Kentucky Close To Passing Consumer Privacy Law: 10 Things Businesses Need to Know
3.20.24
Kentucky may soon become the next state to join the growing roster of states passing comprehensive consumer privacy laws, now one step closer to creating a framework that will have a significant impact on how businesses handle data within Kentucky. After the state House originally passed House Bill 15 in February, the state Senate just passed it last week with minor amendments. It will now return to the House for final approval, which is expected quickly, before being sent to the governor’s desk. Here are the top 10 things Kentucky businesses should consider in preparation for new compliance obligations.
1. When Will the Law Take Effect?
If signed into law, HB 15 would take effect on January 1, 2026.
2. Will the Law Apply to My Business?
If HB 15 passes, any for-profit business that conducts business in Kentucky, or targets Kentucky residents for products or services, will be required to comply with the law’s provisions if it either (a) controls or processes the personal data of 100,000 consumers, or (b) controls or processes the personal data of 25,000 consumers and derives over 50% of its revenue from the sale of personal data.
Entities that are subject to the rules established pursuant to the Health Insurance Portability and Accountability Act (HIPAA), as well as protected health information under HIPAA, are excluded. There is a similar exception for financial institutions and data subject to the Gramm-Leach-Bliley Act.
“Consumer” is defined as a person who is a resident of the Commonwealth of Kentucky, but only when acting in an individual context.
“Controllers” are defined as persons or entities that determine the purpose and means of processing personal data.
3. How Does the Law Define “Personal Data”?
HB 15 defines “personal data” as any information that is linked or reasonably linkable to “an identified or identifiable natural person,” meaning a person who can be readily identified, directly or indirectly. This does not include information that is publicly available or de-identified.
4. What Rights Will Consumers Have?
Consumers will have the right to:
- Confirm whether or not a particular data controller is processing their personal data;
- Access the personal data that is being processed by the controller;
- Correct inaccuracies in their personal data;
- Delete the personal data provided by or obtained about them;
- Obtain a copy of their personal data that they previously provided to the controller in a portable and readily usable format; and
- Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling.
5. What Type of Privacy Notice is Required?
Controllers must give consumers a clear and easily accessible privacy notice that covers:
- What kinds of personal data they handle;
- Why they process it;
- How consumers can use their rights under the law, including appealing decisions;
- Any personal data they share with third parties and what categories those parties fall into; and
- What categories of third parties they share personal data with.
If a controller sells personal data to third parties or uses it for targeted advertising, they must clearly tell consumers about it and explain how to opt out. Controllers must also set up one or more secure ways for consumers to request to use their rights under the law, considering how consumers usually interact with them, the need for secure communication, and verifying the consumer’s identity. They can’t make consumers create new accounts to use their rights, but they can ask them to use existing ones.
6. Will Employees Be Treated as Consumers Under the Law?
No. The current version of HB 15 specifically excludes employees – which means employers do not need to worry about applying this law to the data collected about workers in the normal course of employment.
7. Can an Individual Bring an Action for Violations?
No. HB 15 does not create a private right of action for individuals to enforce its provisions.
8. How Will the Law Be Enforced?
The Attorney General of Kentucky shall have exclusive authority to enforce violations of HB 15, either on behalf of the Commonwealth or a resident. There is a 30-day safe harbor, however. Prior to initiating any action, the Attorney General shall provide a controller or processor 30 days’ written notice of the specific alleged violations. The controller or processor will then have 30 days to rectify the violations before legal action is taken.
9. What Other States Have Passed Similar Laws?
Kentucky’s HB 15 closely mirrors the provisions of Virginia’s privacy statute, which was enacted in 2021 and is currently in effect. California, Connecticut, Colorado, and Utah also have consumer data privacy laws, while Delaware, Indiana, Iowa, New Hampshire, New Jersey, Montana, Oregon, Tennessee, and Texas have passed privacy laws that will take effect either later this year or in the coming years. A number of other states are also currently considering similar legislation.
10. What Should Businesses Do?
2026 may seem like a long way away, but compliance steps to get in line with data privacy laws can take time. If your business will be subject to HB 15, you may want to consider taking these steps sooner rather than later:
- Evaluate your organization’s current data collection and privacy procedures;
- Compile a record of historical consumer data your organization has collected;
- Deliberate on potential future consumer data collection avenues;
- Prepare to perform a data protection assessment in connection with processing activities that present a heightened risk of harm, as required under the law;
- Identify data your organization may gather concerning minors;
- Craft protocols for addressing consumer inquiries; and
- Work with data privacy counsel to ensure that your organization will be able to comply with the law.
Conclusion
For further information, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney on the firm’s Consumer Privacy Team, the Privacy and Cyber Practice Group, or in our Louisville office. Fisher Phillips will continue to monitor consumer privacy law developments and will provide updates as warranted, so make sure that you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information directly to your inbox.