Kentucky Poised to Enact State Privacy Law

Written by Achieved Compliance

On April 4, Governor Andy Beshear signed H.B. 15 into law, making Kentucky the 16th state to enact a comprehensive data privacy law. The new state privacy law takes effect on January 1, 2026.

H.B. 15 applies to persons that conduct business in Kentucky or produce products or offer services targeted to Kentucky residents and that, during a calendar year, control or process personal data of at least (1) one hundred thousand consumers or (2) twenty-five thousand consumers and derive more than 50 percent of gross revenue from the sale of personal data.

The new law exempts individuals acting in a commercial or employment context. It also exempts entities and data covered by the Health Insurance Portability and Accountability Act (HIPAA), non-profit organizations, institutions of higher education, and entities subject to the Gramm-Leach-Bliley Act.

The Law Imposes Obligations on Data Controllers

These obligations include posting clear, accessible, and meaningful privacy notices that include specified information about the organization’s data practices. Companies must also limit the collection of personal data to what is reasonably necessary to fulfill the purposes for which they collect the data, implement reasonable data security measures, and process personal data for purposes reasonably necessary or compatible with the purposes disclosed in the organization’s privacy notice. Controllers must carry out and document a data impact assessment when data is to be:

  1. Processed for targeted advertising
  2. Sold
  3. Used to profile individuals in a way that would raise reasonably foreseeable financial, physical, or reputational risks.

Consumers are provided with rights similar to those found in other state laws, including the right to access information about them, to correct inaccuracies in their data, to delete personal data provided by or obtained about them, and to opt out of certain kinds of processing, including the sale of their personal data and its use for targeted advertising or profiling for purposes of automated decisions that may significantly affect the consumer.

The law does not include a private right of action; the state attorney general will enforce it. It provides for a 30-day cure period.
