On April 4, 2024, the Kentucky Governor Andy Brashear signed HB 15, enacting the Kentucky Consumer Data Protection Act (“KCDPA” or the “Act”), to make Kentucky the 15th US state to adopt a comprehensive privacy law. Kentucky joins New Hampshire and New Jersey in a trifecta of states that have enacted privacy legislation in the opening months of 2024. In the days since the KCDPA’s signing, the consumer privacy stakes have been raised, with the Maryland legislature’s passage of its own privacy statute, along with the introduction of the latest federal privacy bill, which would preempt the ever-growing body of state laws.

Much like other states jockeying to enter the privacy space, the Kentucky law adheres to what has become a familiar formula but brings some features that make it more business-friendly than other recent privacy statutes (such as its narrow definition of sale, the absence of Global Privacy Control requirements, and a long list of exemptions).  The KCDPA will become effective on January 1, 2026.

Who does the KCDPA apply to?

The KCDPA applies to organizations that conduct business in Kentucky or produce products or services targeting Kentuckians, and who either:

  1. Process the personal data of at least 100,000 consumers; or
  2. Process the personal data of at least 25,000 and derive more than 50% of their revenue from the sale of data.

As with other privacy legislation, the KCDPA features an extensive list of entity-and data-level exemptions. For example, the Act does not apply to:

  • City and state agencies
  • Non-profit organizations
  • Financial institutions regulated by the entities Gramm-Leach-Bliley Act (GLBA)
  • Institutions of higher education
  • “Covered entities” and “business associates” subject to the Health Insurance Portability and Accountability Act (HIPAA), nor does it apply to protected health information under HIPAA
  • Small telephone utilities
  • Personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
  • The collection, maintenance, disclosure, sale, communication, or use of personal information that is regulated by the Fair Credit Reporting Act (FCRA)
What Is Personal Data Under the KCDPA?

Consistent with most other state consumer privacy laws, “personal data” means “information that is linked or reasonably linkable to an identified or identifiable natural person,” excluding deidentified and publicly available data, and a “consumer” is “a natural person who is a resident of Kentucky acting only in an individual context,” and therefore does not extend to business-to-business or employment contexts. It should also be noted that the KCDPA defines “sale” more narrowly than some other privacy laws, referring only to the exchange of personal data for monetary consideration and therefore excluding the sharing of data for other forms of consideration.

Consumer Rights Under the KCDPA

The KCDPA, like its predecessors, establishes a set of rights that a consumer may invoke in relation to their data. The rights include:

  • Access: Consumers have the right to confirm whether a controller is processing their data and to access the personal data, subject to trade secret restrictions
  • Correction: Consumers can request that a controller correct inaccuracies in their personal data
  • Deletion: Consumers may request deletion of personal data provided by or obtained about them
  • Portability: Consumers may obtain a copy of their personal data in a technically practicable, readily usable format to allow them to transmit the data to another controller, if the processing is conducted by automatic means
  • Opt out rights: Consumers may opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

The KCDPA does not require controllers to recognize universal opt out (i.e., Global Privacy Control) signals.

Privacy Notice & Disclosure Obligations

The KCDPA also requires controllers to post a reasonably accessible and clear privacy notice that states:

  • The categories of personal data processed by the controller
  • The purpose for processing the personal data
  • How consumers may exercise their consumer rights, along with at least one secure and reliable means for consumers to submit a request to exercise their consumer rights
  • The categories of personal data that the controller shares with third parties
  • The categories of third parties with whom the controller shares personal data
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must also clearly and conspicuously disclose such sale
Other Controller Obligations

In addition to fulfilling consumer requests and publishing a compliant privacy notice, the KCDPA dictates additional requirements for controllers. Specifically, controllers must:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the stated purposes of the processing
  • Not process personal data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes
  • Employ reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data
  • Not process personal data in violation of laws that prohibit unlawful discrimination against consumers or discriminate against a consumer for exercising their rights under the Act
  • Not process sensitive data concerning a consumer without obtaining the consumer’s consent (or in accordance with COPPA for a child)

Under the KCDPA, “sensitive data” includes data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data, data collected from a known child, and precise geolocation data.

Processor Obligations

The KCDPA also addresses controllers’ relationship with processors, which must be governed by a binding contract that sets forth instructions for processing of personal data. The contract should specify the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

The contract should also require the processor to:

  • Ensure that anyone processing personal data is subject to a duty of confidentiality
  • Delete or return all personal data to the controller as requested at the end of the provision of services, if requested by the controller
  • Make available to the controller all information necessary to demonstrate the processor’s compliance with the obligations
  • Allow, and cooperate with, reasonable assessments by the controller or its designated assessor
  • Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations of the processor

The processor is under a general obligation to adhere to the instructions of a controller and to assist the controller in meeting its obligations under the Act, such as complying with consumer requests or completing data protection impact assessments.

Data Protection Impact Assessments

The Act creates an obligation for controllers to conduct data protection impact assessments when engaging in certain types of processing, including:

  • Processing of personal data for targeted advertising
  • Processing of personal data for the sale of personal data
  • Processing of personal data for the purposes of profiling that presents a reasonably foreseeable risk of either:
    • Unfair or deceptive treatment of, or disparate impact on, consumers
    • Financial, physical, or reputational injury to consumers
    • Physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive
    • Other substantial injury
  • Processing of sensitive data
  • Processing the presents a heightened risk of harm to consumers

A data protection impact assessment should identify and weigh the benefits of the processing to the controller, consumer and other stakeholders and the public against the potential risks to the consumer.  The data protection impact assessment requirement applies to processing activities taking place on or after June 1, 2026.

Enforcement

Kentucky’s attorney general holds exclusive authority to enforce the KCDPA. The attorney general may seek damages up to $7500 per violation of the Act, as well as reasonable investigatory costs, court costs, and attorney fees.

The KCDPA provides a 30-day cure period, allowing controllers to address alleged violations for 30 days following notification by the attorney. Unlike some other state consumer privacy laws, the Act’s cure provision will not sunset.

Takeaways

Although the KCDPA adds to a crowded—and expanding—compliance landscape, organizations may be encouraged that it largely conforms to the same overall formula established by the 14 state privacy laws that preceded it. Nevertheless, organizations seeking to rely on existing compliance efforts should reflect on the robustness of their privacy programs, especially with further legislation on the near horizon. As ever, controllers and processors subject to these laws should ensure that they have established processes for receiving and fulfilling consumer requests, post a compliant privacy notice, and review data processing contracts for statutory requirements.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.