On April 4, 2024, Kentucky's Governor signed the Kentucky Consumer Data Protection Act (the “Act”), making Kentucky the latest state to join the trend of states enacting a comprehensive privacy law. The Act will take effect on January 1, 2026 and is substantially similar to other state comprehensive privacy laws, including, in particular, the Virginia Consumer Data Protection Act.

Applicability

The Act applies to persons or entities conducting business in Kentucky or producing products or services that are targeted to residents of Kentucky and that during a calendar year either:

  1. control or process the personal data of at least 100,000 consumers; or
  2. control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

The Act's applicability thresholds mirror those in the Virginia Consumer Data Protection Act. Unlike some other recently enacted state comprehensive privacy laws, there is no carve-out in the Act for personal data processed solely for the purpose of completing a payment transaction. Of note, the Act does not apply to non-profit organizations and institutions of higher education. Currently, state comprehensive privacy laws are split on whether they apply to non-profit organizations, with states recently trending towards including them. This distinction may create unique compliance challenges for non-profit organizations.

Additionally, the Act does not apply to certain other entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, and HIPAA covered entities and business associates. It also includes exemptions for certain types of information such as protected health information under HIPAA, personal data processed by a consumer reporting agency under the Fair Credit Reporting Act, and personal data regulated by the Family Educational Rights and Privacy Act.

Key Definitions

Like the vast majority of state comprehensive privacy laws, the Act narrowly defines “consumer” to mean an individual who is a Kentucky resident acting only in an individual context, excluding individuals acting in a commercial or employment context. As a result, employee personal data and business-to-business personal data are not within the scope of the Act.

As with the other state comprehensive privacy laws, the Act governs consumers' “personal data” in addition to a special category of personal data known as “sensitive data,” which it defines as (i) personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a specific natural person; (iii) personal data of a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. The Act requires data controllers to obtain consent from consumers prior to processing their sensitive data or, in the case of processing of sensitive data of a known child, to process such data in accordance with the federal Children's Online Privacy Protection Act (COPPA).

Under the Act, the “sale” of personal data means the exchange of personal data for monetary consideration by the controller to a third party, which aligns with a minority of other state comprehensive privacy laws. The definitions of “sale” in a majority of state comprehensive privacy laws include the exchange of personal data not only for monetary consideration but also for any “other valuable consideration.” The Act also includes broad exceptions to the definition of “sale” that are similar to exceptions in other state comprehensive privacy laws and that likely exclude from the Act's requirements many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, transfers of personal data to an affiliate of the controller, or disclosure of personal data to a third party for the purpose of providing a product or service requested by a consumer.

Compliance

Generally, the Act contains compliance obligations that are substantially similar to those found in the other state comprehensive privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data on their behalf. Further, like the privacy laws in Colorado, Connecticut, Delaware, Florida, Indiana, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, and Virginia, the Act requires controllers to conduct and document data protection assessments of any processing activities that involve personal data used in targeted advertising, the sale of personal data, the processing of sensitive data, profiling (in certain instances), or processing that presents a “heightened risk of harm” to consumers, which the Act does not define. Although the Act takes effect on January 1, 2026, the data protection assessment requirements apply only to processing activities created or generated after June 1, 2026, giving businesses time to meet this requirement.

Consumer Rights and Requests

Like the other state comprehensive privacy laws, the Act grants consumers the right to request a controller to (1) confirm whether the controller is processing the consumer's personal data and access such personal data, unless it would require the controller to reveal a trade secret; (2) correct inaccuracies in their personal data (taking into account the nature of the personal data and the purposes of processing such data); (3) delete their personal data; (4) provide a copy of their personal data; and (5) opt out of the processing of the consumer's personal data for targeted advertising, the sale of personal data, or certain types of profiling.

The Act grants a controller 45 days to respond to such requests, which may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of the consumer's requests, provided that the controller informs the consumer of any extension within the initial 45-day response period, together with the reason for the extension. Additionally, a controller must provide consumers with an appeals process if it denies a consumer's request, and a controller has 60 days to respond to an appeal. Such an appeal process is now common, although the state comprehensive privacy laws in California and Utah do not contain a right to appeal.

Enforcement and Rulemaking Authority

Like most other state comprehensive privacy laws, the Act has no private right of action. Rather, the Kentucky Attorney General's Office has exclusive authority to enforce violations of the Act. The Kentucky Attorney General may seek damages for up to $7,500 for each continued violation of the Act. However, prior to initiating an enforcement action, the Act requires the Kentucky Attorney General to issue a notice and grant a controller a 30-day cure period. The requirement to provide an opportunity to cure does not sunset, unlike in some other state comprehensive privacy laws.

Conclusion

As the number of state comprehensive privacy laws continues to increase and their effective dates span the next few years, businesses should remain cognizant of both ongoing and forthcoming compliance efforts. Although the laws contain similarities, there are also differences of which businesses should be mindful. Developing and maintaining compliance efforts designed to account for and adapt to the state comprehensive privacy laws in place today and those that will take effect in the future is critical for all covered businesses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.