Kentucky 2022 Regular Session

Kentucky Senate Bill SB15 Latest Draft

Bill / Introduced Version

                            UNOFFICIAL COPY  	22 RS BR 158 
Page 1 of 32 
XXXX  	Jacketed 
AN ACT relating to consumer data privacy.

Be it enacted by the General Assembly of the Commonwealth of Kentucky:

SECTION 1. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

As used in Sections 1 to 12 of this Act:

(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, "control" or "controlled" means:
    (a) Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a company;
    (b) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
    (c) The power to exercise controlling influence over the management of a company;

(2) "Air carriers" has the same meaning as defined in the Federal Aviation Act 49 U.S.C. secs. 40101, et seq., including the Airline Deregulation Act, 49 U.S.C. sec. 41713;

(3) "Authenticate" means verifying through reasonable means that the consumer entitled to exercise his or her consumer rights under Section 3 of this Act is the same consumer exercising such consumer rights with respect to the personal data at issue;

(4) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual but does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA;
(5) "Business associate" has the same meaning as established in 45 C.F.R. sec. 160.103 pursuant to the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191;

(6) "Child" has the same meaning as defined in the Children's Online Privacy Protection Act, 15 U.S.C. secs. 6501 et seq.;

(7) "Consent" means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer for a narrowly defined, particular purpose. Consent does not include:
    (a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
    (b) Hovering over, muting, pausing, or closing a given piece of content; or
    (c) Agreement obtained through the use of dark patterns;

(8) "Consumer" means a natural person who is a resident of Kentucky acting only in an individual or household context but does not include a natural person acting in a commercial or employment context;

(9) "Controller" means a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data;

(10) "Covered entity" has the same meaning as established in 45 C.F.R. sec. 160.103 pursuant to HIPAA;

(11) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing consumer autonomy, decision making, or choice;

(12) "De-identified data" means data that cannot reasonably be used to infer information about, or otherwise associated with, an identified or identifiable natural person, or a device linked to such person, provided that the controller that possesses the data:
    (a) Takes reasonable measures to ensure that the data cannot be associated with an identified or identifiable natural person, household, or device linked to such person or household;
    (b) Publicly commits to maintain and use the data only in de-identified form and not attempt to re-identify the data, except as reasonably required for the controller to test their methods of de-identification; and
    (c) Contractually obligates any recipients of the de-identified data to comply with Sections 1 to 12 of this Act;
(13) "Fund" means the consumer privacy fund established in Section 11 of this Act;

(14) "Health record" means a record, other than for financial or billing purposes, relating to an individual, kept by a health care provider as a result of the professional relationship established between the health care provider and the individual;

(15) "Health care provider" means:
    (a) Any health facility as defined in KRS 216B.015;
    (b) Any person or entity providing health care or health services, including those licensed, certified, or registered under, or subject to, KRS 194A.700 to 194A.729 or KRS Chapters 310, 311, 311A, 311B, 312, 313, 314, 314A, 315, 319, 319A, 319B, 319C, 320, 327, 333, 334A, or 335;
    (c) The current and former employers, officers, directors, administrators, agents, or employees of those entities listed in paragraphs (a) and (b) of this subsection; or
    (d) Any person acting within the course and scope of his or her office, employment, or agency relating to a health care provider;

(16) "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191;

(17) "Identified or identifiable natural person" means a person who can be readily identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one (1) or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

(18) "Institution of higher education" means an educational institution which:
    (a) Admits as regular students only individuals having a certificate of graduation from a high school, or the recognized equivalent of such a certificate;
    (b) Is legally authorized in this state to provide a program of education beyond high school;
    (c) Provides an educational program for which it awards a bachelor's or higher degree, or provides a program which is acceptable for full credit toward such a degree, a program of postgraduate or postdoctoral studies, or a program of training to prepare students for gainful employment in a recognized occupation; and
    (d) Is a public or other nonprofit institution;

(19) "Nonprofit organization" means an incorporated or unincorporated entity that:
    (a) Is operating for religious, charitable, or educational purposes; and
    (b) Does not provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder of the entity;

