Kentucky Consumer Data Protection Act

What you need to know about the KCDPA:

To Whom Does KCDPA Apply?

The KCDPA applies to for-profit entities that:

  1. Conduct business or provide products or services to residents of Kentucky, and
  2. Annually control or process the personal information of either:
    1. 100,000 consumers; or
    2. 25,000 consumers, while deriving at least 50% of gross revenue from the sale of personal information.

Where Does the KCDPA NOT Apply?

Exempt Entities: Exempt entities include:

  • State government entities;
  • GLBA-covered entities;
  • HIPAA-covered entities and business associates;
  • Higher education institutions (as defined by the state; excludes for-profit schools);
  • Certain insurance-fraud-related organizations;
  • First responders in connection with catastrophic events; and
  • Certain utilities.

Exempt Data: Kentucky exempts a long list of personal information, including but not limited to:

  • Protected Health Information under HIPAA;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the Fair Credit Reporting Act (FCRA); and
  • Data covered by a wide variety of other federal laws, including the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Driver’s Privacy Protection Act.

Use-case exceptions: The KCDPA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context;
  • Processing PI for emergency contact purposes; and
  • Processing PI of another individual in relation to the provision of benefits.

In addition, the KCDPA specifies that the law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of the KCDPA

What Constitutes PI in Kentucky?

The KCDPA covers “personal data,” also called personal information or PI, which Kentucky defines as: “any information that is linked or reasonably linkable to an identified or identifiable individual.” Like many other states, there is an exception for de-identified and publicly available data.

What Constitutes Sensitive PI?

KCDPA’s definition of sensitive personal information consists of:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical diagnosis;
  • Sexual orientation;
  • Citizenship or immigration status;
  • PI about a known child;
  • Precise geolocation data; and
  • Genetic or biometric data processed for identification purposes.

Any Other Categories of Data I Should Think About?

Where a controller processes de-identified data, the KCDPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; to publicly commit to maintaining such data without attempting to re-identify it; and to contractually obligate any recipients of the data to comply with this law.

Kentucky also exempts pseudonymous data from all privacy rights requests where the controller can show that it keeps the information that would allow the data to be re-identified to the consumer separate, and subject to technical and organizational controls that prevent its use for re-identification.

Notably, the right to opt out is covered by the exemption for pseudonymous data, meaning consumers cannot opt out of processing for sale, targeted advertising, or profiling when the underlying data is pseudonymized.

Is Consent Needed to Process Sensitive PI?

In a word: YES!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA. Notably, the sale of, or processing for targeted advertising of, the PI of minors aged 13 and older does not require consent, unlike under many other state laws.

Consent is also required for secondary use of information that is neither necessary for nor compatible with the purpose of collection and has not been disclosed to the consumer in a notice.

What Needs to Be Included in the Privacy Notice?

A privacy notice must include:

  • The categories of PI processed;
  • The purpose for processing PI;
  • The categories of PI shared with third parties;
  • The categories of third parties with which PI is shared;
  • A description of targeted advertising and selling activities, including a procedure for opting out of processing for these purposes; and
  • The methods for a consumer to exercise their rights (see below) and to appeal a decision on their rights request.

What Constitutes “Sale” of PI?

Kentucky follows the narrower definition of “sale” used in some other states, defining it as an exchange for monetary consideration (as opposed to monetary or other valuable consideration).

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, a disclosure of PI at the direction of the consumer, and the disclosure of PI that the consumer intentionally made available to the public.

How Will the KCDPA Be Enforced?

The Kentucky attorney general (AG) has sole enforcement authority over the KCDPA. Under the KCDPA, the AG may bring an enforcement action only after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s); the cure period has no sunset. Actions can be brought that seek fines of up to $7,500.

Data Privacy is Just Good Business