Kentucky’s Consumer Privacy Law Is Coming, But on a Slow Track
Tuesday, December 31, 2024

To round out this year’s series on new state consumer privacy laws, we are covering the statute passed by Kentucky earlier this year. Please also keep your eye out for our 2024 round-up article that will be published soon, as it will provide a helpful overview of many of the new consumer privacy laws across the United States.

On April 4, 2024, Kentucky Governor Andy Beshear (D) signed the Kentucky Consumer Data Protection Act (“KCDPA”) into law, with a slow roll to the date it takes effect on January 1, 2026. Though similar to many other recent state data privacy laws, the KCDPA goes a bit easier on businesses and (1) does not impose a requirement to provide a universal opt-out mechanism, and (2) has a permanent cure provision that will afford violators ongoing opportunities to rectify alleged violations of the law. The following article provides a summary of key provisions and takeaways for businesses seeking to understand how the KCDPA may affect them.

For additional resources about state consumer privacy laws, we are including an index at the bottom of this article with hyperlinks to our blog posts covering laws passed in other states.   

To Whom Does the Kentucky Consumer Data Protection Act Apply?

The KCDPA applies to entities that:

  • conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky; and during a single calendar year:
    1. control or process personal data of at least 100,000 Kentucky consumers; or
    2. control or process personal data of at least 25,000 Kentucky consumers and derive over fifty percent (50%) of their annual gross revenue from the sale of personal data.

The KCDPA defines a “consumer” as an individual who is a resident of Kentucky and acting only in an individual context. Note that this definition excludes individuals acting in a commercial or employment context.

Exemptions

Like many other state data privacy laws, the KCDPA includes a list of common exemptions for certain types of government actors and regulated entities or data, including: cities, state agencies, and political subdivisions of Kentucky; financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA); covered entities or business associates established pursuant to HIPAA; nonprofit organizations; higher education institutions; and small telephone utilities or municipally owned utilities that do not sell or share personal data with third party processors. In addition, the law exempts organizations that (i) do not provide net earnings to, or do not operate in any way that benefits, the officers, shareholders, or employees of the entity; and (ii) solely process personal data in connection with suspected insurance fraud or first responders dealing with catastrophic events.

The KCDPA also exempts specific types of data such as protected health information (“PHI”) under HIPAA; health records, patient identifying information, identifiable private information, data collected for clinical trials, and data subject to the Health Care Quality Improvement Act; data covered by the Fair Credit Reporting Act; data belonging to patient safety work products under the Patient Safety and Quality Improvement Act; data regulated by the Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, Combat Methamphetamine Epidemic Act, and Farm Credit Act; and data processed or maintained for emergency contact purposes, job applications, or administering benefits. Finally, the KCDPA exempts data processed by utilities, affiliates of utilities, or holding company systems organized specifically to provide goods or services to utilities. Note that some of these exemptions attach to the data rather than to the entity; therefore, an entity regulated by one of these federal statutes may still be required to comply with the KCDPA with respect to the other types of personal data it collects or processes. Both entity-level and data-level exemptions apply to those covered by HIPAA and GLBA.

Consumer Rights

Kentucky consumers have a number of important rights under the KCDPA, which they may invoke at any time by submitting a request to a covered entity specifying which right(s) they wish to exercise. These rights include:

  • Right to confirm whether or not their personal data is being processed (unless access would require the business to reveal a trade secret);
  • Right to correct inaccuracies in their personal data;
  • Right to the deletion of their personal data;
  • Right to obtain a portable copy of their personal data that they previously provided to the business (so long as such access is feasible and would not require the business to reveal a trade secret); and
  • Right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that would create legally or similarly significant effects for the consumer.

As with other state data privacy laws, consumers have the right to appeal a business’s decision to not take action on their request. The KCDPA makes clear that any contracts or agreements that attempt to waive or limit a consumer’s rights will be deemed contrary to public policy and thus unenforceable.

Business Obligations to Consumers

Covered entities are required by the KCDPA to comply with consumer requests to exercise their rights. Entities must respond to consumer requests within 45 days of receipt of the request. In some cases, the response period may be extended by an additional 45 days if reasonably necessary, so long as the entity promptly informs the consumer and provides a reason for the extension.

If the covered entity declines to take any action in connection with a consumer’s request, it must inform the consumer within 45 days after receipt of the request and provide justification for its decision to decline such action. Note that if a business cannot reasonably authenticate a consumer request, it will not be required to act or respond.

The KCDPA generally requires entities to establish a conspicuously available appeals process. Covered entities must provide consumers with clear instructions on how to appeal a decision within a reasonable period of time after the consumer’s receipt of the decision. Entities have 60 days from receipt of an appeal to inform the consumer (in writing) of any action in response to the appeal. In cases where the entity denies an appeal, it must provide the consumer with the means to submit a complaint to the Kentucky Attorney General.

Privacy Notices to Consumers

Covered entities must provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice. At a minimum, this privacy notice should include:

  • the categories of personal data processed by the entity;
  • the purposes for processing the personal data;
  • an explanation of consumers’ rights and how and where they can exercise such rights or appeal an action;
  • the categories of personal data that a business shares with third parties (if any); and
  • the categories of third parties with which the business shares personal data.

Additionally, where a business sells personal data to third parties or processes personal data for targeted advertising, it must conspicuously disclose these activities to the consumer and include instructions for how the consumer may opt out of processing.

Note that businesses must also provide a description of at least one secure method for consumers to submit a request to exercise their consumer rights. The method must not require consumers to create a new account in order to exercise their rights.

