Kentucky Enacts Comprehensive Data Privacy Law

On April 4, 2024, Kentucky joined the rapidly growing number of states adopting a comprehensive data privacy law, when Governor Andy Beshear signed, the Kentucky Consumer Data Protection Act ("Kentucky CDPA"). The law will take effect January 1, 2026.

In this latest in our series of articles on US State Data Privacy Laws, we summarize the key components of the Kentucky CDPA.

To whom does the Kentucky CDPA apply?

Kentucky's law imposes obligations on "controllers" – individuals or legal entities that determine the purpose and means of processing personal data – who either conduct business in the Commonwealth of Kentucky or produce products or services targeted to residents of Kentucky and who, within the calendar year, either:

• Control or process personal data of at least 100,000 Kentucky consumers; or
• Control or process personal data of 25,000 Kentucky consumers and derive over 50% of gross revenue from the sale of personal data.

The Kentucky CDPA exempts several categories of entities, including state and city government agencies; financial institutions and data regulated by the Gramm-Leach-Bliley Act; nonprofit organizations; institutions of higher education; and HIPAA-covered entities and business associates. Certain types of information and data are also exempted, including consumer credit-reporting data, data covered by the Drivers' Privacy Protection Act, Family Educational Rights and Privacy Act, Farm Credit Act, data covered by HIPAA and other health care statutes, and data processed or maintained for emergency contact purposes.

What rights does the Kentucky CDPA give to consumers?

Kentucky consumers, defined as a Kentucky resident acting only in an individual context, will gain rights that are largely consistent with other states' data privacy regimes. Consumers may:

• Confirm whether a controller is processing their personal data and access their data, unless providing confirmation and access would require the controller to reveal a trade secret;
• Correct inaccuracies in their personal data;
• Delete their personal data;Obtain a copy of the personal data previously provided to the controller in a readily useable format (i.e., data portability); and
• Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.

The Kentucky law requires controllers who receive a request from a consumer seeking to exercise these rights to respond to the consumer within 45 days, unless it is reasonably necessary to extend that time and the controller notifies the consumer of the extension within 45 days.

Controllers must also establish a process for consumers to appeal denials of their requests, within a reasonable time after communicating that denial. The appeal process must be "conspicuously available and similar to the process for submitting [initial requests]." If the controller denies an appeal, they must provide an online or other method for the consumer to submit a complaint to the Kentucky Attorney General.

What obligations does the Kentucky CDPA impose on controllers and processors?

Kentucky's law requires controllers to provide consumers a "reasonably accessible, clear, and meaningful" privacy notice that includes: the categories of personal data it processes; its purpose for processing the data; the categories of third parties to which it may disclose the personal data and which categories of data it may disclose; and information on how consumers may securely and reliably exercise their rights and appeal a controller's decisions.

Controllers must also:

• Limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" in relation to the disclosed purposes with which the data is processed – unless the controller obtains the consumer's consent;
• Establish and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility of personal data and to secure it from unauthorized access;
• Disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising and provide a clear method for consumers to opt out; "sale" of data is limited to exchange of personal data for "monetary consideration," unlike the California and Connecticut laws that use a broader definition than includes exchange of personal data for "other valuable consideration";
• Not process "sensitive data" without the consumer's express consent, or in the case of a known child, in accordance with COPPA. Sensitive data is defined in the Kentucky CDPA as personal data revealing racial or ethnic origin; religious beliefs; mental or physical health diagnosis; sexual orientation; citizenship or immigration status; genetic or biometric data that could identify an individual; data collected from a known child; and geolocation data;
• Process data in a nondiscriminatory manner as defined under state and federal law;
• Conduct a data protection impact assessment on the processing of personal data created or generated on or after June 1, 2026 that presents a heightened risk of harm to the consumer, including targeted advertising, processing sensitive data, selling personal data, or processing for profiling, if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment or disparate impact on consumers, financial or physical injury to consumers, or an intrusion offensive to a reasonable consumer upon their "solitude or seclusion, or the private affairs, or concerns." Data protection impact assessments conducted to comply with laws of a similar scope and effect may also be used to comply with this requirement.

Unlike the data privacy laws of some other states, including California, Connecticut, New Jersey and Texas, the Kentucky CDPA does not require controllers to allow consumers to opt out of processing their personal data by using universal opt-out mechanisms ("UOOM").

The Kentucky CDPA requires data processors to "assist the controller in meeting its obligations" under the law. A controller and processor must enter into a binding contract that governs their data processing, including requiring processors to protect confidentiality of the data and to delete or return personal data to the controller when requested.

Enforcement

The Kentucky Attorney General will have exclusive enforcement authority and there is no private right of action available under this act. The Kentucky CDPA provides businesses a 30-day period to cure alleged violations before an enforcement action may proceed. Notably, Kentucky's cure provision is not scheduled to sunset at any time after the law goes into effect. Violations of the Kentucky CDPA may incur civil penalties of up to $7,500 for each violation.

Key Aspects of the Kentucky CDPA

• No Provision for Universal Opt-Outs. Unlike several other states that have passed comprehensive data privacy laws, Kentucky will not require controllers to allow consumers to communicate their privacy preferences through UOOMs.
• Permanent 30-day Cure Provision. Many other state data privacy laws sunset their cure provisions after some months, with the expectation that businesses should have fully implemented the consumer privacy protections by that time. The Kentucky CDPA, on the other hand, will continue to provide an opportunity to rectify alleged deficiencies.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2024 White & Case LLP}