Kentucky is the Most Recent State to Pass Consumer Data Privacy Legislation
The Kentucky Consumer Data Protection Act (“KCDPA”) was passed by the Kentucky legislature on March 27, 2024, making Kentucky the fifteenth state to enact consumer data privacy legislation. The bill, which is expected to be signed into law, does not impose additional compliance burdens on entities already complying with other non-California privacy laws. It limits the definition of “sale of personal data” to exchanges of personal data for monetary consideration, does not require that controllers recognize opt-out requests submitted via opt-out preference signals or global privacy controls, does not establish a private right of action or a privacy-focused regulator, does not grant the Attorney General any rulemaking authority, and does include a permanent 30-day cure period provision. The KCDPA is slated to take effect January 1, 2026.
The KCDPA applies to any person that conducts business in Kentucky or produces products or services that are targeted to Kentucky residents and, during a calendar year, either: (a) controls or processes the personal data of at least 100,000 Kentucky consumers, or (b) controls or processes the personal data of at least 25,000 Kentucky consumers and derives more than 50% of its gross revenue from the sale of personal data.
The KCDPA provides what have become standard exemptions for various entities and information types, including state, city, and political subdivision entities, financial institutions, nonprofit organizations, higher education institutions, and certain employment-related data. It also exempts information governed by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act. The bill also includes an insurance fraud-related exemption for organizations that do not provide net earnings to or benefit any officer, employee, or shareholder, as long as they collect, process, use, or share data solely for identifying, investigating, or assisting law enforcement agencies with suspected insurance-related criminal or fraudulent acts, or for assisting first responders in catastrophic events.
It is important to note two definitions given in the bill. The KCDPA defines “personal data” as any information that is linked or reasonably linkable to “an identified or identifiable natural person,” meaning a person who can be readily identified, directly or indirectly. This does not include information that is publicly available or de-identified. The KCDPA states that a video or audio recording, or data generated from it, is not biometric data unless it is used to identify a specific individual.
The KCDPA defines “sensitive data” to include:
1. Information that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
2. The processing of genetic or biometric data for the purpose of uniquely identifying an individual;
3. Personal data collected from a known child (under 13); or
4. Precise geolocation data (within a 1,750-foot radius).
The obligations imposed on the controllers under the KCDPA include requirements to:
1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.
2. Avoid processing personal data for secondary reasons (purposes that are neither reasonably necessary to nor compatible with the initial disclosed purposes) without the consumer’s prior consent.
3. Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
4. Not process personal data in violation of laws that prohibit unlawful discrimination against consumers, and refrain from discriminating against consumers that exercise their rights.
5. Not process the consumer’s sensitive data without the consumer’s consent, or in the case of sensitive data collected from a known child (under 13 years old), without parental consent in accordance with COPPA requirements.
6. Provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the disclosures now common under state consumer privacy laws.
The KCDPA will require that controllers provide consumers with a privacy notice that includes:
1. The categories of personal data processed;
2. The purpose for said processing;
3. A description of how consumers may exercise their consumer data rights, including appealing decisions;
4. The categories of personal data shared with third parties; and
5. The categories of third parties with which personal data is shared.
The notice must be “clear and conspicuous” and disclose the controller’s processing of personal data for targeted advertising or sale of personal data, as well as the manner in which consumers may opt out of such processing.
The KCDPA creates rights for Kentucky consumers, including:
1. The right to confirm whether a controller is processing a consumer’s personal data and to access said data;
2. The right to correct inaccurate personal data;
3. The right to delete personal data; the right to data portability;
4. The right to opt-out of the processing of personal data for purposes of targeted advertising, sale of personal data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer”; and
5. The right to appeal a rights request denial to the processor.
For vendors (identified in the statute as “controllers”), the KCDPA requires controllers to conduct “data protection impact assessments” whenever the controller is:
1. Processing personal data for targeted advertising;
2. Selling personal data;
3. Processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers or results in other substantial injury to consumers;
4. Processing sensitive data; and processing personal data that presents a heightened risk of harm to consumers.
The assessments must explain the benefits to the involved parties and the risks to consumer rights that may flow, both directly and indirectly, from the processing activity. The KCDPA permits impact assessments performed for other state privacy laws to satisfy the assessment requirements under this law. Data protection assessment requirements will apply only to processing activities created on or after June 1, 2026. A processor’s data processing activities on behalf of a controller must be governed by a data processing agreement.
Kentucky’s attorney general has exclusive enforcement power, and there is no private right of action. The attorney general must provide businesses with a 30-day notice-and-cure period before initiating an enforcement action. The cure period does not sunset. The attorney general is authorized to seek civil penalties of up to $7,500 per violation.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
