Kentucky may soon join the growing number of states that have enacted data privacy legislation. On January 3, 2023, Senator Whitney Westerfield and Senator John Schickel introduced Senate Bill 15, which, if passed, will create new sections of KRS Chapter 367 to establish consumer protection rights for Kentucky residents relating to personal data.

Notably, Senate Bill 15 would apply to business entities that conduct business or produce products or services that target Kentucky residents and that, during a calendar year, either control or process personal data of at least 10,000 consumers or derive over 40% of gross revenue from the sale of personal data. Senate Bill 15 defines a consumer as a natural person who is a resident of Kentucky acting only in an individual or household context. A consumer does not include a person acting in a commercial or employment context, or as an independent contractor. The law will exempt certain organizations from its application, including, for example, state agencies under certain circumstances, financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities, nonprofit organizations, and institutions of higher education.

New data privacy rights for consumers

Under proposed Senate Bill 15, covered businesses will be required to provide consumers with a privacy notice outlining the personal data the business collects, the purpose for its collection, third parties which may receive disclosure of the information, and how consumers can exercise their individual rights with respect to personal information. Senate Bill 15's proposed rights include the following:

  • Right to confirm whether their personal data has been processed;
  • Right to delete the consumer's personal data;
  • Right to correct inaccuracies in the consumer's personal data;
  • Right to receive a copy of their personal data previously provided by the consumer to the entity in a “portable and, to the extent technically practicable, readily usable format” to enable the consumer to easily review the transmittal of their information to a third party; and
  • Right to “opt out” of targeted advertisements, profiling, and the sale of personal data.

New obligations for covered businesses

Additionally, under Senate Bill 15, covered businesses will need to:

  • Respond to consumers' requests without undue delay, no later than 45 days after the receipt of a request to exercise a right;
  • Provide consumers with the requested information at no charge, at least twice annually per consumer, unless the consumer request is “excessive, repetitive, technically infeasible, or manifestly unfounded,” in which case a reasonable fee to cover administrative costs can be charged;
  • Establish, implement, and maintain sufficient administrative, technical, and physical data practices to safeguard consumers' personal data;
  • Establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the consumer's rights; and
  • Commit not to process sensitive data concerning a consumer for a non-exempt purpose without the consumer having been presented with clear and conspicuous notice and an opportunity to opt out of such processing.

Similar to the enforcement measures under other state data privacy laws, Kentucky's Senate Bill 15 provides that the State Attorney General would have the exclusive authority to enforce the Act and may issue a civil investigative demand to any data controller or data processor. Additionally, the Attorney General would initiate a civil claim seeking damages of up to $7,500 for each continued violation of Kentucky's new data privacy law.

This is not the first time a data privacy bill has been introduced in the Kentucky legislature. A similar bill was introduced last year, but did not receive much traction. If the bill is enacted, covered businesses will be tasked with assessing and updating their personal data collection processes, developing a privacy policy, and implementing procedures to comply with the newly established rights by January 1, 2025. The new law would also require certain contract terms to be in place between data controllers and their data processors. This year's legislative effort has already advanced further than its 2022 counterpart, but it remains to be seen whether the proposed legislation will ultimately pass or fail.

While a uniform consumer data privacy law has been a hot topic in Congress for a number of years, the U.S. currently lacks a comprehensive consumer privacy law. In the meantime, businesses are forced to navigate a myriad of state privacy regulations. The number of states enacting comprehensive data privacy laws continues to grow, with California, Colorado, Connecticut, Utah, and Virginia recently adopting sweeping data privacy laws. Other states, such as Nevada, have enacted more limited consumer privacy protection laws. Kentucky is among 20 states considering new data privacy legislation in 2023. With this ever-changing privacy landscape, it is important for businesses to stay apprised of the privacy laws in states where they operate and in states where the business collects residents' information.
