Get to Know Kentucky’s New Privacy Law
On April 4, 2024, Kentucky’s Governor signed KY HB15 into law. This comprehensive State privacy law will provide State residents with enhanced privacy protections and imposes specific requirements on businesses operating within the State. The law is scheduled to take effect on January 1, 2026, making it important for your business to review and address any compliance gaps.
Who Does This New Privacy Law Affect?
The law applies to businesses (or individuals) operating in the state or providing products or services to its residents. Specifically, it affects those who, in a calendar year:
- Handle or process personal data for at least 100,000 Kentucky residents, or;
- Handle or process personal data for at least 25,000 Kentucky residents and make over 50% of their gross revenue from selling personal data.
This means that even businesses located outside of Kentucky must comply if they meet these criteria. Nonprofits, however, are exempt from this law; only for-profit businesses need to follow these rules.
Additionally, Kentucky’s new privacy law sets requirements for businesses that process personal data on behalf of another business that needs to comply. So, if you provide data processing services to a company that falls under this law, you might also need to comply through contractual obligations, even if your business doesn’t directly meet the criteria.
Personal Data as Defined in Kentucky’s New Privacy Law
The new law focuses on those who manage or handle “personal data,” so it’s important to understand what this term means under the law.
In the new law, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This includes data often collected by websites, such as names, emails, phone numbers, physical addresses, and IP addresses. All of these would be considered “personal data” and are therefore subject to the requirements of this privacy law.
Privacy Policy Requirements Under the New Law
Kentucky’s new privacy law mandates that businesses not only respect consumer privacy rights but also maintain a detailed Privacy Policy. This policy must include the following information:
- The types of personal data being processed.
- The reasons for processing the personal data.
- How consumers can exercise their privacy rights, including appealing a privacy rights decision. This must include one or more secure and reliable ways for consumers to submit requests.
- The types of personal data shared with third parties, if any.
- The categories of third parties, if any, with whom the personal data is shared.
- Whether personal data is sold and how consumers can opt out of this sale.
- Whether personal data is used for targeted advertising and how consumers can opt out of this use.
Penalties for Non-Compliance
The Kentucky Attorney General will enforce the new privacy law. Violations can result in fines of up to $7,500 per violation, meaning for each website visitor whose privacy rights were violated.
Stay Ahead of Privacy Compliance with Glimmernet
At Glimmernet, while we aren’t legal experts and don’t offer legal advice, we specialize in designing websites and providing solutions to help our clients stay compliant in the digital space. Reach out to us today and let us help you ensure your website meets and stays in compliance with new privacy laws.
0 Comments