As stated in Part One of this article, on April 4, 2023, Kentucky became the latest state to enact a consumer data privacy statute, the Kentucky Consumer Data Protection Act (“KCDPA”). In Part One, the Consumer Data Privacy and Compliance Lawyers at Revision Legal discussed how the KCDPA resolved current policy debates and which businesses, organizations and data were covered by (or exempt from) the KCDPA. In this Part Two, we discuss the obligations that the KCDPA imposes.
The KCDPA was toughened up in the final version
Earlier versions of the KCDPA were very mild with respect to the duties imposed on controllers. For example, earlier versions of the statute did not require data assessment reports and went entirely with an “opt-out” regime rather than requiring actual consent from consumers for some purposes. For example, an earlier version of Section 4(1)(e) stated that controllers shall not “… process sensitive data concerning a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt-out of such processing…” The final version, however, toughened this up by stating that controllers shall not “… process sensitive data concerning a consumer without obtaining the consumer’s consent …”
However, the “opt-out” language still applies if consumers want to opt out of targeted advertising, the sale of their personal data, and for purposes of profiling. Section 4(4) reads:
“If a controller sells personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such processing.”
So, active consent is not required; rather, processing can occur as long as an opt-out option is provided. Note that there is a language mismatch in the final version of the KCDPA. Section 3(2)(e) added language granting consumers the right to opt out of profiling, but that profiling language was not added to Section 4(4).
Aside from these types of inconsistencies, the KCDPA imposes duties that are similar to the ones imposed by other data protection statutes. A privacy notice is required by the KCDPA. This must be provided to the consumer in a manner that is “reasonably accessible, clear, and meaningful.” What must be disclosed is as follows:
(a) The categories of personal data processed by the controller;
(b) The purpose for processing personal data;
(c) How consumers may exercise their consumer rights to request access, correction, or deletion of their personal data and their opt-out rights, and how a consumer may appeal a controller’s decision with regard to the consumer’s request;
(d) The categories of personal data that the controller shares with third parties, if any; and
(e) The categories of third parties, if any, with whom the controller shares personal data
In addition, as discussed above, active consent is required for some purposes and opt-out choices must be given in other circumstances. Controllers must limit the collection and processing of data to what is “adequate, relevant, and reasonably necessary” and cannot process data for undisclosed purposes without consent. Controllers must also maintain reasonable administrative, technical, and physical data security practices to protect personal data, comply with anti-discrimination laws, and not discriminate or retaliate against consumers for exercising their rights. Controllers must establish an appeal mechanism for consumers in cases where the controller denies a consumer’s request. Finally, controllers must have written contractual agreements with processors requiring the processors to comply with the KCDPA.
Violations of the KCDPA will be investigated by the Attorney General’s Office. The statute provides a 30-day cure period. Civil fines of up to $7,500 per violation can be imposed, and the AG’s Office is empowered to recover reasonable expenses incurred in investigating and preparing the case, along with court costs and attorney’s fees. Injunctive relief is also available.
Data Protection Assessments: What Businesses Must Document
The KCDPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk to consumers. These include processing personal data for targeted advertising, selling personal data, processing sensitive data, and profiling that produces legal or similarly significant effects. A data protection assessment is essentially a written analysis that weighs the benefits of the processing activity against the risks it poses to consumers — and that documents the business’s conclusion that the benefits outweigh the risks.
These assessments must be made available to the Kentucky Attorney General’s Office upon request during an investigation. A business that cannot produce an assessment for a high-risk processing activity is in a vulnerable position during an AG investigation — the absence of the assessment is itself evidence of non-compliance. Legal counsel should assist in developing assessment templates and ensuring that each covered processing activity has a documented assessment that can withstand regulatory scrutiny.
Processor Agreements: What the KCDPA Requires
The KCDPA requires that controllers have written contracts with their processors — the third-party service providers that process personal data on the controller’s behalf. The contract must specify: (1) the nature and purpose of the processing; (2) the type of data involved and the duration of the processing; (3) the rights and obligations of both parties; and (4) instructions from the controller to the processor regarding how processing is to be conducted.
Processors under the KCDPA must comply with the controller’s instructions, implement adequate security measures, ensure that any subprocessors they engage are also bound by appropriate data protection requirements, and assist the controller in meeting its KCDPA obligations — including responding to consumer rights requests. Controllers who do not have KCDPA-compliant processor agreements in place face liability for data handling by their processors that violates the KCDPA. Businesses should audit all vendor agreements involving personal data processing immediately to ensure written contracts are in place and compliant.
The 30-Day Cure Period: How to Use It Strategically
Unlike some other state privacy statutes that have eliminated or limited cure periods, the KCDPA provides a permanent 30-day cure opportunity before penalties can be imposed. This means that if the Kentucky AG’s office opens an investigation and identifies a potential violation, the business has 30 days from the date of notice to remedy the violation and avoid civil penalties of up to $7,500 per violation.
The strategic value of the cure period depends entirely on the speed and quality of the business’s response. A business that has a pre-established privacy compliance program with clear internal accountability can move quickly to investigate the identified issue, document the remediation steps taken, and notify the AG’s office of the cure within the 30-day window. A business without such a program will struggle to respond meaningfully in 30 days. Investing in a compliance program before receiving a notice is far less expensive than attempting to build one under the pressure of a 30-day cure clock.
Security Requirements: What “Reasonable” Means Under the KCDPA
The KCDPA requires controllers and processors to implement “reasonable administrative, technical, and physical data security practices” appropriate to the volume and nature of the personal data being processed. The statute does not prescribe specific security frameworks, but the FTC’s cybersecurity guidance, ISO 27001, NIST SP 800-53, and SOC 2 Type II certification processes provide widely recognized benchmarks against which “reasonableness” is often measured in regulatory and litigation contexts.
At minimum, covered businesses should ensure that personal data is encrypted at rest and in transit, that access controls limit data access to employees with a legitimate need, that employee training on data handling practices is conducted regularly, and that an incident response plan is in place for responding to data breaches. In the event of a breach, the KCDPA does not eliminate obligations under Kentucky’s existing data breach notification statute, Ky. Rev. Stat. § 365.732, which requires notification to affected consumers and the AG’s office within a reasonable time after discovery of a breach involving Kentucky residents’ personal information.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.