
Kentucky

Comprehensive Privacy Law

Kentucky has enacted a comprehensive consumer data protection law. The Kentucky Consumer Data Protection Act (KCDPA), also known as House Bill 15, was signed into law by Governor Andy Beshear on April 4, 2024[1][2][3]. This makes Kentucky the 16th state in the United States to pass comprehensive privacy legislation, joining states like Virginia, Colorado, and Connecticut in establishing broad consumer privacy protections[3][4].

The law closely mirrors the Virginia Consumer Data Protection Act and provides Kentucky residents with significant rights over their personal information while establishing clear obligations for businesses that collect and process personal data[1][2][5]. Recent amendments signed in March 2025 have expanded exemptions for healthcare providers and refined certain assessment requirements[6][7].

Legislative Activity

The Kentucky Consumer Data Protection Act passed through the state legislature as House Bill 15 during the 2024 legislative session[8][9]. The bill moved through both houses of the Kentucky legislature before being delivered to Governor Beshear for signature[9][10]. Following its enactment, the legislature passed additional amendments in March 2025 through House Bill 473, which Governor Beshear signed on March 15, 2025[6][7].

These amendments primarily expanded healthcare-related exemptions and made technical adjustments to data protection assessment requirements. The legislative process demonstrates Kentucky’s commitment to balancing consumer privacy protections with practical business considerations and regulatory compliance[6][7].

Implementation Timeline

The Kentucky Consumer Data Protection Act will take effect on January 1, 2026, giving businesses nearly two years from the law’s signing to achieve full compliance[1][2][3][11]. This implementation date aligns Kentucky with Indiana, which has the same effective date for its privacy law[4]. The law’s data protection assessment requirements will specifically apply to processing activities created or generated on or after June 1, 2026[6].

The extended timeline provides businesses with adequate preparation time while ensuring that Kentucky residents will gain comprehensive privacy rights at the start of 2026. Unlike some other state privacy laws, Kentucky’s law includes a permanent 30-day cure period for violations, which means this grace period will not expire after implementation[1][3][12].

Your Rights as a Kentucky Resident

Starting January 1, 2026, the Kentucky Consumer Data Protection Act will grant Kentucky residents comprehensive rights over their personal information. These rights apply to businesses that meet specific thresholds for data processing and provide meaningful control over how your personal data is collected, used, and shared.

  • Right to know what data is collected: You can confirm whether a business is processing your personal data and access that information, unless revealing it would expose trade secrets[2][9][13][14]
  • Right to delete personal information: You can request deletion of personal data provided by you or obtained about you, regardless of how the business acquired it[2][9][13][14]
  • Right to opt out of data sales: You can opt out of having your personal data sold to third parties, as well as opt out of targeted advertising and certain types of automated profiling that produce legally significant effects[2][9][13][14]
  • Right to correct inaccurate data: You can request that businesses correct any inaccuracies in your personal information that they maintain[2][9][13][14]
  • Right to data portability: You can obtain a copy of your personal data in a portable, readily usable format that allows you to transmit it to another business without hindrance[2][9][13][14]
  • Right to non-discrimination: Businesses cannot discriminate against you for exercising any of these privacy rights[2][13]

Businesses must respond to your requests within 45 days, which may be extended by another 45 days for complex requests[13][14].

Business Requirements

The Kentucky Consumer Data Protection Act establishes clear obligations for businesses that collect and process Kentucky residents’ personal information, ensuring transparency and accountability in data handling practices.

  • Companies that must comply: Businesses conducting business in Kentucky or targeting Kentucky residents that either process personal data of at least 100,000 consumers annually, or process data of 25,000 consumers while deriving over 50% of gross revenue from data sales[1][2][9][5]
  • Notice and transparency requirements: Covered businesses must provide clear, accessible privacy notices detailing what personal data they collect, why they collect it, how consumers can exercise their rights, and what third parties receive the data[2][9][12][13]
  • Consumer request procedures: Companies must establish reliable methods for consumers to submit privacy requests, respond within 45 days, and provide appeal processes for denied requests[2][13][14]
  • Data protection assessments: Businesses must conduct and document impact assessments for high-risk processing activities including targeted advertising, data sales, and certain profiling activities[2][9][13][4]
  • Security measures: Controllers must implement reasonable administrative, technical, and physical safeguards to protect personal data confidentiality, integrity, and accessibility[2][9][13]
  • Consent for sensitive data: Companies must obtain explicit consent before processing sensitive personal information such as health data, precise geolocation, religious beliefs, or data from known children[2][9][4][14]

Practical Impact

  • Daily life protection: The law will give you greater control over how businesses use your personal information for advertising, limit unwanted data sharing, and ensure you can correct errors in your personal records held by companies[2][11][13]
  • Violation reporting: If businesses violate your privacy rights, you can file complaints with the Kentucky Attorney General’s Office, which has exclusive enforcement authority and can impose penalties up to $7,500 per violation[2][3][12][15][16]
  • Protection limitations: The law does not provide a private right of action, meaning you cannot directly sue companies for violations – only the Attorney General can bring enforcement actions[3][12][5]. Additionally, the law does not require businesses to honor universal opt-out signals, so you must make individual opt-out requests to each company[1][11][12][5][17]
  • Exempted information: The law does not cover information already protected under federal laws like HIPAA for healthcare data or GLBA for financial information, and excludes nonprofit organizations and higher education institutions[2][7][9][14]

Comparison Context

  • Similar to other states: Kentucky’s law closely follows the Virginia model and provides consumer rights comparable to Colorado, Connecticut, and Utah, including access, deletion, correction, portability, and opt-out rights[1][2][4][5]
  • Notable differences: Unlike California, Colorado, Connecticut, and several other states, Kentucky does not require businesses to recognize universal opt-out mechanisms like Global Privacy Control, requiring individual opt-out requests instead[1][11][12][5][17]
  • Enforcement approach: Kentucky maintains a permanent 30-day cure period for violations, while many other states have sunset clauses that eliminate cure periods after businesses have had time to comply[1][3][12]
  • Business thresholds: Kentucky’s applicability thresholds are standard among state privacy laws, requiring businesses to process data for a minimum number of consumers or derive significant revenue from data processing activities[4][14]

Action Steps for Residents

  • Prepare for 2026: Start reviewing privacy policies of businesses you interact with and identify which companies likely fall under the law’s requirements based on their size and data practices
  • Document your preferences: Keep records of what personal information you want to control, which companies you want to opt out from for advertising or data sales, and any data accuracy issues you’ve noticed
  • Understand your rights: Familiarize yourself with the specific rights you’ll have under the law and the procedures for exercising them, including potential appeal processes if companies deny your requests[2][9][13][14]
  • Stay informed: Monitor updates from the Kentucky Attorney General’s Office about enforcement guidelines and consumer education resources as the implementation date approaches[15][16]
  • Contact legislators: Reach out to your state representatives if you have concerns about the law’s provisions or want to advocate for stronger privacy protections, such as universal opt-out signal recognition[18][19]

Official Resources and Contact Information

Kentucky Legislature

For questions about privacy legislation or to contact your representatives about privacy issues, you can reach the Kentucky Legislative Research Commission at their main number 502-564-8100, or use their toll-free Legislative Message Line at 1-800-372-7181 to leave messages for your legislators[18]. Their address is 700 Capital Avenue, Frankfort, KY 40601.

To find your specific state legislators by district, use the official legislator lookup tool at https://apps.legislature.ky.gov/findyourlegislator/findyourlegislator.html[19]. You can also contact the Legislative Research Commission through their general contact form for questions about privacy legislation.

Kentucky Attorney General – Privacy Law Enforcement

The Kentucky Attorney General has exclusive authority to enforce the Consumer Data Protection Act and handle privacy violations. You can contact the Attorney General’s Office at their main switchboard: 502-696-5300, or reach the Consumer Protection division directly at 502-696-5389[15][16]. For consumer protection issues, there’s also a toll-free hotline at 888-432-9257[15].

The main office is located at Kentucky State Capitol, 700 Capital Avenue, Suite 118, Frankfort, Kentucky 40601-3449[15][16]. You can also submit general correspondence through their online contact form at https://ag.ky.gov/Contact-Us/Pages/default.aspx[16]. The Attorney General maintains several field offices throughout Kentucky for regional assistance[15].

Additional Legislative Information

For specific information about the Kentucky Consumer Data Protection Act (House Bill 15), you can review the official legislative record at https://apps.legislature.ky.gov/record/24rs/hb15.html[8]. This provides the complete text of the enacted law and legislative history.

General questions about Kentucky government services and legislative processes can be directed to the Legislative Research Commission’s contact form or main office. Remember that while the Attorney General’s office welcomes correspondence about privacy issues, they cannot provide private legal advice or representation to individual consumers[16].

Sources and Citations

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.
