Law: Kentucky Act relating to Consumer Data Privacy and Making an Appropriation Therefor ('KCDPA')

Regulator: The Kentucky Attorney General ('AG')

On April 4, 2024, the Governor of Kentucky signed into law House Bill 15 for an act relating to consumer data privacy and making an appropriation therefor, enacting the KCDPA which will enter into effect on January 1, 2026. The KCDPA regulates the processing of personal data and introduces obligations for data controllers and processors related to consent, disclosure, and data security. Additionally, the KCDPA establishes new consumer rights such as the right to access, delete, and to opt out of targeted advertising and the sale of personal data. Furthermore, the KCDPA provides the Kentucky AG with enforcement powers but does not provide a private right of action.

In addition, under the Kentucky data breach notification law (§365.732 of Title XXIX of the Kentucky Revised Statutes), a personal data breach must be notified to affected Kentucky residents, and if such a breach affects more than 1,000 Kentucky residents, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.