(20) "Personal data" means any information, including pseudonymous data and sensitive data, that relates to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information;
(21) "Precise geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty (1,750) feet but does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility;

(22) "Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data;

(23) "Processor" means a natural or legal entity that processes personal data on behalf of a controller;

(24) "Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

(25) "Protected health information" has the same meaning as established in 45 C.F.R. sec. 160.103 pursuant to HIPAA;

(26) "Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;

(27) "Publicly available information" means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience;
(28) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party but does not include:
    (a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
    (b) The disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer;
    (c) The disclosure or transfer of personal data to a commonly branded affiliate of the controller;
    (d) The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
    (e) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
    (f) The disclosure or transfer of personal data to a third party solely for the purposes of facilitating the consumer's exercising his or her right to opt out, as provided in Section 3 of this Act;

(29) "Sensitive data" means a category of personal data that includes:
    (a) Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law;
    (b) Genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person;
    (c) The personal data collected from a child; or
    (d) Precise geolocation data;
(30) "Sharing," "share," or "shared" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, personal data by a controller to a third party for targeted advertising or tracking, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for targeted advertising or tracking for the benefit of the controller or a third party in which no money is exchanged. Sharing does not include:
    (a) The disclosure of personal data to a third party at the consumer's direction;
    (b) The disclosure or transfer of personal data to a commonly branded affiliate of the controller;
    (c) The disclosure of information that the consumer intentionally made available to the general public through a channel of mass media and did not restrict to a specific audience;
    (d) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
    (e) The disclosure or transfer of personal data to a third party solely for the purposes of facilitating the consumer's exercising their right to opt out, as provided in Section 3 of this Act;

(31) "State agency" means all departments, offices, commissions, boards, institutions, and political and corporate bodies of the state, including the offices of the clerk of the Supreme Court, clerks of the appellate courts, the several courts of the state, and the legislature, its committees, or commissions;
(32) "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across one (1) or more distinctly branded Web sites or online applications to predict the consumer's preferences or interests. Targeted advertising does not include advertising:
    (a) Based on activities within a controller's own commonly branded Web sites or online applications when such advertisements promote the controller's own products or services;
    (b) Based on the context of a consumer's current search query or visit to a Web site or online application; or
    (c) To a consumer in response to the consumer's request for information or feedback;

(33) "Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller;

(34) "Tracking" means combining personal data obtained from a consumer's activities within a controller's own commonly branded Web sites or online applications with personal data obtained from a third party for targeted advertising. Tracking does not include combining personal data obtained from a consumer's activities within a controller's own commonly branded Web sites or online applications with personal data obtained from a third party solely on a consumer's device such that the personal data is not permitted to leave the device in a manner that permits it to be attributed to a consumer; and

(35) "Trade secret" means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process that:
    (a) Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and
    (b) Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
SECTION 2. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

(1) Sections 1 to 12 of this Act apply to persons that conduct business in this state or produce products or services that are targeted to residents of this state and that during a calendar year:
    (a) Control or process personal data of at least ten thousand (10,000) consumers; or
    (b) Derive over forty percent (40%) of gross revenue from the sale of personal data.

(2) Sections 1 to 12 of this Act shall not apply to any:
    (a) State agency, including any body, authority, board, bureau, commission, district, or agency of the state or of any political subdivision of the state;
    (b) Financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. secs. 6801 et seq.;
    (c) Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA;
    (d) Nonprofit organization; or
    (e) Institution of higher education.
(3) The following information and data are exempt from Sections 1 to 12 of this Act:
    (a) Protected health information;
    (b) Health records;
    (c) Patient identifying information for purposes of 42 C.F.R. sec. 2.11;
    (d) Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. pts. 50 and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in Sections 1 to 12 of this Act, or other research conducted in accordance with applicable law;
    (e) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. secs. 11101 et seq.;
    (f) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. secs. 299b-21 et seq.;
    (g) Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
    (h) Information originating from, and intermingled to be indistinguishable from, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 C.F.R. sec. 2.11;
    (i) Information used only for public health activities and purposes as authorized by HIPAA;
    (j) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. secs. 1681 et seq.;
    (k) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. secs. 2721 et seq.;
    (l) Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. secs. 1232g et seq.;
    (m) Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. secs. 2001 et seq.; and
    (n) Data processed or maintained:
        1. As the emergency contact information of an individual used for emergency contact purposes; or
        2. That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph 1. of this paragraph and used for the purposes of administering those benefits;
    in connection with the gathering, dissemination, or reporting of news or information to the public by news media.

