Support Centre



Law: Please note this State does not have a general privacy law in effect, you can visit USA State Law Tracker to monitor the progress of US State bills.

Regulator: The Kentucky Attorney General ('AG')

Summary: Although Kentucky does not have a general privacy law, the Supreme Court of Kentucky has interpreted that the Constitution of Kentucky 1792 (as adopted in 1891) recognises the right of privacy. In addition, the State has various laws related to privacy such as §367.170 of Chapter 367 of Title XXIX of the KRS ('the Consumer Protection Act'), which refers to unfair, false, misleading, or deceptive acts or practices in the conduct of any trade or commerce as unlawful. The AG is charged with enforcement of the Consumer Protection Act, and is empowered to seek injunctive relief, sue for, collect, receive and take into their possession all property of the defendant, and ask for the appointment of a receiver to settle the estate of the defendant and distribute assets under the direction of the court. Under the Kentucky data breach notification law (§365.732 of Title XXIX of the KRS), a personal data breach must be notified to affected Kentucky residents and, if such breach affects more than 1,000 Kentucky residents, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.


On 8 April 2022, the Kentucky Governor signed into law House Bill ('HB') 502 for the Genetic Information Privacy Act ('the Act'). In particular, the Act grants consumers greater control over their genetic materials by regulating the collection, use, and disclosure of genetic data, among others. The Act will go into effect on 1 June 2022. As such, OneTrust DataGuidance highlights some of its key provisions, focusing on areas such as consumer rights, business obligations, and what to expect with regard to enforcement.