Clifford Chance

Talking Tech

Kentucky Consumer Data Protection Act: An Overview

Data Privacy | Consumer | 1 August 2024

On April 4, 2024, Kentucky governor Andy Beshear signed the Kentucky Consumer Data Protection Act (KYCDPA), making Kentucky the sixteenth state in the U.S. to enact comprehensive data privacy legislation (together with the KYCDPA, the State Data Privacy Laws). The KYCDPA is the third such law enacted in 2024, building on last year's momentum in states implementing comprehensive privacy laws. The KYCDPA takes effect on January 1, 2026. This article summarizes key provisions of the KYCDPA.

Scope and Applicability

The KYCDPA applies to any entity that conducts business in the state or produces products or services targeted at Kentucky residents and, during a calendar year, controls or processes personal data of:

  • One hundred thousand (100,000) consumers, or
  • Twenty-five thousand (25,000) consumers, where the entity also derives over fifty percent (50%) of gross revenue from the sale of personal data.

Like other State Data Privacy Laws, the KYCDPA provides certain entity-level and data-level exemptions. The entities that the law exempts from its scope include state agencies and political subdivisions; financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA); covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA); nonprofit organizations; institutions of higher education; small telephone utilities; and certain organizations that support law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts, or first responders in connection with catastrophic events. Additionally, the law does not apply to protected health information (PHI) under HIPAA; health records; certain other kinds of patient and health data (including data collected for clinical trials); credit data covered under the Fair Credit Reporting Act (FCRA); personal data covered by the Driver's Privacy Protection Act; personal data covered by the Family Educational Rights and Privacy Act; personal data processed in compliance with the federal Farm Credit Act; emergency contact information; data processed by a utility; and personal data processed in order to combat methamphetamine use.

Finally, in keeping with the majority of other State Data Privacy Laws (other than California), the KYCDPA does not apply to personal data collected and processed in the employment or commercial (business-to-business) context. 

Controller and Processor Obligations

Similar to other State Data Privacy Laws (as well as privacy laws like the EU General Data Protection Regulation), the KYCDPA's regulatory framework distinguishes roles and responsibilities between controllers and processors. The KYCDPA defines a "controller" as a person that, alone or jointly with others, determines the purpose and means of processing personal data and a "processor" as a person who processes personal data on behalf of a controller.

Most of the primary privacy responsibilities under the KYCDPA fall on controllers.  The law requires controllers to provide consumers a reasonably accessible and clear privacy notice that explains:

  • The categories of personal data collected and the purpose for such collection
  • A description of the process for making consumer rights requests, including how to opt out of sales (if applicable)
  • The categories of personal information shared with third parties
  • The categories of third parties with whom the controller shares personal data.

Like other State Data Privacy Laws, the KYCDPA also imposes limits and obligations on the personal data processing activities of controllers, including:

  • Limiting personal data collection and processing to what is adequate, relevant, and reasonably necessary for the disclosed purposes
  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect personal data
  • Collecting consent before processing sensitive data.

Additionally, the law requires controllers to perform data protection assessments that weigh the benefits of the processing activities against potential risks to the rights of the consumers whose data is being processed. This must be done before a controller undertakes any data processing that presents a heightened risk of harm to consumers. The statute specifically lists several such types of processing, including processing for targeted advertising, sale, and certain kinds of profiling, as well as processing of sensitive data (defined below). To avoid creating duplicative burdens, the KYCDPA provides that this requirement can be satisfied with an assessment conducted for compliance with obligations under other State Data Privacy Laws. The law provides for a five-month phase-in period for data protection assessments, imposing this assessment obligation only on processing activities occurring on or after June 1, 2026.

The KYCDPA also puts in place express requirements for processors, including adhering to the instructions of a controller and assisting controllers in meeting their obligations under the statute (such as responding to rights requests, protecting personal data, notifying consumers in the event of a breach, and providing information necessary for data protection assessments).  Additionally, controllers and processors are required to have contracts in place that govern a processor's data processing procedures. Similar to other State Data Privacy Laws, the KYCDPA requires that such contracts include provisions that address or describe the following:

  • Clear processing instructions
  • The nature and purpose of processing
  • The type of data subject to processing
  • The duration of processing
  • The rights and obligations of both parties
  • Confidentiality obligations for the processor's employees
  • A requirement to delete or return all personal data once the service is completed
  • A requirement for processors to provide all information necessary to demonstrate compliance with the KYCDPA
  • Cooperation obligations for assessments by the controller
  • Requirements that subprocessors are bound by written contracts with similar obligations. 