(4) Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. secs. 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent under Sections 1 to 12 of this Act.
SECTION 3. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

(1) A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to Section 4 of this Act, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child.

(2) A controller shall comply with an authenticated consumer request to exercise the right:
    (a) To confirm whether or not a controller is processing the consumer's personal data and to access such personal data;
    (b) To delete personal data provided by the consumer;
    (c) To obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to read or transmit the data to another controller without hindrance, where the processing is carried out by automated means;
    (d) To opt out of targeted advertising;
    (e) To opt out of tracking; and
    (f) To opt out of the sale or sharing of personal data.

(3) Except as otherwise provided in Subsection (4) of this section and Sections 6 and 7 of this Act, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows:
    (a) A controller shall respond to the consumer without undue delay, but in all cases within thirty (30) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by fifteen (15) additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of any such extension within the initial thirty (30) day response period, together with the reason for the extension;
    (b) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but in all cases and at the latest within thirty (30) days of receipt of the request, of the justification for declining to take action; and
    (c) Information provided in response to a consumer request shall be provided by a controller free of charge, at least twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, such as when the controller reasonably believes that the primary purpose of the requests is not to exercise a consumer right, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request.
(4) A controller shall not be required to comply with a request to exercise any of the rights set forth in this section if the controller is unable to authenticate the request using commercially reasonable efforts. In such a case, the controller may, but is not required to, request the provision of additional information reasonably necessary to authenticate the request.

(5) A controller shall:
    (a) Establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights set forth in this section within a reasonable period of time after the controller refuses to take action on such request;
    (b) Ensure that the appeal process is conspicuously available and as easy to use as the process for submitting a request to exercise a right under this section;
    (c) Inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof, within thirty (30) days of receipt of an appeal. That period may be extended by sixty (60) additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller shall inform the consumer of such an extension within thirty (30) days of receipt of the appeal, together with the reasons for the delay. The controller shall also provide the consumer with an e-mail address or other online mechanism through which the consumer may submit the appeal, along with any action taken or not taken by the controller in response to the appeal and the controller's written explanation of the reasons in support thereof, to the Attorney General; and
    (d) When informing a consumer of any action taken or not taken in response to an appeal pursuant to this subsection, clearly and prominently provide the consumer with information about how to file a complaint with the Consumer Protection Division of the Attorney General's office. The controller shall maintain records of all such appeals and how it responded to them for at least twenty-four (24) months and shall, upon request, compile and provide a copy of such records to the Attorney General.
SECTION 4. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

(1) A controller shall:
    (a) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue;
    (b) Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in Section 3 of this Act, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his or her right to opt out pursuant to Section 3 of this Act or the offer is related to a consumer's informed, voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program;
    (c) Not process sensitive data concerning a consumer for a non-exempt purpose without the consumer having been presented with clear and conspicuous notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data collected from a child, for purposes of delivering a product or service requested by the parent of such child, without processing such data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. secs. 6501 et seq.; and
    (d) Upon a request made by the Office of the Attorney General pursuant to any investigation or action taken under Section 9 of this Act, provide the Attorney General with the specific third parties, if any, with whom the controller shares or sells personal data relevant to the Attorney General's investigation or action, including:
        1. Each location, whether domestic or international, at which each third party retains the data;
        2. The length of time each third party retains the data; and
        3. The use or uses to which the data is put by each third party.

