Financial Services Law Developments: 3/31/24

Saturday, April 6, 2024

FYI: Kentucky Becomes 15th State to Enact a Comprehensive Consumer Data Privacy Law

Kentucky Gov. Andy Beshear recently signed into law House Bill 15, the Kentucky Consumer Data Protection Act, making Kentucky the 15th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, and New Hampshire.

The new Kentucky law will go into effect Jan. 1, 2026.

APPLICABILITY

The Act applies to persons that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents and that during a calendar year control or process personal data of at least:

100,000 consumers; or

25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

EXEMPTIONS

Exemptions include, but are not limited to:

Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.;

Covered entities or business associates governed by the privacy, security, and breach notification rules established pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA");

Protected health information under HIPAA;

The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.

CONSUMER RIGHTS

Consumers have the right to:

Confirm whether a controller is processing their personal data and to access such personal data;

Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing the data;

Delete personal data provided by or obtained about the consumer;

Obtain a portable copy of the personal data that they previously provided to the controller;

Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

SENSITIVE DATA

A controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data [except] in accordance with the federal Children's Online Privacy Protection Act 15 U.S.C. § 6501, et seq.

"Sensitive data" means a category of personal data that includes:

Personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

The processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person;

The personal data collected from a known child; or

Precise geolocation data.

CONTRACT REQUIREMENTS

A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller and clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also require that the processor:

Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the Act;

Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under the Act, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor must provide a report of the assessment to the controller upon request;

Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor.

DATA IMPACT ASSESSMENTS

A controller must conduct and document a data impact assessment of each of the following processing activities:

The processing of personal data for the purposes of targeted advertising;

The processing of personal data for the purposes of selling personal data;

The processing of personal data for the purposes of certain profiling;

The processing of sensitive data; and

Any processing that presents a heightened risk of harm to consumers.

ENFORCEMENT

The Attorney General has exclusive authority to enforce violations. For any violation that is not cured within 30 days of notice, the Attorney General may seek damages up to $7,500 for each violation.

IMPRESSION

The Kentucky Consumer Data Protection Act is sensible legislation that balances the rights of consumers with the impact on businesses. The Act follows the pattern of many post-California comprehensive data privacy laws and should not present overly burdensome compliance challenges for those that must comply with one or more of the other laws.

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct: (312) 551-9320

Mobile: (312) 493-0874
Email: rwutscher@MauriceWutscher.com

Admitted to practice law in Illinois

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

Financial Services Law Updates

and

The Consumer Financial Services Blog™

and

Webinars

PLEASE NOTE:

The editor and sponsoring law firm of this blog represent and serve banks, lenders, loan buyers, loan servicers, debt collectors, and other financial services companies. We do not represent consumers.

Any communications or information obtained may be provided to our clients, including for the purpose of debt collection.

The information in this blog and related updates is general in nature, and should not be considered legal advice.

Legal advice requires a full and complete understanding of a particular situation. Your situation may involve material facts that prevent the direct application of the information in this blog and related updates.

You will not become a client of the editor or sponsoring law firm simply by reading this blog.

In order to become a client of the editor or sponsoring law firm, the editor or sponsoring law firm must agree to represent you in writing.

Until we agree to represent you in writing, we are not prevented from representing any other party.

Until you are a client of the editor or sponsoring law firm, any communications with us will not be confidential.

The Editor's Bio

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, 33rd Floor
Chicago, Illinois 60602
Direct: (312) 493-0874
RWutscher@MauriceWutscher.com
https://www.MauriceWutscher.com/

Ralph Wutscher's practice focuses primarily on representing depository and non-depository mortgage lenders and servicers, as well as mortgage loan investors, distressed asset buyers and sellers, loss mitigation companies, automobile and other personal property secured lenders and finance companies, credit card and other unsecured lenders, and other consumer financial services providers. He represents the consumer lending industry as a litigator, and as regulatory compliance counsel.

Ralph has substantial experience in defending private consumer finance lawsuits, including cases ranging from large interstate putative class actions to localized single-asset cases, as well as in responding to regulatory investigations and other governmental proceedings. His litigation successes include not only victories at the trial court level, but also on appeal, and in various jurisdictions. He has successfully defended numerous putative class actions asserting violations of a wide range of federal and state consumer protection statutes. He is frequently consulted to assist other law firms in developing or improving litigation strategies in cases filed around the country.

Ralph also has substantial experience in counseling clients regarding their compliance with federal laws, and with state and local laws primarily of the Midwestern United States. For example, he regularly provides assistance in connection with portfolio or program audits, consumer lending disclosure issues, the design and implementation of marketing and advertising campaigns, licensing and reporting issues, compliance with usury laws and other limitations on pricing, compliance with state and local “predatory lending” laws, drafting or obtaining opinion letters on a single- or multi-state basis, interstate branching and loan production office licensing, evaluations and modifications of new or existing products and procedures, debt collection and servicing practices, proper methods of responding to consumer inquiries and furnishing consumer information, as well as proposed or existing arrangements with settlement service providers and other vendors, and the implementation of procedural or other operational changes following developments in the law.

Ralph is a member of the Governing Committee of the Conference on Consumer Finance Law. He is also the immediate past Chair of the Preemption and Federalism Subcommittee for the ABA's Consumer Financial Services Committee. He served on the Law Committee for the former National Home Equity Mortgage Association, and completed two terms as Co-Chair of the Consumer Credit Committee of the Chicago Bar Association.

Ralph received his Juris Doctor from the University of Illinois College of Law, and his undergraduate degree from the University of California at Los Angeles (UCLA). He is a member of the national Mortgage Bankers Association, the American Bankers Association, the Conference on Consumer Finance Law, DBA International, the ACA International Members Attorney Program, as well as the American and Chicago Bar Associations.

Ralph is admitted to practice in Illinois, as well as in the United States Court of Appeals for the Seventh Circuit, the United States District Courts for the Northern and Southern Districts of Illinois, and the United States District Court for the Eastern District of Wisconsin, and has been admitted pro hac vice in various jurisdictions around the country.