
The Kentucky Consumer Data Protection Act — An Overview for Businesses (Part Two)

by John DiGiacomo, Partner, Internet Law

As stated in Part One of this article, on April 4, 2023, Kentucky became the latest state to enact a consumer data privacy statute, the Kentucky Consumer Data Protection Act (“KCDPA”). In Part One, the Consumer Data Privacy and Compliance Lawyers at Revision Legal discussed how the KCDPA resolved current policy debates and which businesses, organizations, and data are covered by (or exempt from) the KCDPA. In this Part Two, we discuss the obligations that the KCDPA imposes.

The KCDPA was toughened up in the final version

Earlier versions of the KCDPA were very mild with respect to the duties imposed on controllers. For example, earlier versions of the statute did not require data assessment reports and went entirely with an “opt-out” regime rather than requiring actual consent from consumers for some purposes. For example, an earlier version of Section 4(1)(e) stated that controllers shall not “… process sensitive data concerning a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt-out of such processing…” The final version, however, toughened this up by stating that controllers shall not “… process sensitive data concerning a consumer without obtaining the consumer’s consent …”

However, the “opt-out” language still applies if consumers want to opt out of targeted advertising, the sale of their personal data, and for purposes of profiling. Section 4(4) reads:

“If a controller sells personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such processing.”

So, active consent is not required for these activities; rather, processing can occur as long as an opt-out option is provided. Note that there is a language mismatch in the final version of the KCDPA. Section 3(2)(e) added language granting consumers the right to opt out of profiling, but corresponding profiling language was not added to Section 4(4).

Aside from these types of inconsistencies, the KCDPA imposes duties that are similar to the ones imposed by other data protection statutes. A privacy notice is required by the KCDPA. This must be provided to the consumer in a manner that is “reasonably accessible, clear, and meaningful.” What must be disclosed is as follows:

(a) The categories of personal data processed by the controller;

(b) The purpose for processing personal data;

(c) How consumers may exercise their consumer rights to request access, correction, or deletion of their personal data and their opt-out rights, and how a consumer may appeal a controller’s decision with regard to the consumer’s request;

(d) The categories of personal data that the controller shares with third parties, if any; and

(e) The categories of third parties, if any, with whom the controller shares personal data.

In addition, as discussed above, active consent is required for some purposes and opt-out choices must be given in other circumstances. Controllers must limit the collection and processing of data to what is “adequate, relevant, and reasonably necessary” and cannot process data for undisclosed purposes without consent. Controllers must also maintain reasonable administrative, technical, and physical data security practices to protect personal data, comply with anti-discrimination laws, and not discriminate or retaliate against a consumer for exercising their rights. Controllers must establish an appeal mechanism for consumers in cases where the controller denies a request made by the consumer. Finally, controllers must have written contractual agreements with processors requiring the processors to comply with the KCDPA.

Violations of the KCDPA will be investigated by the Attorney General’s Office. A 30-day cure period is provided by the statute. Civil fines can be imposed of up to $7,500 for each violation and the AG’s Office is empowered to recover reasonable expenses incurred in investigating and preparing the case along with court costs and attorney’s fees. Injunctive relief is also available.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
