Kentucky: Bill for consumer data privacy introduced in House of Representatives

On January 2, 2024, House Bill 24 for an act relating to consumer data privacy was introduced to the House of Representatives of Kentucky and, on the same date, referred to the Committee on Committees.

What is the scope of the bill?

The bill would apply to persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and that during a calendar year control or process personal data of at least:

  • 100,000 consumers; or
  • 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The bill also provides a list and categories of entities to which it would not apply. 

What are the key provisions of the bill?

In particular, the bill would create new sections of Kentucky Revised Statutes (KRS) Chapter 367 to define terms and set the parameters for applicability of the bill. The bill defines, among other things, 'biometric data,' 'child,' 'consent,' 'consumer,' 'controller,' 'dark patterns,' 'de-identified data,' 'personal data,' 'identified or identifiable natural person,' and 'targeted advertising.'

Further, the bill, among other things, defines various consumer rights including the right to opt out of targeted advertising and the sale of personal data. The bill also provides for the rights of minors. Additionally, the bill would require a data controller to comply with a consumer request to exercise those rights and require controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right. 

Moreover, the bill imposes certain obligations on controllers and processors and would require a contract between the controller and processor. In addition, a controller would be required to implement organizational and security measures, provide a privacy notice, and not process sensitive personal data unless the requirements of the bill are satisfied.

Finally, the bill would establish that the Kentucky Attorney General (AG) has exclusive authority to enforce the bill. The AG would have to provide a controller or processor 30 days' written notice identifying the specific provisions that were violated. If the controller or processor does not cure the violation within 30 days, the AG may initiate an action and seek damages of up to $7,500 for each violation.

If enacted, the bill would enter into effect on January 1, 2026. 

You can read the bill here and track its progress here.
