Kentucky Legislature Passes Consumer Data Privacy Bill

Husch Blackwell LLP

On March 27, 2024, the Kentucky legislature passed the Kentucky Consumer Data Protection Act (HB 15). The bill unanimously passed the House on February 20. The Senate passed the bill on March 11, but with two minor floor amendments. On March 27, the House unanimously concurred in the Senate floor amendments. The bill now heads to Kentucky Governor Andy Beshear. Assuming the bill becomes law, Kentucky will become the fifteenth state to enact consumer data privacy legislation.

The Kentucky bill largely tracks the Virginia Consumer Data Protection Act (VCDPA) but without this year’s VCDPA amendments relating to children’s data. For entities already complying with other non-California privacy laws, the Kentucky bill will not impose any additional compliance burdens. The bill does contain small variations from the VCDPA, which we discuss below.

As with prior bills, we have added the Kentucky bill to our chart providing a detailed comparison of laws enacted to date.

Given that the Kentucky bill largely tracks the VCDPA, we will not provide an overview of its requirements and instead will only point out notable variations. Again, those looking for a more detailed analysis of its provisions can see our comparison chart here.

Biometric data

The bill uses Connecticut’s more consumer-friendly definition of biometric data, which states that a video or audio recording or data generated therefrom is not biometric data unless it is used to identify a specific individual. Virginia’s law lacks the emphasized language.

Treatment of Non-Profits

The bill does not include Virginia’s updated definition of nonprofit organization, which includes political organizations.

Additional Exemptions

The bill contains a few unique exemptions that are not found in the VCDPA. Specifically, the bill contains an insurance fraud-related exemption which states that the bill does not apply to an organization that “[d]oes not provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder of the entity and [i]s an entity such as those recognized under KRS 304.47-060(1)(e), so long as the entity collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting: a. Law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts; or b. First responders in connection with catastrophic events.”

The bill also does not apply to a small telephone utility, a Tier III CMRS provider, or a municipally owned utility that does not sell or share personal data with any third-party processor.

Further, the bill does not apply to data processed by a utility, an affiliate of a utility, or a holding company system organized specifically for the purpose of providing goods or services.

Finally, the bill does not apply to personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising
