State Privacy Law Tracker: Kentucky

Kentucky Data Privacy Law

Kentucky’s upcoming Consumer Data Protection Act, set to take effect on January 1, 2026, will enact robust measures safeguarding consumer privacy.

The Act, which introduces new sections into the Kentucky Revised Statutes Chapter 367, will significantly change how businesses handle and process the personal data of Kentucky residents. It empowers individuals with a suite of rights pertaining to their personal data, ranging from the ability to confirm data processing to the right to opt out of targeted advertising and profiling activities.

Scope of Application

The law applies to businesses operating in Kentucky or targeting Kentucky residents and handling the personal data of a significant number of consumers. Unlike some other state laws, Kentucky does not include a revenue threshold for applicability. However, certain entities, such as governmental bodies, educational institutions, and organizations covered by specific federal laws like HIPAA or GLBA, are exempt from the law’s requirements.

Controller Obligations

Businesses acting as data controllers must adhere to several obligations, including limiting the collection of personal data to the stated purpose, implementing security measures, and providing clear privacy notices to consumers. They are also prohibited from discriminating against consumers who exercise their rights under the law and must avoid processing sensitive personal or children’s data without appropriate consent.

Consumer Rights

The law grants consumers several rights regarding their personal data, including access, rectification, deletion, and obtaining a copy of their data. Consumers also have the right to opt out of targeted advertising, the sale of personal data, or profiling activities. Businesses must respond to consumer requests within 45 days and provide the requested information free of charge, subject to certain exceptions.

Submitting an Appeal

If a business rejects a consumer’s request, the consumer can appeal the decision. The company must provide a written explanation for the denial, and consumers can escalate the matter to the Kentucky Attorney General if necessary.

Enforcement

The Kentucky Attorney General has exclusive enforcement authority under the law. Before taking any action against a business for non-compliance, the Attorney General must provide a 30-day notice-and-cure period. Violations of the law can result in penalties of up to USD 7,500 per violation.

The law includes a 30-day cure period, which allows businesses to rectify violations within a specified timeframe. This provision offers a degree of leniency by allowing businesses to address compliance issues before facing penalties. However, it also underscores the importance of prompt action and ongoing compliance efforts to avoid potential enforcement actions by the Attorney General.

Comparison with Other State Laws

Rep. Josh Branscum, R-Ky, touted HB 15 as a “workable solution” to ensure consumer rights and protections, framing the proposal as “a great starting point” and “a framework for our legislature to improve upon for sessions to come.”

House Bill 15 mirrors Virginia’s opt-out statute closely, with identical coverage thresholds for entities controlling or processing personal data. The bill also aligns with Virginia’s requirements for data protection impact assessments, user opt-outs, and a 30-day cure provision.

However, it also includes some unique provisions, such as its approach to defining biometric data and the narrow definition of “sale” of personal data. The law exempts certain entities and data categories, aligning with the exemptions seen in other state laws.

Implications for Businesses

Businesses operating in Kentucky must assess whether the law applies to them based on the specified processing thresholds and potential exemptions. Determining this requires a careful examination of their data processing activities and whether they meet the criteria outlined in the law. Additionally, businesses must understand the requirements for qualifying for exemptions, which may involve providing evidence or meeting certain conditions.

This is not the first time a data privacy bill has been introduced in the Kentucky legislature. A similar bill was introduced last year but did not receive much traction. If enacted, covered businesses will be tasked with assessing and updating their personal data collection processes, developing a privacy policy, and implementing procedures to comply with the newly established rights by January 1, 2025. The new law would also require specific contract terms to be in place between data controllers and their data processors. This year’s legislative effort has already advanced further than its 2022 counterpart, but whether the proposed legislation will ultimately pass or fail remains to be seen.

While a uniform consumer data privacy law has been a hot topic in Congress for several years, the U.S. lacks a comprehensive one. In the meantime, businesses are forced to navigate many state privacy regulations. The number of states enacting comprehensive data privacy laws continues to grow, with California, Colorado, Connecticut, Utah, and Virginia recently adopting sweeping data privacy laws. Other states like Nevada have enacted more limited consumer privacy protection laws. With this ever-changing privacy landscape, businesses must stay abreast of the privacy laws in the states where they operate and collect residents’ information.

