
Kentucky HB15 Compliance Guide


Donata Stroink-Skillrud

Co-founder and President of Termageddon


On April 4, 2024, the Governor of Kentucky signed KY HB15, establishing a comprehensive privacy law for the State. This new law will provide privacy rights to residents of Kentucky, helping them protect their personal data, and will impose certain requirements on businesses that need to comply with this law. This new law will go into effect on January 1st, 2026, and businesses should start to prepare their compliance programs now to ensure that they are ready for this law prior to its effective date. In this Compliance Guide, we will discuss Kentucky’s new privacy law, including:

  1. Who needs to comply with KY HB15; 
  2. How this law defines “personal data”;
  3. The privacy rights of Kentucky residents; 
  4. The Privacy Policy requirements of Kentucky’s new privacy law; 
  5. Penalties for failure to comply; and 
  6. How Termageddon will handle Privacy Policy updates for this new law. 

Who needs to comply with KY HB15

Kentucky HB15 applies to individuals who do business in the State or produce products or services that are targeted to residents of the State and that during a calendar year: 

  1. Control or process the personal data of at least 100,000 residents of Kentucky; or 
  2. Control or process the personal data of at least 25,000 residents of Kentucky and derive over 50% of their gross revenue from the sale of personal data. 

As you can see from the above, Kentucky’s new privacy law can apply to businesses outside of Kentucky if they meet the criteria above. However, the law specifically exempts nonprofits, meaning that only for-profit businesses will need to comply. In addition, KY HB15 imposes requirements on businesses processing personal data on behalf of a business that needs to comply with this law. This means that if you offer data processing services for a business that needs to comply with this law, you may need to comply via contract as well, even if you do not meet the criteria above.

How KY HB15 defines “personal data”

Since Kentucky’s privacy law applies to those controlling or processing “personal data”, it is important to determine how this term is defined by the law. KY HB15 defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This means that data commonly collected by websites such as names, emails, phone numbers, physical addresses and IP addresses would be considered “personal data” and thus would be covered under this privacy law.

Privacy rights provided to residents of Kentucky

KY HB15 aims to protect the privacy of residents of Kentucky by providing them with the following privacy rights: 

  1. Confirm whether or not a business is processing the individual’s personal data and to access such data; 
  2. Correct inaccuracies in the consumer’s personal data; 
  3. Delete the personal data; 
  4. Obtain a copy of the consumer’s personal data in a portable and, to the extent technically practicable, a readily usable format that allows the consumer to transmit the data to another business; 
  5. Opt out of the processing of personal data for purposes of targeted advertising; 
  6. Opt out of sales of personal data; 
  7. Opt out of the processing of personal data for purposes of profiling in furtherance of decisions that produce a legal or similarly significant effect concerning the consumer; 
  8. Not be discriminated against based upon the exercise of privacy rights. 

Businesses will have 45 days to respond to a consumer privacy rights request, though this period may be extended by an additional 45 days in certain circumstances. Consumers will also have the ability to appeal a privacy rights decision if they are not satisfied with the business’ response.

Privacy Policy requirements of Kentucky’s privacy law

In addition to requiring businesses to respect consumer privacy rights, Kentucky’s new privacy law also requires businesses to have a comprehensive Privacy Policy that includes the following disclosures:

  1. The categories of personal data processed; 
  2. The purpose for processing the personal data; 
  3. How consumers can exercise their privacy rights, including how they can appeal a privacy rights decision. This disclosure must include one or more secure and reliable means for consumers to submit a request to exercise their rights; 
  4. The categories of personal data shared with third parties, if any; 
  5. The categories of third parties, if any, with whom the personal data is shared; 
  6. Whether personal data is sold and how consumers can opt out of such sale; 
  7. Whether personal data is used for targeted advertising and how consumers can opt out of such use.

Penalties for failure to comply 

Kentucky’s new privacy law will be enforced by the Kentucky Attorney General. Violations of this law will garner damages of up to $7,500 per violation, meaning per website visitor whose privacy rights were infringed upon.

How Termageddon will handle Privacy Policy updates for this new law 

We have been tracking this law since its inception as a bill and will continue to track it for any amendments, rules or regulations. We will also update customers’ Privacy Policies prior to the law’s effective date. If you are not currently a Termageddon customer and do not have a strategy to keep your Privacy Policy up to date with changes such as this one, make sure to check out the Termageddon Privacy Policy generator.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
