Kentucky Consumer Data Protection Act
Data last verified: March 23, 2026
- Effective Date
- January 1, 2026
- Enforcement Date
- Not specified in statute
Summary
Kentucky Consumer Data Protection Act provides consumers the right to opt out of profiling for decisions with legal or similarly significant effects, requires data protection assessments, mandates privacy notice disclosure, and requires consent for sensitive data processing. AG exclusive enforcement with 30-day cure period.
Who It Applies To
100K consumers OR 25K consumers + 50% revenue from data sales
- Min Consumers:
- 100,000
Any threshold triggers applicability
Penalties
- Penalty Range
- $0 – $7,500per violation
- Cure Period
- 30-day cure period
- Private Right of Action
- No private right of action
- Enforcement Body
- Kentucky Attorney General
Requirements (4)
- Opt-OutHB15 Section 3(2)(e); Section 1(10)
Consumers have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
- Impact AssessmentHB15 Section 6(1)-(2), (8)
Controllers must conduct data protection impact assessments for processing involving profiling, targeted advertising, sale of personal data, sensitive data, or heightened risk activities.
- DisclosureHB15 Section 4(3); Section 4(4)
Controllers must provide a reasonably accessible, clear, and meaningful privacy notice.
- ConsentHB15 Section 4(1)(e); Section 1(28)
Controllers must obtain consent before processing sensitive data, or comply with COPPA for children's data.
Claire tracks 31 state and local AI laws across 23 US states. No prescriptive federal AI compliance statutes have been enacted. EU AI Act and sector-specific regulations are not covered.
Check if this law applies to your business