Kentucky is the fifteenth US state to enact a comprehensive consumer privacy law. The Kentucky Consumer Data Protection Act grants consumers data privacy rights, prescribes obligations for covered companies that process personal data, and follows trends in the US state privacy landscape.
This privacy bill is very similar to others that are already in effect, most notably the Connecticut Data Protection Act.
Being the fifteenth state with a comprehensive privacy law in place means that almost one-third of the states now have a state privacy law. With a few more legislative procedures, it is safe to conclude that the days when the US had no privacy legislation are about to become history.
If you haven't learned about the data protection laws in the US yet, we have a comprehensive blog archive. In summary, it is crucial for you to prioritize data privacy compliance promptly. In this article, we will dive into Kentucky House Bill 15, widely known as the Kentucky Consumer Data Protection Act (KCDPA), and explain what it requires from your business.
What is the Kentucky Consumer Data Protection Act?
The Kentucky Consumer Data Protection Act (KCDPA) is the most comprehensive privacy bill in Kentucky. The Kentucky Senate passed HB 15 to regulate the state's data processing activities and grant consumers rights to their data.
It will come into effect on January 1, 2026.
What is KCDPA Personal Information?
Any information that identifies or could identify a person is personal information.
Aside from obvious data categories, such as personal name, home address, email address, Social Security number, and phone number, information that could indirectly lead to a person is also personal. That includes browsing behavior, purchase behavior patterns, IP addresses, device fingerprints, and similar data.
De-identified data and publicly available data are not considered personal information.
What is KCDPA Sensitive Data?
KCDPA follows the definitions of many other state laws. It entails:
- Genetic or biometric data
- Precise geolocation data
- Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, unless it is used to avoid discrimination,
- Data of a known child.
Does the Kentucky privacy law apply to my business?
The Kentucky Consumer Data Protection Act (HB 15) applies to your business if you either operate from the state or target Kentucky consumers, and at the same time either:
- Control or process the personal data of a minimum of 100,000 residents in Kentucky.
- Control or process the personal data of at least 25.000 Kentucky residents and derive at least 50% of the revenue from the sale of personal information.
However, the application excludes some entities. They include:
- Entities covered by the GLBA
- Entities covered by HIPAA
- Higher education institutions
- Non-profits
What rights do Kentucky consumers have under the Kentucky Consumer Data Privacy Law?
Kentucky consumers have the right to:
- Know about the processing
- Access their data
- Delete their data
- Data portability
- Opt-out of data sales or processing for targeted advertising purposes
Businesses can and should authenticate the consumer request before responding to it. However, the response time shall not take longer than 45 days, or 90 days in some complex cases.
Businesses should have designated methods for receiving requests. Requests for information must be free of charge, unless it results in excessive expenses for the business.
What duties do businesses have under the Kentucky State Privacy Law?
Every business that needs to comply with the Kentucky comprehensive privacy law must do the following:
- Implement reasonable technical and organizational measures to keep the data safe and protected
- Process only the minimum amount of data
- Do not use the data for purposes other than those for which it has been collected
- Conduct data protection impact assessments, where needed
- Respond timely to consumer data requests
- Not process data without a written data processing agreement in place
- Not process sensitive data without showing the consumer a privacy notice and an opportunity to opt-out
What duties do processors have?
Processors handle personal data on behalf of the controller. Considering their role in the processing, processors must adhere to the controller's instructions on what and why to process, while also assisting the controller in complying with legal requirements.
A written contract that clearly outlines the obligations and demands confidentiality from the processor must govern the relationship between the controller and the processor.
Do I need a privacy policy?
Yes, you need a privacy policy to comply with this law.
At the very least, it should include:
- The purposes of processing
- The categories of data that need collection and processing
- Consumer rights and how to exercise them
- The categories of data shared with third parties
- The categories of third parties with whom data is shared.
You should provide consumers with a privacy notice at the time of data collection.
Do we need to collect cookie consent?
As the state privacy bills from across the US allow, the processing of personal data in Kentucky is allowed based on the opt-out principle, which means that you don't need consent before collecting data. But sensitive data is an exception. To process it, you must obtain consent.
"A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer" is required for the consent, and it may take the form of a written statement, including one written electronically, or any other unambiguous affirmative action.
What are the Kentucky Data Privacy Bill opt-out requirements?
Kentucky consumers can opt out of the sale of their personal data and from processing data for purposes of targeted advertising.
The sale of personal data means the exchange of personal data for monetary consideration by the controller with a third party.
"Displaying advertisements to a consumer based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests" is the definition of targeted advertising.
Do we need data protection impact assessments?
Yes, for high-risk processing activities, you will need to conduct a data protection impact assessment.
In general, you'll need to conduct a DPIA before selling personal information, before processing personal data for targeted advertising, or when processing sensitive information.
The DPIA shall assess the risks of the processing or sale and identify measures for mitigating those risks.
Enforcement and penalties
The Kentucky Attorney General enforces the state's comprehensive data privacy law. Businesses found to be in violation have a 30-day cure period to remedy the violation. If they fail to do so, the fine is USD 7,500 per violation, as in many other US states.
This privacy act does not grant consumers a private right to action but focuses the entire enforcement power on the Attorney General.
