Kentucky Consumer Privacy Protection Act (KPPA)

Kentucky Consumer Privacy Protection Act (KPPA) compliance. Effective January 1, 2026. Covers consumer rights, controller thresholds at 100,000 consumers, sensitive data processing consent, cure period provisions, and AG enforcement framework.

  • ID: us.data-protection.kentucky-kppa
  • Version: 0.1.0
  • License: Apache-2.0
  • Author: mukul975
  • Language: en
  • Added: 2026-06-01

Overview

The Kentucky Consumer Privacy Protection Act (KPPA), codified as KRS §367.401 through §367.445, was signed into law on April 4, 2024 (HB 15) and becomes effective January 1, 2026. Kentucky follows the Virginia/Connecticut model: five consumer rights, a controller-processor framework, opt-in consent for sensitive data, and enforcement by the Attorney General only.

Applicability (§367.405)

The KPPA applies to persons that conduct business in Kentucky or produce products or services targeted to Kentucky residents AND that, during a calendar year:

  1. Control or process personal data of at least 100,000 Kentucky consumers; OR
  2. Control or process personal data of at least 25,000 Kentucky consumers AND derive more than 50% of gross revenue from the sale of personal data.

Exemptions (§367.407):

  • State and local government entities
  • GLBA-covered financial institutions (entity-level)
  • HIPAA covered entities and business associates (entity-level)
  • Nonprofit organizations
  • Institutions of higher education
  • Covered entities under FERPA
  • Data governed by GLBA, HIPAA, FERPA, FCRA, DPPA, COPPA, Farm Credit Act

Liberty Commerce Inc. Assessment: Liberty Commerce Inc. processes personal data of approximately 68,000 Kentucky consumers. It does not meet either threshold, but it continues to monitor its consumer counts as the law becomes effective on January 1, 2026.

Consumer Rights (§367.415)

Five Consumer Rights

  1. Right to Access (§367.415(1)(a)): Confirm processing and access personal data
  2. Right to Correct (§367.415(1)(b)): Correct inaccuracies
  3. Right to Delete (§367.415(1)(c)): Delete personal data
  4. Right to Portability (§367.415(1)(d)): Obtain data in portable format
  5. Right to Opt Out (§367.415(1)(e)):
    • Targeted advertising
    • Sale of personal data
    • Profiling in furtherance of decisions producing legal or similarly significant effects

Response Requirements (§367.417)

  • Respond within 45 days
  • Extension: up to 45 additional days (90 total) with notice
  • At least one free response per 12 months per right
  • Appeal: controller must respond within 60 days

Sensitive Data (§367.401(27), §367.413(5))

Categories

  1. Racial or ethnic origin
  2. Religious beliefs
  3. Mental or physical health diagnosis
  4. Sexual orientation
  5. Citizenship or immigration status
  6. Genetic or biometric data for identification
  7. Personal data of a known child
  8. Precise geolocation data

Consent Requirement

Sensitive data may be processed only after the consumer has given opt-in consent. The KPPA follows the Virginia model, which requires affirmative, freely given consent.

Controller Obligations (§367.413)

  1. Purpose limitation: Adequate, relevant, and reasonably necessary
  2. Data minimization: Not excessive relative to purposes
  3. Data security: Appropriate technical and organizational measures
  4. Non-discrimination: No processing in violation of antidiscrimination laws
  5. Sensitive data consent: Opt-in before processing
  6. Transparency: Clear and reasonably accessible privacy notice

Privacy Notice Requirements (§367.413(2))

  • Categories of personal data processed
  • Purposes for processing each category
  • Consumer rights and how to exercise them
  • Categories of data shared with third parties
  • Categories of third parties
  • Active email or online contact mechanism

Data Protection Assessments (§367.419)

Required for:

  • Targeted advertising
  • Sale of personal data
  • Profiling with significant effects
  • Sensitive data processing
  • High-risk processing activities

DPIAs must be made available to the AG upon request.

Processor Requirements (§367.421)

Processing must be governed by a contract that includes:

  • Instructions for processing
  • Nature, purpose, and duration
  • Type of data and categories of consumers
  • Controller and processor rights and obligations
  • Confidentiality duty for persons processing data
  • Return or deletion upon end of services
  • Cooperation with compliance assessments
  • Sub-processor contract requirements with equivalent protections

Enforcement (§367.435)

Attorney General Authority

  • Exclusive enforcement — no private right of action
  • Enforcement under KRS §367.990 (Kentucky Consumer Protection Act)

Cure Period (§367.437)

  • AG must provide written notice of alleged violation
  • Controller has 30 days to cure
  • If cured and express written statement provided: AG may not bring action
  • No sunset provision — 30-day cure period is permanent

Penalties

  • Civil penalties up to $7,500 per violation
  • Injunctive relief
  • Costs and attorney fees

Implementation Timeline

Milestone                   | Date                       | Action
Law enacted                 | April 4, 2024              | HB 15 signed by Governor
Compliance planning         | April 2024 - December 2025 | Gap analysis, privacy notice updates, consent mechanisms
Data protection assessments | July - December 2025       | Complete DPIAs for applicable processing activities
Technical implementation    | September - December 2025  | Deploy consumer rights portal, opt-out mechanisms
Staff training              | November - December 2025   | Train privacy team and customer service
Effective date              | January 1, 2026            | Full compliance required

Key Regulatory References

  • KRS §367.401 through §367.445 (KPPA)
  • KRS §367.990 (Kentucky Consumer Protection Act — enforcement penalties)
  • KRS §365.732 (Kentucky Data Breach Notification)
