On April 4, 2024, Kentucky’s Governor Beshear signed the recently enacted Kentucky Consumer Data Protection Act (“KCDPA”). The KCDPA will become effective on January 1, 2026. Kentucky is the most recent state to pass a consumer data privacy statute. The various statutes have now converged and are quite similar in their framework, scope, and coverage. The KCDPA is well within these boundaries and opens no new legal ground. In this two-part series, the Consumer Data Privacy and Compliance Lawyers at Revision Legal provide an overview of the KCDPA for businesses, which businesses and what types of data are covered, and what is mandated by the KCDPA for businesses that collect, control, and process consumer data.
The KCDPA uses the standard data privacy framework
As noted, the KCDPA follows the standard framework, in that it:
- Is aimed at controllers and processors of personal and sensitive consumer data
- Gives consumers certain rights with respect to their data
- Requires controllers and processors to comply with various KCDPA mandates (such as supplying notices to consumers and obtaining consent from, or allowing opt-outs by, consumers), and
- Is enforced through the State Attorney General’s Office
How the KCDPA resolves current policy debates
That being said, within the standard data privacy framework, there are still a number of nuanced policy debates that are ongoing as of early 2024. Many of these policy debates are listed below along with how the KCDPA resolves those debates for consumers in Kentucky:
- Whether documented data assessment reports are required — the KCDPA DOES require these
- Whether the statute applies to out-of-state businesses because they target in-state consumers or because they provide goods and services to in-state consumers — the KCDPA uses the word “target”
- Whether data processed exclusively for payment purposes is included or excluded when determining thresholds for coverage — the KCDPA includes such data processing
- Whether data related to employment and employment applications are included or excluded from coverage — the KCDPA excludes such data
- Whether nonprofit entities are exempt from coverage — nonprofits ARE exempt under the KCDPA
- Whether businesses are required to accept global or universal consumer privacy choices established through apps, browser settings, and the like — the KCDPA does NOT require this
- Whether an appeal mechanism is mandated if a controller refuses/fails to take an action requested by a consumer — the KCDPA DOES mandate such a mechanism
- Whether non-action can be deemed “consent” — the KCDPA is silent on whether non-action can be deemed consent
- Whether affirmative consent must be obtained or whether an opt-out choice is sufficient — the final version of the KCDPA requires consent in some cases (for example, processing sensitive data) whereas an opt-out choice is sufficient in others (such as targeted advertising and the sale of personal data)
Coverage
The KCDPA applies to any person (business or individual) that conducts business in Kentucky OR produces products or services that target residents of the state AND that, during a calendar year, either:
- Controls or processes the personal data of at least 100,000 Kentucky consumers, OR
- Controls or processes the personal data of at least 25,000 Kentucky consumers AND derives over 50% of gross revenue from the sale of personal data
Compared with other similar statutes, the KCDPA’s list of exempt organizations is short. Exempt entities include government agencies and political subdivisions, nonprofits, financial institutions subject to the federal Gramm-Leach-Bliley Act, entities governed by the federal HIPAA privacy rules, institutions of higher education, fraud investigation entities, first responder entities, and certain small telecommunications utilities.
Certain types of data are also excluded, and this list is about the same length as those found in other data privacy statutes. Excluded data include health data (such as protected health information under HIPAA), data about a person acting in an employment or commercial (business-to-business) capacity, pseudonymous data, de-identified data, data regulated under the federal Fair Credit Reporting Act, and more.
See Part Two for more information.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.