Kentucky: Bill relating to consumer data privacy signed by Governor and becomes law
On April 4, 2024, House Bill 15, for an act relating to consumer data privacy and making an appropriation therefor, was signed by the Governor of Kentucky and became law. In particular, the Act provides for consumer rights relating to personal data and highlights requirements for data controllers and processors.
Scope and definitions
The Act applies to persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and that during a calendar year control or process personal data of at least:
- 100,000 consumers; or
- 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The Act also defines other key terms, including 'biometric data,' 'profiling,' 'sensitive data,' and 'targeted advertising.'
Data subject rights
Under the Act, a consumer is granted the right to:
- confirm whether a controller is processing their personal data and access the same;
- correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing;
- have their personal data deleted;
- obtain a copy of their personal data previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, provided the controller is not required to reveal any trade secret; and
- opt out of the processing of their personal data for the purposes of:
  - targeted advertising;
  - sale; or
  - profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Obligations under the Act
The Act imposes obligations on controllers such as the obligation to:
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed; and
- obtain consent from the consumer before processing sensitive data concerning the consumer.
More practically, under the Act, controllers must perform a data protection assessment in connection with processing activities that present a heightened risk of harm to a consumer. The Act also states that data processors must adhere to the controller's instructions and assist controllers in meeting their obligations, with a contract required to govern relations between the parties. Finally, the Act grants the Kentucky Attorney General (AG) the authority to enforce the Act. Under the Act, the AG must provide a controller or processor 30 days' written notice identifying the specific provisions that were violated, and where a controller or processor does not cure a violation within 30 days, the AG may initiate an action and seek damages for up to $7,500 for each violation.
The Act will enter into effect on January 1, 2026.