Kentucky Consumer Data Protection Act (KCDPA): Key Highlights and Compliance Tips

On April 4, 2024, the Kentucky Consumer Data Protection Act (KCDPA) was passed, making Kentucky the third U.S. state in 2024 to enact a comprehensive privacy law, following New Jersey and New Hampshire. It is the 15th state overall to do so. Enactment of such laws is at an all-time high, with several other states – including New York, Pennsylvania, North Carolina, and Ohio – currently considering similar comprehensive privacy legislation.

The surge in state-level data privacy laws in the U.S. stems from several factors, reflecting the rapid evolution of technology and growing concern about data privacy and security. Other key drivers behind the enactment of these laws across numerous states include the absence of comprehensive federal legislation and the desire to align with global standards.

Like the General Data Protection Regulation (GDPR) in Europe, the recent legislation in Kentucky aims to bolster transparency and accountability concerning the collection, use, and dissemination of personal data. Many of its provisions resemble those introduced in various other U.S. states over recent years. Notably, the Kentucky Consumer Data Protection Act closely mirrors the framework of Virginia’s legislation, along with similar laws in states such as Tennessee and Indiana.

Unlike some state privacy laws that may have limited scope or focus, Kentucky’s legislation covers a wide range of data protection measures. It addresses key areas such as data processing, consumer rights, and enforcement mechanisms, ensuring a holistic approach to privacy regulation.

What is the Kentucky Consumer Data Protection Act?

The Kentucky Consumer Data Protection Act encompasses several pivotal components, rendering it a substantial legislative measure. It mandates that businesses secure explicit consent from consumers before gathering or processing sensitive personal data, and before selling consumers’ personal information. The KCDPA also affords consumers the right to access, delete, and rectify their personal data.

Under the KCDPA, personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.

Additionally, federal regulations impose stringent mandates on businesses engaged in the collection and processing of personal information, including obligatory data protection assessments and protocols for notifying individuals in the event of data breaches.

The ramifications of the KCDPA are extensive and will profoundly affect businesses operating within Kentucky. Entities entrusted with personal data must scrutinize their data management procedures and adhere to the dictates of the new legislation. Failure to do so may incur substantial fines and legal repercussions.

Who does the Kentucky Consumer Data Protection Act apply to?

The KCDPA applies to any person who conducts business in Kentucky or who produces products or services that target residents of the state, and during a calendar year controls or processes data of at least:

  • 100,000 consumers; or
  • 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

Like preceding data privacy statutes, the KCDPA applies to both controllers – entities that determine the purpose and means of data processing – and processors: entities that process personal data on behalf of controllers, such as third-party vendors engaged for data analysis. The controller/processor distinction clearly allocates data governance duties among the entities involved in collecting and handling consumer data.

Who is exempt from the KCDPA?

To mitigate potential conflicts with existing regulations across various sectors, the KCDPA includes exemptions for specific organizations and categories of data. These exemptions primarily apply to entities and data already subject to regulation under federal laws.

The organizational exemptions outlined in Kentucky’s privacy legislation encompass:

  • Municipalities, state agencies, or governmental subdivisions.
  • Financial institutions, their affiliates, or data governed by the Gramm-Leach-Bliley Act.
  • Entities covered by HIPAA privacy regulations, including covered entities and business associates.
  • Non-profit organizations.
  • Institutions of higher education.
  • Entities involved in the collection, processing, utilization, or sharing of data exclusively for the identification or investigation of insurance fraud or in support of first responders.
  • Small-scale telephone utilities, Tier III CMRS providers, or municipal utilities that do not engage in the sale or dissemination of personal data.

When considering exemptions at the data level, health data emerges as the most substantial category affected. This encompasses data regulated under the Health Insurance Portability and Accountability Act (HIPAA), health records, patient identifiers, data from human subjects research, and information utilized for quality improvement and patient safety initiatives.

Furthermore, personal data utilized in specific contexts and governed by statutes such as the Fair Credit Reporting Act, FERPA, the Driver’s Privacy Protection Act, and the Farm Credit Act are also exempted.

Moreover, data collected for law enforcement, public health, emergency response, and compliance with the Combat Methamphetamine Epidemic Act fall under exemptions from Kentucky’s data privacy legislation.

Additionally, the law acknowledges that entities already in compliance with parental consent requisites as outlined in the Children’s Online Privacy Protection Act (COPPA) are automatically deemed compliant with obligations regarding parental consent.

Compliance with the Kentucky Consumer Data Protection Act

Kentucky’s privacy legislation delineates a comprehensive set of obligations for controllers concerning data handling, encompassing security measures, consent protocols, privacy policies, and procedures for addressing consumer rights requests.

Aligned with privacy laws in other states, the KCDPA mandates controllers to:

  • Restrict the collection of personal data to what is deemed adequate, relevant, and reasonably necessary.
  • Refrain from processing personal data for undisclosed purposes without obtaining consent.
  • Establish, implement, and uphold reasonable administrative, technical, and physical measures to safeguard personal data.
  • Adhere to anti-discrimination statutes when handling personal data and refrain from discriminatory practices against consumers who exercise their rights.
  • Obtain consent before processing sensitive data and comply with the Children’s Online Privacy Protection Act (COPPA) when dealing with children’s data.
  • Furnish a comprehensive privacy notice encompassing categories of processed personal data, purposes of processing, avenues for consumers to exercise their rights, categories of personal data shared with third parties, and the categories of third parties with whom personal data is shared.

What are Data Protection Impact Assessments (DPIAs)?

Data Protection Impact Assessments (DPIAs) serve as crucial instruments for assessing and mitigating potential risks linked to the processing of personal data. According to Kentucky’s privacy legislation, data controllers are obligated to conduct DPIAs for activities that pose elevated risks to individuals’ privacy rights. These assessments entail identifying and evaluating potential risks, scrutinizing the necessity and proportionality of data processing, and instituting measures to alleviate identified risks.

Similar to California, Colorado, Virginia, and Indiana, the KCDPA mandates controllers to conduct and meticulously document a Data Protection Assessment (DPA) for various processing activities involving personal data. These encompass processing personal data for:

  • Targeted advertising.
  • Sale of personal data.
  • Profiling, particularly if it carries a risk of unfair or deceptive treatment, potential harm to consumers, or intrusion into their privacy.
  • Handling sensitive data.
  • Managing personal data that poses an elevated risk of harm to consumers.

A single DPIA may cover a comparable range of processing operations if they entail similar activities.

Penalties for non-compliance with KCDPA

Violating the KCDPA carries a penalty of up to $7,500 for each infringement, with the fines collected directed into a fund at the disposal of the Office of the Attorney General for the enforcement of the KCDPA.

Additionally, the enacted legislation establishes a consumer privacy fund, highlighting the state’s dedication to safeguarding consumers’ rights and offering recourse in instances of privacy breaches.

Notably, the KCDPA contains no private right of action; enforcement rests exclusively with Kentucky’s Attorney General. The law also incorporates a 30-day cure period, during which controllers (and processors, where used) must furnish a written declaration confirming that the alleged violations have been rectified and committing to refrain from future infractions. This cure provision remains in effect indefinitely.

What are key Kentucky Consumer Data Protection Act dates?

The Kentucky Consumer Data Protection Act was passed on March 27, 2024. Businesses will become subject to the law as of January 1, 2026.

TrustArc U.S. State Data Privacy Resources

TrustArc is committed to helping organizations understand and manage their compliance obligations for all existing and emerging U.S. state privacy laws.
