Kentucky Consumer Data Protection Act

Who does the Kentucky Consumer Data Privacy Act exempt? 

The Kentucky Consumer Data Privacy Act exempts the following organizations and types of data: 

• Government entities;
• Financial institutions and their affiliates, subject to Title V of the federal Gramm-Leach-Bliley Act;
• Healthcare entities covered by HIPAA;
• Nonprofits;
• Institutions of higher education; 
• Organizations benefiting law enforcement or first responders: this refers to those organizations that do not provide net earnings to, or operate in any manner that benefits, any officer, employee, or shareholder of the entity and that collect, process, use, or share data solely in relation to identifying, investigating, or assisting law enforcement agencies with suspected insurance-related criminal or fraudulent acts or first responders in connection with catastrophic events.
• Small telephone utilities, Tier III CMRS providers, or municipally owned utilities;
• Protected Health Information under HIPAA;
• Health Records and Patient Identifying Information for certain regulatory purposes;
• Human Subjects Research Information;
• Health Care Quality and Patient Safety Information: created for purposes of the federal Health Care Quality Improvement Act of 1986 and patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
• De-identified Health Information covered by HIPAA requirements for de-identification;
• Certain Federal Compliance Data: Including information bearing on a consumer's creditworthiness (regulated by the Fair Credit Reporting Act), data compliant with the Driver's Privacy Protection Act of 1994, data regulated by the Family Educational Rights and Privacy Act, and data in compliance with the federal Farm Credit Act;
• Employment related data;
• Data processed by a utility, an affiliate of a utility, or a holding company system for the purpose of providing goods or services to a utility;
• Personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.

What are the requirements for businesses under the Kentucky Consumer Data Privacy Act? 

In order to be compliant, controllers and processors have a series of obligations listed by the Kentucky Consumer Data Protection Act (HB 15). For controllers these are as follows: 

• Limit Data Collection: to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is processed.
• Purpose Specification: do not process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which personal data is processed, without obtaining the consumer's consent.
• Apply Data Security Practices: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
• Do Not Discriminate Consumers: do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. You cannot discriminate against a consumer for exercising any of the consumer rights provided in the law.
• Obtain Consent for Sensitive Data: do not process sensitive data concerning a consumer without obtaining the consumer's consent. For sensitive data collected from a known child, you must comply with the federal Children's Online Privacy Protection Act.
• Display a Privacy Notice: provide consumers with a clear, meaningful privacy notice that includes:
  • The categories of personal data processed.
  • The purpose for processing personal data.
  • How consumers can exercise their rights under the Kentucky Consumer Data Protection Act (HB 15), including appealing decisions regarding their requests.
  • The categories of personal data shared with third parties.
  • The categories of third parties with whom personal data is shared.
• Disclose Selling or Sharing Data: If you sell personal data to third parties or process personal data for targeted advertising, you must clearly and conspicuously disclose such activities and how consumers can opt out.
• Have in Place a Secure and Reliable Mechanism for Request Submissions: you must establish one or more secure and reliable means for consumers to submit requests to exercise their rights under the Act. You must consider how consumers interact with you and ensure the communication of such requests is secure and reliable.
• Respond to Consumer Requests: you have an obligation to comply with consumer requests in various circumstances, including requests to access, correct, or delete their personal data, or to opt out of data processing for targeted advertising, the sale of personal data, or profiling.
• Conduct Data Protection Impact Assessments: you have to “conduct and document a data protection impact assessment of each of the following processing activities involving personal data:
  • The processing of personal data for the purposes of targeted advertising; 
  • The processing of personal data for the purposes of selling of personal data; 
  • The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
    • Unfair or deceptive treatment of consumers or disparate impact on consumers;
    • Financial, physical, or reputational injury to consumers;
    • A physical or other intrusion upon the solitude or seclusion, or the
      private affairs or concerns, of consumers, where an intrusion would
      be offensive to a reasonable person; or
    • Other substantial injury to consumers;
  • The processing of sensitive data; and
  • Any processing of personal data that presents a heightened risk of harm to consumers.”

The obligations of a processor under the Kentucky Consumer Data Protection Act (HB 15) are as follows:

• Adhere to the Controller’s Instructions: you must adhere to the instructions of the controller and assist them in meeting their obligations under the law, by, for example, helping the controller respond to consumer rights requests and meet data security obligations.
• Provide Assistance With Consumer Requests: Taking into account the nature of processing and the information available to you, you have to assist the controller, through appropriate technical and organizational measures, to fulfill their controller obligations to respond to consumer rights requests. 
• Ensure Data Security: assist controllers in meeting their obligations in relation to the security of processing personal data and in relation to the notification of data breaches, considering the nature of processing and the information available to you.
• Provide the Necessary Information for Data Protection Assessments: you are required to provide necessary information to enable controllers to conduct and document data protection assessments. 
• Have a Processor-Controller Contract in Place: the contract between you and the controller has to govern your data processing procedures on behalf of the controller. This contract will be “be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”
  
  

What are the consumer rights under the Kentucky Consumer Data Privacy Act? 

Under the Kentucky Consumer Data Privacy Act consumers have the following rights: 

• Right to Know
• Right to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Opt-Out of the processing of personal data for the purposes of targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

How to respond to consumer requests under the Kentucky Consumer Data Privacy Act? 

Under the Kentucky consumer privacy law, you have 45 days to respond to a consumer request from the date of receiving the request, and the response period can be extended by an additional 45 days “when reasonably necessary, taking into consideration the complexity and number of the consumer's requests” but you have to inform the consumer of any such extension within the initial 45-day response period and the reason for the extension.

If you refuse to take action regarding the consumer’s request, you have to inform the consumer without undue delay, but no later than 45 days after you received the request, of the justification for declining to take action and instructions for how to appeal the decision.

Unlike other US privacy laws, Kentucky mandates that information provided in response to a consumer request has to be provided “free of charge, up to twice annually per consumer.” If a consumer submits requests that are “excessive, repetitive, technically infeasible, or manifestly unfounded,” you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request” but you are responsible with demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request.

Similar to other privacy laws, if you are unable to authenticate a request using commercially reasonable efforts, you are not required to comply with a request and you “may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.”

You are required to establish a process for consumers to appeal your refusal to take action on their request within a reasonable period of time after they have received your decision, for those cases where you decline to take action regarding a consumer request.

The appeal process has to be conspicuously available and similar to the process for submitting requests and no later than 60 days after you receive an appeal, you have to inform the consumer in writing of any action taken or not taken in response to their appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you have to also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.

Kentucky Consumer Data Privacy Act enforcement and penalties

The Attorney General has exclusive enforcement authority of the Kentucky Consumer Data Protection Act (HB 15) and can enforce violations of the Act by initiating actions in the name of the Commonwealth of Kentucky or on behalf of residents of Kentucky. This includes the power to investigate and prosecute any violations under the Act, and to demand information, documentary material, or physical evidence from controllers or processors believed to be in violation.

Prior to initiating any action, the Attorney General will provide a controller or processor with a 30 days cure period. If the controller or processor cures the violation within this period and provides the Attorney General with an express written statement that the violations have been cured and that no further violations will occur, no action for damages will be initiated.

Penalties for violations under the Kentucky Consumer Data Protection Act include a fine of $7,500 for each violation, recovery of expenses incurred during an investigation of violations, including court costs, attorney's fees, and any other relief ordered by the court.

There is no private right of action granted to individuals.  

Data Subject Rights - GDPR vs. Kentucky Consumer Data Privacy Act

FAQs about the Kentucky Consumer Data Protection Act