An Overview of Kentucky’s Consumer Data Privacy Act – Senate Bill 15

Published May 29, 2024 / Updated January 30, 2025

Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

I. Introduction

Kentucky's Consumer Data Privacy Act (KCDPA) represents a major advancement in US state laws protecting citizens' right to privacy. Kentucky’s governor, Andy Beshear, signed Senate Bill 15 into law on April 4, 2024, and it will take effect on January 1, 2026.

With a rising focus on national and international consumer privacy, the KCDPA seeks to give consumers additional control over their personal data by granting them a set of consumer rights. It also imposes specific obligations on businesses that collect and process consumer data.

With states across the US enacting comprehensive data privacy laws, Kentucky's effort is a critical first step in tackling the complex challenges and expectations of today’s data-driven digital landscape. This guide delves into the KCDPA’s key provisions, obligations for businesses, data subject rights, and the broader context of the Act.

II. Who Needs to Comply with KCDPA

A. Material Scope

The KCDPA applies to persons that conduct business in Kentucky or produce products or services that are targeted to the residents of Kentucky and that, during a calendar year, control or process the personal data of at least:

  1. One hundred thousand (100,000) consumers; or
  2. Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of the gross revenue from the sale of personal data.

B. Exemptions

Like other US State data privacy laws, the KCDPA exempts certain entities and data from its application. The following entities are exempt from the application of its provisions:

  • A city, state agency, or any political subdivision of the state;
  • Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act;
  • A covered entity or business associate subject to the Health Insurance Portability and Accountability Act (HIPAA);
  • Nonprofit organizations;
  • Institutions of higher education;
  • An organization that processes data solely to assist law enforcement with insurance fraud investigations or first responders in catastrophic events, without benefiting officers, employees, or shareholders; and
  • Small telephone utilities.

In addition, the KCDPA exempts the following information and data from its application:

  • Protected health information under HIPAA;
  • Health records;
  • Patient identifying information;
  • Identifiable private information;
  • Information and documents created for purposes of the federal Health Care Quality Improvement Act;
  • Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
  • Personal data obtained from healthcare-related information, when de-identified according to HIPAA's de-identification standards;
  • Personal information maintained by HIPAA-covered entities, business associates, or programs defined in Title 42 CFR, which is treated similarly to data exempted from the scope of this Act;
  • Information used only for public health activities and purposes as authorized by HIPAA;
  • Personal data related to a consumer's creditworthiness, as regulated by the federal Fair Credit Reporting Act (FCRA);
  • Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act;
  • Personal data regulated by the federal Family Educational Rights and Privacy Act;
  • Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act;
  • Personal data processed in relation to an individual's employment, role as an agent or contractor, emergency contact information, or necessary for administering benefits for another individual;
  • Data processed by a utility, its affiliate, or a holding company system organized to provide goods or services to the utility;
  • Personal data processed for purposes of federal policy under the Combat Methamphetamine Epidemic Act; and
  • Personal data of children when verifiable parental consent is acquired pursuant to the Children's Online Privacy Protection Act (COPPA).

III. Definitions of Key Terms

A. Biometric Data

Data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual, but does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

B. Consent

Any freely given, specific, informed, and unambiguous indication of the consumer's wishes by a clear affirmative act that signifies the consumer’s agreement to the processing of personal data relating to the consumer for a defined purpose.

C. Personal Data

Any information, including sensitive data, that relates to an identified or identifiable natural person. Personal data does not include de-identified data, pseudonymous data, or publicly available information but does include data generated, recorded, or transmitted by a vehicle belonging to an identified or identifiable natural person.

D. Sensitive Data

A category of personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent the data is used to avoid discrimination based on a protected class that would violate a federal or state antidiscrimination law; genetic or biometric data that is processed to uniquely identify a specific natural person; personal data collected from a known child; or precise geolocation data.

E. Processing

Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, including but not limited to the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

F. Controller

The natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.

G. Processor

A natural or legal entity that processes personal data on behalf of a controller.

IV. Obligations for Organizations Under KCDPA

A. Consent Requirements

Controllers must obtain the consumer's consent before processing their sensitive data, and any sensitive data collected from a known child must be processed in accordance with COPPA. Consent must be freely given, specific, informed, and unambiguous.

B. Data Minimization Requirements

Controllers must collect only personal data that is adequate, relevant, and reasonably necessary to fulfill the purpose disclosed to the consumer.

C. Purpose Limitation

A controller must not process personal data for purposes that are not reasonably necessary or compatible with the disclosed purposes unless the consumer's consent is obtained.

D. Privacy Notice Requirements

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purpose for processing personal data;
  • How consumers may exercise their rights under the law, including how to appeal the decision of a controller in response to a consumer’s request;
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties with whom the controller shares personal data.

Furthermore, if a controller sells personal data to third parties or uses it for targeted advertising, it must clearly and conspicuously disclose this activity to consumers, along with the process for exercising their right to opt out of such processing.

E. Security Requirements

Controllers are required to establish, implement, and maintain reasonable administrative, technological, and physical data security protocols to safeguard the privacy, integrity, and accessibility of personal data. Data security procedures must be appropriate for the volume and kind of personal data being processed by the controller.

