On April 4, 2024, Kentucky became the fifteenth state to enact a comprehensive data privacy law, with Governor Andy Beshear signing the Kentucky Consumer Data Protection Act (KCDPA) into law. The Kentucky law will go into effect on January 1, 2026. This makes Kentucky the third state in 2024 to enact such a law, following New Jersey and New Hampshire.
Among the roster of current state privacy laws, the KCDPA appears most similar to Virginia’s Consumer Data Protection Act (VCDPA) and the Connecticut Data Privacy Act (CTDPA), as opposed to the more unique California Consumer Privacy Act (CCPA) or the more business-friendly Utah Consumer Privacy Act (UCPA) and Iowa Consumer Data Protection Act (ICPA).
Key Provisions
- Controller Requirements – obligations for controllers include: data minimization, data security, nondiscrimination, opt-in consent for sensitive data, privacy notices, opt-out for sale of data to third parties, agreements with processors and data protection assessments.
- Processor Requirements – obligations for processors include: ensure a duty of confidentiality for each person processing data, written contracts with subcontractors, adhere to controller instructions and assist controller with data security, consumer requests, breach notification and conducting data protection assessments.
- Individual Rights – right to access, right to correct, right to delete, right to portability and right to opt out of certain processing.
- Insurance Fraud & First Responder Exemptions – the law exempts certain entities that collect, process, use or share data solely in connection with assisting either law enforcement with insurance-related crime, or first responders during catastrophic events.
- Exemption for Some Utilities – small telephone utilities and Tier III CMRS providers as defined under state law are exempt, along with municipally owned utilities that do not sell or share personal data with third-party processors.
- No Requirement to Recognize Universal Opt-Out – unlike many other state laws, controllers have no obligation to allow consumers to opt-out of targeted advertising via universal opt-out mechanisms.
- 30-day Cure Period – controllers and processors will have a 30-day period to cure violations, and this cure period does NOT sunset.
Who Must Comply with the KCDPA?
The KCDPA applies to “controllers” and “processors,” much like other comprehensive state privacy laws and the European Union (EU) General Data Protection Regulation (GDPR). Much like other laws, “controllers” are entities that alone or jointly with others determine the purposes and means of processing personal data, while “processors” are entities that process that data on behalf of the controller. The KCDPA applies to any persons conducting business in Kentucky or producing products or services targeted to Kentucky residents (consumers) and that, during a calendar year:
- Control or process personal data of at least 100,000 consumers.
- Control or process personal data of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data.1
As with many other comprehensive privacy laws, the KCDPA lacks a revenue threshold, meaning that relatively small businesses might be subject to its provisions.
What Information Is Covered?
The KCDPA applies to “personal data,” defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person” excluding information that is de-identified data or publicly available.2
The law’s definition of “sensitive” data is not as broad as in some other recent state laws, such as New Jersey, and includes: data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, processing genetic or biometric data for the purpose of identifying a specific person, personal data of a known child and precise geolocation data.3
What Are the Notable Exemptions?
The KCDPA contains a variety of both entity- and data-level exemptions, similar to other state privacy laws.
Entity-Level Exemptions
Most of the KCDPA’s exempt entities are typical of other state privacy laws, namely: state and city entities and political subdivisions, financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA), covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA),4 nonprofits and institutions of higher education.5
Diverging from other state laws, the KCDPA exempts certain organizations that among other things, collect, process, use or share data solely for assisting either law enforcement agencies with insurance-related fraud or first responders with catastrophic events.6 There is also an exemption for certain small telephone utilities, Tier III Commercial Mobile Radio Service (CMRS) providers as defined under state law, and municipal utilities that do not sell or share personal data with third-party processors.7
Data-Level Exemptions
The KCDPA excludes publicly available and de-identified data but does not mention aggregated data. Similar to many state privacy laws, the KCDPA excludes persons acting in a “commercial or employment context” from its definition of “consumer,” meaning that employees and business-to-business contacts are not covered.8 There is also an exemption for data processed or maintained in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party if the data is used in the context of that role, along with exemptions for emergency contact information and data necessary to retain or administer benefits for another individual.9
The law exempts personal data under the Fair Credit Reporting Act (FCRA); data subject to the GLBA; data subject to the federal Driver’s Privacy Protection Act (DPPA); data subject to the Family Educational Rights and Privacy Act (FERPA); and data subject to the Farm Credit Act.10 The law contains a separate carve-out for data processed by utilities and their affiliates.11
The KCDPA also contains detailed health-data related carve-outs, including: protected health information under HIPAA along with health records and patient identifying information; identifiable information collected for human subject research, information created for the Health Care Quality Improvement Act (HCQA); patient safety work product regarding the Patient Safety and Quality Improvement Act (PSQIA); information used only for public health activities as authorized by HIPAA; and personal data collected and used under the Combat Methamphetamine Epidemic Act of 2005.12
The KCDPA also provides that controllers and processors that comply with the verifiable parental consent requirements under the Children’s Online Privacy Protection Act (COPPA) will be deemed compliant with any obligation to obtain parental consent required under the act.13
What Rights Do Kentucky Consumers Have?
Much like other state privacy laws, the KCDPA provides consumers with the right to (1) confirm whether a controller is processing personal data and to access said data (without revealing controller trade secrets); (2) correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by or obtained about the consumer; (4) obtain a portable copy of their personal data to the extent feasible and without revealing trade secrets; and (5) opt out of the processing of data for purposes of targeted advertising, sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.14
Similar to more business-friendly state privacy laws like Virginia and Utah, the KCDPA defines a “sale of personal data” as an exchange for monetary consideration only. A sale of personal data specifically does not include disclosure (1) to a processor; (2) to a third party providing services requested by a consumer; (3) to an affiliate of the controller; (4) that a consumer intentionally made available to the public via mass media and did not restrict the audience for; or (5) to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy or other transaction involving third-party control of a controller’s assets.15 The KCDPA also notably does not require controllers to recognize universal opt-out mechanisms as a means for consumers to opt out of processing their personal data.
