On April 4, 2024, Governor Andy Beshear signed into law the Kentucky Consumer Data Protection Act (the KCDPA). Currently, fifteen other states have also enacted a comprehensive privacy law. Like other comprehensive privacy laws, the KCDPA primarily (1) establishes certain rights of Kentucky consumers with respect to personal data; and (2) establishes obligations for businesses that control and process the personal data of Kentucky consumers. Additionally, the KCDPA sets forth requirements for privacy notices, vendor contracts, and impact assessments.
Most provisions of the law are set to take effect on January 1, 2026, allowing businesses time to prepare for compliance with the new requirements. Below is a summary of what Kentucky businesses need to know about the KCDPA.
Which Businesses Are Subject to the KCDPA?
Generally speaking, the KCDPA applies to businesses that process the personal data of a requisite number of Kentucky residents. Specifically, companies or individuals that conduct business in Kentucky or produce products or services targeted to Kentucky residents may be subject to the requirements of the KCDPA if (1) the business controls or processes the personal data of 100,000 consumers who are Kentucky residents; or (2) the business controls or processes the personal data of 25,000 consumers who are Kentucky residents and also earns 50% of its gross revenues from the sale of personal data. For purposes of the KCDPA, “personal data” is defined broadly as “information that is linked or reasonably linkable to an identified or identifiable natural person.” Personal data may include information such as physical addresses, geolocation data, phone numbers, biometric data, or information regarding a consumer’s interaction with an internet website or application. Personal data does not include deidentified data so long as the information remains deidentified. The KCDPA defines “processing” as the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
The KCDPA expressly exempts certain businesses and types of information from its requirements, however. These exemptions include businesses and information that are already subject to compliance requirements under other federal privacy laws, including the following:
- Financial institutions subject to the requirements under the Gramm-Leach-Bliley Act;
- Covered entities or business associates subject to the requirements under HIPAA;
- Protected health information under HIPAA;
- Information regulated by the Fair Credit Reporting Act;
- Information regulated by the Family Educational Rights and Privacy Act; and
- Information regulated by the Farm Credit Act.
Other notable exemptions from the KCDPA include cities, state agencies, or political subdivisions; institutions of higher education; nonprofit companies; and information processed by a utility or an affiliate of a utility for the purposes of providing goods or services to a utility.
What Are the New Consumer Rights Established by the KCDPA?
The KCDPA gives consumers certain rights to control and manage their personal data being collected by businesses. It should be noted, however, that the rights extend only to “consumers,” which are defined under the KCDPA as natural persons residing in Kentucky. Accordingly, the rights do not apply to information collected about companies or other business entities. Moreover, the rights do not extend to information collected by a business regarding the business’s own employees in the context of their employment.
Where the KCDPA applies, consumers will have the following rights:
- the right to confirm that a business has processed their personal data;
- the right to correct any inaccuracies in personal data being processed by a business;
- the right to have their personal data deleted;
- the right to obtain a copy of their personal data being processed by a business; and
- the right to opt out of having their personal data processed for the purposes of targeted advertising, selling their personal data, or profiling in connection with making decisions that have a legal or other significant effect on a consumer.
When consumers exercise one of the above-listed rights to access or control their data, businesses will typically have 45 days under the KCDPA to respond. The KCDPA further provides that consumers may not waive their rights and that any purported waiver agreements will be considered invalid.
What Are the Obligations of a Business That Controls or Processes Personal Data?
Businesses may be considered controllers or processors. A business is a “controller” under the KCDPA if the business determines the purpose and means for processing personal data. A business is considered to be a processor if the business processes personal data on behalf of a controller.
Controllers under the KCDPA have several obligations with respect to the personal data that they process (or that is being processed on their behalf) including the following:
- Limit the collection of personal data to what is necessary and relevant to the services and products being provided;
- Avoid processing personal data for undisclosed purposes without consumer consent;
- Protect the security of personal data processed through appropriate administrative, technical, and physical safeguards; and
- Not discriminate against consumers for exercising their rights under the KCDPA.
Additionally, controllers and processors are obligated to obtain consumer consent before collecting, storing, or otherwise processing “sensitive data,” which is defined under the KCDPA as including (1) information indicating a person’s race, ethnicity, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship, or immigration status; (2) genetic or biometric data used for the purpose of identifying a specific person; (3) data collected from a child; and (4) precise geolocation data.
What about Privacy Notices, Vendor Contracts, and Impact Assessments?
The KCDPA requires covered businesses to provide consumers with a privacy notice and establishes specific requirements for the content of privacy notices, including, among other things, identifying the categories of data provided to third parties and giving specific notice if consumer data is provided to third parties for targeted advertising. Additionally, if businesses are processing personal data for purposes of targeted advertising, selling, or profiling, or are processing sensitive data, they are required under the KCDPA to conduct a data protection impact assessment weighing the benefits and risks to the consumer of such processing. The KCDPA also establishes certain requirements for the content of contracts between businesses controlling personal data and vendors processing such data.
How Will the KCDPA Be Enforced?
The Kentucky Attorney General will have the exclusive authority to enforce the requirements of the KCDPA, including bringing a civil action against violators for recovery of money damages and attorney fees. The KCDPA expressly prohibits private rights of action, meaning that consumers will need to report any alleged violations to the Attorney General.
What Should Businesses Do Now to Prepare for Compliance with the KCDPA?
Importantly, Kentucky businesses should not wait to prepare for compliance with the KCDPA. Right now, businesses can begin preparing by first determining whether they will be subject to the requirements of the KCDPA or whether they fall within an exemption. If a business will be subject to the KCDPA requirements, it should take steps now to conduct an audit or engage in data mapping to determine the types of personal data that it collects, stores, or otherwise processes about Kentucky consumers and how and where such data is collected and stored. Processes may need to be developed for how the business will access, retrieve, and provide consumers with their personal data in a timely manner upon request. Privacy policies and vendor contracts may also need to be reviewed and revised or updated, and, depending upon the purposes for processing such personal data, businesses may need to conduct an impact assessment. Businesses that are unsure whether they are subject to the KCDPA requirements should consult with a privacy lawyer.