Kentucky Enacts Consumer Data Privacy Law

Kentucky recently enacted a comprehensive consumer data privacy law, the Kentucky Consumer Data Protection Act (the Act), following multiple other states, most recently New Jersey.  The Act will become effective on January 1, 2026.

Scope

The Act applies to persons doing business in Kentucky or targeting products or services towards Kentucky consumers that (during a calendar year) control or process either, (i) at least 100,000 consumers, or (ii) at least 25,000 consumers if over 50% of the person’s gross revenue is from selling personal data.  “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes “de-identified data or publicly available information.”

Certain entities are exempt from the Act, including, among others, (i) financial institutions, their affiliates, or data that are subject to Title V of the Gramm-Leach-Bliley Act; and (ii) covered entities and business associates governed by 45 C.F.R. parts 160 and 164 of HIPAA.  Certain kinds of data are also exempt, such as, protected health information under HIPAA, and personal information related to credit, if regulated and authorized by the Fair Credit Reporting Act.

Consumer Rights

The Act grants Kentucky consumers certain rights with respect to their personal data.  Consumers may request, (i) confirmation of whether the controller is processing the consumer’s data and access to that data, except where doing so would expose trade secrets; (ii) correction of inaccuracies, (iii) deletion of the data obtained; (iv) a copy of the personal data the consumer provided; and (v) an opt-out for targeted advertising, for any processing or automated profiling of personal data that produce significant or legal effects on the consumer, or for sale of the consumer’s data.

The controller must reply to a consumer’s request within 45 days of receipt, but can extend this time once by 45 days, if reasonably necessary and the consumer is informed of the extension within the original 45-day time period.  Responses to a consumer’s reasonable requests are required to be provided for free up to twice a year.

Notice Requirements and Other Obligations

Among other duties under the Act, the controller must provide a privacy notice that includes certain information, such as the categories of personal data that it processes, the reason it is processing personal data, how a consumer can exercise rights under the Act, and, if shared, any categories of personal data that are shared with third parties and categories of third parties receiving the shared data.  Additionally, the Act imposes certain requirements on contracts between controllers and processors, and on controllers to conduct and document a data protection impact assessment.

Penalties and Enforcement

There is no private right of action in the Act.  The Kentucky Attorney General has exclusive enforcement authority.  The Act does provide for a notice and 30-day cure period, if the attorney general finds violations.