Bench & Bar May/June 2025

EFFECTUATE CONSUMER RIGHTS REQUESTS: 11 Covered businesses must provide and honor the following consumer rights through a Data Subject Request Procedure: • Right of access • Right of correction • Right of deletion • Right of data portability • Right to opt out of targeted ad vertising • Right to opt out of the sale of per sonal data • Right to opt out of “profiling in the furtherance of decisions that produce legal or similarly signif icant effects” 12 • Right to appeal denial of a data subject request Once a consumer exercises one of his or her rights under the KCDPA or ICDPA (a “data subject request” or “DSR”), a business has a limited amount of time to act, and a formal process must be followed. There are a variety of intake methods a business could establish for a DSR. Some businesses choose to direct the consumer to email a specific inbox, such as “privacy@domain. com.” Others use a webform that is linked in the privacy notice. This webform could be either developed in-house using a survey tool or could be licensed from a third-party service-provider. A consumer is permitted one free data subject request per business per 12-month period in Indiana. In Kentucky, a consumer is permitted two free requests per business per 12-month period. A business may charge a “reasonable fee” to cover “exces sive, repetitive, technically infeasible, or manifestly unfounded” requests, or choose to deny the request. 13 As of now, there is no guidance as to what the threshold is for “excessive” or “repetitive” requests that would permit denial or charging a fee. A business must respond within 45 days of receipt of a data subject request. This response can either be a substantive response to the request, or a notice that the

means, on personal data or on sets of personal data, such as the collec tion, use, storage, disclosure, anal ysis, deletion, or modification of personal data. 5 • A “CONSUMER” is a natural per son who is a resident of the state acting in an individual, personal, or household context. These laws do not apply to other kinds of person al data, for example, personal data processed in employment or com mercial contexts. 6 • “PERSONAL DATA” is information that is linked or reasonably link able to an identified or identifiable individual. This broad definition may be contrasted with data breach notification laws, which provide an enumerated list of data elements that qualify as personal data. 7 Kentucky and Indiana fall into the minority of states that define the “SALE” of personal data as the exchange of personal data for monetary consideration by a controller to

a third party. 8 For covered busi nesses operating exclusively in Kentucky and Indiana, this defi nition profoundly narrows the scope of disclosures which must be made in the privacy notice, as well as limits the types of disclosures that consumers have the right to opt out of. KEY REQUIREMENTS FOR COVERED BUSINESSES Under the new laws, covered businesses will have five key responsibilities: effectuate con sumer rights requests, provide a privacy notice, adopt processing principles, execute compliant contracts with third-party pro

KENTUCKY

INDIANA

KRS § 367.3613(2)(A)

IC 24-15-1-1(B)(1)(A) 2

KRS § 367.3613(2)(B)

IC 24-15-1-1(B)(2)

KRS § 367.3613(2)(C)

IC 24-15-1-1(B)(3)

KRS § 367.3613(2)(D)

IC 24-15-1-1(B)(4)

KRS § 367.3613(2)(E)

IC 24-15-1-1(B)(5)

KRS § 367.3613(2)(G)

-

-

IC 24-15-1-1(B)(6)

KRS § 367.3613 (2)(F) 3

-

cessors, and conduct a data protection impact assessment prior to certain pro cessing activities. The Indiana or Kentucky attorney general has exclusive authority to enforce each respective state’s law. A covered business must be given notice of alleged violation and provided a 30-day cure period. 9 Uncured violations may lead to damages of up to $7,500 per violation. 10

Both the KCDPA and ICDPA impose obli gations surrounding, and grant rights to individuals regarding, the “processing” of a “consumer’s “personal data.” • “PROCESSING” is any operation or set of operations performed, whether by manual or automated

21 bench & bar