Kentucky Enacts New Consumer Data Privacy Act

Written by: Margaret Young Levi, Kathie McDonald-McClure and Drayden Burton (Wyatt Summer Associate)

On April 4, 2024, Governor Andy Beshear added Kentucky to the growing list of states with comprehensive data privacy legislation by signing House Bill 15 into law. The Kentucky Consumer Data Protection Act (“KCDPA”) will become effective on January 1, 2026. The KCDPA creates rights for Kentucky consumers and imposes obligations on certain businesses that handle consumer data.

What rights does the KCDPA create for consumers?

The KCDPA provides “consumers,” which it defines as natural persons residing in Kentucky who are acting solely in an individual context, with a set of rights concerning their personal data. These rights mirror those granted under the laws of other states that have passed similar legislation. They include:

  • Access: Consumers can confirm whether a “controller,” which is defined as a natural or legal person that determines the purpose and means of processing personal data, is processing their personal data and may access this data, unless such access would reveal trade secrets.
  • Correction: Consumers can correct inaccuracies in their personal data.
  • Deletion: Consumers can request the deletion of personal data provided by or obtained about them.
  • Data Portability: Consumers can obtain a copy of their personal data in a portable format.
  • Opt-Out: Consumers can opt-out of data processing for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Mandatory Opt-In: Consumers must provide prior consent before a business can process “sensitive data,” meaning data revealing race, ethnicity, religion, mental or physical health, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child under the age of 13; or precise geolocation data.

Importantly, these rights do not apply to persons who fall outside the “consumer” definition. Because an individual acting in a commercial or employment context is not a “consumer,” the rights also do not reach data a business collects about its own employees or about business contacts acting in that capacity.

Who and what does the KCDPA apply to?

Although there are certain exceptions, the KCDPA generally applies to a business that controls or processes the personal data of 100,000 or more consumers during a calendar year, or of 25,000 or more consumers if the business derives more than 50% of its gross revenue from the sale of personal data. “Personal data” is defined as “information that is linked or reasonably linkable to an identified or identifiable natural person.” It includes data like phone numbers, precise geolocation data, and internet browsing history, but it does not include de-identified data or publicly available information. The KCDPA defines “processing” as the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”

The KCDPA does not apply to a number of entities, including: non-profit organizations; institutions of higher education; any political subdivision of the state; financial institutions subject to the Gramm-Leach-Bliley Act; covered entities and business associates subject to the Health Insurance Portability & Accountability Act (“HIPAA”); organizations that do not “provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder of the entity,” such as those recognized under KRS 304.47-060(1)(e) that use data to assist law enforcement or first responders; small telephone utilities; and municipally owned utilities.

The KCDPA also does not apply to data regulated by the Fair Credit Reporting Act, protected health information under HIPAA, information regulated by the Farm Credit Act, or information regulated by the Family Educational Rights and Privacy Act (“FERPA”).

What are the “next steps” for non-exempted entities?

Businesses operating in Kentucky or targeting Kentucky residents should begin preparing for compliance with the KCDPA if they do not meet any of the aforementioned exemptions. Businesses can prepare in the following ways:

  • Review Data Practices: Assess current data collection and processing activities against the standards set forth by the KCDPA. Businesses should inventory what kinds of personal data they collect or process, where it is stored and with whom it is shared, and create protocols for locating, retrieving, and packaging that data so that consumer requests can be answered within the Act’s response deadlines.
  • Update Privacy Policies: Ensure privacy notices are clear, accessible, and comprehensive and disclose everything the KCDPA requires, including the categories of personal data processed, the purposes of processing, the categories of third parties with which data is shared, and how consumers can exercise their rights. The website privacy notice should align with the website’s actual data collection practices.
  • Implement Security Measures: Establish and document reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data processed, such as access controls, encryption of stored and transmitted data, and a data retention schedule.
  • Conduct Impact Assessments: Regularly perform and document data protection impact assessments for high-risk processing activities, including targeted advertising, the sale of personal data, profiling that presents a heightened risk to consumers, and the processing of sensitive data.

By proactively addressing the KCDPA’s requirements, businesses can not only avoid possible penalties of up to $7,500 per violation, but can build trust with consumers through enhanced data privacy protection. The Act is enforced exclusively by the Kentucky Attorney General; it creates no private right of action. Businesses found to be in violation are afforded a 30-day cure period to remedy violations before penalties are initiated.

Website Ad Trackers are a Focus Area for Federal Agencies Too

Kentucky became the fifteenth state to follow California’s lead by enacting laws to protect consumer privacy online. A central aim of these laws is to give consumers control over the data collected by commonly used website cookies, pixels and other online digital technologies (“Ad Trackers”). Most Ad Trackers are free for the website owner to use, but they share data with the technology company that developed the tracker. These technology companies may sell the consumer data to other third parties or use it themselves to build online profiles of consumers based on their browsing and social media activities. The consumer can then be targeted with advertising (or for other purposes) based on that online profile.

At the federal level, the Federal Trade Commission (“FTC”) and the Department of Health & Human Services (“HHS”) have increased enforcement efforts focused on the use of Ad Trackers that run afoul of Section 5 of the FTC Act and HIPAA. In 2023, HHS joined forces with the FTC to make clear that online digital tracking technologies, including Google Analytics, the Meta Pixel (formerly called the Facebook Pixel), and other Ad Trackers embedded in the websites of HIPAA-covered entities may violate HIPAA absent either express consent (a valid HIPAA authorization) from the individual or a basis for concluding that the visitor was not seeking care or information about their own health. On July 20, 2023, HHS and the FTC sent a joint letter to over 100 healthcare companies warning that their websites may be in violation of HIPAA due to the use of online analytics tools and other digital tracking technologies. HHS and the FTC published a 387-page PDF document compiling these letters to providers. In March 2024, HHS updated its online tracking guidance (first issued December 2022) to clarify its position on the intersection of HIPAA and the use of Ad Trackers.

In April 2024, one of the largest U.S. healthcare companies, Kaiser Permanente, self-reported a HIPAA violation to HHS due to the use of online tracking technologies on its webpages, impacting 13.4 million website visitors (see The HIPAA Journal article, April 26, 2024, Kaiser Permanente Website Tracker Breach Affects 13.4 Million Individuals).

Pointer: Businesses should have a clear understanding of all analytics tools, cookies, pixels, ad trackers and other online digital technologies embedded in their websites. Businesses can scan their websites for these technologies using free scanners available from BuiltWith or The Markup’s Blacklight. The business can then use the results of such website scans as a guide in discussions with its website developer. Having a clear understanding of the data being collected by your website is essential to ensuring that your website privacy notice accurately describes to consumers the data your website is collecting about them.
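For a business that wants to cross-check a scanner’s report against its own page source, the following is an added example of the kind of inventory BuiltWith or Blacklight produce, written for this page and not taken from the article or from either tool. It walks a page’s HTML, lists every script, image and iframe loaded from a domain other than the site’s own registrable domain, labels the ones that match a small illustrative signature table (the table, the inline-JavaScript markers and the sample clinic page are all constructed for the example and are not exhaustive), and also catches trackers initialised from inline code such as `gtag(` or `fbq(`, which a domain-only check would miss. Only the Python standard library is used.

```python
"""Offline inventory of third-party trackers in a page's HTML.

Added example (not the article's or any scanner's code). The signature
table, inline markers and SAMPLE_HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative hostname-suffix -> vendor table (assumption, not authoritative).
KNOWN_TRACKERS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager / GA4",
    "connect.facebook.net": "Meta Pixel (script)",
    "facebook.com": "Meta Pixel (image beacon)",
    "doubleclick.net": "Google Ads",
}

# Inline-JS call markers: the loader may be self-hosted, but the call is not.
INLINE_MARKERS = {
    "gtag(": "Google Analytics (inline gtag call)",
    "fbq(": "Meta Pixel (inline fbq call)",
}


class TrackerParser(HTMLParser):
    """Collects every external resource the browser would fetch on visit."""

    def __init__(self):
        super().__init__()
        self.resources = []      # (tag, url) for script/img/iframe with src
        self.inline_hits = set()  # vendor labels seen in inline <script> text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw text, so search them here.
        if self._in_script:
            for marker, label in INLINE_MARKERS.items():
                if marker in data:
                    self.inline_hits.add(label)


def host_of(url):
    """Hostname of a URL; '' for relative, data:, javascript: or blob: URLs."""
    p = urlparse(url)
    if p.scheme in ("data", "javascript", "blob"):
        return ""
    return (p.hostname or "").lower()


def is_third_party(host, site_domain):
    """True when host is neither the site's domain nor one of its subdomains."""
    return bool(host) and host != site_domain and not host.endswith("." + site_domain)


def vendor_for(host):
    for suffix, label in KNOWN_TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def inventory(html, site_domain):
    """Return a list of findings: one dict per distinct third-party load."""
    parser = TrackerParser()
    parser.feed(html)
    parser.close()
    findings, seen = [], set()
    for tag, url in parser.resources:
        host = host_of(url)
        if not is_third_party(host, site_domain):
            continue                      # first-party asset: not a tracker load
        label = vendor_for(host) or "unknown third party (review manually)"
        if (tag, host) in seen:
            continue
        seen.add((tag, host))
        findings.append({"tag": tag, "host": host, "vendor": label, "url": url})
    for label in sorted(parser.inline_hits):
        findings.append({"tag": "script(inline)", "host": site_domain, "vendor": label, "url": ""})
    return findings


# Constructed sample page for a fictitious clinic (not a real site).
SAMPLE_HTML = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-clinic.org/lib.js"></script>
</head><body><h1>Find a doctor</h1>
<noscript><img src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1" width="1" height="1"/></noscript>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in inventory(SAMPLE_HTML, "example-clinic.org"):
        print(f"{f['tag']:<15} {f['host']:<28} {f['vendor']}")
```

On the sample page the script from `cdn.example-clinic.org` is treated as first party, the Google tag loader, the Meta image beacon and the inline `gtag(` call are labelled, and the YouTube embed is reported as an unknown third party for manual review. In practice the output is a starting point, not a conclusion: the signature table must be maintained, and resources injected later by JavaScript (tag managers in particular) only show up when the page is loaded in a real browser, which is why the hosted scanners drive one.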

If you need assistance updating your privacy policies and practices for compliance with this new law, we regularly work with clients and their IT teams to prepare and update information-handling procedures. Learn more about Wyatt’s data privacy and cyber security practice by visiting the Wyatt Data Privacy & Cyber Security webpage.