Kentucky: Bill for consumer data privacy introduced in House of Representatives
On January 2, 2024, House Bill 24 for an act relating to consumer data privacy was introduced in the House of Representatives of Kentucky and, on the same date, referred to the Committee on Committees.
What is the scope of the bill?
The bill would apply to persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and that during a calendar year control or process personal data of at least:
- 100,000 consumers; or
- 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The bill also provides a list and categories of entities to which it would not apply.
What are the key provisions of the bill?
In particular, the bill would create new sections of Kentucky Revised Statutes (KRS) Chapter 367 to define terms and set the parameters for applicability of the bill. The bill defines, among other things, 'biometric data,' 'child,' 'consent,' 'consumer,' 'controller,' 'dark patterns,' 'de-identified data,' 'personal data,' 'identified or identifiable natural person,' and 'targeted advertising.'
Further, the bill, among other things, defines various consumer rights including the right to opt out of targeted advertising and the sale of personal data. The bill also provides for the rights of minors. Additionally, the bill would require a data controller to comply with a consumer request to exercise those rights and require controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right.
Moreover, the bill imposes certain obligations on the controllers and processors and would require a contract between the controller and processor. In addition, a controller would be required to implement organizational and security measures, provide a privacy notice, and not process sensitive personal data unless the requirements of the bill are satisfied.
Finally, the bill would establish that the Kentucky Attorney General (AG) has exclusive authority to enforce the bill. The AG shall provide a controller or processor 30 days' written notice identifying the specific provisions that were violated, and if the controller or processor does not cure a violation within 30 days, the AG may initiate an action and seek damages of up to $7,500 for each violation.
If enacted, the bill would enter into effect on January 1, 2026.