Securiti AI Recognized as a Customers’ Choice For DSPM By Gartner Peer Insights


An Overview of Kentucky’s Consumer Data Privacy Act – Senate Bill 15

By Anas Baig | Reviewed By Adeel Hasan
Published May 29, 2024 / Updated June 11, 2024

I. Introduction

Kentucky's Consumer Data Privacy Act (KCDPA), officially titled ‘An Act relating to Consumer Data Privacy’, encapsulated within Senate Bill 15, represents a major advancement in the US State's laws protecting citizens' right to privacy.

With a rising focus on consumer privacy both nationally and internationally, the KCDPA seeks to empower consumers with additional control over their personal data by exercising consumer rights. It also imposes specific obligations for businesses engaged in the collection, processing, and security of consumer data.

With states across the US enacting extensive data privacy laws, Kentucky's effort is a critical first step in tackling the complex challenges and expectations of today’s data-driven digital landscape. This guide delves into the KCDPA’s key provisions, obligations for businesses, data subject rights, and the broader context of the Act.

II. Who Needs to Comply with KCDPA

A. Material Scope

The KCDPA applies to businesses that operate in Kentucky and manufacture goods or services aimed at Kentucky residents. It pertains to individuals who control or process the personal data of at least 50,000 consumers; or 25,000 consumers during a calendar year, and receive more than 50% of their gross revenue from the sale of personal data.

The KCDPA does not apply to:

  • A state agency, as well as any body, commission, board, bureau, district, or agency of a state political subdivision;
  • Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act;
  • A covered entity or business associate subject to US Department of Health and Human Services privacy, security, and breach reporting regulations;
  • Nonprofit organization;
  • Institution of higher education;
  • An organization that doesn't provide its officers, employees, or shareholders any net profits or conduct business in a way that benefits them;
  • A legal organization or one of its affiliates conducting research compliant with government guidelines for human subject protection; and
  • National Securities Association.

B. Exemptions

The KCDPA exempts the following information and data:

  • Protected health information;
  • Health records;
  • Patient identifying information;
  • Identifiable private information;
  • Information and documents created for purposes of the federal Health Care Quality Improvement Act;
  • Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
  • Personal data obtained from healthcare-related information, when de-identified according to Health Insurance Portability and Accountability Act's de-identification standards;
  • Personal information similar to or treated similarly with the data exempted from the scope of this Act, maintained by covered entities or business associates as defined in the HIPAA, or by programs or qualified service organizations as defined in Title 42 Code of Federal Regulations;
  • Information used only for public health activities and purposes as authorized by HIPAA;
  • Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act;
  • Personal data regulated by the federal Family Educational Rights and Privacy Act; and
  • Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act;
  • Personal data of individuals applying to, employed by, or acting as agents or independent contractors of a controller, processor, or third party, the data of their emergency contact, and the data necessary to retain to administer benefits for another individual relating to them; and
  • Personal data of children when verifiable parental consent is acquired pursuant to the Children's Online Privacy Protection Act (COPPA).

III. Definitions of Key Terms

A. Biometric Data

Data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual, but does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

Any freely given, specific, informed, and unambiguous indication of the consumer's wishes by a clear affirmative act that signifies the consumer’s agreement to the processing of personal data relating to the consumer for a defined purpose.

C. Personal Data

Any information, including sensitive data, that relates to an identified or identifiable natural person. Personal data does not include de-identified data, pseudonymous data, or publicly available information but does include data generated, recorded, or transmitted by a vehicle belonging to an identified or identifiable natural person.

D. Sensitive Data

A category of personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent the data is used to avoid discrimination based on a protected class that would violate a federal or state antidiscrimination law; genetic or biometric data that is processed to uniquely identify a specific natural person; personal data collected from a known child; or precise geolocation data.

IV. Obligations for Organizations Under KCDPA

Organizations must obtain the consumer's consent before processing their personal data. Consent must be freely given, specific, informed, and unambiguous. Controllers must ensure that consent does not include consent obtained by using dark patterns, hovering over, muting, pausing, or closing a specific piece of content, or accepting general or broad terms of use or similar documents that contain descriptions of personal data processing along with other, unrelated information.

Additionally, a controller must not process sensitive consumer data without providing the consumer with an opportunity to opt-out or in the case of processing sensitive child data, without obtaining consent from the child's parent or legal guardian, in compliance with the federal Children's Online Privacy Protection Act (COPPA).

