npm - open-agreements - Versions diffs - 0.7.7 → 0.8.0 - Mend

open-agreements 0.7.7 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (704) hide show

package/skills/legal-explainers/data-privacy-law-explainer/content/indiana.md ADDED Viewed

@@ -0,0 +1,93 @@
+---
+jurisdiction: "Indiana"
+slug: indiana
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-06"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/indiana
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/indiana · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Indiana Consumer Privacy Law (INCDPA)[^about]
+The Indiana Consumer Data Protection Act, effective January 1, 2026, gives Indiana consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds — it is enforced exclusively by the Attorney General with a permanent 30-day cure period and provides no private right of action, and its entity-level exemptions are unusually broad.
+## At a glance
+| Question | Indiana |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Indiana, the INCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits. Its broad entity-level exemptions (nonprofits, HIPAA entities, higher education, utilities) keep many organizations out entirely. |
+| **Main law** | Ind. Code §§ 24-15 et seq. (Indiana Consumer Data Protection Act), effective January 1, 2026 |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Persons doing business in Indiana (or targeting residents) that control or process the data of 100,000+ Indiana consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor, and entity-level exemptions for nonprofits, HIPAA covered entities, higher education, GLBA institutions, and public utilities |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | No — enforcement is exclusively the Attorney General's |
+| **Who enforces it?** | Indiana Attorney General (exclusive) |
+## Does the Indiana Consumer Data Protection Act apply to your business? {#does-incdpa-apply}
+**Short answer.** It turns on Indiana consumer volume, not total revenue. The INCDPA applies to persons that do business in Indiana or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 Indiana consumers, or at least 25,000 Indiana consumers while deriving over 50% of gross revenue from selling personal data [^stat-1-1-apply]. On top of the thresholds, whole categories of organizations are carved out at the entity level [^stat-1-1-exempt].
+Indiana's law took effect on January 1, 2026, and closely follows the structure many other states adopted, so this note reads much like Virginia, Colorado, Connecticut, and Texas. Like those, it sets no dollar revenue floor. What sets Indiana apart is the breadth of its entity-level exemptions: the statute exempts not only state agencies and GLBA-regulated financial institutions, but also any nonprofit organization, any institution of higher education, any HIPAA covered entity or business associate, and public utilities and their affiliated service companies. A consumer is an Indiana resident acting only for a personal, family, or household purpose, not an employee or business contact — so most employee and B2B-contact data falls outside the law as well.
+## What must your Indiana privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed and the purpose for processing, among the statute's required disclosures [^stat-4-3-notice].
+Section 24-15-4-3 is the content checklist for an Indiana privacy policy. Its five required disclosures are the categories of personal data processed, the purpose for processing, how consumers exercise their rights (including how to appeal a controller's decision), the categories of personal data the controller shares with third parties, and the categories of those third parties [^stat-4-3-notice]. Indiana also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that activity and how to opt out. The notice the policy presents should match the data practices the controller actually carries out.
+## What must your contracts with processors say? {#vendor-contracts}
+**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-5-2-contract].
+Section 24-15-5-2 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with reasonable assessments [^stat-5-2-terms], and a requirement to bind subcontractors by written contract to the same obligations [^stat-5-2-terms-subcontractor]. A compliant template data processing agreement tracks each of these.
+## Do you need consent to process sensitive data? {#sensitive-data}
+**Short answer.** Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-4-1-consent]. Sensitive data includes data revealing race or ethnicity, religious beliefs, a health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify a person; data from a known child; and precise geolocation [^stat-2-28-sensitive].
+This is the opt-in model shared by Virginia, Colorado, and Texas — the opposite of a notice-and-opt-out approach. Indiana does not, however, require honoring a universal opt-out preference signal, so an Indiana-only program can rely on its own opt-out mechanisms — though a multi-state template generally has to support universal signals to stay compliant elsewhere. A known child is an individual under 13, tracking the COPPA standard the statute incorporates.
+## Can a consumer sue your business under the INCDPA? {#consumer-lawsuit}
+**Short answer.** No. The Attorney General has exclusive authority to enforce the INCDPA, and the statute expressly provides no private right of action for consumers [^stat-10-1-enforce] [^stat-10-4-no-pra]. Before suing, the Attorney General must give 30 days' written notice of the specific alleged violations and a chance to cure [^stat-10-3-cure].
