Kentucky Consumer Data Protection Act
The 16th data privacy law in the United States.
What is the Kentucky Consumer Data Privacy Act?
House Bill 15 (HB 15), the Kentucky Consumer Data Protection Act (KCDPA), is the consumer privacy law of the Commonwealth of Kentucky. It passed the legislature on March 27, 2024, and was signed into law by the Governor on April 4, 2024.
It is the sixteenth comprehensive consumer privacy law in the United States and the third to be signed in 2024, after New Jersey and New Hampshire. Closely modeled on Virginia's VCDPA, Kentucky's law mandates data protection impact assessments, consumer rights to opt out of targeted advertising and the sale of personal data, and a 30-day cure period for violations. It takes effect on January 1, 2026.
Find out more about Kentucky's data privacy law by getting answers to questions such as:
- Does KCDPA apply to my business?
- What consumer rights does KCDPA grant to Kentucky residents?
- What are the penalties for violations of the KCDPA?
How does the Kentucky Consumer Data Privacy Act define personal data and what are its other key definitions?
Under the Kentucky Consumer Data Privacy Act, ‘personal data’ is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” which does not include “de-identified data or publicly available information,” and ‘sensitive data’ as “a category of personal data that includes:
- Personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person;
- The personal data collected from a known child; or
- Precise geolocation data.”
Same as with New Hampshire’s privacy law, ‘biometric data’ is defined as “data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual,” which excludes “a physical or digital photograph, a video or audio recording or data generated therefrom, unless that data is generated to identify a specific individual or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.”
A ‘consumer’ is “a natural person who is a resident of the Commonwealth of Kentucky acting only in an individual context” and not “a natural person acting in a commercial or employment context,” and a ‘child’ is “an individual under the age of 13.”
‘Consent’ under Kentucky’s privacy law is “a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer,” which may include “a written statement, written by electronic means or any other unambiguous affirmative action.” Unlike several other US privacy laws, Kentucky does not list any exclusions (such as acceptance of general terms of use or agreement obtained through dark patterns) from what counts as consent.
A ‘controller’ and ‘processor’ here are defined the same way as with other consumer privacy laws, namely “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data” and “a natural or legal entity that processes personal data on behalf of a controller” and the activity of ‘processing’ refers to “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, including but not limited to the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
Last but not least, Kentucky’s privacy law defines the ‘sale of personal data’ as “the exchange of personal data for monetary consideration by the controller to a third party,” which excludes the following:
- “the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- the disclosure or transfer of personal data to an affiliate of the controller;
- the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or
- the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.”
Who does the Kentucky Consumer Data Privacy Act apply to?
Kentucky’s Consumer Data Privacy Act (KCDPA) applies to persons that conduct business in or produce products or services that are targeted to residents of Kentucky and that during a calendar year control or process personal data of at least:
- One hundred thousand (100,000) consumers; or
- Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.
Who does the Kentucky Consumer Data Privacy Act exempt?
The Kentucky Consumer Data Privacy Act exempts the following organizations and types of data:
- Government entities;
- Financial institutions and their affiliates, subject to Title V of the federal Gramm-Leach-Bliley Act;
- Healthcare entities covered by HIPAA;
- Nonprofits;
- Institutions of higher education;
- Nonprofit organizations assisting law enforcement or first responders: this refers to organizations that do not provide net earnings to, or operate in any manner that benefits, any officer, employee, or shareholder of the entity and that collect, process, use, or share data solely in relation to identifying, investigating, or assisting law enforcement agencies with suspected insurance-related criminal or fraudulent acts, or first responders in connection with catastrophic events;
- Small telephone utilities, Tier III CMRS providers, or municipally owned utilities;
- Protected Health Information under HIPAA;
- Health Records and Patient Identifying Information for certain regulatory purposes;
- Human Subjects Research Information;
- Health Care Quality and Patient Safety Information: created for purposes of the federal Health Care Quality Improvement Act of 1986 and patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
- De-identified Health Information covered by HIPAA requirements for de-identification;
- Certain Federal Compliance Data: Including information bearing on a consumer's creditworthiness (regulated by the Fair Credit Reporting Act), data compliant with the Driver's Privacy Protection Act of 1994, data regulated by the Family Educational Rights and Privacy Act, and data in compliance with the federal Farm Credit Act;
- Employment-related data;
- Data processed by a utility, an affiliate of a utility, or a holding company system for the purpose of providing goods or services to a utility;
- Personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.
