Support Centre

Kentucky

Summary

Law: Kentucky Act relating to Consumer Data Privacy and Making an Appropriation Therefor ('KCDPA')

Regulator: The Kentucky Attorney General ('AG')

Summary: On April 4, 2024, the Governor of Kentucky signed into law House Bill 15 for an act relating to consumer data privacy and making an appropriation therefor, enacting the KCDPA which will enter into effect on January 1, 2026. The KCDPA regulates the processing of personal data and introduces obligations for data controllers and processors related to consent, disclosure, and data security. Additionally, the KCDPA establishes new consumer rights such as the right to access, delete, and to opt out of targeted advertising and the sale of personal data. Furthermore, the KCDPA provides the Kentucky Attorney General (AG) with enforcement powers but does not provide a private right of action.

In addition, under the Kentucky data breach notification law (§365.732 of Title XXIX of the Kentucky Revised Statutes), a personal data breach must be notified to affected Kentucky residents, and if such a breach affects more than 1,000 Kentucky residents, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.

Other key privacy laws in Kentucky include the Act relating to insurance data security (the Insurance Data Security Act), creating a new Section of §304-3 of the KRS, and §367.170 of Chapter 367 of Title XXIX of the KRS (the Consumer Protection Act) which criminalizes unfair, misleading, or deceptive trade practices.

You can follow legislative developments in the US through the USA State Law Tracker.

News

Insights

July 2024

Kentucky: Off to the races - Bluegrass State passes privacy law

Kentucky has joined the growing count of states to enact a comprehensive data privacy law. The law, passed as House Bill 15 and titled the Kentucky Consumer Data Protection Act (KCDPA), was passed by the Kentucky legislature on March 27, 2024, and signed by Governor Andy Beshear on April 4, 2024. The KCDPA comes into effect on January 1, 2026.

The requirements of the KCDPA should look familiar to those who have tracked other US state comprehensive privacy laws. This is no accident: Kentucky legislators stated during the legislative process that the KCDPA was modeled after neighboring Virginia's comprehensive privacy law. In this Insight article, Jonathan Ende, Partner at McDermott Will & Emery, examines the KCDPA and its key requirements.

May 2024

USA: New privacy laws in Kentucky, New Hampshire, and New Jersey: More of the same, only different

Kentucky's Governor Andy Beshear signed the Act Relating to Consumer Data Privacy as an addition to Kentucky's Consumer Protection Act (under Chapter 367 of the Kentucky Revised Statutes) on April 4, 2024. Kentucky's new privacy law is the 16th state consumer privacy law enacted in the US and the third in 2024. It shares many of the same features as the other comprehensive US state privacy laws. Julia Jacobson and Alexandra Kiosse, from Squire Patton Boggs, compare 2024's first three new consumer privacy laws.

May 2024

USA: Comparing Kentucky, Maryland, and Nebraska's newest consumer privacy laws - part one

Three states - Kentucky, Maryland, and Nebraska - welcomed Spring 2024 by passing comprehensive consumer privacy laws, joining the laws in New Hampshire and New Jersey1 enacted earlier this year. With the five new laws enacted in early Q2 2024, more than one-third of states have consumer privacy laws on the books.

In this part one Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answer common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws.

May 2022

Kentucky: Genetic Information Privacy Act - What you need to know

On 8 April 2022, the Kentucky Governor signed into law House Bill ('HB') 502 for the Genetic Information Privacy Act ('the Act'). In particular, the Act grants consumers greater control over their genetic materials by regulating the collection, use, and disclosure of genetic data, among others. The Act will go into effect on 1 June 2022. As such, OneTrust DataGuidance highlights some of its key provisions, focusing on areas such as consumer rights, business obligations, and what to expect with regard to enforcement.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.