Kentucky’s Consumer Data Protection Act (KCDPA) took effect January 1, 2026. For the first time, residents can access, correct, delete, and opt out of the sale of their personal data. Most Kentuckians have no idea this law exists. The data collection it addresses does not care.
What the Law Actually Does
The KCDPA covers companies doing business in Kentucky that process data on 100,000+ consumers, or 25,000+ if more than half their revenue comes from selling data. Your rights under it: confirm processing, access your data, correct it, delete it, get a portable copy, and opt out of targeted ads, data sales, and profiling.
The Attorney General enforces it. Violators get a 30-day cure period before penalties kick in. No private right of action. You cannot sue. Only the state can.
What Has Been Happening With Your Data
Before this law, companies collected and sold your information with zero obligation to stop. Data brokers built profiles on every adult in Kentucky — name, address history, phone numbers, family members, employment, property records, estimated income, all of it. Advertisers, employers, landlords, skip tracers, and government agencies buy this data freely. Some of it is accurate. Some is not. None of it required your consent.
Surveillance in Kentucky
License plate readers. Flock Safety operates across the state. Louisville and Lexington metro areas have the heaviest coverage.
Facial recognition. No statewide restrictions on law enforcement use. Louisville Metro PD has access to facial recognition tools.
No biometric protections. Illinois next door has BIPA — the strongest biometric privacy law in the country, with over $1 billion in settlements. Kentucky has nothing comparable. The KCDPA covers biometric data in general terms only.
What to Do About It
1. Submit deletion requests. Cite the KCDPA by name. Start with Spokeo, BeenVerified, WhitePages, Radaris, TruePeopleSearch, FastPeopleSearch.
2. Audit facial recognition exposure. Search yourself on PimEyes, FaceCheck.ID, Google Lens, Yandex, TinEye. Without BIPA-level protections, you manage this yourself or nobody does.
3. Check vehicle exposure. Use DeFlock.me to map plate readers near you. Opt out of plate lookup sites. Review connected car data sharing settings.
4. Kill ad tracking. iPhone: Settings > Privacy & Security > Tracking > off. Android: Settings > Privacy > Ads > Delete advertising ID.
5. Monitor. Brokers re-acquire your data constantly. One round of opt-outs is not enough. Check quarterly or use ongoing monitoring.
— J. Daniel, Dark Scrub