On April 4, 2024, the Kentucky Consumer Data Protection Act was signed into law by Governor Beshear.  Kentucky is the fifteenth state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut,  Iowa, Indiana, Tennessee, Montana, Texas, Oregon,  Delaware,  New Jersey, and New Hampshire.  The Act will go into effect January 1, 2026.

Applicability

The Act applies to persons that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents and that during a calendar year control or process personal data of at least:

  1. 100,000 consumers; or
  2. 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Exemptions

Exemptions include, but are not limited to:

  1. Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.;
  2. Covered entities or business associates governed by the privacy, security, and breach notification rules established pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
  3. Protected health information under HIPAA;
  4. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.

Consumer Rights

Consumers have the right to:

  1. Confirm whether a controller is processing their personal data and to access such personal data;
  2. Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing the data;
  3. Delete personal data provided by or obtained about the consumer;
  4. Obtain a portable copy of the personal data that they previously provided to the controller;
  5. Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Sensitive Data

“Sensitive data” means a category of personal data that includes:

  1. Personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. The processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person;
  3. The personal data collected from a known child; or
  4. Precise geolocation data.

A controller cannot process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data collected from a known child, process the data [except] in accordance with the federal Children’s Online Privacy Protection Act 15 U.S.C. § 6501, et seq.

Contract Requirements

A contract between a controller and a processor must govern the processor’s data processing procedures with respect to processing performed on behalf of the controller and clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.  The contract must also require that the processor:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  2. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the Act;
  4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under the Act, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor must provide a report of the assessment to the controller upon request;
  5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor.

Data Impact Assessments

A controller must conduct and document a data impact assessment of each of the following processing activities:

  1. The processing of personal data for the purposes of targeted advertising;
  2. The processing of personal data for the purposes of selling personal data;
  3. The processing of personal data for the purposes of certain profiling;
  4. The processing of sensitive data; and
  5. Any processing that presents a heightened risk of harm to consumers.

Enforcement

The Act does not include a private right of action, giving the Attorney General the exclusive authority to enforce violations. For any violation that is not cured within 30 days of written notice, the Attorney General may seek damages up to $7,500 for each violation.

For a chart comparing the state comprehensive data privacy laws, visit RMAI’s Privacy and Data Security Resource Center.

RMAI strongly recommends that its members share this Member Alert with those in their organization who are responsible for their operations, compliance, and legal matters.

RMAI previously issued Member Alerts for other states’ comprehensive privacy laws enacted in 2023 and 2024.