What you need to know about Kentucky’s new privacy law
Posted: April 30, 2024
Kentucky has enacted a comprehensive privacy law, the Kentucky Consumer Data Privacy Act (KCDPA), bringing new obligations to companies operating in the state.
The KCDPA (not an official name) started life as HB 15 and closely mirrors the Virginia Consumer Data Protection Act (VCDPA). The law places new obligations on businesses, gives Kentucky consumers new rights over their personal data, and will take effect from January 2026.
Here’s what you need to know about this important new privacy law.
Who is subject to the Kentucky Consumer Data Privacy Act?
The KCDPA applies to businesses either operating in Kentucky or targeting its residents that annually:
- Control or process personal data about at least 100,000 Kentucky consumers, or
- Control or process personal data about at least 25,000 Kentucky consumers, and generate 50% or more of their annual gross revenues from the sale of personal data.
Like other Virginia-style laws, the KCDPA uses GDPR-derived language, applying mostly to “controllers” and the “processors” operating on their behalf.
The KCDPA maintains the same application thresholds as Virginia and certain other copycat states. Exemptions include non-profits, HIPAA-covered entities, and employment data, among others.
What are the consumer rights under this new Kentucky law?
Kentucky residents will enjoy comprehensive privacy rights under the KCDPA, including the right to:
- Verify if a company processes their personal data and access the data
- Correct inaccurate personal data
- Delete their personal data under specific conditions
- Receive their personal data in a portable, machine-readable format
Controllers must facilitate consumer requests within 45 days, with a possible extension of another 45 days if needed. Consumers unhappy with a controller’s response may appeal to the Kentucky Attorney General.
The KCDPA requires that every applicable business provide a secure and reliable method for consumers to exercise their rights and clearly describe these methods in their privacy notices.
Kentucky residents can also opt out of:
- Targeted advertising
- The sale of their personal data
- Profiling that leads to certain significant effects
Unlike the privacy statutes in several other states, Kentucky does not require businesses to honor opt-out signals sent through a Universal Opt-Out Mechanism (UOOM).
What counts as ‘sensitive data’ in Kentucky?
Like most other states with a comprehensive privacy law, Kentucky generally requires opt-in consent before a business may process “sensitive data”.
Sensitive data under the KCDPA includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status
- Genetic or biometric data used for unique identification
- Personal data about children
- Precise geolocation data (within a radius of 1,750 feet)
What else does Kentucky’s new privacy law require?
Kentucky’s new law includes many of the obligations present in other, similar states, including:
- Maintaining reasonable security measures to protect personal data
- Establishing contracts with data processors that restrict how they process personal data on behalf of the controller
- Limiting the collection and processing of personal data to what is “reasonably necessary” for the disclosed purposes, and prohibiting the processing of personal data for incompatible further purposes without consent
- Conducting data protection assessments (risk assessments) prior to certain processing activities
Before taking a business to court for violating the KCDPA, the Kentucky Attorney General must give it a 30-day period to “cure” the violation. The law does not include a private right of action, so consumers can’t sue a business for violating it.
Preparing for compliance with Kentucky’s upcoming comprehensive privacy law, the KCDPA
The KCDPA is closely aligned with other state laws like the VCDPA in Virginia. Businesses already subject to privacy regulations in other states should prepare to extend similar protections to Kentucky consumers.
The KCDPA will significantly affect online advertising practices. Businesses should be prepared to offer an opt-out to Kentucky consumers once it takes effect.
The law will take effect on January 1, 2026, so covered entities should review their processing activities and service provider contracts in advance.
How consent and preference management can support KCDPA compliance
The introduction of the Kentucky Consumer Data Privacy Act (KCDPA) heralds a significant shift in the way companies handle the personal data of Kentucky residents. Given the rights this new law affords consumers and the obligations it places on businesses, it becomes crucial for companies to implement a consent and preference management platform. Here’s why:
- Managing consent for sensitive data processing
Under the KCDPA, the processing of sensitive data requires explicit opt-in consent from consumers. Sensitive data encompasses a range of information including racial or ethnic origin, health diagnoses, biometric data, and precise geolocation data. A consent and preference management solution will enable companies to collect, manage, and document these consents efficiently, ensuring compliance with the law.
- Facilitating consumer rights
The KCDPA grants Kentucky residents various rights such as the ability to access, correct, delete, and port their personal data. Additionally, consumers can opt out of targeted advertising, the sale of their personal data, and certain types of profiling. Companies will need a system that not only allows consumers to easily exercise these rights but also tracks and automates the response process to ensure requests are addressed within the legally required timeframe.
- Transparent opt-out mechanisms
While the KCDPA does not require a Universal Opt-Out Mechanism (UOOM), businesses still need to provide clear and accessible methods for consumers to opt out of specific data processing activities like targeted advertising and the sale of their data. A consent and preference management solution can simplify this by offering consumers a user-friendly interface to manage their preferences.
- Adhering to data minimization principles
The law emphasizes the importance of limiting data collection and processing to what is “reasonably necessary” for the purposes disclosed to consumers. With a consent and preference management solution, businesses can more easily align their data collection practices with consumer preferences and legal requirements, ensuring that only the necessary data is processed based on explicit consumer consent.
- Avoiding legal repercussions
Non-compliance with the KCDPA can lead to interventions from the Kentucky Attorney General, including potential legal action after a 30-day cure period. To mitigate this risk, companies need robust mechanisms in place to ensure all consumer data interactions comply with the law. A consent and preference management solution helps in maintaining an audit trail of how consumer data is handled, demonstrating compliance in the event of an investigation or audit.
- Building consumer trust
By implementing a transparent and effective consent and preference management system, companies not only comply with the KCDPA but also build trust with their consumers. This can enhance corporate reputation and consumer loyalty, which are crucial in a competitive market landscape.
The enactment of the KCDPA necessitates significant changes in how companies collect and process personal data. By adopting a comprehensive consent and preference management solution, companies can ensure compliance, streamline consumer data requests, manage preferences efficiently, and ultimately safeguard themselves against potential legal challenges. As the January 2026 implementation date approaches, preparing for these requirements will be key to successful compliance and continued operation in Kentucky.