Kentucky: Off to the races - Bluegrass State passes privacy law
Kentucky has joined the growing number of states to enact a comprehensive data privacy law. The law, introduced as House Bill 15 and titled the Kentucky Consumer Data Protection Act (KCDPA), was passed by the Kentucky legislature on March 27, 2024, and signed by Governor Andy Beshear on April 4, 2024. The KCDPA comes into effect on January 1, 2026.
The requirements of the KCDPA should look familiar to those who have tracked other US state comprehensive privacy laws. This is no accident: Kentucky legislators stated during the legislative process that the KCDPA was modeled after neighboring Virginia's comprehensive privacy law. In this Insight article, Jonathan Ende, Partner at McDermott Will & Emery, examines the KCDPA and its key requirements.
Who does the KCDPA apply to?
The KCDPA applies to any person that conducts business in Kentucky or produces products or services that are targeted to Kentucky residents and meets specific data processing thresholds. This distinguishes it from certain other US state comprehensive privacy laws, such as California's, which can apply to businesses that simply meet a revenue threshold, and Texas's, which has no data processing thresholds. To be subject to the Kentucky Consumer Data Protection Act, a person must, during a calendar year, either:
- control or process the personal data of at least 100,000 Kentucky consumers; or
- control or process the personal data of at least 25,000 Kentucky consumers and derive more than 50% of their gross revenue from the sale of personal data.
The KCDPA defines 'sale' consistent with common usage of the word: an exchange of personal data for monetary consideration. This stands in contrast to certain other US state comprehensive privacy laws, which include exchanges of personal data for any valuable consideration.
Who does the KCDPA exclude?
Like most other US state comprehensive privacy laws, the KCDPA includes both entity-level and data-level exclusions. The entity-level exclusions include city or state government bodies or agencies; nonprofit organizations; higher education institutions; covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA); and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
Distinct from Virginia, the KCDPA includes a narrow entity-level exemption for organizations that do not provide net earnings to, or otherwise benefit, anyone within the organization and that process data solely in connection with assisting KCDPA enforcement agencies with suspected insurance-related criminal acts or fraud, or assisting first responders.
The data-level exclusions include protected health information under HIPAA and other health and medical records, identifiable private information under the Common Rule, and information regulated by the Fair Credit Reporting Act (FCRA).
What does the KCDPA protect?
The KCDPA protects 'personal data,' which is defined as information that is linked or reasonably linkable to an identified or identifiable individual. The definition specifically excludes de-identified data and publicly available information. As with other US state comprehensive privacy laws, data is only considered to be 'de-identified' if the controller takes certain affirmative steps to ensure that data cannot be associated with a natural person, including publicly committing to maintaining and using the data without attempting to re-identify it.
Who does the KCDPA protect?
The KCDPA regulates the personal data of 'consumers.' A 'consumer' is an individual who is a resident of Kentucky acting only in the individual context. The definition of 'consumer' expressly excludes individuals acting in a commercial or employment context, meaning that individuals acting on behalf of an employer or as an employee, contractor, or job applicant are not protected by the KCDPA.
General obligations of controllers
The KCDPA imposes general data processing obligations on 'controllers,' the persons that determine the purpose and means of personal data processing. Among other requirements, controllers must:
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed;
- avoid processing personal data for purposes that are neither reasonably necessary to nor compatible with the initial disclosed purposes without the consumer's prior consent; and
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
Controllers have more specific obligations in a number of areas, which are described in more detail below.
Privacy notice
Controllers are required to provide consumers with a reasonably accessible privacy notice that contains specific information. The required information is similar to what is required under other US state comprehensive privacy laws: the categories of personal data processed by the controller; the purposes of the processing; how consumers can exercise their rights, including the right to appeal; the categories of personal data shared with third parties; and the categories of third parties who receive personal data. Like many other state comprehensive privacy laws, the KCDPA also requires controllers that sell personal data or process it for targeted advertising to clearly and conspicuously disclose such activity in the privacy notice.
Consumer rights
Consumers are granted the following rights by the Kentucky Consumer Data Protection Act:
- confirm whether the controller is processing the consumer's personal data and to access that data;
- correct inaccuracies in personal data;
- delete personal data;
- data portability where processing is carried out by automated means, i.e., obtain a copy of personal data the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that can be transmitted to another controller; and
- opt-out of targeted advertising, the sale of personal data, and profiling to produce a legal or similarly significant effect.
Controllers are required to provide at least one secure means for consumers to submit rights requests, fewer than the two methods required by comprehensive privacy laws in certain other states. The KCDPA allows a child's parent or legal guardian to exercise rights requests on the child's behalf but does not allow agents to exercise rights on behalf of consumers generally.
The process requirements for responding to consumer rights requests mirror those in most other state consumer privacy laws. Controllers must authenticate a request using commercially reasonable effort and respond to a request within 45 days (extendable for another 45 days when reasonably necessary). If a controller declines to complete a rights request, it must provide a justification and provide instructions for appealing the request. Appeals requests must be completed within 60 days of receipt, and if an appeal is denied, the controller must provide the consumer with an online or other mechanism for contacting the Kentucky Attorney General (AG) to submit a complaint.
Sensitive data
The KCDPA treats the following categories of personal data as sensitive: racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a child known to be under age 13; or precise geolocation data (e.g., within a 1,750-foot radius).
Controllers are required to obtain the consumer's consent prior to processing their sensitive data. For personal data collected from a known child, controllers must comply with the verifiable consent requirements of the Children's Online Privacy Protection Act (COPPA).
DPIA
Like its predecessors in other states, the KCDPA requires controllers to conduct data protection impact assessments (DPIAs) of the following activities: processing personal data for targeted advertising; selling personal data; processing sensitive data; processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of substantial injury to consumers; or any other processing of personal data that presents a heightened risk of harm to consumers.
A DPIA must explain the benefits to involved parties and risks to consumer rights that may flow, both directly and indirectly, from the processing activity. The KCDPA permits DPIAs of comparable scope and effect that are performed to comply with other laws to satisfy the requirements of the Kentucky Consumer Data Protection Act.
Data protection assessment requirements will apply only to processing activities conducted on or after June 1, 2026.
Enforcement
The AG has exclusive enforcement power. The AG must provide businesses with a 30-day notice-and-cure period prior to taking any action in response to a violation. Violations carry civil penalties of up to $7,500 per violation.
Jonathan Ende, Partner
[email protected]
McDermott Will & Emery, Washington, DC