(2) Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to Section 3 of this Act shall be deemed contrary to public policy and shall be void and unenforceable.
(3) Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
    (a) The specific pieces of personal data processed by the controller;
    (b) The purpose for processing personal data;
    (c) How consumers may exercise their consumer rights pursuant to Section 3 of this Act;
    (d) The specific types of personal data that the controller shares with, or sells to, third parties, if any;
    (e) The categories of third parties, if any, with whom the controller shares or sells personal data, including:
        1. Each location, whether domestic or international, at which each third party retains the data;
        2. The length of time each third party retains the data; and
        3. The use or uses to which the data is put by each third party;
    (f) The name and contact information of the controller;
    (g) The purposes for which personal data are processed, as well as the basis for processing as provided in subsection (7) of this section;
    (h) The estimated period of time for which the controller will retain the consumer's personal data or, if this is not known, the criteria that the controller will use in determining that period of time; and
    (i) How and where consumers may exercise the rights contained in Section 3 of this Act, including how a consumer may appeal a controller's action with regard to the consumer's request.

(4) If a controller sells or shares personal data to third parties or processes personal data for targeted advertising or tracking, the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
(5) A controller shall establish in clear and plain language in a privacy notice one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under Section 3 of this Act. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to Section 3 of this Act but may require a consumer to use an existing account.

(6) Controllers shall ensure that any privacy notices or disclosures required under this section:
    (a) Use clear and plain language;
    (b) Are provided in English and any other language in which the controller communicates with the consumer to whom the information pertains; and
    (c) Are understandable to the least sophisticated consumer.

