California lawmakers have passed a critical update to the CCPA, making support for privacy opt-outs mandatory for web browsers and mobile operating systems.
State assemblies are far from finished when it comes to passing privacy legislation. In March 2024, Kentucky became the 16th state to create its own comprehensive privacy law (if you count Florida's very narrow law).
The Kentucky Consumer Data Privacy Act (KCDPA) takes a cautious approach to privacy regulation, largely copying and pasting provisions from the Virginia Consumer Data Protection Act (prior to that law's amendments regarding minors’ data).
Here are the KCDPA's major features and how it could affect businesses.
The Kentucky privacy law goes into effect on January 1, 2026.
The Kentucky Consumer Data Privacy Act applies to any person or organization that does business in the state of Kentucky or targets its products or services toward state residents, and meets at least one of the following requirements:
The KCDPA has many of the same exemptions as other laws, including for government bodies and entities already regulated by federal laws such as the GLBA or HIPAA. It has also a new exemption for data covered by the federal Combat Methamphetamine Epidemic Act.
The KCDPA gives consumers the following rights.
Unlike many of the more recent state privacy laws, the KCDPA has no provisions requiring the recognition of universal opt-out mechanisms (UOOMs), such as Global Privacy Control, on their websites.
Personal data is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.
Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.
The KCDPA requires organizations to perform data protection assessments for certain types of processing activities that present a “heightened risk of harm” to consumers. This includes:
The statute provides for damages of up to $7,500 per violation. The Attorney General's Office must give businesses 30 days to cure any alleged violations.
The KCDPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations. Only the Kentucky Attorney General’s Office has authority to enforce the law.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.