What are the requirements for businesses under the Kentucky Consumer Data Privacy Act?
In order to be compliant, controllers and processors have a series of obligations listed by the Kentucky Consumer Data Protection Act (HB 15). For controllers these are as follows:
- Limit Data Collection: to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is processed.
- Purpose Specification: do not process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which personal data is processed, without obtaining the consumer's consent.
- Apply Data Security Practices: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Do Not Discriminate Against Consumers: do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers, and do not discriminate against a consumer for exercising any of the consumer rights provided in the law.
- Obtain Consent for Sensitive Data: do not process sensitive data concerning a consumer without obtaining the consumer's consent. For sensitive data collected from a known child, you must comply with the federal Children's Online Privacy Protection Act.
- Display a Privacy Notice: provide consumers with a clear, meaningful privacy notice that includes:
- The categories of personal data processed.
- The purpose for processing personal data.
- How consumers can exercise their rights under the Kentucky Consumer Data Protection Act (HB 15), including appealing decisions regarding their requests.
- The categories of personal data shared with third parties.
- The categories of third parties with whom personal data is shared.
- Disclose Selling or Sharing Data: If you sell personal data to third parties or process personal data for targeted advertising, you must clearly and conspicuously disclose such activities and how consumers can opt out.
- Have in Place a Secure and Reliable Mechanism for Request Submissions: you must establish one or more secure and reliable means for consumers to submit requests to exercise their rights under the Act. You must consider how consumers interact with you and ensure the communication of such requests is secure and reliable.
- Respond to Consumer Requests: you have an obligation to comply with consumer requests in various circumstances, including requests to access, correct, or delete their personal data, or to opt out of data processing for targeted advertising, the sale of personal data, or profiling.
- Conduct Data Protection Impact Assessments: you have to “conduct and document a data protection impact assessment of each of the following processing activities involving personal data:
- The processing of personal data for the purposes of targeted advertising;
- The processing of personal data for the purposes of selling of personal data;
- The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment of consumers or disparate impact on consumers;
- Financial, physical, or reputational injury to consumers;
- A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or
- Other substantial injury to consumers;
- The processing of sensitive data; and
- Any processing of personal data that presents a heightened risk of harm to consumers.”
The obligations of a processor under the Kentucky Consumer Data Protection Act (HB 15) are as follows:
- Adhere to the Controller’s Instructions: you must adhere to the instructions of the controller and assist them in meeting their obligations under the law, by, for example, helping the controller respond to consumer rights requests and meet data security obligations.
- Provide Assistance With Consumer Requests: Taking into account the nature of processing and the information available to you, you have to assist the controller, through appropriate technical and organizational measures, to fulfill their controller obligations to respond to consumer rights requests.
- Ensure Data Security: assist controllers in meeting their obligations in relation to the security of processing personal data and in relation to the notification of data breaches, considering the nature of processing and the information available to you.
- Provide the Necessary Information for Data Protection Assessments: you are required to provide necessary information to enable controllers to conduct and document data protection assessments.
- Have a Processor-Controller Contract in Place: the contract between you and the controller has to govern your data processing procedures on behalf of the controller. This contract will be “be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”
What are the consumer rights under the Kentucky Consumer Data Privacy Act?
Under the Kentucky Consumer Data Privacy Act consumers have the following rights:
- Right to Know
- Right to Access
- Right to Correct
- Right to Delete
- Right to Data Portability
- Right to Opt-Out of the processing of personal data for the purposes of targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
How to respond to consumer requests under the Kentucky Consumer Data Privacy Act?
Under the Kentucky consumer privacy law, you have 45 days to respond to a consumer request from the date of receiving the request, and the response period can be extended by an additional 45 days “when reasonably necessary, taking into consideration the complexity and number of the consumer's requests” but you have to inform the consumer of any such extension within the initial 45-day response period and the reason for the extension.
If you refuse to take action regarding the consumer’s request, you have to inform the consumer without undue delay, but no later than 45 days after you received the request, of the justification for declining to take action and instructions for how to appeal the decision.
Like several other US privacy laws, Kentucky requires that information provided in response to a consumer request be provided “free of charge, up to twice annually per consumer.” If a consumer submits requests that are “excessive, repetitive, technically infeasible, or manifestly unfounded,” you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request,” but you bear the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request.
