On April 4, 2024, Kentucky took a significant step toward protecting consumer privacy by enacting the Kentucky Consumer Data Protection Act (KCDPA). With Governor Andy Beshear’s signature, Kentucky became the fifteenth state in the U.S. to adopt a comprehensive data privacy law. Set to go into effect on January 1, 2026, the KCDPA will significantly impact businesses operating in Kentucky and those targeting Kentucky residents. The KCDPA aligns closely with similar laws in Virginia and Connecticut but is notably distinct from more consumer-centric laws like California’s CCPA or business-friendly regulations like Utah’s UCPA.
Understanding the Scope of KCDPA
The KCDPA applies to businesses that either operate in Kentucky or target their products and services to Kentucky residents. Specifically, it affects businesses that control or process the personal data of at least 100,000 consumers or those that control or process the personal data of 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data. Notably, this law does not include a revenue threshold, meaning even smaller businesses could find themselves subject to its requirements.
Defining Personal and Sensitive Data
Under the KCDPA, “personal data” is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. This includes everything from contact information and addresses to personal ID numbers and cookie IDs. However, the law makes distinctions for certain types of data. For instance, publicly available information and de-identified data are not considered personal data under the KCDPA. Publicly available information is defined as data made accessible to the general public through government records, widely distributed media, or directly by the consumer.
The KCDPA also categorizes certain types of information as “sensitive data.” This includes data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child under 13 years, and precise geolocation data. Processing this sensitive data requires a higher level of protection, including obtaining explicit consent from the consumer.
Key Provisions and Requirements
The KCDPA lays out a comprehensive framework for how businesses must handle personal data, with specific obligations for both controllers and processors.
- Controller Requirements: Controllers, or those who determine the purpose and means of processing personal data, must adhere to several critical obligations, including:
  - a. Data Minimization: Collect only the personal data necessary for the specified purpose and limit its use to that purpose unless additional consent is obtained.
  - b. Data Security: Implement robust administrative, technical, and physical security measures to protect personal data.
  - c. Nondiscrimination: Avoid retaliating against consumers who exercise their privacy rights, though offering different prices or goods related to a consumer’s voluntary participation in loyalty programs is allowed.
  - d. Consent: Obtain explicit opt-in consent for processing sensitive data, including the personal data of children under 13 years, in compliance with the Children’s Online Privacy Protection Act (COPPA).
  - e. Transparency: Provide clear and accessible privacy notices detailing the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, and whether the data is shared with third parties or used for targeted advertising.
- Processor Requirements: Processors, or those who process data on behalf of controllers, must:
  - a. Confidentiality: Ensure that all personnel involved in processing data are bound by a duty of confidentiality.
  - b. Contractual Obligations: Enter into written contracts with controllers that outline processing instructions, data types, and obligations.
  - c. Assistance: Assist controllers in fulfilling their obligations, such as responding to consumer rights requests, ensuring data security, and conducting data protection impact assessments.
Consumer Rights Under KCDPA
The KCDPA empowers Kentucky residents with several rights regarding their personal data:
- Right to Confirm: Consumers can verify whether their personal data is being processed and access that data without revealing trade secrets.
- Right to Correct: Consumers can request corrections to inaccuracies in their personal data.
- Right to Delete: Consumers can request the deletion of their personal data, regardless of its source.
- Right to Obtain: Consumers can obtain a copy of their personal data in a portable and technically feasible format.
- Right to Opt-Out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling that results in significant effects on them.
Exemptions and Exclusions
While the KCDPA applies broadly, it does include several important exemptions. For example, the law does not apply to certain entities, including:
- Government Entities: City, state, or political subdivisions.
- Financial Institutions: Entities subject to the Gramm-Leach-Bliley Act (GLBA).
- Healthcare Entities: Covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA).
- Nonprofits: Non-profit organizations and institutions of higher education.
Additionally, the KCDPA exempts certain activities, such as data processing related to insurance fraud detection or assistance provided to first responders during catastrophic events. Small telephone utilities, Tier III Commercial Mobile Radio Service (CMRS) providers, and municipal utilities that do not sell or share personal data with third-party processors are also exempt.
Enforcement and Penalties
The Kentucky Attorney General is the sole authority responsible for enforcing the KCDPA. Unlike California’s CCPA, the KCDPA does not provide a private right of action, meaning consumers cannot sue businesses directly for violations. Instead, businesses have a 30-day period to correct any violations before legal action is taken. This cure period does not have an expiration date, unlike some other state privacy laws. If violations are not corrected within the 30-day window, the Attorney General can impose fines of up to $7,500 per violation.
Preparing for KCDPA Compliance: A Checklist
For businesses preparing to comply with the KCDPA, the following checklist can serve as a helpful guide:
- Data Minimization: Ensure that you are only collecting the personal data necessary for your stated purposes.
- Data Security: Implement adequate security measures to protect personal data.
- Obtain Consent: Secure explicit consent before processing sensitive data, including the personal data of children under 13 years.
- Transparency: Provide a clear and accessible privacy notice to consumers.
- Opt-Out Mechanisms: Establish easy-to-use opt-out mechanisms for consumers.
- Consumer Rights Requests: Create reliable methods for consumers to exercise their rights, and respond to their requests promptly.
- Data Protection Impact Assessments: Conduct regular assessments to identify risks and mitigation measures associated with processing personal data.
- Nondiscrimination: Ensure that consumers are not discriminated against for exercising their rights.
- Contractual Compliance: Maintain contracts with third parties and processors to ensure they comply with the KCDPA.
Frequently Asked Questions (FAQs)
- Who does the KCDPA apply to?
  – The KCDPA applies to businesses operating in Kentucky or targeting Kentucky residents, specifically those that control or process the personal data of 100,000 consumers or more, or 25,000 consumers if they derive more than 50% of their revenue from selling personal data.
- What is considered personal data under the KCDPA?
  – Personal data includes any information linked or reasonably linkable to an identified or identifiable person, such as contact information, personal ID numbers, and cookie IDs. Publicly available information and de-identified data are not considered personal data.
- What are the penalties for non-compliance with the KCDPA?
  – The Kentucky Attorney General can impose fines of up to $7,500 per violation. Businesses have a 30-day period to correct any violations before penalties are applied.
- What rights do Kentucky consumers have under the KCDPA?
  – Consumers have the right to confirm, access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, the sale of personal data, or profiling.
- Are there any exemptions under the KCDPA?
  – Yes, the KCDPA exempts certain entities, including government bodies, financial institutions, healthcare entities, nonprofits, and specific small utilities. It also excludes publicly available and de-identified data.
Wrapping Up
The Kentucky Consumer Data Protection Act (KCDPA) is a significant step towards stronger privacy protections for Kentucky residents. As the January 2026 effective date approaches, businesses must take proactive steps to ensure they meet all requirements, safeguarding consumer data and their own compliance with the law.
By understanding the law’s requirements and preparing accordingly, businesses can avoid hefty fines and maintain consumer trust. While the KCDPA aligns with many existing state privacy laws, it introduces unique elements that must be carefully navigated. Staying informed and compliant will be key to thriving in this evolving landscape of data privacy regulations.