Kentucky Consumer Data Protection Act Amendments Expand Exemptions, Narrow Disparate Impact Assessment

Editor's Note: This article by Eric Rosenkoetter was originally published on the Maurice Wutscher blog and is republished here with permission.

Kentucky Gov. Andy Beshear on March 15 signed into law House Bill 473, which amends the Kentucky Consumer Data Protection Act.  The amendments will go into effect Jan. 1, 2026.

First, the amendments add the following exemptions to the Act:

  • Information collected by a health care provider who is a covered entity that maintains protected health information in accordance with HIPAA and five related regulations, 45 C.F.R. pts. 160, 162, and 164; and
  • Information included in a limited data set as described in 45 C.F.R. 164.514(e), to the extent the information is used, disclosed, and maintained as specified in 45 C.F.R. sec. 164.514(e).

Second, the Act currently requires controllers to conduct and document data protection impact assessments for specific processing activities, including those for the purpose of profiling that present certain reasonably foreseeable risks.  One risk has been amended as follows: “Unfair or deceptive treatment of consumers or unlawful, disparate impact on consumers.”