(7) Controllers shall not process the personal data of a consumer unless at least one (1) of the following conditions applies:
    (a) The controller is able to demonstrate that all of the following apply:
        1. The consumer has provided consent to process his or her personal data for one (1) or more specific purposes or, in the case of processing the personal data of a child, the parent or legal guardian of the child has provided such consent;
        2. The consumer is informed prior to providing consent under this subsection that they may withdraw such consent at any time and how such consent may be withdrawn;
        3. The consent provided under this subsection is as easy for the consumer to withdraw as it is to give;
        4. The controller does not require the consumer to provide consent as a condition of using the controller's product or service, unless processing the consumer's personal data is required to provide the product or service to the consumer; and
        5. If the consumer grants consent as part of a written declaration that also concerns other matters, the request for consent is clearly distinguishable from the other matters in an intelligible and easily accessible form using clear and plain language;
    (b) The processing is necessary to perform a contract to which the consumer is a party or in order to take steps at the request of the consumer prior to entering into a contract;
    (c) The processing is necessary for the controller to comply with a legal obligation to which it is subject;
    (d) The processing is necessary to protect the vital interests of the consumer or
another natural person, and the processing cannot be manifestly based on 21 
another legal basis; 22 
(e) The processing is necessary to perform a task carried out in the public 23 
interest or to exercise official authority vested in the controller; or 24 
(f) The processing is necessary for the purposes of the legitimate interests 25 
pursued by the controller or by a third party, except where such legitimate 26 
interests are overridden by the fundamental privacy interests of the 27  UNOFFICIAL COPY  	22 RS BR 158 
Page 19 of 32 
XXXX  	Jacketed 
consumer, in particular when processing the personal data of a child. 1 
(8) A controller's collection of personal data shall be limited to what is reasonably 2 
necessary in relation to the purposes for which the personal data is processed. 3 
(9) A controller shall store or otherwise retain personal data such that it can be 4 
attributed to a consumer for no longer than is necessary for the purposes for 5 
which the personal data are processed. 6 
(10) Except as provided in Sections 1 to 12 of this Act, a controller shall collect and 7 
process personal data only for specified and legitimate purposes, and a controller 8 
may not further process personal data in a manner that is not reasonably 9 
necessary to or compatible with those purposes, unless the controller obtains the 10 
consumer's consent and such consent meets the conditions set forth in subsection 11 
(7)(a) of this section. 12 
(11) A controller shall not process personal data on the basis of a consumer's or a 13 
class of consumers' actual or perceived race, color, ethnicity, religion, national 14 
origin, sex, gender, gender identity, sexual orientation, family status, lawful 15 
source of income, or disability, in a manner that unlawfully discriminates against 16 
the consumer or class of consumers with respect to the offering or provision of: 17 
(a) Housing; 18 
(b) Employment; 19 
(c) Credit; 20 
(d) Education; or 21 
(e) The goods, services, facilities, privileges, advantages, or accommodations of 22 
any place of public accommodation. 23 
(12) A controller shall not discriminate against a consumer for exercising any of the 24 
consumer rights contained in Section 3 of this Act, including denying goods or 25 
services, charging different prices or rates for goods or services, or providing a 26 
different level of quality of goods and services to the consumer. However, nothing 27  UNOFFICIAL COPY  	22 RS BR 158 
Page 20 of 32 
XXXX  	Jacketed 
in this subsection shall be construed to require a controller to provide a product 1 
or service that requires the personal data of a consumer that the controller does 2 
not collect or maintain or to prohibit a controller from offering a different price, 3 
rate, level, quality, or selection of goods or services to a consumer, including 4 
offering goods or services for no fee, if the consumer has exercised his or her 5 
right to opt out pursuant to Section 3 of this Act or the offer is related to a 6 
consumer's voluntary participation in a bona fide loyalty, rewards, premium 7 
features, discounts, or club card program. 8 
(13) If a consumer exercises his or her right to opt out pursuant to Section 3 of this 9 
Act, a controller shall not sell or share personal data to a third party as part of a 10 
bona fide loyalty, rewards, premium features, discounts, or club card program in 11 
which the consumer voluntarily participates unless: 12 
(a) The sale or sharing of personal data to third parties is reasonably necessary 13 
to enable the third party to provide a benefit to which the consumer is 14 
entitled as part of such program; 15 
(b) The sale or sharing of personal data to third parties is clearly disclosed in 16 
the program's terms; 17 
(c) The third party uses the personal data only for purposes of facilitating such 18 
a benefit to which the consumer is entitled as part of such program; and 19 
(d) The third party does not retain or use, transfer, or disclose the personal data 20 
for any other purpose. 21 
(14) Except as otherwise provided in Sections 1 to 12 of this Act, a controller shall not 22 
process sensitive data concerning a consumer without obtaining the consumer's 23 
consent pursuant to subsection (7)(a) of this section or, in the case of the 24 
processing of sensitive data of a child, without obtaining consent from the child's 25 
parent or lawful guardian, in accordance with the requirements set forth in the 26 
Children's Online Privacy Protection Act, 15 U.S.C. secs. 6501 et seq. 27  UNOFFICIAL COPY  	22 RS BR 158 
Page 21 of 32 
XXXX  	Jacketed 
(15) Except as otherwise provided in Sections 1 to 12 of this Act, a controller shall not 1 
process the personal data of a child for the purposes of targeted advertising or 2 
tracking. 3 
(16) Except as otherwise provided in Sections 1 to 12 of this Act, a controller shall not 4 
process the personal data of a consumer that is not a child and is younger than 5 
eighteen (18) years old for the purposes of targeted advertising or tracking or the 6 
sale or sharing of personal data without obtaining consent from such consumer 7 
pursuant to subsection (7)(a) of this section. 8 
SECTION 5.   A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:
(1) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under Sections 1 to 12 of this Act. Such assistance shall include:
(a) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to Section 3 of this Act; and
(b) Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732 or any other applicable state and federal law in order to meet the controller's obligations.
(2) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the specific, fixed duration of processing for each type of data to be processed, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:
(a) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
(b) At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
(c) Upon the reasonable request of the controller, make available to the controller information in its possession necessary to demonstrate the processor's compliance with the obligations in this section; and
