Louisville Bar Briefs (www.loubar.org), page 8

Louisville Businesses Must Prepare for New Data Privacy Obligations Effective January 2026

Dalton Cline

PROFESSIONAL EXCELLENCE

On April 4, 2024, Gov. Andy Beshear signed the Kentucky Consumer Data Protection Act (KCDPA, codified at KRS §§ 367.3611 to 367.3629) into law, making Kentucky the 15th state to pass comprehensive consumer data privacy legislation. Indiana passed a nearly identical Consumer Data Protection Act (ICDPA, codified at Ind. Code §§ 24-15-1-1 to 24-15-11-2) last year, which, like the KCDPA, takes effect Jan. 1, 2026. Although data privacy laws have been proliferating around the country since the passage of the California Consumer Privacy Act in 2018, the growing patchwork is now directly applicable to non-exempt for-profit organizations doing business in Kentucky and Indiana that process the personal data of consumers. Covered businesses in Louisville now have a little more than a year to comply with the requirements imposed by these laws.

Both laws apply to any non-exempt “person that conducts business” in the state, or that produces products or services “targeted to residents” of the state, and that either 1) processes the data of over 100,000 “consumers” or 2) processes the data of 25,000 “consumers” and derives 50% of its revenue from the “sale” of data. Kentucky and Indiana join the minority of jurisdictions in defining “sale” as “the exchange of personal data for monetary consideration by a controller to a third party.”

As with the seventeen other comprehensive state consumer privacy laws, the KCDPA and ICDPA offer numerous entity and data exemptions. Governmental entities, financial institutions, Health Insurance Portability and Accountability Act (HIPAA) covered entities, nonprofits, higher education institutions, small telephone utilities and insurance fraud organizations are among the exempt entities.

In addition, certain data is exempt: data regulated under another major federal privacy law, such as HIPAA, the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Driver’s Privacy Protection Act and the Farm Credit Act; employee data; public utility data; and, under the KCDPA, data collected and used “for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.”

Large businesses in Kentucky and Indiana may already be subject to the comprehensive consumer data privacy laws of other states, and thus may already have in place many of the processes and policies necessary to comply with these new laws. For businesses that do not fall under an entity exemption or do not already comply with other state data privacy laws, here is what you need to know.

Key Business Responsibilities

Under the new laws, covered businesses will have five key responsibilities:

1) Effectuate consumer rights requests.
2) Provide a privacy notice with the required content.
3) Adopt personal data processing principles.
4) Execute contracts, containing the required language, with third-party processors that provide services to the business.
5) Conduct a data protection impact assessment prior to certain processing activities.

The Indiana or Kentucky Attorney General, as applicable, has exclusive authority to enforce their respective state’s law. A covered business must be given notice of an alleged violation and provided a 30-day cure period. Uncured violations may lead to damages of up to $7,500 per violation.

Consumer Rights

The KCDPA and ICDPA grant rights to “consumers,” i.e., natural persons acting in a personal, individual or household capacity. The laws do not give rights to persons acting in an employment or commercial capacity. Additionally, recall that certain types of data are exempt from coverage, such as data regulated under another federal privacy law like HIPAA.

Where applicable, consumers must be given the following rights: Right of Access, Right of Correction, Right of Deletion, Right of Data Portability, Right to Opt-Out, and the Right to Appeal the denial of a consumer rights request.

A covered business must also obtain the consumer’s “opt-in” before processing “sensitive” personal data. The data elements constituting “sensitive” personal data are statutorily defined in KRS § 367.3611(28) and Ind. Code § 24-15-2-28. Although there are slight differences between the two definitions, “sensitive” personal data includes data indicating or revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; biometric identifiers; data collected from an individual the business knows is under the age of 16; and “precise” geolocation.

A covered business must respond within 45 days of receipt of a data subject request. This response can be either a substantive response to the request or a notice that the business has received the request, will respond within an additional 45 days, and an explanation for the delay.

Privacy Notice

Covered businesses must post a privacy notice that includes:

• The purposes for processing personal data.
• How consumers may exercise their consumer rights, specifically including the right to appeal.
• The categories of personal data the business shares with “third parties.”
• The categories of “third parties” with whom the business shares personal data.
• A clear and conspicuous disclosure of whether the business sells personal data to third parties or processes personal data for “targeted advertising.”

The KCDPA and ICDPA define “third parties” as a “natural or legal person … other than the consumer, controller, processor, or an affiliate of the processor or the controller.” Therefore, a covered business is not required to disclose the categories of third-party service providers who qualify as a “processor,” although it is free to do so voluntarily.

Adoption of ‘Processing Principles’

The new laws require covered businesses to:

• Limit data collection to what is adequate, relevant and reasonably necessary to the disclosed processing purpose.
• Limit data processing to what is reasonably necessary and relevant to the disclosed processing purpose.
• Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, appropriate to the volume and nature of that data.
• Not deny a good or service, or charge a different price or rate, if a consumer exercises one of their rights.

Data Protection Impact Assessment

A data protection impact assessment must be conducted before processing “sensitive” data, or before processing personal data where the purpose is targeted advertising, the processing is a “sale,” or the processing presents a reasonably foreseeable risk of harm. This assessment must:

• Identify benefits that may flow from the processing to the business, consumer, other stakeholders and the public.
• Identify potential risks to the rights of the (continued on next page)