Kentucky amends Consumer Data Protection Act with new exemptions

On March 15, Kentucky passed HB 473, which revises the Kentucky Consumer Data Protection Act to include new data exemptions and technical enhancements in advance of its Jan. 1, 2026, effective date.

What happened

Kentucky passed HB 473 on March 15, 2025, revising the Kentucky Consumer Data Protection Act (KCDPA) ahead of its effective date of Jan. 1, 2026. The new revisions include two categories of data that are exempted under the Act. These exemptions cover health data collected by HIPAA-covered providers and data within limited data sets as per HIPAA regulations. The bill also modifies the data protection impact assessment process to address profiling practices most likely to have discriminatory effects on consumers. The modifications aim to make data protection requirements easier to comply with while maintaining federal health privacy standards alignment.

The backstory

The Kentucky Consumer Data Protection Act was enacted initially to strengthen consumer privacy protections in the state. The recent amendments are an ongoing attempt to clarify and improve provisions as the effective date of the legislation approaches. HB 473 reaffirms Kentucky's commitment to aligning state data protection standards with federal standards, particularly in the healthcare sector, where data privacy concerns are increasingly prevalent.

What was said

Representative Josh Branscomb introduced House Bill 473 as a “minor cleanup” bill related to last year's bipartisan consumer data privacy legislation. He emphasized the significance of the previous bill, noting that it has served as a model for other states.

Why it matters

The revisions show Kentucky's proactive approach to addressing privacy concerns. By aligning state code with federal health data standards, the revisions will simplify compliance and enable businesses to more effectively manage risk while preserving consumer privacy protections.

The bottom line

Kentucky's HB 473 makes substantial changes to its Consumer Data Protection Act, finding a balance between requirements for consumer privacy and reasonable compliance for businesses. The amendments target health data protection, privacy, and profiling protections to maintain the Act up-to-date with new technology and changing regulatory demands.

FAQs

Why were these amendments made?

The amendments were made to clarify provisions and align the Kentucky Consumer Data Protection Act with federal standards, particularly regarding health data and profiling practices.

How do the revisions affect businesses?

The revisions aim to simplify compliance for businesses by ensuring that state requirements align with federal health privacy standards, particularly for data handling in the healthcare sector.

How do these amendments affect health data privacy?

These amendments ensure that Kentucky’s data privacy laws are consistent with federal health data protection standards, which will help protect consumer privacy while simplifying compliance for healthcare providers.

What are the main goals of the revisions in HB 473?

The main goals of the revisions are to simplify compliance for businesses, enhance consumer privacy protections, and ensure alignment with federal standards, particularly in the healthcare sector.