Kate Lucente and Brandon Weinreb | Privacy Matters | DLA Piper Data Protection and Privacy
https://privacymatters.dlapiper.com/author/brandon-weinreb/

US: Kentucky Legislature Passes Comprehensive State Privacy Law
https://privacymatters.dlapiper.com/2024/04/us-kentucky-legislature-passes-comprehensive-state-privacy-law/
Mon, 29 Apr 2024

On April 4, 2024, Kentucky Governor Andy Beshear signed House Bill 15, an act relating to Kentucky consumer data privacy (the “KCDPA”). Kentucky now joins the expanding list of states with comprehensive privacy legislation, with the KCDPA set to take effect January 1, 2026.

Scope

The KCDPA applies to entities conducting business in Kentucky, or producing products or services targeted to Kentucky residents, and that during a calendar year meet one of the following criteria:

  • control or process personal data of at least 100,000 Kentucky consumers; or
  • control or process personal data of at least 25,000 Kentucky consumers and derive over 50% of gross revenue from the “sale” of personal data.

The KCDPA includes various entity-level exemptions commonly seen in other state privacy laws, which include, but are not limited to:

  • Any city, state agency, or political subdivision of the state;
  • Financial institutions subject to the Gramm-Leach-Bliley Act;
  • Covered entities or business associates governed under the Health Insurance Portability and Accountability Act (“HIPAA”);
  • Nonprofit organizations; and
  • Institutions of higher education.

Like most other state privacy laws, the bill contains data-level exemptions, which include but are not limited to, data processed in accordance with: HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Children’s Online Privacy Protection Act (“COPPA”).

Key Definitions

The definitions under the KCDPA are generally consistent with those of existing comprehensive state privacy laws, with some of the key definitions mentioned below.

Consumer. A “consumer” means a natural person who is a resident of Kentucky acting only in an individual context. A consumer does not include a natural person acting in an employment context.

Personal Data. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.

Profiling. “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Sale. Under the KCDPA, “sale of personal data” is limited only to the exchange of personal data for monetary consideration by the controller to a third party.

Sensitive Data. “Sensitive data” means a category of personal data that includes (1) personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person; (3) the personal data collected from a known child; or (4) precise geolocation data.

Targeted Advertising. The term “targeted advertising” refers to displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict that consumer’s preferences or interest.

Consumer Rights

Consistent with various other state privacy laws currently in effect, the KCDPA provides consumers with the following rights:

  • The right to confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  • The right to correct inaccuracies in the consumer’s personal data;
  • The right to delete personal data provided by or obtained about the consumer;
  • The right to data portability; and
  • The right to opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Consumers also have the right to appeal a controller’s refusal to take action on the consumer’s request. Further, controllers are prohibited from discriminating against a consumer for exercising their rights.

Key Obligations

While most obligations apply to controllers, the KCDPA imposes certain direct obligations on processors, including adhering to the instructions of the controller and assisting the controller in meeting its obligations under the KCDPA.

Consistent with other comprehensive state privacy laws, the KCDPA imposes various key obligations on controllers, as discussed below.

Privacy Notice. Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purpose for processing personal data;
  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares personal data.

In addition, controllers that “sell” personal data to third parties or process personal data for targeted advertising are required to conspicuously disclose such activity in the privacy notice, as well as the manner in which a consumer may exercise the right to opt out.

The privacy notice must also include one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.

Consumer Privacy Requests. Under the KCDPA, controllers have 45 days to respond to a consumer’s privacy request, which may be extended an additional 45 days when “reasonably necessary,” provided that the controller informs the consumer of any extension within the initial 45-day response period, together with the reason for the extension.

Data Protection Assessment. The KCDPA requires controllers to conduct and document a data protection assessment in the following circumstances:

  • If processing personal data for targeted advertising;
  • If processing personal data for purposes of selling of personal data;
  • If processing personal data for purposes of profiling where the profiling presents a reasonably foreseeable risk to the consumer (e.g., unfair or deceptive treatment, or financial, physical, or reputational injury);
  • If processing sensitive data; or
  • If processing personal data presents a heightened risk of harm.

Notably, data protection assessment requirements apply only to processing activities created or generated on or after June 1, 2026.

Consumer Consent. Under the KCDPA, controllers must obtain a consumer’s consent before processing sensitive data, and before processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer.

