Kentucky is known for its Derby, and the US data privacy landscape has looked like a horse race between states. Kentucky has now passed the Kentucky Consumer Data Privacy Act (KCDPA), becoming, by most counts, the fifteenth state to enact comprehensive consumer data privacy legislation.

The Kentucky legislature passed House Bill 15 (HB 15), which Governor Andy Beshear signed into law on April 4, 2024. The KCDPA takes effect on January 1, 2026.

What is the KY HB 15 Consumer Data Privacy Act (KCDPA)?

HB 15 is a comprehensive consumer privacy law. The KCDPA is designed to protect the personal data of Kentucky residents by requiring businesses to be transparent about how they process that data, to honor consumer rights requests, and to maintain reasonable data security. It sets out clear obligations for controllers and processors that operate in the state.

What Businesses Need to Know About the KCDPA

The KCDPA grants Kentucky residents rights over their personal data and requires businesses to be transparent about how they collect, use, and process it. Together these measures give consumers more control over their data.

The KCDPA introduces several provisions that strengthen data privacy and security within Kentucky. The key aspects of the law are:

Who Must Comply?

The KCDPA applies to businesses that conduct business in Kentucky or produce products or services targeted to Kentucky residents and that, during a calendar year, either:

  • Control or process the personal data of at least 100,000 Kentucky consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  • Control or process the personal data of at least 25,000 Kentucky consumers and derive over 50% of gross revenue from the sale of personal data.

Preparing for KCDPA Compliance

Compliance with the KCDPA is essential for businesses operating in Kentucky: non-compliance can lead to civil penalties and reputational damage. Key considerations for achieving compliance include:

Privacy Notice

Kentucky's law requires controllers to provide consumers with an "accessible, clear, and meaningful" privacy notice that includes:

  • The categories of personal data processed
  • The purposes for processing the data
  • The categories of personal data the controller shares with third parties
  • The categories of third parties with which the controller shares personal data
  • How consumers may exercise their rights, including how to appeal a controller's decision on a request

Data Minimization

The legislation requires businesses to limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" for the purposes disclosed to the consumer, and not to process personal data for purposes that are neither reasonably necessary to nor compatible with those disclosed purposes unless the consumer has consented.

Data Security & Protection

Organizations must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the data at issue.

Data Protection & Risk Assessments

The KCDPA refers to its data protection assessments as data protection impact assessments (DPIAs), the same term the GDPR uses. Businesses must conduct and document a DPIA for each processing activity that presents a heightened risk of harm to consumers, including processing sensitive data, selling personal data, processing for targeted advertising, and profiling that presents a reasonably foreseeable risk to consumers. The requirement applies to processing activities created or generated after June 1, 2026, and is not retroactive.

KCDPA Enforcement & Fines

The Kentucky Attorney General ("AG") has exclusive authority to enforce the Act; there is no private right of action. Before bringing an action, the AG must give the business written notice of the alleged violations and a 30-day period to cure them. If the violations are not cured, the AG may initiate an action and seek damages of up to $7,500 for each continued violation.


Kentucky Consumer Rights

The KCDPA grants Kentucky residents specific rights over their personal data, including:

  • The right to confirm whether or not a business is processing the consumer's personal data
  • The right to access that personal data, unless confirming or providing access would reveal a trade secret
  • The right to correct inaccuracies in the consumer's personal data
  • The right to delete personal data provided by or obtained about the consumer
  • The right to data portability, so the consumer can obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format
  • The right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
  • The right not to be discriminated against for exercising any of these rights

Separately, businesses must not process a consumer's sensitive data without the consumer's consent, and sensitive data known to have been collected from a child must be processed in accordance with the federal Children's Online Privacy Protection Act (COPPA).

Businesses must respond to a consumer request without undue delay and in all cases within forty-five (45) days of receiving it; this period may be extended once by a further 45 days where reasonably necessary, provided the consumer is informed of the extension and the reason for it within the initial 45 days. Information provided in response to a request must be free of charge, up to twice annually per consumer.

Appeals Process

Businesses must establish a process for consumers to appeal a refusal to act on a request, within a reasonable period after the consumer receives the decision. The appeal process must be conspicuously available and similar to the process for submitting rights requests in the first place. Within sixty (60) days of receiving an appeal, the business must inform the consumer in writing of any action taken or not taken in response, including a written explanation of the reasons for its decision.


How BigID Helps Organizations Comply with Kentucky’s Consumer Data Privacy Act

BigID enables organizations to prepare for the KCDPA and achieve compliance with a patented, identity-aware privacy automation platform. With BigID, businesses can:

  • Identify All Data: Discover and classify data to build an inventory, map data flows, and gain visibility into all personal and sensitive information subject to KCDPA requirements.
  • Apply Policies: Remediate policy-based risk with controls and workflows that act on KCDPA requirements.
  • Automate Data Rights Management: Automatically manage privacy requests, preferences, and consent, including opt-outs from the sale of personal data, targeted advertising, and profiling.
  • Minimize Data: Apply data minimization by identifying, categorizing, and deleting unnecessary or excessive personal data across the data lifecycle.
  • Implement Data Protection Controls: Automate data protection controls to enforce data access and other security measures that safeguard data and support KCDPA compliance.
  • Assess Risk: Automate privacy impact assessments, data inventory reports, and remediation workflows to identify and remediate risks and maintain compliance.

Schedule a 1:1 demo to see how BigID can accelerate your compliance with KCDPA.