April 5, 2024

Kentucky Consumer Data Protection Act: Kentucky Nears Passing a Comprehensive Consumer Data Privacy Law

Learn about the Kentucky Consumer Data Protection Act, the latest comprehensive consumer privacy law in the United States. Discover its implications for businesses, consumer rights, obligations, and enforcement. Stay informed about the changing landscape of data privacy.

Kentucky is the fifteenth US state to enact a comprehensive consumer privacy law. The Kentucky Consumer Data Protection Act grants consumers data privacy rights, prescribes obligations for covered companies that process personal data, and follows trends in the US state privacy landscape.

This privacy bill is very similar to others that are already in effect, most notably the Connecticut Data Privacy Act.

With fifteen states now having a comprehensive privacy law in place, almost one-third of US states regulate consumer data privacy. As more bills move through their legislatures, it is safe to say that the days when the US had no privacy legislation are about to become history.

If you haven't learned about the data protection laws in the US yet, we have a comprehensive blog archive. In summary, it is crucial for you to prioritize data privacy compliance promptly. In this article, we will dive into Kentucky House Bill 15, widely known as the Kentucky Consumer Data Protection Act (KCDPA), and explain what it requires from your business.

What is the Kentucky Consumer Data Protection Act?

The Kentucky Consumer Data Protection Act (KCDPA) is the most comprehensive privacy bill in Kentucky. The Kentucky Senate passed HB 15 to regulate data processing activities in the state and to grant consumers rights over their data.

It will come into effect on January 1, 2026.

What is KCDPA Personal Information?

Any information that identifies or could identify a person is personal information.

Aside from obvious data categories, such as personal name, home address, email address, Social Security number, and phone number, information that could indirectly lead to a person is also personal. That includes browsing behavior, purchase behavior patterns, IP addresses, device fingerprints, and similar data.

De-identified data and publicly available data are not considered personal information.

What is KCDPA Sensitive Data?

KCDPA follows the definitions used in many other state laws. Sensitive data includes:

  • Genetic or biometric data
  • Precise geolocation data
  • Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, unless it is used to avoid discrimination
  • Data of a known child

Does the Kentucky privacy law apply to my business?

The Kentucky Consumer Data Protection Act (HB 15) applies to your business if you either operate from the state or target Kentucky consumers, and at the same time either:

  • Control or process the personal data of at least 100,000 Kentucky residents, or
  • Control or process the personal data of at least 25,000 Kentucky residents and derive at least 50% of revenue from the sale of personal data.

However, some entities are exempt from the law. They include:

  • Entities covered by the GLBA
  • Entities covered by HIPAA
  • Higher education institutions
  • Non-profits

What rights do Kentucky consumers have under the Kentucky Consumer Data Privacy Law?

Kentucky consumers have the right to:

  • Know about the processing
  • Access their data
  • Delete their data
  • Data portability
  • Opt-out of data sales or processing for targeted advertising purposes

Businesses can and should authenticate a consumer request before responding to it. However, the response must not take longer than 45 days, or 90 days in complex cases.

Businesses should have designated methods for receiving requests. Responding to a request must be free of charge, unless doing so results in excessive expense for the business.

What duties do businesses have under the Kentucky State Privacy Law?

Every business that needs to comply with the Kentucky comprehensive privacy law must do the following:

  • Implement reasonable technical and organizational measures to keep the data safe and protected
  • Process only the minimum amount of data needed
  • Not use the data for purposes other than those for which it was collected
  • Conduct data protection impact assessments, where needed
  • Respond to consumer data requests in a timely manner
  • Not process data without a written data processing agreement in place
  • Not process sensitive data without showing the consumer a privacy notice and giving them an opportunity to opt out

What duties do processors have?

Processors handle personal data on behalf of the controller. Considering their role in the processing, processors must adhere to the controller's instructions on what and why to process, while also assisting the controller in complying with legal requirements.

A written contract that clearly outlines the obligations and demands confidentiality from the processor must govern the relationship between the controller and the processor.

Do I need a privacy policy?

Yes, you need a privacy policy to comply with this law.

At the very least, it should include:

  • The purposes of processing
  • The categories of data collected and processed
  • Consumer rights and how to exercise them
  • The categories of data shared with third parties
  • The categories of third parties with whom data is shared

You should provide consumers with a privacy notice at the time of data collection.

Do we need to collect cookie consent?

Like other state privacy laws across the US, Kentucky permits the processing of personal data on an opt-out basis, which means you do not need consent before collecting data. Sensitive data is the exception: to process it, you must obtain consent.

Consent requires "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer". It may take the form of a written statement, including one written electronically, or any other unambiguous affirmative action.

What are the Kentucky Data Privacy Bill opt-out requirements?

Kentucky consumers can opt out of the sale of their personal data and of the processing of their data for targeted advertising.

The sale of personal data means the exchange of personal data for monetary consideration by the controller with a third party.

Targeted advertising is defined as "displaying advertisements to a consumer based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests".

Do we need data protection impact assessments?

Yes, for high-risk processing activities, you will need to conduct a data protection impact assessment.

In general, you will need to conduct a DPIA before selling personal data, before processing personal data for targeted advertising, and when processing sensitive data.

The DPIA shall assess the risks of the processing or sale and identify measures for mitigating those risks.

Enforcement and penalties

The Kentucky Attorney General enforces the state's comprehensive data privacy law. Businesses found to be in violation have a 30-day cure period to remedy the violation. If they fail to do so, the fine is USD 7,500 per violation, as in many other US states.

This privacy act does not grant consumers a private right of action; enforcement power rests entirely with the Attorney General.
