Bluegrass State Becomes Third State To Pass A Comprehensive Consumer Privacy Data Law In 2024 – Data Protection



On April 4, 2024, Kentucky’s Governor signed House Bill 15, which establishes a consumer
data privacy law for the state. The state joins New Hampshire and New Jersey in passing comprehensive consumer
privacy laws in 2024. Kentucky’s law takes effect January 1,
2026.

To whom does the law apply?

The law applies to persons, hereafter referred to as
controllers, that conduct business in Kentucky or produce products
or services that are targeted to residents of Kentucky and during a
calendar year control or process personal data of at least:

  • 100,000 consumers; or

  • 25,000 consumers and derive over 50% of gross revenue from the
    sale of personal data.

Who is protected by the law?

A consumer protected under the new legislation is defined as a
natural person who is a resident of Kentucky, acting in an
individual context. A consumer does not include a person acting in
a commercial or employment context.

What data is protected by the law?

The legislation protects personal data defined as information
that is linked or reasonably linkable to an identified or
identifiable natural person.

Sensitive data is defined under the law as personal data
indicating racial or ethnic origin, religious beliefs, mental or
physical health diagnosis, sexual orientation, or citizenship or
immigration status. It also includes genetic or biometric data
that is processed to uniquely identify a specific natural person,
personal data of a minor, and precise geolocation data.

What are the rights of consumers?

Under the law, consumers have the following rights:

  • To confirm whether a controller is processing their personal
    data

  • To correct inaccurate personal data

  • To delete personal data maintained by the controller

  • To opt out of processing of personal data for targeted
    advertising, sale, or certain profiling

What obligations do controllers have?

Under the legislation, controllers must:

  • Establish, implement, and maintain reasonable administrative,
    technical, and physical data security practices;

  • Limit the collection of personal data to what is adequate,
    relevant, and reasonably necessary in relation to purpose; and

  • Obtain consent from consumers before processing sensitive data
    concerning the consumer.

How is the law enforced?

The Attorney General has exclusive authority to enforce
violations of the legislation. The law does provide for a 30-day
right to cure violations by controllers and processors of data.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