+Indiana's 30-day cure period has no sunset date — it remains a permanent, built-in off-ramp, unlike states that let an early cure window expire. A controller that cures within the window and certifies in writing that the violation is fixed and will not recur avoids the action; an uncured violation exposes it to civil penalties of up to $7,500 per violation. The practical posture is still to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Indiana. This article synthesizes Indiana primary law and is not legal advice from a Indiana-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-1-1-apply]: **Ind. Code § 24-15-1-1** — "This article applies to a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year: (1) controls or processes personal data of at least one hundred thousand (100,000) consumers who are Indiana residents; or (2) controls or processes personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derives more than fifty percent (50%) of gross revenue from the sale of personal data." *Ind. Code § 24-15-1-1(a).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-1-1-exempt]: **Ind. Code § 24-15-1-1** — "(4) Any nonprofit organization. (5) Any institution of higher education." *Ind. Code § 24-15-1-1(b).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-4-3-notice]: **Ind. Code § 24-15-4-3** — "A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights under IC 24-15-3, including how a consumer may appeal a controller's decision with regard to the consumer's request; (4) the categories of personal data that the controller shares with third parties, if any; and (5) the categories of third parties, if any, with whom the controller shares personal data." *Ind. Code § 24-15-4-3.* <https://codes.findlaw.com/in/title-24-trade-regulation/in-code-sect-24-15-4-3/>
+[^stat-5-2-contract]: **Ind. Code § 24-15-5-2** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller." *Ind. Code § 24-15-5-2(a).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-5-2-terms]: **Ind. Code § 24-15-5-2** — "The contract must be binding and clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also include requirements that the processor do the following: (1) Ensure that each individual processing personal data is subject to a duty of confidentiality with respect to the data. (2) At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law. (3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter. (4) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor." *Ind. Code § 24-15-5-2(a).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-5-2-terms-subcontractor]: **Ind. Code § 24-15-5-2** — "(5) Subject to subsection (b), engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data." *Ind. Code § 24-15-5-2(a).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-4-1-consent]: **Ind. Code § 24-15-4-1** — "A controller shall not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.)." *Ind. Code § 24-15-4-1(5).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-2-28-sensitive]: **Ind. Code § 24-15-2-28** — "means a category of personal data that includes any of the following: (1) Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status. (2) Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual. (3) Personal data collected from a known child. (4) Precise geolocation data." *Ind. Code § 24-15-2-28.* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-10-1-enforce]: **Ind. Code § 24-15-10-1** — "The attorney general has exclusive authority to enforce the provisions of this article." *Ind. Code § 24-15-10-1.* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-10-4-no-pra]: **Ind. Code § 24-15-10-4** — "Nothing in this article shall be construed as providing the basis for a private right of action for violations of this article or any other law." *Ind. Code § 24-15-10-4.* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>
+[^stat-10-3-cure]: **Ind. Code § 24-15-10-3** — "Before initiating an action under section 2 of this chapter, the attorney general shall provide a controller or processor thirty (30) days written notice identifying the specific provisions of this article that the attorney general alleges have been or are being violated." *Ind. Code § 24-15-10-3(a).* <https://iga.in.gov/ic/2024/Title_24/Article_15.pdf>

package/skills/legal-explainers/data-privacy-law-explainer/content/iowa.md ADDED Viewed

@@ -0,0 +1,99 @@
+---
+jurisdiction: "Iowa"
+slug: iowa
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-05"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/iowa
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/iowa · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Iowa Consumer Privacy Law (ICDPA)[^about]
+The Iowa Consumer Data Protection Act gives Iowa consumers rights over their personal data and imposes notice, contracting, and sensitive-data duties on controllers above defined thresholds — one of the most business-favorable state privacy laws, it is enforced exclusively by the Attorney General with a 90-day cure period, treats sensitive data on a notice-and-opt-out basis, and provides no private right of action.
+## At a glance
+| Question | Iowa |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Iowa, the ICDPA requires a privacy notice, processor contracts, and notice plus an opportunity to opt out before processing sensitive data — but not opt-in consent or a universal opt-out signal — enforced by the Attorney General with a 90-day cure period and no consumer lawsuits. |
+| **Main law** | Iowa Code §§ 715D.1 et seq. (Iowa Consumer Data Protection Act) |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Persons conducting business in Iowa (or targeting residents) that, in a calendar year, control or process the data of 100,000+ consumers, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits, government, GLBA and HIPAA entities, and higher-education institutions exempt |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Opt-out right or limits instead |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | No — enforcement is exclusively the Attorney General's |
+| **Who enforces it?** | Iowa Attorney General (exclusive) |
+## Does the Iowa Consumer Data Protection Act apply to your business? {#does-icdpa-apply}
+**Short answer.** It turns on consumer volume, not revenue. The ICDPA applies to a person conducting business in Iowa or targeting its residents that, in a calendar year, controls or processes the personal data of at least 100,000 consumers, or at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data [^stat-715d2-apply].
+Iowa set no dollar revenue floor, so a large enterprise that processes data for fewer than 100,000 Iowa consumers and does not sell that data falls entirely outside the statute. The exemptions are broad: the chapter does not apply to the state or its political subdivisions, financial institutions and GLBA-regulated data, HIPAA-regulated entities, nonprofit organizations, or institutions of higher education, and a long list of federally regulated data categories is also carved out [^stat-715d2-exempt]. A consumer is an Iowa resident acting in an individual or household context, not an employee or business contact [^stat-715d1-consumer].
+## What must your Iowa privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties, and the categories of those third parties [^stat-715d4-notice].
+For a template privacy policy, section 715D.4 is the content checklist. If the controller sells personal data or engages in targeted advertising, the notice must clearly and conspicuously disclose that activity and how to opt out [^stat-715d4-optout-disclose]. The policy must also describe a secure and reliable way for consumers to submit rights requests, and the controller may not require a consumer to create a new account to exercise rights [^stat-715d4-request-means]. The notice should match the data practices the controller actually carries out.
+## What must your contracts with vendors and processors include? {#vendor-processor-contracts}
+**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-715d5-contract].
