Kentucky may soon join the expanding list of states with comprehensive privacy laws. Kentucky House Bill 15, an act related to Kentucky consumer data privacy (KCDPA), made its way through the Kentucky Senate with a unanimous vote on March 11, 2024. The bill is back with the Kentucky House, which will now have the opportunity to sign off on minor amendments. Pending passage in the House and Governor Andy Beshear’s subsequent signature, regulated entities will have until January 1, 2026, to prepare for the KCDPA to take effect.
As has become the trend, and similar to the recently passed New Hampshire law, the KCDPA closely resembles the Virginia model. This article summarizes the primary components and highlights key differences of the Kentucky bill.
IN DEPTH
WHO DOES THE KCDPA APPLY TO?
The KCDPA, which does not include a revenue threshold, applies to any person that conducts business in Kentucky or produces products or services that are targeted to Kentucky residents and, during a calendar year, either:
- Controls or processes the personal data of at least 100,000 Kentucky consumers, or
- Controls or processes the personal data of at least 25,000 Kentucky consumers and derives more than 50% of its gross revenue from the sale of personal data
WHO IS A “CONSUMER”?
The KCDPA considers a consumer to be an individual who is a resident of Kentucky and is acting only in an individual context (not in an employment or commercial context).
WHAT IS “PERSONAL DATA”?
The definition of personal data under the KCDPA directly reflects Virginia: information that is linked or reasonably linkable to an identified or identifiable individual, specifically excluding de-identified data or publicly available information. As with “personal data,” the KCDPA’s definitions of de-identified data and publicly available information also mirror Virginia’s language.
WHO CAN ENFORCE?
Kentucky’s attorney general has exclusive enforcement power. Before taking any action in response to a violation, the attorney general must provide the business with a 30-day notice-and-cure period. Civil penalties can accrue at a rate of up to $7,500 per violation.
WHO IS EXEMPT?
The KCDPA includes several broad entity-level exemptions, including common ones for:
- Any city or state government body or agency
- Nonprofit organizations
- Higher education institutions
- Covered Entities and Business Associates under the Health Insurance Portability and Accountability Act (HIPAA), and
- Any financial institution subject to the Gramm-Leach-Bliley Act
Distinct from Virginia, the KCDPA includes an unusual entity-level exemption for organizations whose net earnings do not inure to the benefit of anyone within the organization and that process data solely in connection with assisting law enforcement agencies with suspected insurance-related criminal acts or fraud, or with assisting first responders.
The KCDPA also includes the now standard plethora of data-level exemptions for data processed in accordance with a litany of federal laws including, but not limited to, HIPAA, federal research laws and regulations (such as the Common Rule), the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act and the Children’s Online Privacy Protection Act (COPPA).
WHAT OBLIGATIONS ARE IMPOSED?
The obligations imposed on controllers under the KCDPA should not surprise anyone familiar with the other state privacy laws. For example, such obligations include requirements to:
- Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed
- Avoid processing personal data for secondary reasons (purposes that are neither reasonably necessary to nor compatible with the initial disclosed purposes) without the consumer’s prior consent
- Establish, implement and maintain reasonable administrative, technical and physical data security practices
- Not process personal data in violation of laws that prohibit unlawful discrimination against consumers, and refrain from discriminating against consumers that exercise their rights
- Not process the consumer’s sensitive data without the consumer’s consent, or in the case of sensitive data collected from a known child (under 13 years old), without parental consent in accordance with COPPA requirements, and
- Provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes the disclosures now common under state consumer privacy laws
WHAT CONSUMER RIGHTS ARE CREATED BY THE KCDPA?
The KCDPA will require controllers to provide Kentucky consumers the following rights:
- The right to confirm whether or not the controller is processing the consumer’s personal data and to access that data, unless access would require the controller to reveal a trade secret
- The right to correct personal data, considering the nature of the personal data and the purposes for processing the personal data
- The right to delete personal data provided by or obtained about the consumer
- The right to data portability
- Opt-out rights for targeted advertising, the sale of personal data and profiling, where the profiling is used to produce a legal or similarly significant effect, and
- The right to appeal a controller’s refusal to act on a request
SENSITIVE DATA
The KCDPA has a familiar definition of sensitive data, which includes:
- Personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child (under 13), or
- Precise geolocation data (within a 1,750-foot radius)
As mentioned above, controllers are required to obtain the consumer’s consent prior to processing sensitive data (or, in line with COPPA, a parent’s consent where the data was collected from a known child).
RESPONSE TO CONSUMER REQUESTS
Under the KCDPA, controllers must respond to a consumer request within 45 days after receipt, with one 45-day extension available where reasonably necessary. If a request is denied, the controller must provide a method to appeal the denial and make the appeal process conspicuously available. A decision on the appeal must be provided within 60 days of receipt of the consumer’s appeal. If an appeal is denied, the decision must include a method for the consumer to submit a complaint to the attorney general.
DATA PROTECTION ASSESSMENTS
Like its predecessors in other states, the KCDPA requires controllers to conduct “data protection impact assessments” whenever the controller is:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers or results in other substantial injury to consumers
- Processing sensitive data, and/or
- Processing personal data that presents a heightened risk of harm to consumers
These assessments must identify the benefits to the involved parties and the risks to consumer rights that may flow, directly or indirectly, from the processing activity. Reflecting its peer laws in other states, the KCDPA permits an assessment performed to comply with another state’s privacy law to satisfy the assessment requirement under this law, provided it is reasonably similar in scope and effect.
The data protection assessment requirement will apply only to processing activities created on or after June 1, 2026.
WHEN DOES THE KCDPA TAKE EFFECT?
The KCDPA is slated to take effect January 1, 2026.