chapter 367)
Right to Correct
You have the right to ask a company to fix inaccurate personal data it holds about you. The company must take into account the nature of the data and why it is being processed.
Exceptions: Does not apply to de-identified or publicly available information.
Source: Section 3(2)(b) of HB 15 (KRS Chapter 367)
Right to Opt Out of Sales
You have the right to tell a company to stop selling your personal data to third parties for money. The company must honor your opt-out request.
Exceptions: Does not apply to data transferred as part of a merger or acquisition; Does not apply to sharing data with processors acting on the company's behalf; Does not apply to sharing data to provide a product or service you requested.
Source: Section 3(2)(e) of HB 15 (KRS Chapter 367)
Right to Opt Out of Processing
You have the right to opt out of your personal data being used for targeted advertising — ads chosen based on your activity across different websites and apps over time.
Exceptions: Does not apply to ads based on activity within the same company's own websites or apps; Does not apply to ads based on your current search query or website visit; Does not apply to ads shown in response to your own request for information.
Source: Section 3(2)(e) of HB 15 (KRS Chapter 367)
Right to Opt Out of Automated Decisions
You have the right to opt out of automated profiling when it is used to make significant decisions about you — such as decisions about credit, housing, insurance, employment, education, or health care.
Exceptions: Only covers profiling in furtherance of decisions that produce legal or similarly significant effects; Does not restrict processing for fraud prevention, security, or legal compliance.
Source: Section 3(2)(e) of HB 15 (KRS Chapter 367)
Right to Data Portability
You have the right to receive a copy of personal data you previously gave to a company in a portable, usable format, so you can transfer it to another company. This right applies where the processing was done by automated means.
Exceptions: Does not require the company to reveal trade secrets; Only applies to data you previously provided to the controller; Only applies where processing is carried out by automated means.
Source: Section 3(2)(d) of HB 15 (KRS Chapter 367)
Right to Non-Discrimination
Companies cannot penalize you for exercising your privacy rights. They cannot deny you goods or services, charge you different prices, or give you a lower quality of service just because you made a privacy request.
Exceptions: A company is not required to provide a service that depends on data you asked it to delete; A company may offer different prices or features tied to a voluntary loyalty or rewards program.
Source: Section 4(1)(d) of HB 15 (KRS Chapter 367)
Right to Limit Sensitive Data
Companies must get your consent before processing sensitive data about you — including data about your race, religion, health, sexual orientation, immigration status, genetic or biometric data, precise location, or data collected from children.
Exceptions: Processing of sensitive data collected from children must comply with COPPA instead of requiring separate consent; Does not apply to HIPAA-covered health entities or data already exempt under Section 2.
Source: Section 4(1)(e) of HB 15 (KRS Chapter 367)
How to exercise your rights
- See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
- Submit a KCDPA deletion or opt-out request. Covered businesses have 45 days to respond (Section 3(3)(a), (d) of HB 15 (KRS Chapter 367)), with up to 45 additional days if they invoke the extension provision.
- Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →
Authorized agents
The KCDPA does not mention authorized agents (Ky. Rev. Stat. Ann. § 367.600 et seq.). This means data brokers are not required to honor privacy requests submitted by someone other than you personally. Optery can help you submit requests directly — we prepare everything for you; you hit send.
Enforcement and penalties
The KCDPA is enforced by Kentucky Attorney General. The Kentucky Attorney General is the only one who can enforce this law — you cannot sue a company yourself. Before filing a lawsuit, the AG must give businesses 30 days' written notice to fix the problem. If the business doesn't correct the violation, the AG can seek up to $7,500 per violation. Civil penalties go into a dedicated consumer privacy fund used to further enforce the law.
Who does the KCDPA apply to?
The KCDPA applies to businesses that do business in Kentucky (or target Kentucky residents) and either: (1) handle personal data of 100,000 or more Kentucky consumers per year, or (2) handle data of at least 25,000 consumers and make more than 50% of their gross revenue from selling personal data. Nonprofits, government agencies, financial institutions covered by the Gramm-Leach-Bliley Act, HIPAA-covered health entities, institutions of higher education, and certain small utilities are not covered.
Frequently asked questions
When does the Kentucky Consumer Data Protection Act take effect?
The KCDPA takes effect on January 1, 2026 (Section 12 of HB 15). This means businesses have until that date to comply, and you will be able to exercise your rights starting on that date.
Which companies does the KCDPA actually cover?
The law applies to businesses that operate in Kentucky or target Kentucky residents and either process personal data of at least 100,000 Kentucky consumers per year, or process data of at least 25,000 consumers and earn more than 50% of gross revenue from selling that data (Section 2(1) of HB 15). Nonprofits, government bodies, HIPAA-covered health entities, financial institutions under Gramm-Leach-Bliley, and institutions of higher education are all excluded (Section 2(2) of HB 15).
How long does a company have to respond to my privacy request?
A company must respond to your request within 45 days of receiving it (Section 3(3)(a) of HB 15). If needed, they can extend that deadline by another 45 days, but they must notify you of the extension and the reason within the first 45-day window.
Can I sue a company that violates my privacy rights under this law?
No — the KCDPA does not give you a private right to sue (Section 9(4) of HB 15). Only the Kentucky Attorney General can bring legal action against companies that violate the law. If you believe your rights have been violated, you can submit a complaint to the Attorney General's office.
What happens if a company violates the law?
Before the Attorney General can sue, the company must be given 30 days' written notice and a chance to fix the problem (Section 9(2) of HB 15). If the company doesn't correct the violation within that window, the AG can seek penalties of up to $7,500 per violation (Section 9(3) of HB 15). Those fines go into a dedicated consumer privacy fund used to enforce the law.