+Section 715D.5 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, the rights and duties of both parties, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, and a requirement to bind subcontractors by written contract to the same processor duties [^stat-715d5-terms]. A compliant template data processing agreement tracks each of these.
+## How does Iowa treat sensitive data and opt-outs? {#sensitive-data-and-opt-out}
+**Short answer.** Iowa does not require opt-in consent for sensitive data. A controller may process a consumer's sensitive data for a nonexempt purpose only after presenting the consumer with clear notice and an opportunity to opt out, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-715d4-sensitive]. Sensitive data includes data on race or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; data collected from a known child; and precise geolocation [^stat-715d1-sensitive].
+This notice-and-opt-out model is one of the features that makes the ICDPA among the most business-favorable state privacy laws. Iowa also does not require controllers to recognize a universal opt-out preference signal, so an Iowa program can rely on its own opt-out mechanisms for sales and targeted advertising.
+## Who enforces the ICDPA, and can consumers sue? {#enforcement-and-lawsuits}
+**Short answer.** No consumer can sue. The Attorney General has exclusive authority to enforce the ICDPA [^stat-715d8-enforce], and the chapter provides no private right of action [^stat-715d8-no-pra]. Before bringing an action, the Attorney General must give 90 days' written notice of the specific alleged violations and a chance to cure [^stat-715d8-cure].
+A controller that cures within the 90-day window and certifies the cure in writing avoids the action; an uncured violation, or a breach of that written statement, exposes the controller to an injunction and civil penalties of up to $7,500 per violation [^stat-715d8-penalty]. The practical posture is still to build the notice, sensitive-data, and contracting controls up front, but a covered business that receives a notice has a long window to fix the issue.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-05. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Iowa. This article synthesizes Iowa primary law and is not legal advice from a Iowa-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-715d2-apply]: **Iowa Code § 715D.2** — "This chapter applies to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following: a. Controls or processes personal data of at least one hundred thousand consumers. b. Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data." *Iowa Code § 715D.2(1).* <https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf>
+[^stat-715d2-exempt]: **Iowa Code § 715D.2** — "This chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954; nonprofit organizations; or institutions of higher education." *Iowa Code § 715D.2(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf>
+[^stat-715d1-consumer]: **Iowa Code § 715D.1** — "‘Consumer’ means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context." *Iowa Code § 715D.1(7).* <https://www.legis.iowa.gov/docs/code/2025/715D.1.pdf>
+[^stat-715d4-notice]: **Iowa Code § 715D.4** — "A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following: a. The categories of personal data processed by the controller. b. The purpose for processing personal data. c. How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request. d. The categories of personal data that the controller shares with third parties, if any. e. The categories of third parties, if any, with whom the controller shares personal data." *Iowa Code § 715D.4(5).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>
+[^stat-715d4-optout-disclose]: **Iowa Code § 715D.4** — "If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity." *Iowa Code § 715D.4(6).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>
+[^stat-715d4-request-means]: **Iowa Code § 715D.4** — "A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter." *Iowa Code § 715D.4(7).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>
+[^stat-715d5-contract]: **Iowa Code § 715D.5** — "A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties." *Iowa Code § 715D.5(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.5.pdf>
+[^stat-715d5-terms]: **Iowa Code § 715D.5** — "The contract shall also include requirements that the processor shall do all of the following: a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data. b. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law. c. Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this chapter. d. Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data." *Iowa Code § 715D.5(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.5.pdf>
+[^stat-715d4-sensitive]: **Iowa Code § 715D.4** — "A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq." *Iowa Code § 715D.4(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>
+[^stat-715d1-sensitive]: **Iowa Code § 715D.1** — "‘Sensitive data’ means a category of personal data that includes the following: a. Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law. b. Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person. c. The personal data collected from a known child. d. Precise geolocation data." *Iowa Code § 715D.1(26).* <https://www.legis.iowa.gov/docs/code/2025/715D.1.pdf>
+[^stat-715d8-enforce]: **Iowa Code § 715D.8** — "The attorney general shall have exclusive authority to enforce the provisions of this chapter." *Iowa Code § 715D.8(1).* <https://www.legis.iowa.gov/docs/code/2025/715D.8.pdf>
+[^stat-715d8-no-pra]: **Iowa Code § 715D.8** — "Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law." *Iowa Code § 715D.8(4).* <https://www.legis.iowa.gov/docs/code/2025/715D.8.pdf>
+[^stat-715d8-cure]: **Iowa Code § 715D.8** — "Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor ninety days’ written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the ninety-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor." *Iowa Code § 715D.8(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.8.pdf>
+[^stat-715d8-penalty]: **Iowa Code § 715D.8** — "If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter." *Iowa Code § 715D.8(3).* <https://www.legis.iowa.gov/docs/code/2025/715D.8.pdf>

package/skills/legal-explainers/data-privacy-law-explainer/content/kansas.md ADDED Viewed

@@ -0,0 +1,155 @@
+---
+jurisdiction: "Kansas"
+slug: kansas
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/kansas
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/kansas · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Kansas Consumer Privacy Law[^about]
+Kansas has no comprehensive consumer-privacy statute. The operative framework is the 2006 data-breach notification law (K.S.A. 50-7a01 and 50-7a02) plus the Kansas Consumer Protection Act, with a federal and sectoral overlay supplying the rest of a privacy program.