Controllers have 45 days to respond to a consumer request, extendable by another 45 days when reasonably necessary, so long as the consumer is informed of the reason for the extension. Similar to other state comprehensive privacy laws, the KCDPA also requires controllers to provide consumers with instructions on appealing a decision to decline their request.16 In providing this right, controllers must establish a process that is conspicuously available to the consumer and respond within 60 days of receipt of an appeal. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
What Obligations Do Controllers and Processors Have?
Like other state comprehensive privacy laws and the GDPR, the KCDPA features a range of obligations for both controllers and processors.
Controller Requirements
- Data Minimization and Purpose Specification: Controllers must limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes for which the data is processed. Unless they obtain consumer consent, controllers may not process personal data for purposes not reasonably necessary for, nor compatible with, the disclosed purpose for which the data is processed.17
- Data Security: Controllers must establish and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, appropriate to the volume and nature of the data in question.18
- Nondiscrimination: Controllers must not process personal data in violation of state or federal laws against unlawful discrimination against consumers. This does not preclude controllers from offering different prices or goods related to a consumer’s voluntary participation in a loyalty or rewards program.19
- Sensitive Data: Controllers must acquire consumers’ opt-in consent before processing their sensitive data. For sensitive data of a known child, processing must be done in accordance with COPPA.20
- Transparency: Controllers must provide clear, meaningful and reasonably accessible privacy notices that disclose (1) the categories of personal data processed by the controller; (2) the purpose for processing; (3) how consumers may exercise their rights under the law, including how to appeal a decision regarding a consumer request; (4) the categories of personal data shared with third parties; (5) the categories of third parties with whom personal data is shared; and (6) one or more means for consumers to submit requests to exercise their rights.21 If a controller is either selling personal data to third parties or processing it for targeted advertising, it must clearly and conspicuously disclose the activity and the manner in which a consumer may opt out.22
- Processor Agreements: Similar to other state laws, controllers are required to enter into binding contracts with processors that, among other things, detail the instructions for the processing, the nature and purpose of the processing, the type of data, and the rights and obligations of both parties. Processors under this contract have several requirements, such as deleting or returning all personal data to the controller at the controller’s request at the end of the provision of services.23
- De-identified Data: Controllers in possession of de-identified data must (1) take reasonable measures to ensure the data cannot be associated with a natural person; (2) publicly commit to maintaining and using de-identified data without attempting to reidentify it; and (3) contractually obligate recipients of the data to comply with the provisions of the KCDPA.24
- Data Protection Impact Assessments: Controllers must conduct data protection impact assessments for any of the following data processing activities involving personal data: (1) processing for targeted advertising; (2) selling personal data; (3) processing for purposes of profiling if the profiling presents certain reasonably foreseeable risks;25 (4) processing sensitive data; and (5) any processing of personal data that presents a heightened risk of harm to consumers.26 These assessments will apply to processing created or generated on or after June 1, 2026. The law specifies that controllers may use data protection impact assessments they conducted for compliance with other reasonably comparable laws and regulations.27
Processor Requirements
Much like other state comprehensive privacy laws, processors must adhere to controller instructions and assist controllers with their obligations, including (1) responding to consumer rights requests; (2) data security and breach notification; and (3) conducting data protection impact assessments. Processors are also required to ensure each person processing the personal data is subject to a duty of confidentiality for that data pursuant to their contract with the controller, and engage with subcontractors under a written contract requiring the subcontractor to meet the processor’s obligations with respect to the personal data.28
Who Enforces the Law and Issues Regulations?
The KCDPA is exclusively enforced by the Kentucky Attorney General (AG) and does not provide a private right of action.29 The AG may seek damages for up to $7,500 per violation.30 Before any enforcement action commences, companies will have a 30-day period to cure any violations, which does not sunset like some cure periods in other state privacy laws.31
1 Ky. Rev. Stat. § 367 (2024).
2 Id. at § 367.1(19).
3 Id. at § 367.1(28).
4 “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and their implementing regulations (codified at 45 C.F.R. parts 160 and 164).
5 Id. at § 367.2(2).
6 Id. at § 367.2(2)(f). Specifically, the law exempts “an entity such as those recognized under KRS 304.47-060(1)(e), so long as the entity collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting:
- Law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts; or
- First responders in connection with catastrophic events.”
7 Id. at § 367.2(2)(g).
8 Id. at § 367.1(7).
9 Id. at § 367.2(3)(n).
10 Id. at § 367.2(3).
11 Id. at § 367.2(3)(o).
12 Id. at § 367.2(3).
13 Id. at § 367.2(4).
14 Id. at § 367.3(2).
15 Id. at § 367.1(27).
16 Id. at § 367.3(3).
17 Id. at § 367.4(1)(a-b).
18 Id. at § 367.4(1)(c).
19 Id. at § 367.4(1)(d).
20 Id. at § 367.4(1)(e).
21 Id. at § 367.4(3), (5).
22 Id. at § 367.4(4).
23 Id. at § 367.5(2).
24 Id. at § 367.7(1).
25 Id. at § 367.6(1)(c). These are the risks of: unfair or deceptive treatment or disparate impact; injury that is financial, physical or reputational; physical or other intrusion upon solitude or seclusion or intrusion offensive to a reasonable person; or other substantial injury.
26 Id. at § 367.6(1).
27 Id. at § 367.6(7-8).
28 Id. at § 367.5(1-2).
29 Id. at § 367.9(1).
30 Id. at § 367.9(3).
31 Id. at § 367.9(2).