
Kentucky Consumer Data Protection Act: What Bourbon Country Just Joined

By Basel Ismail, May 16, 2026

Kentucky Governor Andy Beshear signed HB 15 into law on April 4, 2024, making Kentucky the fifteenth state to enact a comprehensive consumer data privacy law. The Kentucky Consumer Data Protection Act takes effect January 1, 2026, which gives businesses roughly a year and a half from signing to build out compliance. If you have customers, employees, or data touchpoints in Kentucky, this one is worth reading carefully.

The Basics of KCDPA

The KCDPA applies to persons that conduct business in Kentucky or produce products or services targeted to Kentucky residents and that, during a calendar year, either (a) control or process personal data of at least 100,000 consumers, or (b) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. These thresholds should look familiar. They are nearly identical to Virginia's Consumer Data Protection Act (VCDPA), which was the template here.

Consumer rights under the KCDPA include the right to confirm, access, correct, delete, and obtain a portable copy of personal data. Consumers also get the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Controllers must respond to authenticated requests within 45 days, with one 45-day extension permitted.

Enforcement sits exclusively with the Kentucky Attorney General. There is no private right of action. Before bringing an enforcement action, the AG must provide a 30-day cure period. This cure provision does not sunset, which is a meaningful distinction from states like Colorado, where the cure period expired on January 1, 2025.

How It Stacks Up Against Virginia and Indiana

Kentucky clearly used Virginia's VCDPA as its starting point, but there are a few differences worth flagging for anyone already operating under a multi-state privacy program.

Thresholds. Kentucky and Virginia share the same 100,000/25,000 consumer thresholds. Indiana's SB 5 (effective January 1, 2026, the same day as KCDPA) also uses these numbers. If you already meet the Virginia threshold, you almost certainly meet Kentucky's and Indiana's.

Sensitive data. The KCDPA defines sensitive data to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification, personal data of a known child, and precise geolocation data. This tracks closely with Virginia. One addition worth noting: Kentucky explicitly includes "status as transgender or nonbinary" within its sensitive data definition. This is a broader category than most state privacy laws include.

Cure period permanence. As mentioned, Kentucky's 30-day cure period is permanent under the statute as written. Virginia's cure period also remains in effect. Indiana similarly includes a permanent 30-day cure period. Compare this to Connecticut (HB 6, effective July 1, 2023), where the cure provision expired on December 31, 2024. For compliance teams, a permanent cure period reduces enforcement risk somewhat, but it should not be treated as a reason to delay compliance. AGs in other states have made clear that repeated failures to cure can escalate quickly.

Data protection assessments. Kentucky requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm. This includes targeted advertising, the sale of personal data, processing sensitive data, and profiling. Virginia has the same requirement. Indiana does too, though Indiana's language is slightly less prescriptive about when assessments must be conducted. If you are already conducting data protection assessments under Virginia's framework, your Kentucky obligations should be largely covered with jurisdiction-specific adjustments.

Universal opt-out mechanisms. The KCDPA requires controllers to recognize universal opt-out mechanisms, sometimes referred to as Global Privacy Control signals. Virginia's original VCDPA did not include this requirement, though Virginia amended its law in 2024 to add it effective January 1, 2025. Indiana does not currently require recognition of universal opt-out signals. This is a meaningful operational detail. If your consent management platform does not already handle GPC signals, Kentucky's effective date is your deadline.

The AI Angle

Kentucky's profiling provisions deserve specific attention for anyone deploying AI systems that touch consumer data. The KCDPA gives consumers the right to opt out of profiling "in furtherance of decisions that produce legal or similarly significant effects concerning the consumer." The statute defines profiling as "any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements."

This is broad. If you are using machine learning models for credit decisioning, insurance underwriting, hiring screening, or healthcare risk stratification involving Kentucky consumers, those activities likely fall within the profiling definition. The opt-out right means you need a mechanism for consumers to invoke it, and you need a fallback process for when they do.

The data protection assessment requirement also applies to profiling activities. So you need documented assessments that weigh the benefits of the processing against the potential risks to consumers, including the use of de-identified data, the reasonable expectations of consumers, and the context of the processing. These assessments must be made available to the AG upon request.

For organizations building or deploying AI in regulated industries, this creates a layered compliance obligation. You are not just managing data minimization and purpose limitation. You are also maintaining auditable documentation of why your AI processing is justified, and you are building opt-out infrastructure that can actually interrupt automated pipelines. In practice, this is harder than it sounds, especially when models are trained on pooled datasets or when profiling is embedded in real-time decision systems.
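The two operational pieces the post names, recognizing a universal opt-out (Global Privacy Control) signal and gating an automated profiling decision on the consumer's opt-outs, as an added example that is not FirmAdapt's code. The `Sec-GPC` header is the real GPC request header; the consumer record layout, which categories the signal is taken to cover, and the stand-in scoring model are assumptions constructed for the example.

```python
# Added example (not FirmAdapt's code): resolve a consumer's KCDPA opt-outs from
# stored choices plus a Global Privacy Control signal, then route profiling
# decisions to a manual fallback when the consumer has opted out.
from dataclasses import dataclass, field

# The three opt-out categories the post lists for Kentucky.
OPT_OUT_CATEGORIES = {"targeted_advertising", "sale", "profiling"}
# Assumption: the universal signal expresses a choice on sale and targeted
# advertising; a profiling opt-out still needs an authenticated request.
GPC_COVERS = {"targeted_advertising", "sale"}
# Per the post: Kentucky and (after its 2024 amendment) Virginia require signal
# recognition; Indiana does not. Honoring it for everyone is the simpler policy.
GPC_REQUIRED_STATES = {"KY", "VA"}


@dataclass
class Consumer:
    state: str
    opt_outs: set = field(default_factory=set)  # authenticated, stored choices


def gpc_signal_present(headers: dict) -> bool:
    """True when the browser sent 'Sec-GPC: 1' (header names are case-insensitive)."""
    return any(k.lower() == "sec-gpc" and v.strip() == "1" for k, v in headers.items())


def effective_opt_outs(consumer: Consumer, headers: dict) -> set:
    """Union of stored opt-outs and whatever the universal signal implies."""
    chosen = set(consumer.opt_outs) & OPT_OUT_CATEGORIES
    if consumer.state in GPC_REQUIRED_STATES and gpc_signal_present(headers):
        chosen |= GPC_COVERS
    return chosen


def decide(consumer: Consumer, headers: dict, features: dict) -> dict:
    """Gate the automated pipeline: opted-out consumers go to manual review,
    and the returned record is written to the audit trail either way."""
    if "profiling" in effective_opt_outs(consumer, headers):
        return {"route": "manual_review", "model_used": False,
                "reason": "profiling opt-out in effect"}
    # Constructed stand-in for a real model: mean of the numeric features.
    score = sum(features.values()) / max(len(features), 1)
    return {"route": "automated", "model_used": True, "score": score}
```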

Practical Compliance Posture for Kentucky-Touching Businesses

If you are already compliant with Virginia's VCDPA, your gap analysis for Kentucky should be relatively contained. The main areas to audit are:

  • Sensitive data definitions. Review whether your data inventory captures the additional categories Kentucky includes, particularly the transgender and nonbinary status category.
  • Universal opt-out signals. Confirm your CMP or consent layer recognizes and processes GPC signals. If you built your Virginia compliance before Virginia's 2024 amendment, this may be a gap.
  • Privacy notice updates. Your consumer-facing disclosures need to reflect Kentucky-specific rights and processing categories. Boilerplate multi-state notices work up to a point, but regulators increasingly expect specificity.
  • Processor agreements. The KCDPA requires contracts between controllers and processors that include clear instructions for processing, confidentiality obligations, deletion requirements, and audit rights. Review your existing processor agreements for conformity.
  • Data protection assessment documentation for AI. If you are running profiling or automated decision-making, ensure your data protection assessments are current and specifically address Kentucky consumer data.

The January 1, 2026 effective date aligns with Indiana, which means compliance teams are going to be managing two new state laws simultaneously. Building a unified compliance framework now, rather than treating each state as a separate project, will save significant effort.

How FirmAdapt Addresses This

FirmAdapt's platform is built to handle exactly this kind of multi-state regulatory layering. The compliance mapping engine tracks jurisdictional requirements across all active state privacy laws, including KCDPA-specific obligations like universal opt-out signal recognition and the expanded sensitive data categories. When Kentucky's law takes effect, organizations using FirmAdapt will have their data processing inventories, assessment templates, and consumer rights workflows already aligned to the statute's requirements.

On the AI side, FirmAdapt's architecture supports the documentation and audit trail requirements that profiling provisions demand. Data protection assessments can be generated, versioned, and stored within the platform, tied directly to the processing activities they evaluate. For regulated industries where AI governance intersects with state privacy law, this is the kind of infrastructure that keeps you ahead of enforcement rather than reacting to it.