Similar to other privacy laws, if you are unable to authenticate a request using commercially reasonable efforts, you are not required to comply with a request and you “may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.”
Where you decline to take action on a consumer request, you must establish a process for the consumer to appeal your refusal within a reasonable period of time after receiving your decision.
The appeal process has to be conspicuously available and similar to the process for submitting requests. No later than 60 days after receiving an appeal, you must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, you must also provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the Attorney General to submit a complaint.
Kentucky Consumer Data Privacy Act enforcement and penalties
The Attorney General has exclusive enforcement authority of the Kentucky Consumer Data Protection Act (HB 15) and can enforce violations of the Act by initiating actions in the name of the Commonwealth of Kentucky or on behalf of residents of Kentucky. This includes the power to investigate and prosecute any violations under the Act, and to demand information, documentary material, or physical evidence from controllers or processors believed to be in violation.
Prior to initiating any action, the Attorney General must provide the controller or processor with a 30-day cure period. If the controller or processor cures the violation within this period and provides the Attorney General with an express written statement that the violation has been cured and that no further violations will occur, no action for damages will be initiated.
Penalties for violations under the Kentucky Consumer Data Protection Act include civil penalties of up to $7,500 for each violation, recovery of reasonable expenses incurred in investigating the violation, including court costs and attorney's fees, and any other relief ordered by the court.
There is no private right of action granted to individuals.
Data Subject Rights - GDPR vs. Kentucky Consumer Data Privacy Act
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Kentucky Consumer Data Privacy Act
- The Right to Know
- The Right to Access
- The Right to Correct
- The Right to Delete
- Right to data portability
- Right to Opt Out of the processing of personal data for the purposes of targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
You can see Clym in action by booking a demo, or reach out to us to discuss your specific needs today.
FAQs about the Kentucky Consumer Data Protection Act
What does the Kentucky Consumer Data Privacy Act apply to?
Kentucky’s Consumer Data Privacy Act applies to persons that conduct business in or produce products or services that are targeted to residents of Kentucky and that during a calendar year control or process personal data of at least:
- One hundred thousand (100,000) consumers; or
- Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.
What is exempt under Kentucky's data privacy law?
The Kentucky Consumer Data Privacy Act exempts the following organizations and types of data:
- Government entities;
- Financial institutions and their affiliates, subject to Title V of the federal Gramm-Leach-Bliley Act;
- Healthcare entities covered by HIPAA;
- Nonprofits;
- Institutions of higher education;
- Nonprofit organizations assisting law enforcement or first responders: this refers to organizations that do not provide net earnings to, or operate in any manner that benefits, any officer, employee, or shareholder of the entity and that collect, process, use, or share data solely in relation to identifying, investigating, or assisting law enforcement agencies with suspected insurance-related criminal or fraudulent acts, or first responders in connection with catastrophic events;
- Small telephone utilities, Tier III CMRS providers, or municipally owned utilities;
- Protected Health Information under HIPAA;
- Health Records and Patient Identifying Information for certain regulatory purposes;
- Human Subjects Research Information;
- Health Care Quality and Patient Safety Information: created for purposes of the federal Health Care Quality Improvement Act of 1986 and patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
- De-identified Health Information covered by HIPAA requirements for de-identification;
- Certain Federal Compliance Data: Including information bearing on a consumer's creditworthiness (regulated by the Fair Credit Reporting Act), data compliant with the Driver's Privacy Protection Act of 1994, data regulated by the Family Educational Rights and Privacy Act, and data in compliance with the federal Farm Credit Act;
- Employment-related data;
- Data processed by a utility, an affiliate of a utility, or a holding company system for the purpose of providing goods or services to a utility;
- Personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.
What data subject rights does the Kentucky Consumer Data Privacy Act (KCDPA) grant Kentucky residents?
Under the Kentucky Consumer Data Privacy Act consumers have the following rights:
- Right to Know
- Right to Access
- Right to Correct
- Right to Delete
- Right to Data Portability
- Right to Opt-Out of the processing of personal data for the purposes of targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
What are the penalties for non-compliance with the Kentucky Consumer Data Privacy Act?
Penalties for violations under the Kentucky Consumer Data Protection Act include civil penalties of up to $7,500 for each violation, recovery of reasonable expenses incurred in investigating the violation, including court costs and attorney's fees, and any other relief ordered by the court. There is no private right of action for individuals.