Kentucky HB15 Compliance Guide

On April 4, 2024, the Governor of Kentucky signed KY HB15, establishing a comprehensive privacy law for the State. This new law will provide privacy rights to residents of Kentucky, helping them protect their personal data and will impose certain requirements on businesses that need to comply with this law. This new law will go into effect on January 1st, 2026 and businesses should start to prepare their compliance programs now to ensure that they are ready for this law prior to its effective date. In this Compliance Guide, we will discuss Kentucky’s new privacy law, including: 

1. Who needs to comply with KY HB15; 
2. How this law defines “personal data”; 
3. The privacy rights of Kentucky residents; 
4. The Privacy Policy requirements of Kentucky’s new privacy law; 
5. Penalties for failure to comply; and 
6. How Termageddon will handle Privacy Policy updates for this new law. 

Who needs to comply with KY HB15

Kentucky HB15 applies to individuals who do business in the State or produce products or services that are targeted to residents of the State and that during a calendar year: 

1. Control or process the personal data of at least 100,000 residents of Kentucky; or 
2. Control or process the personal data of at least 25,000 residents of Kentucky and derive over 50% of their gross revenue from the sale of personal data. 

As you can see from the above, Kentucky’s new privacy law can apply to businesses outside of Kentucky if they meet the criteria above. However, the law specifically exempt nonprofits, meaning that only for profit businesses will need to comply. In addition, KY HB15 imposes requirements on businesses processing personal data on behalf of a business that needs to comply with this law. This means that if you offer data processing services for a business that needs to comply with this law, you may need to comply via contract as well, even if you do not meet the criteria above. 

How KY HB15 defines “personal data”

Since Kentucky’s privacy law applies to those controlling or processing “personal data”, it is important to determine how this term is defined by the law. KY HB15 defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This means that data commonly collected by websites such as names, emails, phone numbers, physical addresses and IP addresses would be considered “personal data” and thus would be covered under this privacy law. 

Privacy rights provided to residents of Kentucky

KY HB15 aims to protect the privacy of residents of Kentucky by providing them with the following privacy rights: 

1. Confirm whether or not a business is processing the individual’s personal data and to access such data; 
2. Correct inaccuracies in the consumer’s personal data; 
3. Delete the personal data; 
4. Obtain a copy of the consumer’s personal data in a portable and, to the extent technically practicable, a readily usable format that allows the consumer to transmit the data to another business; 
5. Opt out of the processing of personal data for purposes of targeted advertising; 
6. Opt out of sales of personal data; 
7. Opt out of the processing of personal data for purposes of profiling in furtherance of decisions that produce a legal or similarly significant effect concerning the consumer; 
8. Not be discriminated against based upon the exercise of privacy rights. 

Businesses will have 45 days to respond to a consumer privacy rights request, though this period may be extended by an additional 45 days in certain circumstances. Consumers will also have the ability to appeal a privacy rights decision if they are not satisfied with the business’ response. 

Privacy Policy requirements of Kentucky’s privacy law 

In addition to requiring businesses to respect consumer privacy rights, Kentucky’s new privacy law also requires businesses to have a comprehensive Privacy Policy that includes the following disclosures: 

1. The categories of personal data processed; 
2. The purpose for processing the personal data; 
3. How consumers can exercise their privacy rights, including how they can appeal a privacy rights decision. This disclosure must include one or more secure and reliable means for consumers to submit a request to exercise their rights; 
4. The categories of personal data shared with third parties, if any; 
5. The categories of third parties, if any, with whom the personal data is shared; 
6. Whether personal data is sold and how consumers can opt out of such sale; 
7. Whether personal data is used for targeted advertising and how consumers can opt out of such use.

Penalties for failure to comply 

Kentucky’s new privacy law will be enforced by the Kentucky Attorney General. Violations of this law will garner damages of up to $7,500 per violation, meaning per website visitor whose privacy rights were infringed upon. 

How Termageddon will handle Privacy Policy updates for this new law 

We have been tracking this law since its inception as a bill and will continue to track it for any amendments, rules or regulations. We will also update customers’ Privacy Policies prior to the law’s effective date. If you are not currently a Termageddon customer and do not have a strategy to keep your Privacy Policy up to date with changes such as this one, make sure to check out the Termageddon Privacy Policy generator.