Kentucky Privacy & Security Compliance Guide
🚨 Kentucky Consumer Data Protection Act (KCDPA) - Effective January 1, 2026 (ACTIVE)
ACTIVE ENFORCEMENT - Upgraded from breach notification to a comprehensive privacy law. Covers businesses processing data of 100,000+ Kentucky consumers, or 25,000+ with revenue from data sales.
🚨 KENTUCKY: COMPREHENSIVE PRIVACY LAW ACTIVE JAN 1, 2026
MAJOR UPDATE: Kentucky Consumer Data Protection Act (KCDPA) took effect January 1, 2026, dramatically expanding privacy obligations beyond breach notification.
Who Must Comply:
• Businesses conducting business in Kentucky or targeting residents
• Processing data of 100,000+ Kentucky consumers per year
• OR 25,000+ consumers with revenue from data sales
• Applies to out-of-state businesses selling to Kentuckians
New KCDPA Requirements (Beyond Breach Notification):
• Consumer Rights: Access, deletion, correction, data portability, opt-out of sales/targeted advertising
• Privacy Policy Mandates: Clear disclosure of data practices
• Sensitive Data Consent: Opt-in required for health, biometric, genetic data
• Data Protection Assessments: Required for high-risk processing activities
• 30-Day Cure Period: Attorney General provides cure window for violations
Bourbon Industry Data Implications:
• Distillery tour and tasting databases
• Bourbon club membership information
• Recipe and production data (trade secrets)
• Distribution and retailer customer data
Automotive Manufacturing: Toyota and Ford plants processing employee data, production metrics, and supply chain information now face comprehensive privacy requirements beyond the previous breach-only obligations.
Healthcare Networks: Baptist Health and Norton Healthcare, which process patient data across rural communities, must implement KCDPA consumer rights (access, deletion) in addition to existing HIPAA requirements.
Enforcement Readiness: Kentucky AG announced KCDPA enforcement priorities for 2026: data brokers, health apps, social media platforms. Early enforcement actions expected Q1-Q2 2026. Businesses with privacy policies and opt-out mechanisms will be prioritized for cure periods; obvious violators face immediate penalties.
Kentucky by the Numbers
- Population: 4.5 million
- Businesses Affected: 105,000+
- Recent Data Breaches: 61
- Per Violation Fine: $7,500
Who Must Comply in Kentucky?
The Kentucky Consumer Data Protection Act (KCDPA) applies to businesses that:
- Process personal data of Kentucky residents
- Meet revenue or data volume thresholds
- Sell products/services to Kentucky consumers
- Have physical or digital presence in Kentucky
Kentucky-Specific Requirements
The KCDPA, effective Jan 1, 2026, dramatically expands Kentucky privacy protections beyond the previous breach-only law. It includes consumer rights, sensitive data consent, data protection assessments, and opt-out mechanisms, with a 30-day cure for first violations.
Recent Kentucky Privacy & Security Cases
Baptist Health breach (2024) - 150,000+ patients
University of Kentucky hack (2023) - Research data
Toyota manufacturing incident (2024)
KCDPA enforcement beginning Q1 2026 - Focus on data brokers, health apps
Major Kentucky Business Centers
Key cities where privacy compliance is critical for business success:
- Louisville
- Lexington
- Bowling Green
- Owensboro
- Covington