F. Record Keeping

Controllers are required to maintain a record of their data protection impact assessments, which must be made available to the attorney general upon request during any investigation.

G. Non-Discrimination Requirements

A controller must not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers. A controller must not discriminate against a consumer for exercising any of the consumer rights, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

H. Data Protection Impact Assessment

A controller must conduct and document a data protection impact assessment for each of the following personal data processing activities:

  • Processing personal data for targeted advertising;
  • Selling personal data;
  • Processing personal data for profiling, where the profiling may result in a reasonably foreseeable risk of:
    • Unfair or deceptive treatment of or unlawful disparate impact on consumers;
    • Financial, physical, or reputational injury to consumers;
    • An infringement, whether physical or otherwise, on the privacy, seclusion, or personal matters of consumers where such an infringement would be considered offensive by a reasonable person; or
    • Other substantial injury to consumers;
  • Processing of sensitive data; and
  • Any other processing activity that presents a heightened risk of harm to consumers.

V. Data Processor Obligations

A processor must comply with a controller's instructions and assist the controller in fulfilling its obligations, such as responding to consumer requests, implementing measures to protect personal information, and notifying consumers in the event of a data breach. Moreover, controllers and processors must have binding contracts that govern the processor's data processing procedures for activities performed on behalf of the controller.

VI. Data Subject Rights

Similar to other state privacy laws, the KCDPA grants consumers the following rights.

A. Right to Access

Consumers have the right to confirm whether or not a controller is processing their personal data and to access that personal data.

B. Right to Correction

Consumers have the right to correct inaccuracies in their personal data.

C. Right to Delete

Consumers have the right to request a controller to delete the personal data provided by or obtained about them.

D. Right to Obtain a Copy

A consumer has the right to request a copy of the personal data they previously submitted to the controller in a portable, easily readable format so that the consumer may send it to another controller without hindrance.

E. Right to Opt-Out

Consumers have the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling.

Exercising Consumer Requests on Behalf of a Child

When a known child's personal data is processed, the child's parent or legal guardian may exercise consumer rights on the child's behalf.

Response Period for Consumer Requests

Upon receipt of the consumer request, a controller is required to respond within 45 days. When it is deemed reasonably necessary, taking into account the complexity and volume of the consumer's requests, the response period may be extended once by an additional 45 days. However, the controller must notify the consumer of the extension within the first 45-day response period, along with the reason for the extension.

When a controller decides not to act on a consumer's request, they must notify the consumer in writing of their decision, the reason they chose not to act, and how to appeal the decision. This notification must be sent to the consumer as soon as possible but no later than 45 days after the request is received.

Administrative Cost of Complying with Consumer Requests

A controller should provide information at no cost to a consumer up to two times a year in response to the consumer's request. However, if the request is clearly excessive, repeated, or manifestly unfounded, the controller may refuse to act or charge a reasonable fee to offset the administrative expenses of complying with it. The controller is responsible for proving that the request is excessive, repeated, or manifestly unfounded.

Means to Submit Consumer Requests

A controller must provide one or more secure and reliable methods for consumers to submit requests to exercise their rights. These methods should reflect how consumers typically engage with the controller. Controllers cannot require consumers to create a new account to exercise their rights, but they may ask consumers to use an existing account.

Appeal Process

A controller must set up an appeal process that enables a consumer to challenge a controller's decision not to act on a request within a reasonable period after receiving the decision. The appeal process must be clearly accessible and similar to the process for submitting consumer requests.

Within sixty (60) days of receiving an appeal, a controller must inform the consumer in writing about any action taken or not taken in response and explain the reasons for the decision in writing. If the appeal is denied, the controller must also provide the consumer with a mechanism to submit a complaint to the Attorney General.

VII. Regulatory Authority

The Attorney General has the exclusive authority to enforce the KCDPA.

The Attorney General may file a lawsuit to enforce the KCDPA on behalf of residents of the Commonwealth or in the Commonwealth's name. If a controller or processor is suspected of violating the KCDPA, the Attorney General has the authority to issue a civil investigative demand.

VIII. Cure Period

The Attorney General must provide a controller or processor written notice of the precise provisions allegedly violated 30 days prior to taking any action. No action for damages may be brought against the controller or processor if, within the allotted 30 days, the controller or processor corrects the observed violation and gives the Attorney General a clear written statement that the alleged violations have been resolved and no new ones will occur.

IX. Penalties for Non-Compliance

In the event that a controller or processor fails to resolve a violation or breaches a written statement that was submitted to the Attorney General, the Attorney General may initiate an action and seek damages in the amount of up to $7,500 for each violation.

X. How an Organization Can Operationalize KCDPA

Organizations can operationalize KCDPA by:

  • Establishing clearly defined policies and procedures for processing data in compliance with KCDPA’s provisions;
  • Developing clear and accessible privacy notices that comply with KCDPA’s requirements;
  • Obtaining explicit consent from users before processing their sensitive data;
  • Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
  • Training employees who handle consumers’ data on the organization's policies and procedures, as well as the requirements of the KCDPA.

XI. How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with Kentucky’s Consumer Data Privacy Act by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS can help organizations overcome challenges in hyperscale data environments. This will enable organizations to swiftly comply with privacy, security, governance, and compliance requirements.