Other Business Obligations

THE DOs - Covered entities must:

  • Limit the collection of personal data to only the data that is “adequate, relevant, and reasonably necessary” to serve the purposes for which the data is collected and processed;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security safeguards that are appropriate to the volume and nature of personal data collected, in order to protect the confidentiality, integrity, and accessibility of the personal data;
  • Ensure that any sensitive data collected from known children under the age of thirteen years old be in compliance with the federal Children’s Online Privacy Protection Act (although the KCDPA makes clear that entities that otherwise comply with parental consent requirements under the Children’s Online Privacy Protection Act (COPPA) are deemed compliant with the parental consent obligations of the KCDPA);
  • Clearly and conspicuously disclose if the business sells consumers' personal data to third parties or engages in targeted advertising;
  • Provide consumers with a conspicuous opportunity to opt out of the sale of their personal data to third parties or of targeted advertising; and
  • Conduct a data protection impact assessment for certain types of data use, including:
    • targeted advertising,
    • processing sensitive data,
    • selling personal data,
    • processing data for purposes of profiling, where profiling presents a reasonable risk of unfair or deceptive treatment of consumers, injury, intrusion upon privacy, or other substantial harm to consumers, and
    • any processing activities involving personal data with a heightened risk of harm to consumers.

THE DON’Ts - Covered entities must not:

  • Process personal data for purposes that are not reasonably necessary or compatible with the disclosed purpose of processing (unless explicit consumer consent is otherwise given);
  • Process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer;
  • Discriminate against consumers who exercise any rights under the KCDPA by denying goods or services, charging different prices for goods or services, or providing a different level of quality of goods and services; and
  • Process consumers’ sensitive data without obtaining prior consent (and in the case of children under thirteen years old, obtaining the consent of the parent or guardian).
    • Sensitive data is defined as a category of personal data that indicates racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship status, immigration status, genetic or biometric data, personal data of a known child, or precise geolocation data.

Of note, the KCDPA does not require that businesses allow consumers to opt out of processing their personal data through a universal opt-out mechanism, which is common in many other recently enacted state laws.

Impact on Vendors and Data Processors

Processors, including vendors to covered businesses, will be required by the KCDPA to comply with the following obligations:

  • Adhere to instructions from the covered entity;
  • Assist the covered entity with its own compliance obligations, including responding to consumer rights requests and providing notice of any breaches to its security systems; and
  • Provide necessary information to enable the covered entity to conduct and document data protection assessments.

Moreover, the KCDPA requires that a processor enter into a binding contract with a covered business to govern the processor’s procedures for processing data on behalf of the business. The contract must include:

  • instructions for processing personal data;
  • the nature and purpose of processing;
  • the type of data subject to processing;
  • the duration of processing; and
  • the rights and duties of both parties.

Furthermore, such contracts also require processors to:

  • ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • at the business’ direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • upon the reasonable request of the business, make available all information in its possession necessary to demonstrate the processor’s compliance with the obligations of the KCDPA;
  • allow, and cooperate with, reasonable assessments by the business or the business’ designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under the KCDPA. This assessment must be available to the business upon request; and
  • engage any subcontractor under a written contract that requires the subcontractor to comply with the same privacy requirements as the processor.

De-identified and Pseudonymous Data

Similar to other states’ data privacy laws, the KCDPA includes several requirements for entities that process “de-identified data”. The law defines “de-identified data” as data that cannot reasonably be linked to an identified or identifiable individual or a device linked to the individual. The definition of “personal data” explicitly excludes de-identified data.

Businesses in possession of de-identified data must take reasonable measures to ensure that the data cannot be associated with an individual, and must contractually require any recipients of the de-identified data to comply with the KCDPA. Like Minnesota and a handful of other states, the KCDPA also requires entities to “publicly commit” to maintain and process data without attempting to re-identify it.

In addition, the KCDPA defines “pseudonymous data” as personal data that cannot be attributed to a specific individual without additional information. As with other states, the KCDPA notes that a consumer’s rights to access, delete, and opt out will not be available for pseudonymous data where entities can demonstrate that the additional information that could help identify a specific individual is kept separately and is subject to appropriate technical and organizational measures. Businesses that disclose pseudonymous data must take reasonable steps to ensure compliance with the provisions of the KCDPA, including providing appropriate assistance to address any breaches.

Enforcement

Like other states, the KCDPA does not provide consumers with a private right of action. The Kentucky Attorney General will have exclusive authority to enforce violations of the KCDPA.

The KCDPA includes a “right to cure” provision that will grant entities a 30-day window to correct any alleged violations of the law. Pursuant to this provision, the Kentucky Attorney General must provide written notice to violating entities prior to initiating any legal action against them. The entities will have thirty days to cure the violations or else face fines and penalties. Unlike other states, this “right to cure” provision is permanent and will not expire after a specified period of time. This means that if businesses are allegedly violating the law, they will always have an opportunity to cure such violations before facing further enforcement actions.

Fines and Penalties

If violations are left uncured, the Kentucky Attorney General may initiate enforcement actions against entities to recover up to $7,500 in civil penalties per violation. Entities should be aware that fines may aggregate quickly depending on how much data an alleged violation involves.

Index

Here are links to our articles covering all other states that have enacted consumer privacy laws:

  • California (and additional information here)
  • Colorado
  • Connecticut
  • Delaware
  • Indiana
  • Iowa
  • Maryland
  • Minnesota
  • Montana
  • Nebraska
  • New Hampshire
  • New Jersey
  • Oregon
  • Rhode Island
  • Tennessee
  • Texas
  • Utah
  • Virginia

Here you’ll find our 2023 Round-Up on State Consumer Data Privacy Laws
