Kentucky Steps Up: HB 15 Signed Into Law

On April 4, 2024, Governor Andy Beshear of Kentucky took a significant step in safeguarding consumer privacy by signing into law HB 15, also known as the Kentucky Consumer Data Protection Act (KCDPA). Kentucky has stepped up to become the 16th US state to enact a comprehensive data privacy law. This legislative move underscores the growing recognition in the US of the need for robust data protection measures.

The Thresholds

The scope of HB 15 extends to entities conducting business in Kentucky or offering products or services directed at Kentucky residents. It applies to those who control or process personal data of a significant number of consumers, setting thresholds at either:

  • 100,000 consumers or
  • 25,000 consumers with over 50% of gross revenue from personal data sales.

Exemptions are provided for certain entities, including covered entities under HIPAA, non-profit organizations, educational institutions, and financial institutions subject to the Gramm-Leach-Bliley Act, ensuring a balanced approach to regulatory coverage.

Controller Obligations

Under HB 15, controllers are mandated to adhere to stringent data protection practices. This includes limiting data collection to necessary purposes, implementing robust security measures, and obtaining consumer consent for processing sensitive data or for purposes beyond those disclosed.

Controllers must conduct and document data protection impact assessments (DPIAs) for specific processing activities, ensuring that risks to consumers are identified and mitigated effectively.

Consumer Rights

The legislation empowers consumers with a suite of rights to exercise control over their personal data. These rights include the ability to access, correct, and delete personal data, as well as the right to receive a copy of their data in a portable format. Consumers also have the option to opt out of targeted advertising, data sales, or profiling activities with significant consequences.

Enforcement

Enforcement of HB 15 rests with the Kentucky Attorney General, who can initiate actions against non-compliant entities. There is no private right of action for violations of the law. The AG will provide a 30-day notice of violation. During this cure period, the controller or processor has 30 days to remediate the violations and provide an express written statement that the alleged violation has been cured.

Effective Date

HB 15 is slated to take effect on January 1, 2026, providing affected entities with time to prepare and implement necessary measures to comply with the new requirements effectively.

The Increasing Compliance Obligation

Kentucky’s enactment of HB 15 marks a significant stride towards enhancing consumer privacy protections within the United States. By aligning with other states with comprehensive data privacy laws, Kentucky demonstrates a commitment to fostering trust and accountability.

As the landscape of data privacy laws in the US continues to evolve and expand, companies must be proactive and stay ahead of enforcement dates. Doing so ensures that they have the necessary systems and processes in place to preserve confidence in consumer data collection processes, mitigate risks, and demonstrate their commitment to protecting data privacy rights.

To learn more about US privacy laws, check out the Clarip US Privacy Law Tracker.

Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations, including the “Do Not Sell/Do Not Share My Personal Information” solution. Allow customers to submit, revoke and update granular consent with Clarip’s Universal Consent Management. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.
