Kentucky Privacy Law (HB 15): New 2026 Law for Online Businesses

Kentucky's Consumer Data Protection Act took effect January 1, 2026. Here's what it requires and how it compares to other state privacy laws.

2026-03-05

Kentucky House Bill 15 — the Kentucky Consumer Data Protection Act — took effect on January 1, 2026. Like Indiana's law, it follows Virginia's VCDPA template closely, but Kentucky has some nuances worth understanding.

Who Does Kentucky's Law Apply To?

The law applies to businesses that conduct business in Kentucky or target Kentucky residents and meet either threshold:

  • Control or process personal data of at least 100,000 Kentucky consumers per year, OR
  • Control or process personal data of at least 25,000 Kentucky consumers and derive more than 50% of gross revenue from selling personal data

Government entities, nonprofits, higher education institutions, and entities covered by HIPAA or GLBA are exempt.

Consumer Rights

Kentucky consumers can:

  • Access their personal data
  • Correct inaccurate data
  • Delete their personal data
  • Obtain a copy of their personal data in a portable format (data portability)
  • Opt out of sale of personal data, targeted advertising, and profiling

You must respond within 45 days, with a possible 45-day extension if you notify the consumer of the reason.

Key Requirements

Privacy Notice

Your privacy policy must include:

  • Categories of personal data processed
  • Purposes for processing
  • How consumers can exercise their rights and appeal decisions
  • Categories of third parties you share data with
  • Whether you sell personal data or use it for targeted advertising

Sensitive Data

Opt-in consent is required before processing any of the following:

  • Racial or ethnic origin
  • Religious beliefs
  • Health diagnosis or condition
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Children's data (under 13)
  • Precise geolocation

Data Protection Assessments

Data protection assessments are required for activities that present a heightened risk of harm:

  • Targeted advertising
  • Sale of personal data
  • Profiling
  • Processing sensitive data

Enforcement

The law is enforced exclusively by the Kentucky Attorney General; there is no private right of action. Kentucky includes a 30-day cure period that does not expire, similar to Indiana.

Violations are treated as violations of Kentucky's Consumer Protection Act, with penalties that can be significant depending on the scope of the violation.

How Kentucky Compares

| Feature | Kentucky | Virginia | Indiana |
|---|---|---|---|
| Effective date | Jan 1, 2026 | Jan 1, 2023 | Jan 1, 2026 |
| Consumer threshold | 100K or 25K + revenue | 100K or 25K + revenue | 100K or 25K + revenue |
| Cure period | 30 days (permanent) | Expired Jan 2025 | 30 days (permanent) |
| Sensitive data consent | Opt-in | Opt-in | Opt-in |
| GPC required | No | No | No |
| Private lawsuits | No | No | No |

Kentucky Compliance Checklist

  • Privacy policy with all required disclosures
  • Cookie consent banner with opt-out for tracking cookies
  • Consumer request process — 45-day response window
  • Sensitive data consent — opt-in before processing
  • Data protection assessments for high-risk processing
  • Appeal mechanism for denied consumer requests

Check Your Compliance

ClearConsent scans your site against all 19 US state privacy laws including Kentucky's new law. See exactly what's missing in under 60 seconds.

Scan your site free — no signup required.