B. Data Minimization Requirements

Controllers should only collect personal data that is adequate, relevant, and reasonably necessary for the disclosed processing purpose.

C. Privacy Notice Requirements

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purpose for processing personal data;
  • How the consumers may exercise their rights to access, delete, and obtain their personal data and; opt out of the processing of their personal data. One or more reliable and secure methods by which consumers may make requests to exercise their rights. The methods should consider how consumers typically communicate with the controller, how safe and dependable it is for requests to be sent, and how the controller can verify the identity of the consumers submitting the request. For a consumer to exercise their consumer rights, controllers may require them to utilize an already-existing account rather than requiring them to create a new one;
  • The particular categories of personal data that the controller sells to or shares with third parties, if any;
  • The categories of third parties that the controller sells or distributes personal data with, together with each location—domestic or foreign—where each third party keeps the data; the duration of each third party's data retention; and the use(s) that each third party makes of the data;
  • If a data controller sells personal data to third parties or conducts targeted advertising, they are required to clearly and prominently disclose this activity to consumers and must provide information on how consumers can opt out of such data processing;
  • The name and contact details of the controller;
  • The intention for which personal data is processed, as well as any legal basis for processing; and
  • The estimated duration of the controller's retention of the consumer's personal data, or in the event that this is uncertain, the criteria the controller will use to ascertain the duration.

Controllers shall ensure that any privacy notices or disclosures use clear and plain language; are provided in English and any other language in which the controller communicates with the consumer to whom the information pertains; Are understandable to the least sophisticated consumer; and provide an explanation of how the consumer's data will be used by the controller.

D. Security Requirements

Controllers are required to establish, implement, and maintain reasonable administrative, technological, and physical data security protocols to safeguard the privacy, integrity, and accessibility of personal data. Data security procedures must be appropriate for the volume and kind of personal data being processed by the controller.

E. Records of Processing Activities (RoPA) Requirements

When processing personal data, a controller must retain the personal data in a way that it may be linked to a specific consumer for the shortest amount of time required.

F. Non-Discrimination Requirements

A controller must not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

G. Data Protection Impact Assessment

A controller must conduct and document a data protection assessment for every one of the following personal data processing activities:

  • Processing personal data for targeted advertising;
  • Selling personal data; and
  • Processing personal data for profiling, where the profiling may result in a reasonably foreseeable risk of:
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial, physical, or reputational injury to consumers;
    • An infringement, whether physical or otherwise, on the privacy, seclusion, or personal matters of consumers where such an infringement would be considered offensive by a reasonable person; or
    • Other substantial injury to consumers.

V. Data Processor Obligations

A processor must comply with a controller's instructions and assist the controller in meeting its obligations. Assistance will involve considering the kind of processing and the data that the processor has access to by implementing the necessary organizational and technological measures, as far as is practically possible, to meet the controller's duty to respond to requests pertaining to consumer rights and assisting the controller in meeting its responsibilities under any applicable state or federal law, including those related to the security of processing personal data, notifying third parties of a breach in the processor's system, and other related duties.

Contract Obligations

The processor's data processing practices with regard to processing carried out on behalf of the controller must be regulated by a contract between the controller and the processor. The contract must specify how personal data is to be processed, its nature and purpose, the kinds of data that are subject to processing, the exact time frame for processing each type of data, and the rights and responsibilities of each party. Additionally, the contract must specify that the processor must:

  • Ensure that each individual processing personal data is obligated to maintain the data's confidentiality;
  • Unless required by the law, delete or return all personal data to the controller as requested at the end of the provision of services by the controller;
  • Provide the controller with access to any data to demonstrate the processor's compliance with the obligations; and
  • Engage any subcontractor in assisting the processor’s obligations with respect to the personal data.

VI. Data Subject Rights

A. Right to Confirm

Consumers have the right to confirm whether or not a controller is processing the consumer's personal data.

B. Right to Access

Consumers have the right to access their personal data.

C. Right to Correction

Consumers have the right to correct inaccuracies in their personal data.

D. Right to Delete

Consumers have the right to request a controller to delete their personal data.

E. Right to Obtain a Copy

A consumer may request a copy of the personal data they previously submitted to the controller in a format that is portable and, to the degree that is technically possible, easily readable.

