On April 4, 2024, Kentucky Governor Andy Beshear signed House Bill 15, an act related to Kentucky consumer data privacy (“KCDPA”). Kentucky now joins the expanding list of states with comprehensive state privacy legislation, with the KCDPA set to take effect January 1, 2026.
Scope
The KCDPA applies to entities conducting business in Kentucky, or producing products or services targeted to Kentucky residents, and that during a calendar year meet one of the following criteria:
- (1) control or process personal data of at least 100,000 Kentucky consumers; or
- (2) control or process personal data of at least 25,000 Kentucky consumers and derive over 50% of gross revenue from the “sale” of personal data.
The KCDPA includes various entity-level exemptions commonly seen in other state privacy laws, which include, but are not limited to:
- Any city, state agency, or political subdivision of the state;
- Financial institutions subject to the Gramm-Leach-Bliley Act;
- Covered entities or business associates governed under the Health Insurance Portability and Accountability Act (“HIPAA”);
- Nonprofit organizations; and
- Institutions of higher education.
Like most other state privacy laws, the bill contains data-level exemptions, which include, but are not limited to, data processed in accordance with: HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Children’s Online Privacy Protection Act (“COPPA”).
Key Definitions
The definitions under the KCDPA are generally consistent with those of existing comprehensive state privacy laws, with some of the key definitions mentioned below.
Consumer. A “consumer” means a natural person who is a resident of Kentucky acting only in an individual context. A consumer does not include a natural person acting in an employment context.
Personal Data. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.
Profiling. “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Sale. Under the KCDPA, “sale of personal data” is limited only to the exchange of personal data for monetary consideration by the controller to a third party.
Sensitive Data. “Sensitive data” means a category of personal data that includes (1) personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person; (3) the personal data collected from a known child; or (4) precise geolocation data.
Targeted Advertising. The term “targeted advertising” refers to displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict that consumer’s preferences or interests.
Consumer Rights
Consistent with various other state privacy laws currently in effect, the KCDPA provides consumers with the following rights:
- The right to confirm whether a controller is processing the consumer’s personal data and to access the personal data;
- The right to correct inaccuracies in the consumer’s personal data;
- The right to delete personal data provided by or obtained about the consumer;
- The right to data portability; and
- The right to opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Consumers also have the right to appeal a controller’s refusal to take action on the consumer’s request. Further, controllers are prohibited from discriminating against a consumer for exercising their rights.
Key Obligations
While most obligations apply to controllers, the KCDPA imposes certain direct obligations on processors, including adhering to the instructions of the controller and assisting the controller in meeting its obligations under the KCDPA.
Consistent with other comprehensive state privacy laws, the KCDPA imposes various key obligations on controllers, as discussed below.
Privacy Notice. Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data processed by the controller;
- The purpose for processing personal data;
- How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
In addition, controllers that “sell” personal data to third parties or process personal data for targeted advertising are required to conspicuously disclose such activity in the privacy policy, as well as the manner in which a consumer may exercise the right to opt out.
The privacy policy must also include one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights.
Consumer Privacy Requests. Under the KCDPA, controllers have 45 days to respond to a consumer’s privacy request, which may be extended an additional 45 days when “reasonably necessary,” provided that the controller informs the consumer of any extension within the initial 45-day response period, together with the reason for the extension.
Data Protection Assessment. The KCDPA requires controllers to conduct and document a data protection impact assessment in the following circumstances:
- If processing personal data for targeted advertising;
- If processing personal data for purposes of selling of personal data;
- If processing personal data for purposes of profiling where the profiling presents a reasonably foreseeable risk to the consumer (e.g., unfair or deceptive treatment, or financial, physical, or reputational injury);
- If processing sensitive data; or
- If processing personal data presents a heightened risk of harm.
Notably, data protection assessment requirements apply only to processing activities created or generated on or after June 1, 2026.
Consumer Consent. Under the KCDPA, controllers must obtain a consumer’s consent to process sensitive data, and to process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer.
Collection Limitation. Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer.
Security and Confidentiality. The KCDPA requires controllers to implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Universal Opt-Out Mechanism. Unlike many of the recently enacted state privacy laws, the KCDPA does not require controllers to recognize universal opt-out signals as a means of receiving and processing opt-out requests.
Enforcement
The Attorney General has exclusive authority to enforce violations of the KCDPA, which includes initiating an action to seek damages of up to $7,500 for each violation. The Attorney General may also recover reasonable expenses incurred in investigating and preparing the case, court costs, attorney’s fees, and any other relief ordered by the court in any action initiated under the KCDPA.
Importantly, the KCDPA contains a right-to-cure provision, which does not sunset. Prior to initiating an action, the Attorney General is required to provide a controller or processor 30 days’ written notice identifying the specific provisions of the KCDPA the Attorney General alleges have been or are being violated. If the violation is not cured within the 30-day period, the Attorney General may then initiate an enforcement action.
Notably, there is no private right of action under the KCDPA.
For more information about these developments, contact the authors of this blog post, your DLA relationship Partner, or any member of DLA’s Data, Privacy and Cybersecurity team.