We aim to highlight the importance of due diligence in lead campaigns and to keep our customers and industry associates up-to-date with the compliance news reported for our industry. This article is reprinted here for our readers, courtesy of JacksonLewis. Jackson Lewis P.C.’s 1,000+ attorneys, located in major cities nationwide, consistently identify and respond to new ways workplace law intersects business.
Bluegrass State Becomes Third State to Pass a Comprehensive Consumer Privacy Data Law in 2024
By Jason C. Gavejian & Joseph J. Lazzarotti
On April 4, 2024, Kentucky’s Governor signed House Bill 15, which establishes a consumer data privacy law for the state. The state joins New Hampshire and New Jersey in passing comprehensive consumer privacy laws in 2024. Kentucky’s law takes effect January 1, 2026.
To whom does the law apply?
The law applies to persons, hereafter referred to as controllers, that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and that, during a calendar year, control or process personal data of at least:
- 100,000 consumers; or
- 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Who is protected by the law?
A consumer protected under the new legislation is defined as a natural person who is a resident of Kentucky, acting in an individual context. A consumer does not include a person acting in a commercial or employment context.
What data is protected by the law?
The legislation protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable natural person.
Sensitive data is defined under the law as personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data that is processed to uniquely identify a specific natural person, personal data of a minor, and precise geolocation data.
What are the rights of consumers?
Under the law, consumers have the following rights:
- To confirm whether a controller is processing their personal data
- To correct inaccurate personal data
- To delete personal data maintained by the controller
- To opt out of processing of personal data for targeted advertising, sale, or certain profiling
What obligations do controllers have?
Under the legislation, controllers must:
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose of processing; and
- Obtain consent from consumers before processing sensitive data concerning the consumer.
How is the law enforced?
The Attorney General has exclusive authority to enforce violations of the legislation. The law does provide for a 30-day right to cure violations by controllers and processors of data.