Kentucky Privacy Laws
As businesses store and process more personal information digitally, data privacy has become an increasingly important issue for Kentucky residents. Under Kentucky law, residents have certain rights to access, correct, delete, and obtain a copy of personal data held by covered businesses. They may also opt out of certain uses of their data, including targeted advertising, the sale of personal data, and some types of profiling. Kentucky’s data breach notification law also requires covered businesses to notify affected residents when certain breaches create a risk of identity theft or fraud.
- June 24, 2026
Overview of Kentucky Data Privacy Laws
In Kentucky, the main state data privacy laws protecting consumers include the Kentucky Consumer Data Protection Act (KCDPA) and the Data Breach Notification Law. The former provides consumers with rights regarding the collection and use of their personal information, while the latter requires businesses to notify consumers in the event of a breach. Because there is no comprehensive federal data protection law, Kentucky’s state laws are crucial to consumer privacy.
Kentucky Consumer Data Protection Act (KCDPA)
The Kentucky Consumer Data Protection Act (KCDPA) grants Kentucky residents several rights regarding their personal data. Under the act, businesses must provide Kentucky consumers with an accessible, clear, and meaningful privacy notice, including what data will be collected, for what purposes, whether it will be shared, and how consumers can exercise their rights. These rights include:
- Right to know whether businesses collecting their personal data are processing it
- Right to access and/or get a copy of their collected personal data
- Right to correct and/or delete their personal data
- Right to opt out of data processing for targeted advertising, sale, or profiling
- Right to have their sensitive data protected from processing without consent
Who Must Comply with the KCDPA?
The KCDPA applies to certain businesses that conduct business in Kentucky or produce products or services targeted to Kentucky residents and meet the law’s data-processing thresholds. Some entities and categories of data are exempt, including certain protected health information governed by HIPAA, health records, and patient-identifying information.
Kentucky's Data Breach Notification Law
Kentucky’s Data Breach Notification Law requires businesses to notify consumers and sometimes authorities in the event of a data breach.
What Constitutes a Data Breach Under Kentucky Law?
Under Kentucky law, a data breach is any unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information for multiple individuals. The breach must cause actual harm or pose a real risk of identity theft or fraud to any Kentucky resident.
Notification Requirements for Businesses
After a data breach in Kentucky, businesses must notify affected individuals without unreasonable delay. Notice may be provided by mail or email, or by substitute notice if the cost of providing notice would exceed $250,000 or the affected class is over 500,000 people. Businesses must notify consumer reporting agencies and credit bureaus if over 1,000 people are affected.
Types of Personal Data Covered
Various types of personal data are covered under Kentucky’s data breach laws. Under the data breach notification law, “personally identifiable information” means a consumer’s full name in combination with their Social Security number, driver’s license number, or financial account access information.
Under the KCDPA, personal data means any information that can be linked to an identifiable person, excluding publicly available information. Sensitive data, which receives additional protections, includes information about race, ethnicity, religion, mental and physical health conditions, sexual orientation, citizenship status, genetic and biometric data, precise geolocation data, and data collected from known children under 13.
Notable Data Breaches in Kentucky
Central Kentucky Radiology Data Breach (2024–2025)
In June 2025, radiology services provider Central Kentucky Radiology notified about 167,000 people of an October 2024 data breach that exposed their personal information. CKR determined that a threat actor accessed its network and copied files from its systems. Stolen files included personal information like names, addresses, dates of birth, Social Security numbers, dates of medical service, and service charges.
Orthopaedic Institute of Western Kentucky Vendor Breaches (2025–2026)
In March 2026, the Orthopaedic Institute of Western Kentucky notified patients that their personal health information was compromised in two security incidents involving its IT services provider. The breach involved unauthorized access to an employee’s email account.
The breaches occurred in April and July 2025 and compromised patient information like names, addresses, dates of birth, medical records, Social Security numbers, and more. Affected individuals were notified in December 2025 and January 2026.
Cumberland County Hospital Cyberattack (2025)
In June 2025, Cumberland County Hospital in Burkesville, Kentucky, reported a ransomware data breach involving the protected health information of more than 36,000 individuals. The breach occurred between February and April 2025 and was identified in April. During that time, there was unauthorized access to files containing patient information, including names, contact information, demographic information, health information, and employee data.
Warren County Sheriff’s Office Breach (2025)
In March 2026, the Sheriff’s office of Warren County, Kentucky, notified an undisclosed number of people about a December 2025 data breach that compromised names, Social Security numbers, driver’s license numbers, and health insurance ID numbers. Cybercriminal group RansomHouse took credit for the breach.
Jefferson County Clerk’s Office Ransomware Attack (2024)
In August 2024, the Jefferson County Clerk’s office in Kentucky confirmed that sensitive data, including personnel files, Social Security numbers, and election administration information, may have been compromised in a cyberattack. Election data as far back as 2008 may have been compromised. Cybercriminal group RansomHub took responsibility for the attack and published the files it claimed to have stolen on the dark web.
University of Kentucky Education Database Breach (2021)
In 2021, the University of Kentucky discovered a vulnerability in its website that allowed an unauthorized individual to acquire a copy of a College of Education database. The database contained the names and email addresses of students and teachers in Kentucky, across America, and in 22 other countries. Over 355,000 individuals were affected by the breach.
Consumer Rights Under Kentucky Data Privacy Laws
Under Kentucky’s data privacy laws, consumers have the right to access, correct, and delete their personal data from companies, as well as to opt out of the processing and sale of their data. Consumers do not have a private right of action for KCDPA violations; only the Attorney General can enforce it. However, consumers can file complaints with the Attorney General’s office for violations.
If your rights and interests as a Kentucky resident have been harmed by a data breach, you may still be entitled to seek financial compensation through legal action.
How Class Action U Can Help
At Class Action U, our goal is to simplify the process for individuals affected by data breaches to join ongoing lawsuits by connecting them with our legal partners. If you’ve been affected by a data breach, share your information with us to see if you qualify to file a lawsuit or join a class action or mass arbitration. If a legal action already exists for the breach that affected you, our site offers a straightforward way to sign up.
Speak to a Kentucky Data Privacy Lawyer
Kentucky’s Consumer Data Protection Act and other state laws provide consumers in the Bluegrass State with certain rights regarding the privacy, collection, and processing of their personal data. If you or a loved one was affected by a Kentucky data breach, contact Class Action U to be connected with an experienced data breach lawyer to learn more about your legal options for seeking justice and compensation.