Kentucky Passed a Comprehensive Privacy Law: Here’s What You Need to Know
A comprehensive privacy bill, HB 15, has passed both houses of Kentucky’s legislature and will become law once signed by the state’s governor.
- HB 15 is nearly identical to the Virginia Consumer Data Protection Act (VCDPA), which has set the standard for all comprehensive state privacy laws outside California.
- The bill will give Kentucky residents new rights allowing them to access, correct, and delete their personal data and to opt out of targeted advertising, the sale of their personal data, and certain forms of profiling.
- Other requirements in HB 15 include conducting data protection assessments before undertaking certain risky processing activities, implementing contracts with data processors, and obtaining consent before processing sensitive data.
Who has to comply with HB 15?
HB 15 applies to companies doing business in Kentucky or producing goods and services targeting Kentucky residents that, per calendar year:
- Process or control personal data about at least 100,000 Kentucky consumers (around 2.2% of the state’s 4.5 million residents), or
- Both:
  - Process or control personal data about at least 25,000 Kentucky consumers, and
  - Derive 50% or more of gross annual revenues from selling personal data.
Note that HB 15 has exactly the same application thresholds as Indiana, Iowa, and Virginia. Kentucky’s bill also includes the same carve-outs for non-profits, HIPAA-covered entities, and employment data, among other exemptions.
What rights do consumers have under Kentucky’s new law?
Kentucky will provide the full range of privacy rights to Kentucky consumers, including the right to:
- Confirm whether a company is processing their personal data
- Access their personal data
- Correct inaccuracies in their personal data
- Delete their personal data under certain conditions
- Obtain a portable, machine-readable copy of their personal data
Businesses must comply with a consumer’s request within 45 days and can extend this period by 45 more days where reasonably necessary. If a consumer is unhappy with a company’s response, they can appeal to the Kentucky Attorney General.
What about opt-out rights?
Kentucky consumers will have the right to opt out of:
- Targeted advertising
- The sale of their personal data
- Profiling in furtherance of decisions that produce “legal or similarly significant effects”
Unlike privacy laws in nine other states, including California, Colorado, and Connecticut, Kentucky’s law will not require businesses to respect opt-out requests made via a Universal Opt Out Mechanism (UOOM), such as the Global Privacy Control (GPC).
However, HB 15 will require every covered business to provide at least one “secure and reliable means” for consumers to submit requests to exercise any of their rights—and to explain these methods in its privacy notice.
What about sensitive data?
Like all other comprehensive privacy law states except Utah and Iowa, Kentucky is an “opt-in” state when it comes to sensitive data.
Sensitive data under HB 15 includes:
- Personal data indicating:
  - Racial or ethnic origin
  - Religious beliefs
  - Mental or physical health diagnosis
  - Sexual orientation
  - Citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Personal data collected from a known child
- Precise geolocation data.
Companies will be barred from processing these types of sensitive data without obtaining a consumer’s “freely given, specific, informed, and unambiguous agreement.”
What else does HB 15 require?
Kentucky’s new privacy law includes most of the other privacy obligations that are becoming standard practice across the US, including:
- Implementing contracts to control how processors process personal data on their behalf
- Conducting data protection assessments before undertaking certain processing activities
- Not processing more personal data than reasonably necessary for the purposes disclosed to consumers
- Not processing personal data for further incompatible purposes
- Implementing reasonable data security measures
If a company violates HB 15, the Kentucky Attorney General will offer the company 30 days to “cure” the violation—to put things right for any consumers harmed by the company’s non-compliance.
But as we saw in the recent California case against DoorDash, “curing” a violation can be difficult or even impossible for a business that has lost control of a consumer’s data.
That’s why proactive compliance with HB 15 and all other state privacy laws is crucial.
Key takeaways on Kentucky’s upcoming comprehensive privacy law, HB 15
- Kentucky’s HB 15 closely mirrors other state privacy laws like Virginia’s VCDPA. If you’re covered by other state privacy laws, be ready to offer Kentucky consumers the same sorts of privacy protections.
- As in other states, Kentucky’s law will have a significant impact on many companies’ online advertising activities. Make sure you can offer Kentucky consumers an opt-out from targeted advertising once the law kicks in.
- Once signed by the state’s governor, the law is due to take effect on January 1, 2026. Consider reviewing your processing activities and service provider contracts in advance.