Kentucky Poised to Enact State Privacy Law

Written by

Achieved Compliance

On April 4, Governor Andy Beshear signed H.B. 15 into law, making Kentucky the 16th state to enact a comprehensive data privacy law. The new state privacy law takes effect on January 1, 2026.

H.B. 15 affects individuals conducting business in Kentucky, producing goods, or providing services aimed at Kentucky residents. The law applies if, in a calendar year, either of the following is true:

  1. They control or process personal data of at least one hundred thousand consumers.
  2. They handle personal data of twenty-five thousand consumers and generate over 50 percent of gross revenue from personal data sales. 

The new law exempts individuals acting in a commercial or employment context. It also exempts entities and data covered by the Health Insurance Portability and Accountability Act (HIPAA), non-profit organizations, institutions of higher education, and entities subject to the Gramm-Leach-Bliley Act.

The law requires data controllers to post clear, accessible, and meaningful privacy notices that provide specified information about the organization's data practices. Controllers must also limit the collection of personal data to what is reasonably necessary to fulfill the purposes for which the data is collected, implement reasonable data security measures, and process personal data only for purposes reasonably necessary or compatible with those disclosed in the organization's privacy notice.

Controllers must also conduct and document a data impact assessment when processing data for targeted advertising, selling it, or profiling individuals in a manner that could pose reasonably foreseeable risks, such as financial, physical, or reputational risks. 

Consumers are provided with rights similar to those found in other state laws:
  • the right to access information about them, to correct inaccuracies in their data, and to delete personal data provided by or obtained about them
  • the right to opt out of processing of their data for certain purposes, including its sale, targeted advertising, and profiling for purposes of automated decisions that may significantly affect the consumer

The law does not include a private right of action and will be enforced by the state attorney general. It provides for a 30-day cure period.
