Kentucky joins the biometric trend – new statute unlikely to result in civil litigation, but businesses and nonprofits should still prepare  



By: Curt M. Graham and Barry M. Miller

The Commonwealth of Kentucky—the 15th state admitted to the United States—is now the 15th state to pass a bill protecting biometric and other consumer data.

But the statute provides that Kentucky’s Attorney General has the exclusive authority to enforce it. Kentuckians have a right of action to sue for the violation of any state statute absent such a provision. Because the statute limits enforcement to the Attorney General, Kentucky’s statute seems unlikely to lead to the kinds of lawsuits spawned by similar biometric privacy statutes in Illinois and California.

The Kentucky Consumer Data Protection Act (“KCDPA”), including the provision limiting enforcement to the Attorney General, is modeled after Virginia’s act. Like Virginia’s, it applies to organizations that: 

  • Control or process personal data of more than 100,000 consumers, or 
  • Derive 50% or more of their revenue from selling the data of more than 25,000 consumers, if they process and control that data. 

And like the Virginia statute, Kentucky’s would permit consumers to (a) confirm whether a covered entity is processing their personal data; (b) receive a machine-readable copy of their personal data; (c) correct or delete that data; and (d) opt out of targeted advertising and other data profiling.

The statute will not mandate that covered entities honor consumer requests to opt out of that entity’s data processing, although it will require them to provide at least one “secure and reliable” method for consumers to submit such requests.  

The statute exempts small telephone and commercial radio service companies and other utilities. But unlike the Virginia statute, the Kentucky bill does not exempt certain nonprofit organizations. Until the courts or statutory amendments clarify that situation, both profit-making and nonprofit entities who process or sell data for large numbers of Kentuckians must prepare themselves. They can take steps such as: 

  • Assessing the need for processing certain kinds of data, and weighing that need against potential risks, before deciding to process that data;
  • Seeking contracts from data processors they may use, or reviewing existing contracts, to see whether those processors comply;
  • Seeking consent from consumers before processing sensitive data (health records, biometric information, and financial details); 
  • Enacting reasonable data security practices; 
  • Setting up a procedure for consumers to appeal any denial of their attempt to exercise data privacy rights. 

Kentucky’s Governor signed the bill into law on April 4. The Attorney General of Kentucky can begin enforcing the new law on January 1, 2026, giving affected businesses time to act.

Freeman Mathis & Gary’s Data Security and Privacy Practice Group is ready to assist businesses of all sizes in taking these steps. Please contact Curt Graham or Barry Miller in the Firm’s Lexington office for more information.