State Privacy Law Tracker: Kentucky

Kentucky Data Privacy Law

Currently, there is no comprehensive Kentucky privacy law in effect. However, the Supreme Court of Kentucky has interpreted that the Constitution of Kentucky inherently recognizes the right to privacy.

Other Privacy-Related Laws in Kentucky

Kentucky has various laws related to privacy such as the Consumer Protection Act which refers to unfair, false, misleading, or deceptive acts or practices in the conduct of any trade or commerce as unlawful. In addition, there is a Kentucky student privacy act in place to protect the personal information of students.

The Kentucky data breach notification law requires that  a personal data breach must be notified to affected Kentucky residents, and, if such a breach affects more than 1,000 Kentucky residents, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis

An Attempt at Comprehensive Data Privacy Legislation

In March 2023, there were some fingers crossed in the hope of Kentucky joining the growing number of states that have enacted data privacy legislation. On January 3, 2023, Senator Whitney Westerfield and Senator John Schickel introduced Senate Bill 15, which was proposed to create new sections of the Consumer Protection Act for Kentucky residents relating to personal data. 

Kentucky Senate Bill 15 died in the House on March 30.

Notably, Senate Bill 15 would have applied to business entities conducting business or which produce products or services that target Kentucky residents and that, during a calendar year: control or process personal data of at least 10,000 consumers; or, derive over 40% of gross revenue from the sale of personal data. Senate Bill 15 defines a consumer as a natural person who is a resident of Kentucky acting only in an individual or household context. A consumer does not include a person acting in a commercial or employment context, or as an independent contractor. The law will exempt certain organizations from its application, including, for example, state agencies under certain circumstances, financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA-covered entities, nonprofit organizations, and institutions of higher education.

This is not the first time a data privacy bill has been introduced in the Kentucky legislature. A similar bill was introduced last year but did not receive much traction. If enacted, covered businesses will be tasked with assessing and updating their personal data collection processes, developing a privacy policy, and implementing procedures to comply with the newly established rights by January 1, 2025. The new law would also require certain contract terms to be in place between data controllers and their data processors. This year’s legislative effort has already advanced further than its 2022 counterpart, but it remains to be seen whether the proposed legislation will ultimately pass or fail.

While a uniform consumer data privacy law has been a hot topic in Congress for a number of years, the U.S. currently lacks a comprehensive consumer privacy law. In the meantime, businesses are forced to navigate a myriad of state privacy regulations. The number of states enacting comprehensive data privacy laws continues to grow, with California, Colorado, Connecticut, Utah, and Virginia recently adopting sweeping data privacy laws. Other states, such as Nevada, have enacted more limited consumer privacy protection laws. Kentucky is among 20 states considering new data privacy legislation in 2023. With this ever-changing privacy landscape, it is important for businesses to stay abreast of the privacy laws in the states where they operate and in states where they collect residents’ information.

Centraleyes is committed to updating its readers on the latest state privacy updates.

Sign up for our Data Privacy Tracker with monthly updates on the latest news and developments

Skip to content