+## At a glance
+| Question | Kansas |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Kansas has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative statutes are the 2006 data-breach notification law — a twice-gated, identity-theft-keyed notice duty with no fixed day-count — and the Kansas Consumer Protection Act, whose deception and unconscionability rules are what make a published privacy policy enforceable against the business that wrote it. Everything else rides the federal and sectoral overlay, so build to FTC Act § 5, GLBA, HIPAA, and COPPA and the program will be easier to adapt if Kansas later enacts an omnibus law. |
+| **Main law** | Kansas data-breach notification statute, K.S.A. 50-7a01 and 50-7a02, plus the Kansas Consumer Protection Act, K.S.A. 50-623 et seq. — Kansas has no comprehensive consumer-privacy law |
+| **Privacy policy required?** | No Kansas statute mandates a consumer privacy policy or fixes its contents; a policy that misstates actual practices is reachable as a deceptive act under the KCPA and FTC Act § 5, and GLBA, HIPAA, and COPPA supply notice duties where they apply |
+| **Who does it cover?** | The breach statute reaches any person that conducts business in Kansas and owns or licenses computerized personal information of Kansas residents; the KCPA reaches any supplier in consumer transactions — no revenue or consumer-volume thresholds |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | The breach statute creates no express private remedy; the KCPA gives an aggrieved consumer an individual action for damages or a civil penalty, whichever is greater, with damages class actions sharply limited |
+| **Who enforces it?** | Kansas Attorney General (the insurance commissioner has sole authority over breach violations by licensed insurers) |
+## Which privacy laws apply to your business in Kansas? {#which-privacy-laws-apply}
+**Short answer.** There is no comprehensive Kansas consumer-privacy law. The operative state framework is two-part: the 2006 data-breach notification statute, which applies to any person that conducts business in Kansas — or any government unit — that owns or licenses computerized data including personal information [^stat-7a02-scope], and the Kansas Consumer Protection Act (KCPA), which is construed liberally to protect consumers from suppliers who commit deceptive and unconscionable practices [^stat-623-purpose]. Neither statute carries a revenue or consumer-volume threshold.
+Because there is no omnibus statute, Kansas residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and no recognized universal opt-out signal; businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties. The KCPA's scope definitions decide who is exposed to the rules that do exist. A consumer is unusually broad for a consumer-protection statute — it includes an individual, husband and wife, sole proprietor, or family partnership acting for personal, family, household, business, or agricultural purposes [^stat-624-consumer] — while corporations and LLCs fall outside it. A supplier is anyone who, in the ordinary course of business, solicits, engages in, or enforces consumer transactions, whether or not dealing directly with the consumer [^stat-624-supplier]. And a consumer transaction is a disposition of property or services for value within Kansas — expressly excluding insurance contracts regulated under state law [^stat-624-transaction].
+A handful of narrower Kansas and federal sectoral laws may still apply depending on the business model and data involved. The rest of a Kansas-facing privacy program rides the federal overlay: FTC Act § 5 reaches deceptive or unfair privacy practices, GLBA governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13.
+A failed 2026 app-store privacy measure is a watch item, but it creates no current Kansas obligations. Similar app-store or minor-safety language could be reintroduced in a later session.
+## What must your Kansas privacy policy contain? {#privacy-policy-contents}
+**Short answer.** No Kansas statute requires a general consumer privacy policy or fixes what it must say. The constraint that does the work is truthfulness. The KCPA forbids a supplier from engaging in any deceptive act or practice in connection with a consumer transaction [^stat-626-deceptive], and its enumerated deceptive acts include the willful use of falsehood or ambiguity as to a material fact and the willful failure to state — or the willful concealment of — a material fact [^stat-626-omission]. A published privacy policy the business does not follow is the natural target of those rules, and the same conduct is independently a deceptive practice under Section 5 of the FTC Act [^fed-ftc5-deceptive].
+In practice the Kansas drafting question is not what must be included but does the policy match actual practice. Beyond deception, the KCPA separately bans unconscionable acts and practices, and it reaches conduct before, during, or after the transaction [^stat-627-unconscionable] — one-sided data practices buried in terms the consumer cannot reasonably protect against are the privacy-flavored fit. Use the KCPA text as the state-law check rather than assuming Kansas has a privacy-policy template.
+Where a sectoral regime applies, that regime supplies the contents instead. A financial institution may not share nonpublic personal information with nonaffiliated third parties unless it has first given the consumer a GLBA-compliant privacy notice [^fed-glba-notice]. A HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^fed-hipaa-notice]. COPPA prohibits an operator of a website or online service directed to children under 13 from collecting children's personal information in violation of the FTC's notice and parental-consent regulations [^fed-coppa-notice]. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because in Kansas the enforceable obligation is consistency between the statement and the conduct. For any Kansas business selling beyond the state, other states' comprehensive privacy laws are the practical driver of what the policy ends up containing.
