
Kentucky Consumer Data Protection Act: How Does This Affect You?

In April 2024, Kentucky Governor Andy Beshear signed the Kentucky Consumer Data Protection Act (KCDPA). By doing this, Kentucky joins an increasing number of states that have enacted comprehensive data privacy laws. The law is set to take effect at the start of 2026. In the meantime, Kentucky business owners have a lot to learn about the innovative KCDPA.

The KCDPA primarily establishes two things. First, the Act grants Kentucky consumers certain rights relating to their personal data. The KCDPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable natural person.” Personal data includes but is not limited to physical addresses, geolocation data, phone numbers, biometric data, or information related to a consumer’s interaction with the internet and website applications. Second, the Act outlines obligations and requirements for businesses that control and process the personal data of Kentucky consumers. Furthermore, the KCDPA establishes new requirements for privacy notices, impact assessments, and vendor contracts. The time period between Beshear’s 2024 signing date and the 2026 effective date ensures businesses have ample time to comply with new requirements.

Since the KCDPA’s enactment, Kentucky business owners have been asking whether the new legislation applies to them. The KCDPA was created to target individuals and companies that either do business in Kentucky or provide products and services geared towards Kentucky residents. A business may be subject to KCDPA requirements when it processes the personal data of a specific number of Kentucky residents. A business must adhere to the KCDPA if it controls and/or processes the personal data of 100,000+ consumers who are Kentucky residents, or if it controls or processes the personal data of 25,000+ consumers who are Kentucky residents and earns half of its gross revenue from the sale of personal data.

Under the KCDPA, businesses are labeled as either controllers or processors. Controllers are businesses that determine the purpose and means for processing personal data. On the other hand, a business is considered a processor when it processes personal data for a controller. Controllers are required to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice before collecting personal data. The KCDPA lists a few additional regulations that controllers must abide by moving forward. (1) Controllers must limit the collection of personal data to only what is necessary and relevant. (2) Controllers must avoid processing personal data for unknown reasons, without consent from consumers. (3) Controllers are obligated to protect the security of personal data processed through administrative, technical, and physical safeguards. (4) Controllers cannot discriminate against consumers for exercising their rights. The KCDPA also states both controllers and processors must obtain consent from consumers before collecting, storing, or processing sensitive data.

Enforcement of the KCDPA will begin in 2026. The Kentucky Attorney General has the exclusive authority to enforce compliance. A private right of action is explicitly prohibited in the KCDPA. This means consumers must report any violations to the Attorney General. According to the KCDPA, businesses will be given a 30-day window to cure any alleged violations. At the conclusion of this 30-day period, enforcement action can proceed. With the consequences of violations in mind, business owners may question how they can best prepare for complying with the KCDPA. First, business owners will want to find out if the KCDPA is applicable to their business. Businesses subject to the Act may need to conduct audits or data mapping. Privacy policies, vendor contracts, and other documents will likely need revising and updating too. Preparation for the KCDPA can be time-consuming and complex. Business owners unsure of where to start or how to maintain compliance should seek legal advice/counsel.