On April 4, 2024, Kentucky Governor Andy Beshear signed the Kentucky Consumer Data Protection Act (the "KCDPA" or "Act"), which takes effect January 1, 2026. The KCDPA maps in large part to the Virginia Consumer Data Protection Act. Of note, the Act does not require controllers to enable opt-outs through universal opt-out mechanisms, and the Act's provision allowing 30 days to cure alleged violations will not sunset.

We highlight additional key aspects of the Act below.

Application Thresholds

The KCDPA applies to persons who conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and who during a calendar year either: (1) control or process personal data of at least 100,000 consumers; or (2) process the personal data of 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Consumer Rights

The KCDPA affords Kentucky residents the rights to do the following:

  • Confirm processing of and obtain access to their personal data;
  • Correct inaccurate personal data;
  • Delete personal data;
  • Port personal data; and
  • Opt out of:
    • targeted advertising;
    • sales of their personal data; and
    • profiling in furtherance of automated decisions that produce legal or similarly significant effects.

Controllers must respond to consumer rights requests within 45 days and establish a process through which consumers can appeal denials of their requests.

Information Security

Like other state privacy laws, the Act requires companies to maintain reasonable and appropriate data security practices but does not enumerate specific safeguards (such as encryption or multifactor authentication).

Exemptions

The Act exempts the following types of entities and their data:

  • Government entities and political subdivisions;
  • Financial institutions and affiliates and data subject to the Gramm-Leach-Bliley Act;
  • Covered entities and business associates governed by the Health Insurance Portability and Accountability Act ("HIPAA");
  • Nonprofits;
  • Institutions of higher education;
  • Organizations that:
    • Do not provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder, and
    • Process personal data in connection with certain law enforcement and first responder activities;
  • Small telephone utilities or municipally owned utilities that do not sell or share personal data with any third-party processor.

The Act also exempts the following types of data:

  • Personal health information (PHI) under HIPAA;
  • Health records, patient identifying information, human subjects research, and data subject to the Health Care Quality Improvement Act;
  • Data derived from any healthcare-related data that is de-identified according to the HIPAA requirements;
  • Data for public health activities and purposes authorized by HIPAA;
  • Data regulated by:
    • the Fair Credit Reporting Act;
    • the Driver's Privacy Protection Act;
    • the Family Educational Rights and Privacy Act; and
    • the federal Farm Credit Act;
  • Data processed or maintained:
    • On job applicants, employees, and independent contractors for controllers, processors, and third parties, and for the administration of benefits to them; and
    • For emergency contact purposes;
  • Data processed by a utility, affiliate of a utility, or holding company system; and
  • Data used under the Combat Methamphetamine Epidemic Act of 2005.

Controllers and processors who comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (COPPA) are deemed compliant with any obligation to obtain parental consent under the Act.

Privacy Notices

Like other comprehensive state privacy laws, the Act requires controllers to provide consumers a "reasonably accessible, clear, and meaningful" privacy notice with typical disclosures regarding:

  • Categories of personal data processed;
  • Purpose for processing;
  • How consumers may exercise and appeal decisions regarding their rights;
  • Categories of personal data shared with third parties;
  • Categories of third parties with whom personal data is shared; and
  • Disclosure of sale of personal data or processing for targeted advertising and how to opt out.

Processor Contracts

The Act directs controllers and processors to enter into contracts requiring processors to:

  • Impose a duty of confidentiality on all individuals processing personal data;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • Cooperate with responding to consumer rights requests;
  • Delete or return personal data at termination of the agreement;
  • Demonstrate compliance with the Act upon request;
  • Allow and cooperate with the controller's data protection assessments; and
  • Use subcontractors that are subject to the same privacy requirements as processors.

Definition of Sensitive Data

The Act requires opt-in consent to process sensitive data, defined as:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  • Personal data collected from a known child; and
  • Precise geolocation data.

Data Protection Assessments

The Act contains typical provisions regarding data protection assessments (DPAs), requiring controllers to conduct DPAs (and processors to cooperate) for the following processing activities:

  • Targeted advertising;
  • Sales of personal data;
  • Profiling, if certain risk factors are met;
  • Processing sensitive data; and
  • Any processing activities that present a "heightened risk of harm."

Sale of Personal Data

Unlike a variety of other state privacy laws, such as those in California, Colorado, and New Jersey, the KCDPA defines the "sale of personal data" to mean exchanges of personal data for monetary consideration only.

Enforcement

The Kentucky Attorney General has exclusive authority to enforce the KCDPA and can impose civil penalties of up to $7,500 per violation.

The Act does not authorize any rulemaking.

No Private Right of Action

The Act expressly precludes a private right of action for violations of the law.

30-Day Cure Period

The Kentucky Attorney General must give businesses notice and the opportunity to cure an alleged violation within 30 days of receiving the notice. If a controller cures the alleged violation within the allotted 30-day cure period and provides an express written statement to the Attorney General confirming the alleged violations were corrected, then the Attorney General may not initiate an action against the controller.

Unlike laws in New Hampshire and New Jersey, the KCDPA's right to cure provisions are permanent and do not sunset.

Looking Ahead

While the KCDPA adds yet another layer of privacy compliance complexity for U.S. businesses, the Act largely does not add new compliance burdens for organizations already complying with other non-California U.S. state privacy laws.

DWT's privacy and security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.