Kentucky’s New Privacy Law: What Every Kentuckian Needs to Know
Kentucky’s Consumer Data Protection Act (KCDPA) went into effect on January 1, 2026. For the first time, it gives residents the right to access, correct, and delete their personal data and to opt out of its sale.
If you live in Kentucky and you’ve never heard of the KCDPA, you’re not alone. But the law applies whether you know about it or not — and more importantly, so does the data collection it’s designed to address.
What the KCDPA Gives You
The law applies to companies that conduct business in Kentucky or target Kentucky residents and that process the personal data of at least 100,000 consumers, or 25,000 consumers if they derive more than 50% of revenue from data sales.
Your rights: confirm whether a company is processing your data, access it, correct inaccuracies, delete it, obtain a portable copy, and opt out of targeted advertising, data sales, and profiling.
The Kentucky Attorney General enforces the law with a 30-day cure period for violations.
What’s Been Happening With Your Data
Before this law, companies collected and sold your personal information with no legal obligation to stop if you asked. Data brokers have compiled detailed profiles on virtually every adult in Kentucky — your name, address history, phone numbers, email addresses, family members, employment, property records, vehicle information, estimated income, and more.
This information is available to anyone willing to pay for it. Advertisers, employers, landlords, skip tracers, private investigators, and government agencies all purchase data broker information. Some of it is accurate. Some of it isn’t. All of it is available without your consent.
The Surveillance Landscape
License plate readers. Kentucky communities have deployed automated license plate readers, and Flock Safety operates in the state. Louisville and Lexington metro areas have the heaviest coverage.
Facial recognition. There are no statewide restrictions on law enforcement use of facial recognition in Kentucky. Louisville Metro Police Department has access to facial recognition tools.
No biometric protections. Unlike neighboring Illinois, which has the strongest biometric privacy law in the country (BIPA), Kentucky has no specific protections for biometric data like faceprints, fingerprints, or voiceprints beyond what the KCDPA covers generally.
What Kentucky Residents Should Do
Step 1: Use your new rights. Submit deletion requests to data brokers and cite the Kentucky Consumer Data Protection Act. Start with the major brokers: Spokeo, BeenVerified, WhitePages, Radaris, TruePeopleSearch, FastPeopleSearch.
Step 2: Run a facial recognition audit. Search yourself on PimEyes, FaceCheck.ID, Google Lens, Yandex, and TinEye. Without Illinois-style BIPA protections, Kentucky residents need to be proactive about managing their biometric exposure.
Step 3: Check your vehicle exposure. Use DeFlock.me to map license plate readers. Check plate lookup sites and opt out. Review connected car data sharing.
Step 4: Disable ad tracking. On iPhone: Settings > Privacy & Security > Tracking > toggle off. On Android: Settings > Privacy > Ads > Delete advertising ID.
Step 5: Harden social media. Set profiles to private, disable face tagging, remove tagged photos, disconnect linked accounts, and strip EXIF data from photos.
Step 6: Monitor regularly. Data brokers re-acquire your information constantly. Check quarterly or set up ongoing monitoring.
The Illinois Comparison
If you live in Kentucky, you’re one state away from the strongest biometric privacy protections in America. Illinois’s BIPA lets individuals sue companies that collect biometric data without consent — and has produced settlements totaling over $1 billion.
Kentucky’s KCDPA doesn’t include a private right of action or specific biometric protections. But it does give you deletion rights that didn’t exist before. Use them.
Dark Scrub is a privacy consulting service that specializes in data broker removal, facial recognition countermeasures, vehicle privacy auditing, and digital privacy consulting. Learn more at darkscrub.com.
Dark Scrub handles data broker removal citing the KCDPA and 19 other state privacy laws, facial recognition audits, and ongoing monitoring — all verified by a human operator. Starting at $99.