+## What must your contracts with vendors say? {#vendor-contracts}
+**Short answer.** Kansas imposes no general data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for ordinary commercial contracts. The one Kansas vendor duty is breach-notice flow-up: an entity that maintains computerized personal information it does not own or license must notify the owner or licensee of the information after discovering a breach, if the personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person [^stat-7a02-vendor-notice].
+That flow-up duty is worth writing into the contract anyway: the statute does not set a deadline for the vendor's notice to you, so a well-drafted agreement converts the statutory duty into a fixed notification window with cooperation obligations, since it is your business — as the data owner — that then carries the consumer-notice duty to Kansas residents. Where a federal or sectoral regime is in scope, it supplies the rest of the contracting obligations. The GLBA Safeguards Rule requires financial institutions to oversee service providers — selecting providers capable of maintaining appropriate safeguards, requiring those safeguards by contract, and periodically reassessing the providers [^fed-glba-safeguards]. HIPAA requires a written business-associate contract establishing the permitted uses and disclosures of protected health information before a covered entity shares it [^fed-hipaa-baa].
+Outside those verticals, carry the same protections forward as best practice even though no Kansas statute compels them: processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business on a contractual clock, and return or deletion of data at the end of the engagement.
+## When must you notify people of a data breach in Kansas? {#breach-notification}
+**Short answer.** After a two-step determination, and then quickly but with no fixed day-count. When a business becomes aware of a security breach it must conduct a good-faith, reasonable, and prompt investigation into the likelihood that personal information has been or will be misused; if the investigation determines that misuse has occurred or is reasonably likely to occur, it must notify the affected Kansas residents as soon as possible, in the most expedient time possible and without unreasonable delay [^stat-7a02-notice-trigger]. The duty is also gated at the definition: a security breach means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises personal information and that causes — or that the business reasonably believes has caused or will cause — identity theft to a Kansas consumer [^stat-7a01-breach-def]. If notice goes to more than 1,000 consumers at one time, the business must also notify the nationwide consumer reporting agencies without unreasonable delay [^stat-7a02-cra].
+Kansas's trigger is unusually narrow — twice gated. Most states key the notice duty to acquisition of personal information alone; Kansas requires both access and acquisition, ties the very existence of a breach to actual or reasonably believed identity theft, and then adds the misuse-investigation gate on top. The conservative operational posture is to run the investigation promptly and document the misuse determination either way, because the statute gives no safe harbor for guessing wrong. The data elements are also a short list: personal information means a consumer's first name or first initial and last name linked to an unencrypted, unredacted Social Security number, driver's license or state ID number, or financial-account or payment-card number with any code permitting account access [^stat-7a01-pi-def] — no medical, biometric, or online-credential elements, and encryption or redaction takes the data out of scope entirely.
+The mechanics are flexible by national standards. Notice may be written or electronic, and substitute notice is allowed where the cost of notice would exceed $100,000, the affected class exceeds 5,000 consumers, or the business lacks sufficient contact information [^stat-7a01-substitute]; when used, substitute notice means email where available, conspicuous website posting, and notification to major statewide media [^stat-7a01-substitute-methods]. Notice may be delayed at a law-enforcement agency's request if the agency determines that notice will impede a criminal investigation [^stat-7a02-law-delay]. Notably, the statute requires no notification to the Kansas Attorney General at any threshold — an outlier among state breach laws — so the only regulator-adjacent notice is the consumer-reporting-agency duty above. Two compliance safe harbors close the loop: a business that follows its own consistent notification procedures under an information-security policy is deemed compliant, and so is a regulated entity that follows the breach procedures of its primary or functional state or federal regulator [^stat-7a02-safe-harbors] — though for licensed insurers, enforcement of this section belongs solely to the insurance commissioner rather than the Attorney General.
+## Can a consumer sue your business in Kansas over privacy? {#consumer-lawsuit}
+**Short answer.** It depends on the statute. The breach-notification law creates no express private remedy — it empowers the Attorney General to bring an action in law or equity, while providing that the section is not exclusive and does not relieve a business from complying with all other applicable law [^stat-7a02-ag-action]. The KCPA, by contrast, carries a real private right of action: an aggrieved consumer may recover, in an individual action but not in a class action, damages or a civil penalty, whichever is greater [^stat-634-individual].
+The KCPA's class-action architecture is the detail that shapes real exposure. Consumers may bring a class action for declaratory or injunctive relief and ancillary remedies — but not damages — against any violating practice [^stat-634-class-injunctive]. A damages class action is available only in a narrower band: where the act or practice violates the specifically proscribed deceptive, unconscionable, or door-to-door provisions, was declared unlawful by a published final judgment ten days before the transactions at issue, or was prohibited by a prior consent judgment binding the supplier [^stat-634-class-damages]. Because the deceptive-acts and unconscionable-acts sections are within that per-se band, a privacy-policy misrepresentation theory could in principle support a damages class; the exposure is structural rather than established. The KCPA also has two-way fee-shifting: a prevailing consumer can recover reasonable attorney fees where the supplier committed a violation, and a supplier can recover fees where the consumer maintained a groundless action.
+Whether a breach-notification failure could itself be repackaged as a private KCPA claim is an open question — the breach statute names only public enforcers, but its non-exclusivity sentence preserves other law. One scope question to keep in view for online services: the KCPA hinges on a consumer transaction, defined as a disposition of property or services for value within Kansas [^q5-stat-624-transaction]. That makes no-cash, ad-supported services a harder fit than paid services.
