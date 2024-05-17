With the Kentucky governor recently signing into law that state's privacy law the US now has 16 states with "comprehensive" privacy laws. This newest one will go into effect on January 1, 2026 – the same day as Indiana. It closely resembles other state privacy laws, in particular, Virginia's privacy law. For a recap of all of the US state privacy laws and their obligations you can visit our interactive tool.

The new Kentucky law will mirror all other states (except California) and define "consumer" to exclude those in an employment context. Key provisions of the law include:

Businesses that engage in targeted advertising, the sale of personal data, or profiling will need to give Kentucky residents notice and the ability to opt out of those activities. Data Protection Impact Assessments. Like all states except Iowa and Utah, businesses must conduct data protection impact assessments if processing data presents a heightened risk to consumers. This includes processing consumer data for targeted advertising, risky profiling, selling consumer data, or processing sensitive information.

Like other states, consumers will not have a private right of action. Instead, the Kentucky Attorney General's office will be responsible for enforcement. The law contains a 30-day cure period which is not set to expire, unlike other states' privacy laws. There are also no provisions for additional rulemaking.

Putting it Into Practice: With the enactment of a sixteenth privacy law, the similarities can obscure important differences. We anticipate more states will pass similar laws in the coming months, and companies will thus want a privacy program approach that is both adaptable and flexible.

