On April 4, 2024, Kentucky’s Governor signed House Bill 15, which establishes a consumer data privacy law for the state. The state joins New Hampshire and New Jersey in passing comprehensive consumer privacy laws in 2024. Kentucky’s law takes effect January 1, 2026.

To whom does the law apply?

The law applies to persons, hereafter referred to as controllers, that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and during a calendar year control or process personal data of at least:

• 100,000 consumers; or
• 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Who is protected by the law?

A consumer protected under the new legislation is defined as a natural person who is a resident of Kentucky, acting in an individual context. A consumer does not include a person acting in a commercial or employment context.

What data is protected by the law?

The legislation protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable natural person.

Sensitive data is defined under the law as personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes the processing of genetic or biometric data that is processed to uniquely identify a specific natural person; personal data of a minor, or premise geolocation data.

What are the rights of consumers?

Under the law, consumers have the following rights:

• To confirm whether a controller is processing their personal data
• To correct inaccurate personal data
• To delete personal data maintained by the controller
• To opt-out of processing of personal data for targeted advertising, sale, or certain profiling

What obligations do controllers have?

Under the legislation, controllers must:

• Establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to purpose
• Obtain consent from consumers before processing sensitive data concerning the consumer.

How is the law enforced?

The Attorney General has exclusive authority to enforce violations of the legislation. The law does provide for a 30-day right to cure violations by controllers and processors of data.