Kentucky makes changes to its upcoming privacy law: Kentucky HB15

Donata Stroink-Skillrud

Co-founder and President of Termageddon

The Governor of Kentucky signed a new bill (HB473) on March 5, 2025. The bill makes several amendments to the state’s privacy law (HB15), which is scheduled to go into effect on January 1, 2026.

This blog post will briefly cover each of the changes. For a full run-down of Kentucky’s HB15, including:

  1. Who needs to comply with it;
  2. How the law defines “personal data”;
  3. Privacy Policy requirements; and
  4. Penalties for failure to comply,

check out our Kentucky HB15 Compliance Guide.

The changes to HB15

For the sake of this blog post – and the sanity of most of our readers – we won’t cover every little detail mentioned in HB473. If you’re curious, you can read the full bill’s text here. Warning: it’s not exactly Shakespeare.

However, there are three main changes that we want to draw attention to:

  1. Changes to who the privacy law applies to;
  2. Changes to what information is exempt; and
  3. Changes to impact assessment requirements.

Changes to who the privacy law applies to

According to the new bill, KRS 367.3613 is amended to read as follows:

Kentucky HB15 applies to individuals who do business in the State or produce products or services that are targeted to residents of the State and that during a calendar year:

  • Control or process the personal data of at least 100,000 residents of Kentucky; or
  • Control or process the personal data of at least 25,000 residents of Kentucky and derive over 50% of their gross revenue from the sale of personal data.

These thresholds are significantly lower than those in the original text of the law (prior to amendment), which means that more businesses will be required to comply with Kentucky’s privacy law than originally expected.

Changes to what information is exempt

The bill still states that Kentucky’s privacy law will not apply to nonprofit organizations, institutions of higher education, and certain governmental/financial institutions. It also still exempts certain information, such as protected health information under HIPAA, as well as various other types of health and patient information.

The new bill has added one bit of information to this list. According to the bill, “information collected by a health care provider who is a covered entity that maintains protected health information in accordance with HIPAA and related regulations” is also now exempt from compliance requirements.

Changes to impact assessment requirements

The bill now requires controllers to conduct and document a data protection impact assessment of each of the following processing activities involving personal data:

  1. The processing of personal data for the purposes of targeted advertising;
  2. The processing of personal data for the purposes of the sale of personal data;
  3. The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
    1. Unfair or deceptive treatment of consumers or unlawful, disparate impact on consumers;
    2. Financial, physical, or reputational injury to consumers;
    3. A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or
    4. Other substantial injury to consumers;
  4. The processing of sensitive data; and
  5. Any processing of personal data that presents a heightened risk of harm to consumers.

Conclusion

That’s it! You’re all caught up on the major changes. Kentucky’s privacy law is still set to go into effect at the beginning of 2026.

This is also a good time to remind everyone that it’s pretty normal for privacy laws to be amended. That’s why tools like Termageddon are subscription-based. We are always monitoring laws and keeping track of new ones. When we see changes, we auto-update our customers’ policies to help them stay compliant with all applicable privacy laws.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
