Support Centre

Kentucky

Summary

Law: Kentucky Act relating to Consumer Data Privacy and Making an Appropriation Therefor ('KCDPA')

Regulator: The Kentucky Attorney General ('AG')

On April 4, 2024, the Governor of Kentucky signed into law House Bill 15 for an act relating to consumer data privacy and making an appropriation therefor, enacting the KCDPA which will enter into effect on January 1, 2026. The KCDPA regulates the processing of personal data and introduces obligations for data controllers and processors related to consent, disclosure, and data security. Additionally, the KCDPA establishes new consumer rights such as the right to access, delete, and to opt out of targeted advertising and the sale of personal data. Furthermore, the KCDPA provides the Kentucky AG with enforcement powers but does not provide a private right of action.

In addition, under the Kentucky data breach notification law (§365.732 of Title XXIX of the Kentucky Revised Statutes), a personal data breach must be notified to affected Kentucky residents, and if such a breach affects more than 1,000 Kentucky residents, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.

Insights

Kentucky's Governor Andy Beshear signed the Act Relating to Consumer Data Privacy as an addition to Kentucky's Consumer Protection Act (under Chapter 367 of the Kentucky Revised Statutes) on April 4, 2024. Kentucky's new privacy law is the 16th state consumer privacy law enacted in the US and the third in 2024. It shares many of the same features as the other comprehensive US state privacy laws. Julia Jacobson and Alexandra Kiosse, from Squire Patton Boggs, compare 2024's first three new consumer privacy laws.

Three states - Kentucky, Maryland, and Nebraska - welcomed Spring 2024 by passing comprehensive consumer privacy laws, joining the laws in New Hampshire and New Jersey1 enacted earlier this year. With the five new laws enacted in early Q2 2024, more than one-third of states have consumer privacy laws on the books.

In this part one Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answer common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws.

On 8 April 2022, the Kentucky Governor signed into law House Bill ('HB') 502 for the Genetic Information Privacy Act ('the Act'). In particular, the Act grants consumers greater control over their genetic materials by regulating the collection, use, and disclosure of genetic data, among others. The Act will go into effect on 1 June 2022. As such, OneTrust DataGuidance highlights some of its key provisions, focusing on areas such as consumer rights, business obligations, and what to expect with regard to enforcement.