On April 4, 2024, Governor Andy Beshear enacted the Kentucky Consumer Data Protection Act (KCDPA), previously known as House Bill 15. This comprehensive legislation is set to take effect on January 1, 2026, aligning with the privacy regulations of other states across the U.S. The KCDPA establishes rigorous standards for the processing of personal data and significantly expands the rights of Kentucky residents.
Who is Affected by the KCDPA?
The KCDPA’s provisions apply to “controllers,” defined as entities that:
- Engage in business within Kentucky; or
- Offer products or services aimed at Kentucky residents and, during a calendar year, manage or process the personal data of:
  - At least 100,000 consumers; or
  - At least 25,000 consumers, with over 50% of gross revenues derived from selling personal data.
Notably, the KCDPA excludes certain organizations such as law enforcement, cities, municipalities, nonprofits, HIPAA-covered entities, financial institutions, higher education institutions, and small telephone utilities.
Consumer Protections under the KCDPA
Under this new law, Kentucky consumers can:
- Verify if a controller is using their personal data;
- Correct inaccuracies within their personal data;
- Delete their personal data;
- Retrieve a copy of their personal data;
- Opt out of their data being used for targeted advertising, sold, or used for profiling.
Consumers can exercise these rights by submitting a request to the controller, and if unsatisfied with the response, they may appeal or contact the state attorney general.
Controller Obligations
Entities subject to the KCDPA are required to provide a transparent, accessible privacy policy that outlines:
- The types of personal data processed;
- The purposes for processing;
- How consumers can exercise their rights;
- The categories of third parties that receive personal data;
- Any involvement in targeted advertising and the corresponding consumer rights.
Scope of Data and Processing Activities
The KCDPA covers all personal data, excluding de-identified or publicly available information. It also mandates affirmative consent for processing sensitive data, which includes racial, health, sexual orientation, genetic, biometric, and children’s data. Controllers must obtain clear, verified consent prior to collecting sensitive data.
The act also directs controllers to handle pseudonymous data carefully so that it cannot be attributed to an individual without additional information.
Regulated Business Activities
Kentucky is particularly concerned with the sale of personal data and targeted advertising. The act defines exceptions to these activities and emphasizes the need for transparency and consumer consent.
Compliance Assessments and Enforcement
Controllers must conduct Data Protection Impact Assessments for activities like targeted advertising, selling personal data, and processing sensitive data. Kentucky’s attorney general is tasked with enforcing the KCDPA, with potential penalties reaching $7,500 per violation. Notably, the KCDPA does not provide a private right of action for consumers.
Conclusion
The Kentucky Consumer Data Protection Act represents a significant step in protecting the privacy of Kentucky residents. Businesses operating within Kentucky must prepare to comply with these regulations. For assistance with updating your privacy policies, conducting impact assessments, or any other requirements under the KCDPA, please contact Nick Birkenhauer and our team at DBL Law.