+## Who enforces Kansas privacy law, and what are the penalties? {#enforcement-penalties}
+**Short answer.** The Kansas Attorney General, with one carve-out: for breach-notification violations by an insurance company licensed in Kansas, the insurance commissioner has the sole enforcement authority [^stat-7a02-enforcement-split]. Under the KCPA, any violation exposes the business to a civil penalty of up to $10,000 per violation, recoverable by the aggrieved consumer, the Attorney General, or a county or district attorney [^stat-636-penalty] — and a continuing practice not tied to a specific transaction counts as a separate violation each day it exists [^stat-636-daily].
+The penalty mechanics reward early correction. A supplier that willfully violates a court order issued under the KCPA forfeits up to $20,000 per violation on top of other penalties [^stat-636-willful], and the per-day accrual rule means a non-compliant practice left running — an inaccurate privacy policy, an undisclosed data practice — compounds rather than sits still. The KCPA has no pre-suit cure period: there is no statutory notice-and-cure mechanism a business can invoke before the Attorney General or a consumer files. The breach statute, for its part, sets no civil-penalty schedule at all — the Attorney General proceeds in law or equity for whatever relief is appropriate, which in practice means injunctions, consent terms, and equitable monetary relief shaped case by case.
+Enforcement posture follows the statutes rather than a standalone privacy agency. County and district attorneys share KCPA enforcement, with recovered penalties flowing to the county where the proceedings were brought. For licensed insurers, the commissioner's exclusive breach-enforcement lane is the Kansas-specific privacy enforcement rule to build into incident-response routing.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Kansas. This article synthesizes Kansas primary law and is not legal advice from a Kansas-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-7a02-scope]: **K.S.A. 50-7a02** — "A person that conducts business in this state, or a government, governmental subdivision or agency that owns or licenses computerized data that includes personal information shall, when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused." *K.S.A. 50-7a02(a).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0002.html>
+[^stat-623-purpose]: **K.S.A. 50-623** — "This act shall be construed liberally to promote the following policies: (a) To simplify, clarify and modernize the law governing consumer transactions; (b) to protect consumers from suppliers who commit deceptive and unconscionable practices;" *K.S.A. 50-623.* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0023.html>
+[^stat-624-consumer]: **K.S.A. 50-624 (consumer)** — "‘Consumer’ means an individual, husband and wife, sole proprietor, or family partnership who seeks or acquires property or services for personal, family, household, business or agricultural purposes." *K.S.A. 50-624(b).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0024.html>
+[^stat-624-supplier]: **K.S.A. 50-624 (supplier)** — "‘Supplier’ means a manufacturer, distributor, dealer, seller, lessor, assignor, or other person who, in the ordinary course of business, solicits, engages in or enforces consumer transactions, whether or not dealing directly with the consumer." *K.S.A. 50-624(l).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0024.html>
+[^stat-624-transaction]: **K.S.A. 50-624 (consumer transaction)** — "‘Consumer transaction’ means a sale, lease, assignment or other disposition for value of property or services within this state, except insurance contracts regulated under state law, to a consumer; or a solicitation by a supplier with respect to any of these dispositions." *K.S.A. 50-624(c).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0024.html>
+[^stat-626-deceptive]: **K.S.A. 50-626** — "No supplier shall engage in any deceptive act or practice in connection with a consumer transaction." *K.S.A. 50-626(a).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0026.html>
+[^stat-626-omission]: **K.S.A. 50-626(b)** — "(2) the willful use, in any oral or written representation, of exaggeration, falsehood, innuendo or ambiguity as to a material fact; (3) the willful failure to state a material fact, or the willful concealment, suppression or omission of a material fact;" *K.S.A. 50-626(b)(2)–(3).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0026.html>
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+[^stat-627-unconscionable]: **K.S.A. 50-627** — "No supplier shall engage in any unconscionable act or practice in connection with a consumer transaction. An unconscionable act or practice violates this act whether it occurs before, during or after the transaction." *K.S.A. 50-627(a).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0027.html>
+[^fed-glba-notice]: **GLBA privacy notice** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
+[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+[^fed-coppa-notice]: **COPPA** — "It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b)." *15 U.S.C. § 6502(a)(1).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=It%20is%20unlawful%20for%20an,regulations%20prescribed%20under%20subsection%20(b).>
+[^stat-7a02-vendor-notice]: **K.S.A. 50-7a02(b)** — "An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data following discovery of a breach, if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person." *K.S.A. 50-7a02(b).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0002.html>
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Oversee%20service%20providers%2C%20by%3A%20(1),continued%20adequacy%20of%20their%20safeguards.>
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate." *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,information%20by%20the%20business%20associate.>
+[^stat-7a02-notice-trigger]: **K.S.A. 50-7a02(a)** — "If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the person or government, governmental subdivision or agency shall give notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." *K.S.A. 50-7a02(a).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0002.html>
+[^stat-7a01-breach-def]: **K.S.A. 50-7a01(h)** — "‘Security breach’ means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer." *K.S.A. 50-7a01(h).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0001.html>
+[^stat-7a02-cra]: **K.S.A. 50-7a02(f)** — "In the event that a person discovers circumstances requiring notification pursuant to this section of more than 1,000 consumers at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a(p), of the timing, distribution and content of the notices." *K.S.A. 50-7a02(f).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0002.html>
