18/04/2024 | Press release | Distributed by Public on 18/04/2024 23:14
The Kentucky Consumer Data Protection Act, or KCDPA, was signed into law by Governor Andy Beshear on April 4, 2024 (previously House Bill 15). The comprehensive law will go into effect January 1, 2026, and follows the trends of most other U.S. state privacy laws[1] enacted to date, mainly by focusing on standards for processing personal data. The KCDPA codifies many consumer rights relating to personal data, including the right to confirm whether a consumer's personal data is being used or otherwise collected or shared; to correct inaccuracies in that personal data; to delete personal data the consumer provided; to obtain a copy of the consumer's personal data; and to opt out of targeted advertising, data sales, or profiling.
KCDPA applies to "controllers," which include entities that:
The KCDPA exempts law enforcement agencies investigating fraud and first responders collecting information in connection to catastrophic events. In addition, there are several distinct entities that are exempt from the KCDPA, such as cities and municipalities, nonprofit organizations, HIPAA-covered entities, financial institutions, institutions of higher education, and small telephone utilities.
The KCDPA protects "consumers," meaning a natural person who is a resident of the Commonwealth of Kentucky acting only in an individual context. Consumers do not include a natural person acting in a commercial or employment context, and, as such, business-to-business (B2B) and employment-related activities are not within the scope of the KCDPA.
Under the law, a consumer has the right to:
A consumer can invoke these rights by submitting a request to a controller that specifies which rights the consumer wishes to exercise. Consumers have the right to appeal a controller's response to a denied request. If the appeal is denied within 60 days, the controller must provide the consumer with an online mechanism, if available, or another method for the consumer to contact the state attorney general to submit a complaint.
Controllers are required to give a clear, reasonably accessible, and meaningful privacy policy to consumers. If a company triggers the KCDPA, it must provide a privacy policy, and that policy, at a minimum, must include notice of:
The privacy policy is a crucial part of data governance for controllers. Failure to provide a comprehensive and effective policy may subject controllers to the penalties and fines described below.
Under the KCDPA, the definition of personal data is extremely broad in scope: it means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information (provided that such information has lawfully been made public and has not otherwise been restricted by the consumer).
The KCDPA requires controllers to get affirmative consent from consumers to process their "sensitive data." Sensitive data is a category of personal data that indicates:
If you are considering processing sensitive data, a pop-up disclosure with a "Click to Accept" button or a verification consent checkbox is recommended to obtain clear, verified consent before the sensitive data is collected.
The KCDPA also has a separate category for "pseudonymous data." Pseudonymous data means "personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person." To the extent that data can be readily tokenized or otherwise pseudonymized, this is a useful option for managing data in compliance with Kentucky's new privacy law.
The "sale of personal data" and "targeted advertising" are some of the main concerns for Kentucky regulators. The sale of personal data is the "exchange of personal data for monetary consideration by the controller to a third party." However, the sale of personal data does not include the following categories:
Targeted advertising means "displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests." Targeted advertising does not include the following:
Controllers must conduct and document a data protection impact assessment of each of the following processing activities involving personal data:
Kentucky's attorney general has exclusive authority to investigate and enforce violations of the KCDPA. If an identified violation is not rectified within 30 days, the attorney general can seek damages of up to $7,500 for each violation.
Unlike privacy laws in other states, however, there is no private right of action for individual consumers under the KCDPA.
For more information and enforcement guidance, to update your privacy policy to comply with the KCDPA, or to conduct a data protection impact assessment, please contact the authors of this article or any member of Frost Brown Todd's Data Security and Privacy practice.
[1] Notably, the KCDPA very closely mirrors the Virginia Consumer Data Protection Act (VCDPA).