Collection Limitation. Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer.

Security and Confidentiality. The KCDPA requires controllers to implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

Universal Opt-Out Mechanism. Unlike many of the recently enacted state privacy laws, the KCDPA does not require controllers to recognize universal opt-out preference signals as a means of processing opt-out requests.

Enforcement

The Attorney General has exclusive authority to enforce the KCDPA, including by initiating an action to seek damages of up to $7,500 for each violation. In any action initiated under the KCDPA, the Attorney General may also recover reasonable expenses incurred in investigating and preparing the case, court costs, attorney’s fees, and any other relief ordered by the court.

Importantly, the KCDPA contains a right to cure provision, which does not sunset. Prior to initiating an action, the Attorney General is required to provide a controller or processor 30 days’ written notice identifying the specific provisions of the KCDPA the Attorney General alleges have been or are being violated. If the violation is not cured within the 30-day period, the Attorney General may then initiate an enforcement action.

Notably, there is no private right of action under the KCDPA.

For more information about these developments, contact the authors of this blog post, your DLA relationship Partner, or any member of DLA’s Data, Privacy and Cybersecurity team.

US: CCPA and California Privacy Protection Agency Updates: 2024 to Date
https://privacymatters.dlapiper.com/2024/04/ccpa-and-california-privacy-protection-agency-updates-2024-to-date/
Wed, 24 Apr 2024

The California Privacy Protection Agency (“CPPA”) has been active since the start of the year. In this blog post we summarize some key activities of the CPPA to date in 2024, including:

  • On April 2, 2024, the CPPA Enforcement Division issued its inaugural advisory, emphasizing the importance of data minimization. (Read more about the enforcement advisory below.)
  • In March 2024, the CPPA’s March Board Meeting included several notable developments, including:
    • Draft proposed regulations on risk assessments and automated decisionmaking technology.
    • Draft updates to existing CCPA Regulations, including updates to the definition of sensitive personal information and requirements relating to verifying and denying consumer requests.
    • A summary of the CPPA’s enforcement priorities for 2024, which include privacy notices, right to delete issues, and the processing of consumer requests.
    • A report on the number of complaints received by the CPPA since July 2023.
    (Read more about the March 2024 Board Meeting below.)
  • On February 9, 2024, the CPPA won its appeal of a lower court ruling that had delayed for one year the enforcement of the updated CCPA Regulations implemented pursuant to the California Privacy Rights Act of 2020.
  • In January 2024, the CPPA launched https://privacy.ca.gov, a new online resource on California privacy rights for consumers.

In 2024, the CPPA has also weighed in on proposed federal and state privacy legislation, issuing a statement heavily critical of the federal American Privacy Rights Act legislation, and strongly supporting California’s AB 3048, which would expand business requirements regarding privacy preference and opt out signals.

CPPA Enforcement Advisory on Data Minimization

On April 2, 2024, the CPPA issued its inaugural enforcement advisory under the California Consumer Privacy Act (“CCPA”). The advisory focused on the need for businesses to apply data minimization principles across their processing activities, including their processing of consumer privacy requests, emphasizing:

Data minimization is a foundational principle in the CCPA. Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information.

The CPPA also observed that:

[C]ertain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.

As one of many core principles of the CCPA, data minimization requires businesses to restrict the processing of personal information to that which is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”[1]

Regulations issued pursuant to the CCPA expand on this principle, stating the necessary and proportionate assessment should be based on the following:

  1. The minimum personal information that is necessary to achieve the purpose identified, as disclosed to the consumer;
  2. The possible negative impacts on consumers posed by the business’s collection or processing of personal information; and
  3. Additional safeguards used by the business to address the possible negative impacts on consumers.[2]

Data Minimization in Verifying Consumer Requests. When responding to consumer requests, the CCPA requires businesses to verify that the person making a request to delete, correct, or know is the consumer about whom the business has collected personal information.

The CCPA prohibits businesses from requiring a consumer to verify their identity to make a request to opt-out of the sale/sharing of personal information or to limit use and disclosure of sensitive personal information; however, the business may ask the consumer for information necessary to complete the request.