F. Right to Opt-Out

Consumers have the right to opt-out of targeted advertising, opt-out of tracking, and opt-out of the sale or sharing of personal data.

A consumer can use user-enabled global privacy controls, like a browser plug-in or privacy setting, device setting, or other mechanism, to communicate or signal their desire to opt-out of the selling or sharing of their personal data. A controller is required to comply with the opt-out request.

Appointment of an Authorized Agent

Consumers have the option to designate an individual to serve as their authorized agent, act on their behalf, or opt-out of the processing of their personal data.

If a controller is able to independently confirm the identity of the consumer and the authorized agent's legal capacity to act on the consumer's behalf, it must comply with the opt-out request received from the authorized agent.

Processing of Minors

When a known child's personal data is processed, the child's parent or legal guardian may use their right to exercise consumer rights on the child's behalf. The guardian or conservator of the consumer may exercise the consumer's rights in the event that processing personal data pertaining to the consumer is subject to a conservatorship, guardianship, or other protective arrangement.

Response Period of Consumer Rights

Upon receipt of the consumer request, a controller is required to respond promptly to the customer, ideally within 45 days. When it is deemed reasonably necessary, taking into account the complexity and volume of the consumer's requests, the response period may be extended once by an additional 45 days. However, the controller must notify the consumer of the extension within the first 45-day response period, along with the reason for the extension.

When a controller decides not to act on a consumer's request, they must notify the consumer in writing of their decision, the reason they chose not to act, and how to appeal the decision. This notification must be sent to the consumer as soon as possible but no later than 45 days after the request is received.

A controller should provide information at no cost to a consumer up to two times a year in response to the consumer's request. The controller may refuse to act upon a consumer request or impose a reasonable price to offset the administrative expenses of complying with the request if it is clearly excessive, repeated, or manifestly unfounded. It will be the controller's responsibility to prove that the request is obviously excessive, repeated, or manifestly unfounded.

Appeal Process

Every controller must set up an appeals procedure that enables a consumer to challenge a controller's decision not to act on a request within a fair amount of time after the consumer receives the decision. The appeals procedure must resemble the procedure for submitting requests to take action.

After receiving an appeal, the controller has 30 days to notify the consumer of any action taken or not taken in response to the appeal, including a documented reason for the decision. If it is deemed reasonable, the time frame may be extended by an additional 60 days, taking into consideration the volume and complexity of the petitions that form the basis of the appeal.

Additionally, controllers must give consumers ways how to make a complaint with the Office of Consumer Protection in the Office of the Attorney General in a clear and conspicuous manner when notifying them of any action taken or not taken in response to an appeal. The controller is required to keep track of all appeals and their responses for a minimum of 24 months. Upon request, the Attorney General may obtain a copy of the data that the controller has compiled with the request.

VII. Regulatory Authority

The Attorney General shall have exclusive authority to enforce the KCDPA.

The Attorney General may file a lawsuit on behalf of residents of the Commonwealth or in the Commonwealth's name to enforce the KCDPA. If a controller or processor is suspected of violating the KCDPA, the Attorney General has the authority to issue a civil investigative demand.

The Attorney General must provide a controller or processor written notice of the precise provisions allegedly violated on behalf of a consumer for 30 days prior to taking any action. No action for damages may be brought against the controller or processor if, within the allotted 30 days, the controller or processor corrects the observed violation and gives the Attorney General a clear written statement that the alleged violations have been resolved and that no new ones will take place.

VIII. Penalties for Non-Compliance

In the event that a controller or processor fails to resolve a violation or breaches a written statement that was submitted to the Attorney General, the Attorney General may file a lawsuit and pursue damages in the amount of up to $7,500.00 for each violation.

IX. How an Organization Can Operationalize KCDPA

Organizations can operationalize Kentucky’s Consumer Data Privacy Act (KCDPA) by:

  • Establishing clearly defined policies and procedures for processing data in compliance with  KCDPA’s provisions;
  • Developing clear and accessible understandable privacy notices that comply with KCDPA’s requirements;
  • Obtaining explicit consent from users before processing their personal data;
  • Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
  • Train employees who handle the consumers’ data on the organization's policies and procedures, as well as the requirements of the KCDPA.

X. How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with Kentucky’s Consumer Data Privacy Act – Senate Bill 15 by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.


Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox