Kentucky: Bill for consumer data privacy introduced in Senate
On January 3, 2024, Senate Bill 15 was referred to the Economic Development, Tourism, & Labor (S) Committee after being introduced to the Kentucky State Senate on January 2, 2024.
What is the scope of the bill?
The bill would apply to persons that conduct business in Kentucky, or produce products or services that are targeted to residents of Kentucky, and that during a calendar year control or process personal data of at least:
- 50,000 consumers; or
- 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The bill also provides a list and categories of entities to which it would not apply.
What are the key provisions of the bill?
In particular, the bill would create new sections of Kentucky Revised Statutes (KRS) Chapter 367 to define terms and set the parameters for applicability of the bill. The bill defines, among other things, 'biometric data,' 'child,' 'consent,' 'consumer,' 'controller,' 'dark patterns,' 'de-identified data,' 'personal data,' 'identified or identifiable natural person,' and 'profiling.'
Further, the bill, among other things, defines various consumer rights, including the right to opt out of targeted advertising, opt out of tracking, and opt out of the sale or sharing of personal data. The bill also provides for the rights of minors. In addition, the bill would require a data controller to comply with a consumer request to exercise those rights and require controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right.
Additionally, the bill imposes certain obligations on controllers and processors and would require a contract between the controller and processor. Moreover, a controller would be required to conduct a Data Protection Impact Assessment (DPIA), implement organizational and security measures, provide an annual report to the Attorney General of Kentucky (AG) as prescribed, and provide a privacy notice that contains provisions that would restrict the processing of sensitive data.
Finally, the bill would establish that the AG has exclusive authority to enforce the bill and shall provide a controller or processor 30 days' written notice identifying the specific provisions that were violated. If a controller or processor does not cure a violation within 30 days, the AG may initiate an action and seek damages of up to $7,500 for each violation.
If enacted, the bill would enter into effect on January 1, 2026.