---
name: kentucky-kppa
title: Kentucky Consumer Privacy Protection Act (KPPA)
description: Kentucky Consumer Privacy Protection Act (KPPA) compliance. Effective January 1, 2026. Covers consumer rights, controller thresholds at 100,000 consumers, sensitive data processing consent, cure period provisions, and AG enforcement framework.
author: mukul975
author_url: https://github.com/mukul975/Privacy-Data-Protection-Skills/tree/main/skills/privacy/kentucky-kppa
license: Apache-2.0
version: 0.1.0
execution_mode: open
jurisdiction: us
practice: data-protection
language: en
---

# Kentucky Consumer Privacy Protection Act (KPPA)

## Overview

The Kentucky Consumer Privacy Protection Act (KPPA), codified as KRS §367.401 through §367.445, was signed into law on April 4, 2024 (HB 15), and becomes effective **January 1, 2026**. Kentucky follows the Virginia/Connecticut model with five consumer rights, controller-processor framework, sensitive data opt-in consent, and AG-only enforcement.

## Applicability (§367.405)

The KPPA applies to persons that conduct business in Kentucky or produce products or services targeted to Kentucky residents AND during a calendar year:

1. Control or process personal data of at least **100,000** Kentucky consumers; OR
2. Control or process personal data of at least 25,000 Kentucky consumers AND derive more than **50%** of gross revenue from the sale of personal data.

**Exemptions (§367.407):**
- State and local government entities
- GLBA-covered financial institutions (entity-level)
- HIPAA covered entities and business associates (entity-level)
- Nonprofit organizations
- Institutions of higher education
- Covered entities under FERPA
- Data governed by GLBA, HIPAA, FERPA, FCRA, DPPA, COPPA, Farm Credit Act

**Liberty Commerce Inc. Assessment:**
Liberty Commerce Inc. processes personal data of approximately 68,000 Kentucky consumers. It does not meet either threshold but monitors as the law becomes effective January 1, 2026.

## Consumer Rights (§367.415)

### Five Consumer Rights

1. **Right to Access** (§367.415(1)(a)): Confirm processing and access personal data
2. **Right to Correct** (§367.415(1)(b)): Correct inaccuracies
3. **Right to Delete** (§367.415(1)(c)): Delete personal data
4. **Right to Portability** (§367.415(1)(d)): Obtain data in portable format
5. **Right to Opt Out** (§367.415(1)(e)):
   - Targeted advertising
   - Sale of personal data
   - Profiling in furtherance of decisions producing legal or similarly significant effects

### Response Requirements (§367.417)
- Respond within 45 days
- Extension: up to 45 additional days (90 total) with notice
- At least one free response per 12 months per right
- Appeal: controller must respond within 60 days

## Sensitive Data (§367.401(27), §367.413(5))

### Categories
1. Racial or ethnic origin
2. Religious beliefs
3. Mental or physical health diagnosis
4. Sexual orientation
5. Citizenship or immigration status
6. Genetic or biometric data for identification
7. Personal data of a known child
8. Precise geolocation data

### Consent Requirement
Processing requires opt-in consent before processing. The KPPA follows the Virginia model requiring affirmative, freely given consent.

## Controller Obligations (§367.413)

1. **Purpose limitation**: Adequate, relevant, and reasonably necessary
2. **Data minimization**: Not excessive relative to purposes
3. **Data security**: Appropriate technical and organizational measures
4. **Non-discrimination**: No processing in violation of antidiscrimination laws
5. **Sensitive data consent**: Opt-in before processing
6. **Transparency**: Clear and reasonably accessible privacy notice

### Privacy Notice Requirements (§367.413(2))
- Categories of personal data processed
- Purposes for processing each category
- Consumer rights and how to exercise them
- Categories of data shared with third parties
- Categories of third parties
- Active email or online contact mechanism

### Data Protection Assessments (§367.419)
Required for:
- Targeted advertising
- Sale of personal data
- Profiling with significant effects
- Sensitive data processing
- High-risk processing activities

DPIAs must be made available to the AG upon request.

## Processor Requirements (§367.421)

Processing must be governed by a contract that includes:
- Instructions for processing
- Nature, purpose, and duration
- Type of data and categories of consumers
- Controller and processor rights and obligations
- Confidentiality duty for persons processing data
- Return or deletion upon end of services
- Cooperation with compliance assessments
- Sub-processor contract requirements with equivalent protections

## Enforcement (§367.435)

### Attorney General Authority
- Exclusive enforcement — no private right of action
- Enforcement under KRS §367.990 (Kentucky Consumer Protection Act)

### Cure Period (§367.437)
- AG must provide written notice of alleged violation
- Controller has **30 days** to cure
- If cured and express written statement provided: AG may not bring action
- **No sunset provision** — 30-day cure period is permanent

### Penalties
- Civil penalties up to $7,500 per violation
- Injunctive relief
- Costs and attorney fees

## Implementation Timeline

| Milestone | Date | Action |
|-----------|------|--------|
| Law enacted | April 4, 2024 | HB 15 signed by Governor |
| Compliance planning | April 2024 - December 2025 | Gap analysis, privacy notice updates, consent mechanisms |
| Data protection assessments | July - December 2025 | Complete DPIAs for applicable processing activities |
| Technical implementation | September - December 2025 | Deploy consumer rights portal, opt-out mechanisms |
| Staff training | November - December 2025 | Train privacy team and customer service |
| **Effective date** | **January 1, 2026** | **Full compliance required** |

## Key Regulatory References

- KRS §367.401 through §367.445 (KPPA)
- KRS §367.990 (Kentucky Consumer Protection Act — enforcement penalties)
- KRS §365.732 (Kentucky Data Breach Notification)
