On February 2, 2024, House Bill (HB) 15 for an act relating to consumer data privacy and making an appropriation therefor, was introduced to the House of Representatives of Kentucky. The bill provides for consumer rights relating to personal data and highlights requirements for data controllers and processors.

Scope and definitions

The bill would apply to persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and that during a calendar year control or process personal data of at least:

• 100,000 consumers; or
• 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The bill also defines other key terms including, 'biometric data,' 'profiling,' 'sensitive data,' and 'targeted advertising.'

Data subject rights

Under the bill, a consumer is granted the right to:

• confirm whether a controller is processing their personal data and access the same;
• correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing;
• have their personal data deleted;
• obtain a copy of their personal data previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, provided the controller is not required to reveal any trade secret; and
• opt out of the processing of their personal data for the purposes of:
  • targeted advertising;
  • sale; or
  • profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Obligations under the bill

The bill imposes obligations on controllers such as the obligation to:

• establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
• limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed; and
• obtain consent from the consumer before processing sensitive data concerning the consumer.

More practically, under the bill, controllers must perform a data protection assessment in connection with processing activities that present a heightened risk of harm to a consumer. The bill also states that data processors must adhere to the controller's instructions and assist controllers in meeting their obligations, with a contract between controllers and processors being required to govern data processing procedures performed on the controller's behalf.

Finally, the bill would grant the Kentucky Attorney General (AG) the authority to enforce the bill and shall provide a controller or processor 30 days written notice identifying the specific provisions that were violated and provide that if a controller or processor does not cure a violation within 30 days, the AG may initiate an action and seek damages for up to $7,500 for each violation.

If enacted, the bill would enter into effect on January 1, 2026. 

You can read the bill here and track its progress here.

Update: February 20, 2024

Amendment proposed to bill

On February 16, 2024, a proposed amendment to the bill was filed in the House of Representatives of Kentucky.

In particular, the proposed amendment would change the data and information exemptions under the bill to include:

• data processed by an affiliate of a utility or a holding company system organized for the purpose of providing goods or services to a utility; and
• personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.

You can read the bill here and track its progress here.

Update: February 23, 2024

Bill passes House of Representatives and moves to Senate

On February 21, 2024, the bill moved to the Senate Committee on Committees after it was passed by the House of Representatives on February 20, 2024. 

You can read the bill here and track its progress here.

Update: February 26, 2024

Bill moves to Senate Committee on Economic Development, Tourism, and Labor

On February 23, 2024, the bill moved to the Senate Standing Committee on Economic Development, Tourism, and Labor.

You can read the bill here and track its progress here.

Update: March 12, 2024

Bill passed by Senate

On March 11, 2024, the bill was read for the third time and passed by the Senate with two amendments. In particular, the bill was amended to specify that:

• the bill shall not apply to the processing of personal data by a person in the course of a purely personal or household activity; and
• the subsequent Act may be cited as the Kentucky Consumer Data Protection Act.

You can read the bill here and track its progress here.

Update: March 20, 2024

Bill moves to House Rules Committee 

On March 12, 2024, the bill moved to the House Rules Committee after it was passed with amendments by the Senate on March 11, 2024.

You can read the bill here and track its progress here.

Update: March 26, 2024

Bill posted for passage in House

On March 25, 2024, the bill was posted for passage in the House for concurrence with the amendments to the bill proposed by the Senate.

You can read the bill here and track its progress here.

Update: March 28, 2024

Bill passes House and Senate and delivered to Governor

On March 27, 2024, the bill was passed by the House with concurrence to the amendments to the bill proposed by the Senate. The bill was then enrolled and signed by the Speaker of the House and the President of the Senate. The bill was then delivered to the Governor for signature.

You can read the bill here and track its progress here.

Update: April 5, 2024

Bill signed by Governor

On April 4, 2024, the bill, was signed into law by the Governor of Kentucky.

You can read the Act here and view its history here.