Written by Achieved Compliance
On April 4, Governor Andy Beshear signed H.B. 15 into law, making Kentucky the 16th state to enact a comprehensive data privacy law. The new state privacy law takes effect on January 1, 2026.
H.B. 15 affects individuals conducting business in Kentucky, producing goods, or providing services aimed at Kentucky residents. This applies in a calendar year if either:
The new law exempts individuals acting in a commercial or employment context. It also exempts entities and data covered by the Health Insurance Portability and Accountability Act (HIPAA), non-profit organizations, institutions of higher education, and entities subject to the Gramm-Leach-Bliley Act.
The law requires data controllers to post clear, accessible, and meaningful privacy notices that provide specified information about the organization's data practices. Controllers must also limit the collection of personal data to what is reasonably necessary to fulfill the purposes for which the data is collected, implement reasonable data security measures, and process personal data only for purposes reasonably necessary or compatible with those disclosed in the organization's privacy notice.
Controllers must also conduct and document a data impact assessment when processing data for targeted advertising, selling it, or profiling individuals in a manner that could pose reasonably foreseeable risks, such as financial, physical, or reputational risks.
The law does not include a private right of action and will be enforced by the state attorney general. It provides for a 30-day cure period.