
Overview:

Kentucky Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

Kentucky Governor Andy Beshear signed the Kentucky Consumer Data Privacy Act (the “Kentucky Online Data Privacy Act” or “KDPA”) into law on April 4, 2024. The KDPA’s main provisions become effective on January 1, 2026.

The Kentucky law creates obligations on “controllers” and “processors” of personal data. A controller is a natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data; a processor is a natural or legal entity that processes personal data on behalf of a controller.

Controllers and processors subject to the KDPA are persons who conduct business in Kentucky, or who produce a product or offer a service to Kentucky residents, and who during a calendar year control or process the personal data of at least: (1) 100,000 “consumers” (defined as natural persons who are residents of Kentucky, excluding a natural person acting in a commercial or employment context); or (2) 25,000 consumers, while deriving over 50% of gross revenue from the sale of personal data.

Information and data exempt from the KDPA include, among other types, personal data subject to regulation under the FCRA, HIPAA, and GLBA.

Controllers have the following obligations under the KDPA:

  • Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which specifies: (i) the categories of personal data processed; (ii) the purposes for which the personal data is processed; (iii) the categories of personal data that the controller shares with third parties and the categories of those third parties; and (iv) how consumers may exercise their rights, including how a consumer may appeal a controller’s decision on his/her request.
  • Restraint: controllers shall limit the controller’s collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes for which the data is processed.
  • Security: controllers must establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of the personal data and secure it from unauthorized access.
  • Rights Request Mechanism: controllers must provide an effective and conspicuously available means by which a consumer may exercise the consumer’s rights and establish a process for the consumer to appeal the controller’s decision on the consumer’s request.

Consumer rights under the KDPA include the right to:

  • Confirm whether a controller is processing personal data concerning the consumer, access that personal data, and obtain a copy of the personal data that the controller has processed or is processing;
  • Require a controller to correct inaccuracies in personal data about the consumer;
  • Require a controller to delete personal data concerning the consumer;
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer.

Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.

Like the privacy laws in Utah and Iowa, the KDPA does not provide a private right of action, with violations exclusively enforceable by the Kentucky Attorney General’s office. Controllers are allowed a 30-day period to cure alleged violations before an enforcement action may proceed, the outcome of which may result in civil penalties of up to $7,500 per violation.