+[^stat-7a01-pi-def]: **K.S.A. 50-7a01(g)** — "‘Personal information’ means a consumer's first name or first initial and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted: (1) Social security number; (2) driver's license number or state identification card number; or (3) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account." *K.S.A. 50-7a01(g).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0001.html>
+[^stat-7a01-substitute]: **K.S.A. 50-7a01(c)** — "substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $100,000, or that the affected class of consumers to be notified exceeds 5,000, or that the individual or the commercial entity does not have sufficient contact information to provide notice." *K.S.A. 50-7a01(c)(3).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0001.html>
+[^stat-7a01-substitute-methods]: **K.S.A. 50-7a01(e)** — "‘Substitute notice’ means: (1) E-mail notice if the individual or the commercial entity has e-mail addresses for the affected class of consumers; (2) conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains a web site; and (3) notification to major statewide media." *K.S.A. 50-7a01(e).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0001.html>
+[^stat-7a02-law-delay]: **K.S.A. 50-7a02(c)** — "Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this section shall be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation." *K.S.A. 50-7a02(c).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0002.html>
+[^stat-7a02-safe-harbors]: **K.S.A. 50-7a02(d)–(e)** — "Notwithstanding any other provision in this section, an individual or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the individual or the commercial entity notifies affected consumers in accordance with its policies in the event of a breach of security of the system. (e) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section." *K.S.A. 50-7a02(d)–(e).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0002.html>
+[^stat-7a02-ag-action]: **K.S.A. 50-7a02(g)** — "For violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law." *K.S.A. 50-7a02(g).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0002.html>
+[^stat-634-individual]: **K.S.A. 50-634(b)** — "A consumer who is aggrieved by a violation of this act may recover, but not in a class action, damages or a civil penalty as provided in subsection (a) of K.S.A. 50-636 and amendments thereto, whichever is greater." *K.S.A. 50-634(b).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0034.html>
+[^stat-634-class-injunctive]: **K.S.A. 50-634(c)** — "Whether a consumer seeks or is entitled to recover damages or has an adequate remedy at law, a consumer may bring a class action for declaratory judgment, an injunction and appropriate ancillary relief, except damages, against an act or practice that violates this act." *K.S.A. 50-634(c).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0034.html>
+[^stat-634-class-damages]: **K.S.A. 50-634(d)** — "A consumer who suffers loss as a result of a violation of this act may bring a class action for the damages caused by an act or practice: (1) Violating any of the acts or practices specifically proscribed in K.S.A. 50-626, 50-627 and 50-640, and amendments thereto, or (2) declared to violate K.S.A. 50-626 or 50-627, and amendments thereto, by a final judgment of any district court or the supreme court of this state that was either officially reported or made available for public dissemination under subsection (a)(3) of K.S.A. 50-630 and amendments thereto by the attorney general 10 days before the consumer transactions on which the action is based, or (3) with respect to a supplier who agreed to it, was prohibited specifically by the terms of a consent judgment which became final before the consumer transactions on which the action is based." *K.S.A. 50-634(d).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0034.html>
+[^q5-stat-624-transaction]: **K.S.A. 50-624 (consumer transaction)** — "‘Consumer transaction’ means a sale, lease, assignment or other disposition for value of property or services within this state, except insurance contracts regulated under state law, to a consumer; or a solicitation by a supplier with respect to any of these dispositions." *K.S.A. 50-624(c).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0024.html>
+[^stat-7a02-enforcement-split]: **K.S.A. 50-7a02(g)–(h)** — "For violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law. (h) For violations of this section by an insurance company licensed to do business in this state, the insurance commissioner shall have the sole authority to enforce the provisions of this section." *K.S.A. 50-7a02(g)–(h).* <https://www.ksrevisor.gov/statutes/chapters/ch50/050_007a_0002.html>
+[^stat-636-penalty]: **K.S.A. 50-636(a)** — "The commission of any act or practice declared to be a violation of this act shall render the violator liable to the aggrieved consumer, or the state or a county as provided in subsection (c), for the payment of a civil penalty, recoverable in an individual action, including an action brought by the attorney general or county attorney or district attorney, in a sum set by the court of not more than $10,000 for each violation." *K.S.A. 50-636(a).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0036.html>
+[^stat-636-daily]: **K.S.A. 50-636(d)** — "Any act or practice declared to be a violation of this act not identified to be in connection with a specific identifiable consumer transaction but which is continuing in nature shall be deemed a separate violation each day such act or practice exists." *K.S.A. 50-636(d).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0036.html>
+[^stat-636-willful]: **K.S.A. 50-636(b)** — "Any supplier who willfully violates the terms of any court order issued pursuant to this act shall forfeit and pay a civil penalty of not more than $20,000 per violation, in addition to other penalties that may be imposed by the court, as the court shall deem necessary and proper." *K.S.A. 50-636(b).* <https://ksrevisor.gov/statutes/chapters/ch50/050_006_0036.html>

package/skills/legal-explainers/data-privacy-law-explainer/content/kentucky.md ADDED Viewed

@@ -0,0 +1,87 @@
+---
+jurisdiction: "Kentucky"
+slug: kentucky
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-06"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/kentucky
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/kentucky · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Kentucky Consumer Privacy Law (KCDPA)[^about]
+The Kentucky Consumer Data Protection Act, effective January 1, 2026, gives Kentucky consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds — closely modeled on Virginia, it is enforced exclusively by the Attorney General with a permanent 30-day cure period and provides no private right of action.
