Data Strategy Briefing — September 20, 2025

Executive briefing: Kentucky Senate Bill 15 establishes the Kentucky Consumer Data Protection Act (KCDPA), effective January 1, 2026. Controllers processing data on at least 100,000 residents—or 25,000 with 50 percent of gross revenue from data sales—must deliver access, deletion, correction, and portability rights, respond to opt-out signals for targeted advertising, and document privacy impact assessments for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment.

Key data governance checkpoints

Resident identification. Enhance data inventories to tag Kentucky residents using billing addresses, IP ranges, and loyalty programme attributes.
Assessment templates. Extend privacy impact assessments to capture profiling risk, sensitive data processing, and automated decision-making tied to significant effects.
Processor alignment. Update contracts to include audit cooperation, sub-processor notice, and deletion support obligations required under Section 3 of the Act.

Operational priorities

Opt-out automation. Integrate universal opt-out mechanisms, including browser-based global privacy control signals, across advertising stacks.
Response timelines. Configure request handling workflows to meet the 45-day response window (extendable by 45 days) and maintain appeal records for denied requests.
Attorney General engagement. Prepare cure plans to address alleged violations within the Act’s 30-day cure period, which sunsets after January 1, 2027.

Enablement moves

Benchmark KCDPA requirements against Virginia, Colorado, and Tennessee statutes to reuse control evidence.
Train frontline teams on Kentucky-specific sensitive data categories, including precise geolocation and known child data.

Sources

Zeph Tech unifies multi-state privacy roadmaps, enabling KCDPA compliance with scalable consent, request handling, and assessment workflows.