Kentucky Consumer Data Protection Act (KCDPA)
A practical compliance guide for website owners. Learn what Kentucky's privacy law requires and how to implement it on your site.
Who Must Comply
Conducts business in Kentucky or targets Kentucky residents AND controls/processes personal data of 100K+ consumers, OR controls/processes data of 25K+ consumers and derives 50%+ of gross revenue from selling personal data
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Not required |
| Honor GPC browser signals | Recommended |
| Universal opt-out mechanism | Not required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The KCDPA requires the following links or notices to be visible on your website:
- 1Privacy Policy
Enforcement & Penalties
Key Things to Know
Kentucky's privacy law follows the Virginia model closely and is among the more business-friendly state laws. It features a permanent 30-day cure period and standard consumer rights.
Virginia model: Kentucky closely mirrors Virginia's VCDPA in structure and requirements — standard opt-out rights for targeted advertising and data sale, opt-in for sensitive data, and AG-only enforcement.
Business-friendly: With standard 100K/25K+50% thresholds, a permanent cure period, no GPC requirement, and no data minimization provisions, Kentucky is among the lighter state privacy laws.
How to Configure LegalBanner for KCDPA
- 1
Create your site
Sign up for free and add your website domain in the dashboard.
- 2
Set consent mode to "Opt-out"
In Settings, select the consent mode that matches Kentucky's requirements.
- 3
Install the snippet
Add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
- 4
Generate your Privacy Policy
Use the built-in policy wizard to generate a KCDPA-compliant privacy policy.
Set up KCDPA compliance in 5 minutes
LegalBanner handles Kentucky privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
When does the Kentucky KCDPA take effect?
The KCDPA takes effect January 1, 2026. Businesses should begin preparing in advance.
Does Kentucky require a cookie consent banner?
No. Kentucky does not require opt-in cookie consent. You must provide opt-out mechanisms for targeted advertising and sale of personal data.
Does Kentucky require honoring GPC signals?
No. Kentucky does not require honoring GPC or universal opt-out mechanisms.
What are the penalties for KCDPA violations?
Up to $7,500 per violation. The 30-day cure period is permanent and does not sunset.
How does Kentucky compare to other state privacy laws?
Kentucky follows the Virginia model — moderate consumer rights, AG-only enforcement, permanent cure period, no GPC requirement. It is among the more business-friendly state laws.