Kentucky Becomes Fifteenth State to Enact Privacy Law

Key Takeaways: Kentucky became the fifteenth state to enact comprehensive consumer data privacy legislation. The Kentucky Consumer Data Protection Act (the “Kentucky Act”) was passed by the Kentucky Legislature on March 27, 2024, and signed into law by Gov. Andy Beshear on April 4, 2024. The Kentucky Act bears notable similarities to Virginia’s Consumer Data Protection Act (“VCDPA”), which was enacted in 2021. The Kentucky Act has an effective date of January 1, 2026.

Applicability and Scope

The Kentucky Act defines “controller” as the individual or legal entity that determines the purposes and means of processing personal data. The Kentucky Act is applicable to businesses operating in Kentucky or offering products or services targeted towards Kentucky consumers that either:

  1. control or process the personal data of 100,000 or more Kentucky consumers annually, or
  2. control or process the personal data of 25,000 or more Kentucky consumers annually while deriving over 50 percent of their gross revenue from the sale of personal data.

There is no revenue threshold for applicability; only the volume of personal data processed (and, for the second prong, the share of revenue from data sales) matters.

"Personal data," as defined in the Kentucky Act, encompasses information that is linked or reasonably linkable to an identified or identifiable natural person and excludes deidentified or publicly available information. Like all other state privacy laws except the California Consumer Privacy Act, the Kentucky Act's definition of "consumer" does not include employees or business-to-business contacts.

There are two primary categories of exemptions under the Kentucky Act: entity-level exemptions and data-level exemptions. The following types of entities are exempted from the Kentucky Act: a city, agency or any political subdivision; entities subject to the Gramm-Leach-Bliley Act (“GLBA”) or the Health Insurance Portability and Accountability Act (“HIPAA”); nonprofit organizations; institutions of higher education; certain nonprofits recognized under Kentucky law that collect, process, use, or share data solely in connection with assistance to law enforcement or first responders for specific activities; and certain utility providers.

There are sixteen categories of data-level exemptions, including exemptions for information regulated by the GLBA, HIPAA, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act.

Privacy Notice

The Kentucky Act requires controllers to provide a privacy notice that discloses the following: the categories of personal data collected, the purpose of processing, how consumers can exercise their rights regarding their personal data, the categories of personal data shared with third parties, the identities of these third parties, whether personal data is sold to third parties and how consumers can opt-out, and clear and concise methods for consumers to submit requests to exercise their rights.

Requirements for Processors

The Kentucky Act defines a processor as an individual or legal entity that processes personal data on behalf of a controller. A processor must follow the controller's instructions and assist the controller in meeting its obligations, including by:

  1. Taking appropriate technical and organizational measures to assist the controller in responding to consumer requests;
  2. Assisting the controller with the security of processing the personal data, including obligations related to data breach notification requirements under Kentucky law; and
  3. Providing information to the controller to enable the controller to conduct and document any data protection assessments.

Consumer Rights

The Kentucky Act includes consumer rights consistent with those provided by most other state privacy laws. These rights are summarized as follows:

  1. Right to Access
  2. Right to Correct
  3. Right to Delete
  4. Right to Obtain a Copy
  5. Right to Opt-Out of data processing used for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce “legal or similarly significant effects” concerning the consumer.

Notably, the Kentucky Act does not require controllers to honor opt-out requests submitted through authorized agents or universal opt-out mechanisms (such as browser-based opt-out preference signals), a departure from several other recent state laws.

Controllers must respond to a consumer request within forty-five days of receipt. This response period may be extended once by an additional forty-five days where reasonably necessary due to factors such as the complexity or volume of consumer requests. In such cases, the business must notify the consumer of the extension and the reasons for it within the initial forty-five-day period.

Businesses are not obligated to fulfill a request if they are unable to authenticate it using commercially reasonable efforts. The Kentucky Act also requires businesses to establish an appeal process that a consumer may use, within a reasonable time after receiving the decision, when a business refuses to act on a request. The business must respond to the appeal in writing within sixty days. If the appeal is denied, the business must provide the consumer with a means to contact the Kentucky Attorney General to submit a complaint.

Similar to the VCDPA, the Kentucky Act incorporates a data-minimization provision restricting data collection to what is "adequate, relevant, and reasonably necessary" for the disclosed processing purposes. Businesses are prohibited from processing personal data for purposes that are neither reasonably necessary for nor compatible with the purposes disclosed to the consumer unless they first obtain the consumer's consent.

Opt-In Consent Required for Processing of Sensitive Data

The Kentucky Act defines sensitive data as data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, sex life, sexual orientation, citizenship, or immigration status, as well as genetic or biometric data, personal data of a known child, and precise geolocation data (location within a radius of 1,750 feet). Further, a controller may not process a consumer's personal data for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent where the controller has actual knowledge, or willfully disregards, that the consumer is between thirteen and sixteen years old.

Opt-in consent from the consumer (or from a parent, in the case of a known child under the age of 13) is required in order to process sensitive data.

Data Protection Impact Assessment

Under the Kentucky Act, controllers are required to conduct a Data Protection Impact Assessment (“DPIA”) for the following processing activities:

  1. The processing of personal data for targeted advertising.
  2. The processing of personal data for sale.
  3. The processing of personal data for profiling where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers or disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such an intrusion would be offensive to a reasonable person; or other substantial injury to consumers.
  4. The processing of sensitive data.
  5. Any processing of personal data presenting a heightened risk of harm to consumers.

DPIAs will be required for processing activities initiated on or after June 1, 2026.

Enforcement

The Kentucky Attorney General has exclusive authority to enforce the Kentucky Act; there is no private right of action. Before initiating an enforcement action, the Attorney General must provide the business with written notice of the alleged violations, after which the business has a thirty-day period to cure them.

If the business fails to cure the alleged violations within that thirty-day period, or continues to violate the Kentucky Act after providing written assurance that it has cured them, the Attorney General may bring an action and seek civil penalties of up to $7,500 for each continued violation.

The United States is undergoing a significant shift in the area of data privacy. With an increasing number of states enacting data privacy legislation, the compliance landscape continues to evolve rapidly. It is important to assess your company's data privacy obligations now and take proactive measures toward compliance. Koley Jessen is committed to staying informed about developments related to state privacy laws and will offer guidance as new information emerges. If you are unsure about your business's compliance needs or the steps required to adhere to state privacy laws, contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for assistance.

*Special thanks to Data Privacy & Cybersecurity Support Specialist Briseyda Garcia-Ticas for her contributions to this article.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
