Earlier this month, the Kentucky legislature passed comprehensive privacy legislation, H.B. 15 (the “Act”), joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, and New Hampshire. The Act is awaiting the Governor’s signature. If signed into law, the Act would take effect on January 1, 2026. This blog post summarizes the statute’s key takeaways.
- Scope: The Act would apply to controllers and processors that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents, and that, during a calendar year, either: (i) control or process personal data of at least 100,000 consumers or (ii) control or process data of at least 25,000 consumers and derive more than 50% of their gross revenue from selling personal data.
- Consumer Rights: The Act would, among other things, grant consumers the rights of access, deletion, portability, and correction. The Act would also allow consumers to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects.
- Sensitive Data: Controllers would be required to obtain consent before processing a consumer’s sensitive data. The Act defines sensitive data as personal data that indicates racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to identify unique individuals; personal data collected from a known child; and precise geolocation data.
- DPIAs: The Act would require Data Protection Impact Assessments (“DPIAs”) for processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), or processing of sensitive data, or that would otherwise present a heightened risk of harm to consumers.
- Enforcement: The Kentucky Attorney General will have exclusive authority to enforce the Act. The statute would also grant controllers and processors a 30-day right to cure that does not sunset.