On April 4, 2024, Kentucky’s Governor signed House Bill 15, which establishes a consumer data privacy law for the state. The state joins New Hampshire and New Jersey in passing comprehensive consumer privacy laws in 2024. Kentucky’s law takes effect January 1, 2026.

To whom does the law apply?

The law applies to persons, hereafter referred to as controllers, that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and during a calendar year control or process personal data of at least:

  • 100,000 consumers; or
  • 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Who is protected by the law?

A consumer protected under the new legislation is defined as a natural person who is a resident of Kentucky, acting in an individual context. A consumer does not include a person acting in a commercial or employment context.  

What data is protected by the law?

The legislation protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable natural person.

Sensitive data is defined under the law as personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes the processing of genetic or biometric data that is processed to uniquely identify a specific natural person; personal data of a minor, or premise geolocation data.

What are the rights of consumers?

Under the law, consumers have the following rights:

  • To confirm whether a controller is processing their personal data
  • To correct inaccurate personal data
  • To delete personal data maintained by the controller
  • To opt-out of processing of personal data for targeted advertising, sale, or certain profiling

What obligations do controllers have?

Under the legislation, controllers must:

  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to purpose
  • Obtain consent from consumers before processing sensitive data concerning the consumer.

How is the law enforced?

The Attorney General has exclusive authority to enforce violations of the legislation. The law does provide for a 30-day right to cure violations by controllers and processors of data.

If you have questions about Kentucky’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Tags: consumers, controllors, HB15, Kentucky, New Hampshire, New Jersey, personal data, processors, sensitive data
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Privacy blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Read more about Jason C. Gavejian
Show more Show less
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Related Posts
Top 10 Privacy, AI & Cybersecurity Issues for 2026
January 28, 2026
Florida’s Digital Wiretapping Surge: What Businesses Need to Know About FSCA Litigation
January 27, 2026
The Hidden Legal Minefield: Compliance Concerns with AI Smart Glasses, Part 2 – Two-Party Consent and AI Note-Taking
December 15, 2025