Dave Hatter

Written by Dave Hatter, a Cybersecurity Consultant at Intrust IT. He has also served as the Mayor of Fort Wright since 2015.

Organizations of all sizes collect and store more information than ever before, and in today’s digital economy, personal data is often as valuable as currency. The Kentucky Attorney General’s office defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” excluding deidentified or publicly available records. Hackers and criminals understand this value and aggressively pursue it, one reason data breaches continue to rise. In 2024 alone, the Identity Theft Resource Center reported 3,158 known data compromises, exposing millions of individuals and businesses to risk.
Chances are every person reading this has received at least one data breach notification—likely several. Many of us have even received notices from companies we never knowingly did business with. That’s because personal data is routinely bought and sold by data brokers, often without our knowledge or consent. Until recently, this practice was entirely legal. With no federal data privacy law—and no Kentucky law until now—there was little incentive for companies to safeguard consumer data and few consequences when it was exposed.
That changed with the passage of the Kentucky Consumer Data Protection Act (KCDPA) in 2024, which took effect January 1, 2026. The law represents a meaningful step toward protecting the privacy of Kentucky residents, making the Commonwealth one of 19 states to enact comprehensive data privacy legislation. Modeled after Virginia’s Consumer Data Protection Act, the KCDPA establishes clear rights for consumers while imposing new responsibilities on organizations that collect, use, and sell personal data.
The law applies to businesses operating in Kentucky or targeting Kentucky residents that process data for at least 100,000 consumers annually, or 25,000 consumers if more than half of their revenue comes from selling personal data. Certain entities are exempt, including government agencies, nonprofits, higher education institutions, and organizations already regulated under federal laws such as HIPAA or the Gramm-Leach-Bliley Act.
At its core, the KCDPA shifts power back to consumers. While it is not a cure-all for every privacy concern, it provides a strong foundation—educating individuals about their rights, encouraging more ethical data practices, and pushing organizations to prioritize cybersecurity. Several consumer benefits stand out.
The Right to Know and Access Your Data
Under the KCDPA, consumers can confirm whether a company is processing their personal data and request access to it. Personal data includes identifiers such as name and email address, as well as browsing history, geolocation, and inferences drawn from behavior. For example, a fitness app may be compiling detailed health profiles from hiking or activity data, or an online retailer might infer income or lifestyle habits based on past purchases.
Consumers can now submit a request to a data “controller” to disclose what information it holds. Companies must respond within 45 days, free of charge (up to two requests per year). This transparency helps individuals understand how their data is being used, identify inaccuracies, and spot unnecessary or excessive collection. Importantly, organizations are also required to limit data collection to what is adequate, relevant, and reasonably necessary for disclosed purposes—moving away from blanket permissions buried in fine print.
Opting Out of Data Sales, Targeted Advertising, and Profiling
One of the most impactful provisions of the KCDPA is the right to opt out of the sale of personal data, targeted advertising, and certain forms of automated profiling. “Sale” includes exchanging data for monetary or other valuable consideration—a common practice in digital advertising. Consumers can now request that companies stop monetizing their information or using it to deliver hyper-targeted ads.
Profiling, which includes automated decisions that may significantly affect individuals—such as employment, credit, or insurance decisions—can also be restricted. For especially sensitive data, including biometric information, precise geolocation, health details, or data related to race or religion, companies must obtain explicit consumer consent before processing. These protections reduce the commodification of everyday life and help prevent discriminatory or harmful outcomes.
Correcting, Deleting, and Porting Data
The KCDPA also gives consumers the right to correct inaccurate personal data and request its deletion, subject to certain legal obligations such as tax or recordkeeping requirements. This is particularly important in an era where flawed data can lead to serious consequences, from denied loans to inflated insurance rates.
Deletion—often referred to as the “right to be forgotten”—reduces long-term exposure by limiting how much personal information remains stored in systems vulnerable to breaches. The law also provides for data portability, allowing consumers to obtain their information in a usable format and transfer it to another service if desired.
Stronger Security and Business Accountability
While consumer-facing rights are central, the KCDPA also improves data security behind the scenes. Businesses must implement reasonable administrative, technical, and physical safeguards appropriate to the data they process. Third-party processors are bound by contracts requiring compliance, reducing the risk of mishandling by vendors or subcontractors.
Enforcement rests with the Kentucky Attorney General, with penalties of up to $7,500 per violation and a 30-day cure period for first offenses. Although the law does not allow individuals to sue directly, it strikes a balance between accountability and avoiding excessive litigation. Importantly, companies are prohibited from discriminating against consumers for exercising their privacy rights.
A Pragmatic First Step
The KCDPA is not perfect. Unlike California’s law, it lacks a private right of action and does not cover employee data. Critics argue it could go further. Still, its moderate approach avoids burdens that could deter businesses while aligning Kentucky with neighboring states, promoting regional consistency.
Most importantly, the KCDPA empowers consumers and builds awareness. As Kentuckians begin exercising these rights, the law lays the groundwork for stronger protections, and potentially future federal action.
Conclusion
The KCDPA sends a clear message: privacy matters. By giving consumers the right to access, correct, delete, and control their personal data, it restores balance in an increasingly data-driven world. As 2026 unfolds, Kentuckians should take advantage of these new tools and stay informed. Visit the Kentucky Office of Data Privacy at the Attorney General’s website for more information.
Dave Hatter is an award-winning technology leader with over 30 years of software engineering and cybersecurity experience and works as a Cybersecurity Consultant at Intrust IT. He has also served as the Mayor of Fort Wright, Kentucky since 2015.
