RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 15, 2026

Kentucky KCDPA AI Compliance 2026: New Law, Familiar Framework

Kentucky's Consumer Data Protection Act joined the state privacy law patchwork on January 1, 2026, and it follows the Virginia/Colorado template closely enough that compliance teams already covering those states will recognize most of the obligations. The parts worth double-checking are the assessment requirement for AI profiling and the dual-threshold scope test.

100,000 / 25,000
Dual consumer thresholds, the second tied to data-sale revenue
Assessments Required
Mandatory for high-risk profiling before it goes live
30-Day Cure
No sunset date on the right-to-cure provision as enacted

Does KCDPA Apply to Your AI Product?

KCDPA applies to businesses that conduct business in Kentucky or produce products or services targeted at Kentucky residents, and that during a calendar year control or process the personal data of at least 100,000 Kentucky consumers, or control or process the data of at least 25,000 consumers while deriving more than 50% of gross revenue from selling personal data. Nonprofits and higher education institutions carry limited exemptions, but most commercial AI SaaS products get no special carve-out.

The second prong of the threshold — 25,000 consumers plus majority revenue from data sales — is the one AI companies most often overlook. A smaller AI product that monetizes through data licensing rather than subscriptions can trip this trigger well before it reaches the 100,000-consumer mark that most teams treat as the relevant number.

Consumer Rights and AI Profiling

Profiling opt-out

Consumers can opt out of profiling in furtherance of decisions producing legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.

Targeted advertising opt-out

Consumers can opt out of personal data being used for targeted advertising, including AI-driven ad personalization and lookalike-audience models.

Sale of data opt-out

Consumers can opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers or data brokers.

Right to appeal

Kentucky, like Virginia and Colorado, requires businesses to offer consumers a way to appeal a denied rights request, with a response window and an option to escalate to the Attorney General if the appeal is denied.

The Data Protection Assessment Requirement

KCDPA requires a documented data protection assessment before processing that presents a heightened risk of harm — a category that explicitly reaches profiling with a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, or intrusion into a consumer's private affairs. For AI companies, this means any scoring, ranking, or eligibility model that feeds into a consequential decision about a Kentucky consumer should have a written assessment on file before it goes live, not retrofitted after an inquiry.

KCDPA Compliance Checklist for AI Companies

1. Scope Determination
  • Track Kentucky consumer counts against both the 100,000 standard threshold and the 25,000/50%-revenue alternate trigger
  • Flag data-licensing or data-sale revenue lines specifically, since they drive the alternate trigger
  • Reassess scope at least quarterly as Kentucky user growth changes
2. Consumer Rights Infrastructure
  • Build opt-out flows for profiling, targeted advertising, and data sale
  • Implement an appeal path for denied consumer rights requests with a documented response window
  • Support access, correction, deletion, and portability requests within statutory timelines
3. Risk Assessments
  • Complete a data protection assessment before deploying any high-risk profiling model
  • Cover disparate impact and unfair-treatment risk explicitly in the assessment, not just data security
  • Update assessments when the underlying AI model or training data materially changes
4. Enforcement Readiness
  • Monitor Kentucky AG enforcement activity as the law matures past its first year
  • Retain records supporting your scope and threshold determinations
  • Respond to any AG cure notice within the 30-day window and document the remediation taken

See where your AI product is exposed

RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.

Scan Your Product for Free →

Frequently Asked Questions

How is KCDPA different from Indiana's INCDPA?

The two are structurally similar, both using a 100,000-consumer standard threshold with a 25,000/50%-revenue alternate trigger, and both lacking a sunset date on their 30-day cure period as enacted. The main practical difference is Kentucky's explicit requirement for a right-to-appeal process on denied consumer rights requests, which Indiana's statute also includes but which is worth verifying separately in each state's implementing guidance as agencies issue interpretations.

Do AI training activities alone trigger a data protection assessment?

The assessment requirement is tied to processing that presents a heightened risk of harm, not to model training in the abstract. Training on Kentucky consumers' personal data can trigger the requirement if the resulting model is then used for profiling with a foreseeable risk of unfair treatment, disparate impact, or injury — the trigger is the downstream use, not the training step in isolation.

Does KCDPA apply to B2B data or only consumer data?

KCDPA, like most comprehensive state privacy laws, generally exempts data processed in a commercial or employment context — B2B contact data used for sales outreach, for example, typically falls outside the definition of a covered 'consumer.' AI companies should still confirm this exemption applies to their specific data flows rather than assuming blanket B2B coverage.

Related Guides