The CCPA regulations provide businesses with guidance in determining the method by which the business will verify the consumer’s identity:

  1. Whenever feasible, match the identifying information provided by the consumer to the consumer’s personal information the business already maintains, or use a third-party identity verification service;
  2. Avoid collecting certain types of personal information (such as Social Security number, driver’s license number, financial account numbers, or unique biometric data), unless necessary for the purpose of verifying the consumer; and
  3. Consider the following factors: (i) the type, sensitivity, and value of the personal information collected and maintained about the consumer; (ii) the risk of harm to the consumer; (iii) the likelihood that fraudulent or malicious actors would seek the personal information; (iv) whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated; (v) the manner in which the business interacts with the consumer; and (vi) available technology for verification.[3]

Businesses must generally avoid requesting additional information from the consumer for verification purposes. To the extent the business cannot otherwise verify the consumer’s identity, it may request additional information, which may be used only for verifying the consumer’s identity, for security, or for fraud prevention. The business must delete any new personal information collected for verification purposes as soon as practical after processing the consumer’s request, subject to the CCPA’s record-keeping requirements.

Questions to Consider When Responding to Consumer Requests. The advisory includes illustrative scenarios on the application of the data minimization principle to CCPA requests to opt out of the sale/sharing of personal information and requests to delete personal information. The advisory also provides a list of questions for businesses to consider when processing consumer requests:

  1. What is the minimum personal information that is necessary to achieve this purpose?
  2. We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?
  3. What are the possible negative impacts posed if we collect or use the personal information in this manner?
  4. Are there additional safeguards we could put in place to address the possible negative impacts?

Businesses should keep the above questions in mind when determining how to verify and process consumer requests.

For more information about these developments, contact the authors of this blog post, your DLA relationship Partner, or any member of DLA’s Data, Privacy and Cybersecurity team.

Takeaways from CPPA March 2024 Board Meeting: Enforcement Priorities and Revised Regulations on the Horizon

On March 8, 2024, the CPPA held a public meeting to discuss, among other things, its enforcement priorities and proposed regulations on risk assessments and automated decisionmaking technology (“ADMT”). This article summarizes the key takeaways from the meeting and highlights from the new regulations on the horizon in California.

Enforcement Priorities. During the meeting, Michael Macko, the Deputy Director for the Enforcement Division, presented on enforcement updates and priorities. The presentation reported that the CPPA received 1,208 complaints between July 6, 2023, and February 22, 2024. It may come as no surprise to privacy officers and compliance managers that the most common categories of complaints include right to delete and right to opt out of sale issues.

The CPPA reported that its upcoming enforcement priorities will be privacy notices, right to delete issues, and implementation of consumer requests.[4]

ADMT and Risk Assessment Regulations. As we recently reported, in late 2023 the CPPA released its initial draft regulations for ADMT and risk assessments. During the March 8, 2024 meeting, the Board was presented with an updated draft of the ADMT and risk assessment regulations and voted to advance these proposed regulations to formal rulemaking. It is important to note that the regulations are discussion drafts that are still in the preliminary rulemaking phase. Staff will begin preparing the required paperwork to initiate formal rulemaking based on the Board’s vote. During the meeting, CPPA General Counsel Philip Laird clarified that the Agency intends to do more public engagement this spring and summer for additional feedback on the draft ADMT and risk assessment regulations. On April 24, 2024, the CPPA announced three stakeholder sessions to take place this May. More information about the sessions and how you can attend is available on the CPPA website. Additional modifications may be made to the draft regulations based on feedback from the Board and the public throughout this process.

The following are notable updates to draft ADMT and risk assessment requirements in these new proposed draft regulations:

  • Revised Definition of ADMT. The CPPA has revised the definition of ADMT to mean “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” For purposes of this definition, the CPPA clarified that to “substantially facilitate human decisionmaking” means using the output of the technology as a key factor in a human’s decisionmaking. This includes, for example, using ADMT to generate a score about a consumer that the human reviewer uses as a primary factor to make a significant decision about them.
  • ADMT Exclusions. The CPPA has clarified that ADMT does not include the following technologies, provided these technologies do not execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking: web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam and robocall-filtering, spellchecking, calculators, databases, spreadsheets, or similar technologies.
  • Revised Definition of Profiling. The CPPA has expanded the definition of profiling to include automated processing of personal information to analyze or predict an individual’s intelligence, ability, aptitude, mental health and predispositions.
  • New Trigger for Notice, Opt-Out and Access. The CPPA has revised the triggers for pre-use notice, opt-out, and access requirements by adding the use of ADMT for “profiling a consumer for behavioral advertising” as a trigger.
  • Updated Pre-Use Notice Requirements for ADMT. The CPPA has updated the pre-use notice requirements to streamline the information that a business must provide, and to allow for greater flexibility in how the business presents the information. The proposed revisions also include tailoring pre-use notice requirements to specific uses of ADMT and requiring that the business disclose that it cannot retaliate against consumers for exercising their rights.
  • Opt-Out Exceptions for ADMT. Under the proposed regulations, businesses would not be required to provide a consumer with the ability to opt-out of a business’s use of ADMT for a significant decision concerning the consumer if the business provides consumers with the ability to appeal to a human decisionmaker (the “human appeal exception”). To qualify for the human appeal exception, the business must satisfy certain requirements, including but not limited to, designating a qualified human reviewer who must consider relevant information, clearly describing how consumers can submit an appeal, and enabling the consumer to provide information for the human reviewer to consider. The proposed regulations also include an “evaluation exception” where a business does not need to provide a consumer with the ability to opt-out (subject to certain conditions) for purposes of admission, acceptance, or hiring decisions, allocation/assignment of work and compensation decisions, and work or educational profiling. Businesses would also not be required to provide a consumer with the ability to opt-out if the business’s use of the ADMT is necessary for security, fraud prevention, or safety purposes.
  • Revised Risk Assessment Thresholds. The CPPA has revised the risk assessment thresholds to clarify that risk assessments are required when the business (1) sells or shares personal information; (2) processes sensitive personal information (including the personal information of consumers that the business has actual knowledge are less than 16 years of age); (3) uses ADMT for a significant decision or “extensive profiling” (i.e., work or educational profiling, public profiling, or profiling a consumer for behavioral advertising); or (4) processes personal information to train ADMT or artificial intelligence that is capable of being used for a significant decision, to establish identity, for physical or biological profiling, for generating deepfakes, or for operating generative models.
  • Revised Risk Assessment Requirements. The CPPA’s proposed revisions include clarifying which operational elements must be identified in a risk assessment, which negative impacts to consumers’ privacy a business may consider, and which safeguards a business must identify for ADMT to ensure the ADMT works as intended and does not discriminate.
  • Revised Risk Assessment Submission Requirements. The CPPA has streamlined what must be included in an abridged risk assessment and further clarified exemptions to the risk assessment submission requirements. For example, a business is not required to submit a risk assessment if the business has previously conducted and submitted to the CPPA an abridged risk assessment for a given processing activity, and there were no material changes to that processing during a subsequent submission period (however, the business must still submit a certification of compliance to the Agency).

Draft Updates to Existing CCPA Regulations. In addition to the initial draft regulations for ADMT and risk assessments, the CPPA also discussed revisions to the pre-existing CCPA regulations. Similar to the Risk Assessment and ADMT regulations discussed above, formal rulemaking proceedings are still pending for these proposed amendments, which include the following notable updates:

  • Revised Definition of Sensitive Personal Information. The CPPA proposed revising the definition of sensitive personal information to include “[p]ersonal information of consumers that the business has actual knowledge are less than 16 years of age.” The proposed revisions further clarify that businesses that willfully disregard the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
  • Denying Consumer Requests. Under the revised regulations, if the business denies a consumer’s request to know, correct, delete, opt-out of the sale/sharing of personal information, or limit use and disclosure of sensitive personal information, the business must, among other things, inform the consumer that they can file a complaint with the Agency and the Attorney General and provide links to the complaint forms available on their respective websites.
  • Verification of Consumer Requests. Under the revised regulations, businesses would be required to match identifying information provided by the consumer to the personal information of the consumer already maintained by the business before requesting any additional information from the consumer.
  • Service Providers and Contractors. The CPPA proposed adding a requirement that any retention, use, or disclosure of personal information by service providers or contractors pursuant to its written contract with a business must be “reasonably necessary and proportionate” for the purposes stated in the contract.

For more information about these developments, contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Security team.


[1] Cal. Civ. Code § 1798.100(c)

[2] 11 CCR § 7002(d)

[3] 11 CCR § 7060(c)

[4] See the CPPA Enforcement Update & Priorities presentation available at https://cppa.ca.gov/meetings/materials/20240308_item6_enforcement_update.pdf.