Consumer Rights and Requests

In line with similar rights found in most other State Data Privacy Laws, the KYCDPA provides state residents with the right to:

  • Confirm processing (right to know)
  • Correct inaccuracies
  • Request deletion of personal data
  • Obtain a portable copy of personal data (data portability)
  • Opt out of processing for targeted advertising, sale, or profiling.

Controllers must provide consumers with at least one (1) method to submit a request to exercise their rights. Such methods must take into account the ways in which the controllers normally interact with their consumers (e.g., providing an online mechanism if the controller maintains a website).

As mentioned above, the KYCDPA also specifically restricts processing of sensitive data, requiring controllers to obtain consent before doing so—in effect creating an "opt-in" regime for sensitive data processing similar to that found in the majority of other State Data Privacy Laws. 

The KYCDPA defines "sensitive data" to include personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying a consumer
  • Personal data collected from a known child (defined as an individual under the age of thirteen (13))
  • Precise geolocation data (within 1,750 feet).

With regards to children's data, the KYCDPA adopts the verifiable parental consent processes and requirements set out in the Children's Online Privacy Protection Act (COPPA).

Controllers are prohibited from discriminating against consumers for making rights requests (although this does not restrict offers of discounts, loyalty programs, or other incentives that are reasonably related to the value of the personal data).

Under the KYCDPA, controllers must respond to verified requests within forty-five (45) days of receipt, with an additional forty-five (45) day extension available upon notice to the consumer if reasonably necessary for complex or numerous requests.  

Right to Appeal

As with most other State Data Privacy Laws, the KYCDPA requires controllers to establish a process to allow consumers to appeal a denial of their request to exercise a privacy right. If a controller denies a consumer's rights request, it must provide the consumer with justification for such denial and conspicuously available instructions on how to appeal in a manner similar to the original process for submitting the rights request. Once the controller receives an appeal, it must respond within sixty (60) days with the result of the appeal, including a written explanation of the rationale for the controller's decision. If the appeal also denies the consumer's rights request, then the controller must provide a mechanism through which the consumer may submit a complaint to the Kentucky Attorney General.

Definition of "Sale"

The KYCDPA defines the "sale" of personal data as the "exchange" of personal data with a third party for "monetary consideration"—a slightly narrower definition than those found in other State Data Privacy Laws.  The KYCDPA provides exceptions to the "sale" of personal data in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal data:

  • To a processor that processes personal data on behalf of the controller
  • To a third party for purposes of providing a product or service requested by the consumer
  • To the controller's affiliates
  • That the consumer intentionally made available to the general public and did not restrict to a specific audience
  • To a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or similar transaction. 

As noted above, controllers must provide consumers with the ability to opt out of the sale of their personal data. However, unlike many other State Data Privacy Laws, the KYCDPA does not impose obligations on controllers to recognize universal opt-out or browser signals to effectuate an opt-out of the sale of personal data.

Definition of "Targeted Advertising"

The KYCDPA defines "targeted advertising" similarly to the way the term is defined in other State Data Privacy Laws: "displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests." Notably, however, the definition expressly excludes activities that are:

  • Based on activities within a controller's own (or affiliated) web sites or online applications
  • Based on the context of a consumer's current search query, visit to a web site, or online application
  • Directed to a consumer in response to the consumer's request for information or feedback
  • Used to measure or report the performance, reach, or frequency of an advertisement.

The KYCDPA imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.   

De-identified and Pseudonymous Data

Like other State Data Privacy Laws, the KYCDPA includes definitions for "de-identified data" and "pseudonymous data" that expressly exclude such data from "personal data."  Data is "de-identified" if it cannot reasonably be linked to an identified or identifiable individual, or a device linked to such an individual.  Data is "pseudonymous" if it cannot be attributed to a specific resident without the use of additional information (provided the additional information is kept separate and subject to appropriate technical and organizational measures preventing its use to reidentify the data). 

The KYCDPA requires controllers to put reasonable measures in place to ensure that such data cannot be associated with an individual. Controllers in possession of de-identified data are required to publicly commit to maintaining and using such data without attempting to reidentify it. Controllers must have contracts in place with terms that require all recipients of such data to comply with the KYCDPA. Controllers must also monitor such third parties for compliance and take appropriate steps to address any breaches of the relevant contractual commitments.

Enforcement and Penalties

The KYCDPA will be enforced solely by the Kentucky state government through the Kentucky Attorney General; there is no private right of action for consumers. Before the state is permitted to bring a claim against a controller or processor for violating the statute, it must provide a thirty (30) day cure period (following notice) that gives the controller or processor the opportunity to remedy the alleged violation. If the violation is still not addressed, the state can seek a civil penalty of up to $7,500 for each violation—a figure that aggregates quickly depending on how many data subject records are involved in the violation.