Kentucky Passes a Comprehensive Privacy Law, Becoming the Next State to Join the Privacy Race
On April 4, 2024, Governor Andy Beshear signed into law Kentucky's comprehensive privacy legislation, H.B. 15 (the Act), officially placing Kentucky as the nation's sixteenth state to join the privacy legislation race. The Act, which mirrors Virginia's comprehensive privacy law, is set to take effect January 1, 2026.
The Act applies to entities that conduct business in Kentucky or produce products/services targeted to Kentucky residents and that annually (1) control or process personal data of 100,000 consumers, or (2) control or process personal data of 25,000 consumers, if over 50% of gross revenue is derived from the sale of personal data. Notably, exemptions exist for government entities, certain financial institutions, HIPAA covered entities, nonprofit organizations, and institutions of higher education, to name a few.
Following in the steps of other states, the Act grants consumers the rights of access, deletion, portability, correction, and opt-out of targeted advertising, sale of data, and profiling. It also requires processors to obtain consent for the processing of sensitive personal data. Like Virginia, Kentucky requires Data Protection Impact Assessments (DPIAs) for processing activities that involve targeted advertising, the sale of personal data, profiling under specific circumstances, processing of sensitive data, or that would present a heightened risk to consumers. The Kentucky Attorney General has been tasked with enforcement, and controllers and processors have a 30-day cure period.
Kentucky’s new law adds to the growing complexity of compliance with U.S. privacy laws. For further information about the Act or privacy laws in general, please contact John Landolfi, Chris Ingram, Chris LaRocco, Gretchen Rutz Leist, Nikkia Knudsen, or your Vorys attorney.