Bench & Bar May/June 2025

FEATURE: INTELLECTUAL PROPERTY

DATA PRIVACY HAS COME TO KENTUCKY. WHAT SHOULD MY ORGANIZATION DO?

BY KYLE MILLER AND DALTON CLINE

O n April 4, 2024, Governor Andy Beshear signed the Ken tucky Consumer Data Protection Act (“ KCDPA ”) into law. On January 1, 2026, Kentucky businesses must be prepared to comply with both the KCDPA and other states’ compre hensive privacy laws such as the Indiana Consumer Data Protection Act (“ ICDPA ”). Although comprehensive data privacy laws have been proliferating around the country since the passage of the Cal ifornia Consumer Privacy Act in 2018, the growing patchwork is now directly applicable to non-exempt for-profit organizations doing business in Kentucky and Indiana that process the personal data of consumers. WHO DO THE ACTS APPLY TO? The KCDPA and ICDPA apply to any “person that conducts busi ness” in the state or that produces products or services “targeted to residents” of the state and meets either of the following thresholds:

Both Acts provide several “entity” exemptions: 1 KEY CONCEPTS TO UNDER STAND THE ACTS The KCDPA and ICDPA impose responsibilities on two categories of entities: • “CONTROLLER” : a person that, alone or jointly with others, de termines the purpose and means of process ing personal data.

ENTITY

GOVERNMENTAL ENTITY

FINANCIAL INSTITUTION

HIPAA COVERED ENTITY

NONPROFIT

HIGHER EDUCATION

“SMALL TELEPHONE UTILITY”

PUBLIC UTILITY INSURANCE SUPPORT ORGANIZATION

REVENUE PERCENTAGE FROM “SALE” OF PERSONAL INFORMATION + PROCESSES MORE THAN THIS NUMBER OF CONSUMERS’ DATA

PROCESSES MORE THAN THIS NUMBER OF CONSUMERS’ DATA

• “PROCESSOR”: a person that processes personal data on be half of a controller.

STATE

CITATION

KRS § 367.3613(1)

KENTUCKY

100,000

50% + 25,000

Whether an entity is a “controller” or “processor” is not just about contractual language; it is a fact-based analysis. 4

INDIANA IC 24-15-1-1(A)

100,000

50% + 25,000

20 may/june 2025