+## At a glance
+| Question | Kentucky |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Kentucky, the KCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits. |
+| **Main law** | KRS 367.3611 to 367.3629 (Kentucky Consumer Data Protection Act), effective January 1, 2026 |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Persons doing business in Kentucky (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits and higher-education institutions exempt |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | No — enforcement is exclusively the Attorney General's |
+| **Who enforces it?** | Kentucky Attorney General (exclusive) |
+## Does the Kentucky Consumer Data Protection Act apply to your business? {#does-kcdpa-apply}
+**Short answer.** It turns on consumer volume, not revenue. The KCDPA applies to persons that do business in Kentucky or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers, or at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data [^stat-3613-apply].
+Kentucky's law took effect January 1, 2026, later than most of the early movers, and it is closely patterned on Virginia — so this note reads much like Virginia, Colorado, Connecticut, and Texas. Like those, it sets no dollar revenue floor; it also exempts nonprofit organizations and institutions of higher education, along with state and local government and GLBA-, HIPAA-, and FCRA-regulated data. A consumer is a Kentucky resident acting only in an individual context, not an employee or business contact.
+## What must your Kentucky privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise their rights (including how to appeal), the categories of personal data shared with third parties, and the categories of those third parties [^stat-3617-notice].
+For a template privacy policy, KRS 367.3617 is the content checklist. Kentucky also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that activity and how to opt out. The notice the policy presents should match the data practices the controller actually carries out.
+## What must your contracts with processors say? {#vendor-contracts}
+**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-3619-contract].
+KRS 367.3619 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with reasonable assessments, and a requirement to bind subcontractors by written contract to the same obligations [^stat-3619-terms]. A compliant template DPA tracks each of these.
+## Do you need consent to process sensitive data? {#sensitive-data}
+**Short answer.** Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-3617-consent]. Sensitive data includes data indicating race or ethnicity, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; data from a known child; and precise geolocation.
+This is the opt-in model shared by Virginia, California, Colorado, and Texas — the opposite of Utah's notice-and-opt-out approach. Kentucky does not, however, require honoring a universal opt-out preference signal the way California, Colorado, and Connecticut do, so a Kentucky-only program can rely on its own opt-out mechanisms — though a multi-state template generally has to support universal signals to stay compliant elsewhere.
+## Can a consumer sue your business under the KCDPA? {#consumer-lawsuit}
+**Short answer.** No. The Attorney General has exclusive authority to enforce the KCDPA [^stat-3627-enforce], so there is no private right of action for consumers [^stat-3627-no-pra]. Before suing, the Attorney General must give 30 days' written notice of the specific alleged violations and a chance to cure [^stat-3627-cure].
+Like Virginia, and unlike Colorado and Connecticut, Kentucky's 30-day cure period has not sunset — it remains a permanent, built-in off-ramp. A controller that cures within the window and certifies it in writing avoids the action; an uncured violation exposes it to damages of up to $7,500 per continued violation, plus the Attorney General's expenses and costs. The practical posture is still to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Kentucky. This article synthesizes Kentucky primary law and is not legal advice from a Kentucky-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-3613-apply]: **KRS 367.3613** — "KRS 367.3611 to 367.3629 apply to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year control or process personal data of at least: (a) One hundred thousand (100,000) consumers; or (b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data." *KRS 367.3613(1).* <https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=56648>
+[^stat-3617-notice]: **KRS 367.3617** — "reasonably accessible, clear, and meaningful privacy notice that includes: (a) The categories of personal data processed by the controller; (b) The purpose for processing personal data;" *KRS 367.3617(3).* <https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=55839>
+[^stat-3619-contract]: **KRS 367.3619** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller." *KRS 367.3619(2).* <https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=55840>
+[^stat-3619-terms]: **KRS 367.3619** — "The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: (a) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (b) At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (c) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; (d) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and (e) Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data." *KRS 367.3619(2).* <https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=55840>
+[^stat-3617-consent]: **KRS 367.3617** — "Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq." *KRS 367.3617(1)(e).* <https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=55839>
+[^stat-3627-enforce]: **KRS 367.3627** — "The Attorney General shall have exclusive authority to enforce violations of KRS 367.3611 to 367.3629." *KRS 367.3627(1).* <https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=55844>
+[^stat-3627-no-pra]: **KRS 367.3627** — "Nothing in KRS 367.3611 to 367.3629 or any other law, regulation, or the equivalent shall be construed as providing the basis for, or give rise to, a private right of action for violations of KRS 367.3611 to 367.3629." *KRS 367.3627(4).* <https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=55844>
+[^stat-3627-cure]: **KRS 367.3627** — "the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated." *KRS 367.3627(2).* <https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=55844>