Kentucky Passes Consumer Privacy Bill

On March 27, 2024, the state of Kentucky passed the Kentucky Consumer Data Protection Act (HB 15), which was signed into law on April 4, 2024, by Governor Andy Beshear. 

Similar to Virginia's VCDPA, Kentucky’s consumer privacy law mandates data protection impact assessments, the handling of de-identified or pseudonymous data, and consumer rights to opt-out from targeted advertising and the sale of data, along with a 30-day cure period for violations, and is set to become effective  January 1, 2026.

Short summary of the Kentucky Consumer Data Protection Act:

• Effective Date: January 1, 2026
• Applicability:
  • Applies to entities conducting business in Kentucky or targeting products and services to Kentucky residents, with specific thresholds:
  • Control or process personal data of at least 100,000 consumers; or
  • Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
• Controller Obligations:
  • Limit data collection to what is necessary for disclosed purposes.
  • Do not process personal data for purposes not disclosed to consumers without consent.
  • Implement and maintain data security practices to protect personal data.
  • Do not process personal data in a way that discriminates unlawfully against consumers.
  • Obtain consent before processing sensitive data.
  • Provide clear privacy notices including categories of processed data, purposes, and consumer rights.
  • Establish means for consumers to submit rights requests.
• Consumer Rights:
  • Confirm if a controller is processing their personal data and access it.
  • Correct inaccuracies in their personal data.
  • Delete personal data provided by or obtained about them.
  • Obtain a portable copy of their personal data.
  • Opt-out of data processing for targeted advertising, sale of personal data, or profiling.
• Enforcement Authority: The Attorney General of Kentucky has exclusive authority to enforce the Act.
• Penalties:
  • Civil penalties for violations can be up to $7,500 for each violation.
  • The Attorney General may recover expenses incurred in investigating and preparing the case, including attorney's fees.

Similarities to other US consumer privacy laws

The Kentucky Consumer Data Protection Act bears a strong resemblance to other state privacy laws in the United States, such as the California Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act (VCDPA), and Colorado's Privacy Act (CPA). 

Both Kentucky's law and these other state laws have similar definitions and criteria for applicability, based on either the number of consumers affected or the revenue generated from selling personal data. 

They all highlight the importance of data minimization, the need for consent in processing sensitive data, the provision of transparent privacy notices, and the implementation of data protection impact assessments for certain processing activities.

Distinctive features

The Kentucky Consumer Data Protection Act grants exclusive enforcement authority to the Kentucky Attorney General, establishes civil penalties for non-compliance, and notably prohibits private rights of action, a provision that differs from California's allowance for limited private rights of action in data breach cases. 

Additionally, Kentucky introduces a consumer privacy fund for collected penalties to support enforcement, alongside specific exemptions for data processing under certain conditions. 

Key takeaway? 

While Kentucky's law mirrors the broader movement towards strengthening data privacy across the U.S., it also adapts to the unique context of Kentucky, illustrating the state's commitment to protecting its residents' data privacy rights while acknowledging the practicalities of business compliance.