Kentucky Strengthens Data Privacy with New Amendments – What Businesses Need to Know


Kentucky is sharpening its focus on data privacy. On March 15, 2025, Governor Andy Beshear signed House Bill 473 (HB 473) into law, introducing targeted amendments to the Kentucky Consumer Data Protection Act (“KCDPA”). Though the KCDPA doesn’t go into effect until January 1, 2026, businesses that handle personal data should begin preparing now.
HB 473 introduces technical updates and important clarifications, especially for organizations in healthcare and businesses using data-driven profiling. Here’s what you need to know.
Key Exemptions for Healthcare Data.
HB 473 adds two new categories of data exempt from the KCDPA, aiming to eliminate overlap with federal regulations, particularly HIPAA:
  • Protected Health Information (“PHI”) handled by HIPAA-covered entities is now excluded.
  • Limited Data Sets (as defined under 45 C.F.R. § 164.514(e)) are also exempt. These datasets, often used in research and public health, remove key personal identifiers and are already regulated by HIPAA.
Why this matters.
If your organization is a covered entity or business associate under HIPAA, you’ll no longer need to duplicate compliance efforts for data already governed by federal law. This amendment brings Kentucky’s privacy framework more in line with national standards and eases compliance burdens on healthcare providers.
Revised Requirements for Data Protection Impact Assessments (“DPIAs”).
Originally, the KCDPA required DPIAs when personal data was processed for profiling that might significantly affect consumers. HB 473 clarifies and narrows that requirement.
Under the amended standard, businesses must conduct a DPIA if the profiling presents a foreseeable risk of causing unlawful disparate impact on consumers, such as discrimination based on race, gender, or other protected characteristics.
Key takeaway.
If your organization uses automated decision-making tools, including AI, for things like credit decisions, pricing, or hiring, you must evaluate whether these tools could unintentionally lead to biased or unfair outcomes. This amendment reflects growing concern around algorithmic transparency and fairness.
Compliance Checklist Ahead of 2026.
To stay ahead of the law’s implementation, businesses should:
  • Review data inventories to identify PHI and Limited Data Sets that are now exempt.
  • Reassess profiling practices, especially those influencing decisions that affect consumers.
  • Update DPIA templates to incorporate the clarified standard around disparate impact.
Need Help Getting Ready?
We offer privacy tools, checklists, and compliance templates tailored for the KCDPA. If your organization needs help reviewing profiling systems, mapping your data, or updating privacy notices before 2026, explore our comprehensive CLIClaw Kentucky Consumer Data Protection Act Compliance Library for in-depth resources and insights.


This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.