(d) Engage any subcontractor pursuant to a written contract in accordance with this subsection that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
(3) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.
SECTION 6.   A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:
(1) Nothing in Sections 1 to 12 of this Act shall be construed to require a controller or processor to:
(a) Re-identify de-identified data or pseudonymous data;
(b) Maintain de-identified or pseudonymous data in an identifiable form; or
(c) Collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.
(2) Nothing in Sections 1 to 12 of this Act shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to Section 3 of this Act, if all of the following are true:
(a) The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
(b) The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
(c) The controller does not sell or share the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.
(3) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject.
SECTION 7.   A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:
(1) Nothing in Sections 1 to 12 of this Act shall be construed to restrict a controller's or processor's ability to:
(a) Comply with federal, state, or local laws or regulations;
(b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(c) Cooperate with law-enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
(d) Investigate, establish, exercise, prepare for, or defend legal claims;
(e) Provide a product or service specifically requested by a consumer or a parent or guardian of a child, perform a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent or guardian of a child prior to entering into a contract;
(f) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;
(g) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
(h) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine:
1. If the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
2. The expected benefits of the research outweigh the privacy risks; and
3. If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; or
(i) Assist another controller, processor, or third party with any of the obligations under this subsection.
(2) The obligations imposed on controllers or processors under Sections 1 to 12 of this Act shall not restrict a controller's or processor's ability to collect, use, or retain data to:
(a) Conduct internal research to develop, improve, or repair products, services, or technology;
(b) Effect a product recall;
(c) Identify and repair technical errors that impair existing or intended functionality; or
(d) Perform solely internal operations that are reasonably aligned and compatible with the purposes of processing as disclosed to the consumer and with the expectations of the consumer based on such purposes, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by the consumer or the performance of a contract to which the consumer is a party when those internal operations are performed during, and not following, the consumer's relationship with the controller.
(3) The obligations imposed on controllers or processors under Sections 1 to 12 of this Act shall not apply where compliance by the controller or processor with Sections 1 to 12 of this Act would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in Sections 1 to 12 of this Act shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication.
(4) Nothing in Sections 1 to 12 of this Act shall be construed as an obligation imposed on controllers and processors that:
(a) Adversely affects the privacy or other rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution; or
(b) Applies to personal data by a person in the course of a purely personal or household activity.
(5) Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by Sections 1 to 12 of this Act.
(6) Personal data processed by a controller pursuant to this section may be processed solely to the extent that such processing is:
(a) Reasonably necessary and proportionate to the purposes listed in this section;
(b) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section; and
(c) Insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers.
(7) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section.
(8) Processing personal data for the purposes expressly identified in subsection (1) of this section shall not by itself make an entity a controller with respect to such processing.
(9) Nothing in Sections 1 to 12 of this Act shall require a controller, processor, third party, or consumer to disclose trade secrets.
(10) A controller or processor that discloses personal data to a third party controller or processor, in compliance with the requirements of Sections 1 to 12 of this Act, shall not be in violation of Sections 1 to 12 of this Act if the third party controller or processor that receives and processes such personal data is in violation of Sections 1 to 12 of this Act, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.
(11) A third party controller or processor that receives personal data from a controller or processor, in compliance with the requirements of Sections 1 to 12 of this Act, is not in violation of Sections 1 to 12 of this Act if the controller or processor that discloses such personal data is in violation of Sections 1 to 12 of this Act, provided that, at the time of receiving the personal data, the receiving controller or processor did not have actual knowledge that the disclosing controller or processor intended to commit a violation.
SECTION 8.   A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:
(1) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data:
(a) The processing of personal data for the purposes of targeted advertising or tracking;
(b) The processing of personal data for the purposes of selling or sharing the personal data;
(c) The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
1. Unfair or deceptive treatment of consumers or disparate impact on consumers;
2. Financial, physical, or reputational injury to consumers;
3. A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
4. Any other substantial injury to consumers;
(d) The processing of sensitive data; and
(e) Any processing of personal data that presents a heightened risk of harm to consumers.
(2) Data protection impact assessments conducted under this section shall take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the processing is to occur.
(3) Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow directly and indirectly from the processing of personal data to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.
(4) The Attorney General may request, in writing, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the requested data protection impact assessment available to the Attorney General upon such request. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of Sections 1 to 12 of this Act.
(5) Data protection impact assessments are confidential and exempt from public inspection and copying under KRS 61.870 to KRS 61.884.
(6) The disclosure of a data protection impact assessment pursuant to a request from the Attorney General under subsection (4) of this section does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment, unless otherwise subject to case law regarding the applicability of the attorney-client privilege or work product protections.
(7) Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may fulfill a controller's obligations under this section if they have a similar scope and effect.
SECTION 9.   A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:
(1) Except as provided in Section 10 of this Act, the Attorney General shall have exclusive authority to enforce the provisions of Sections 1 to 12 of this Act.
(2) The Attorney General may enforce Sections 1 to 12 of this Act by bringing an action in the name of the Commonwealth, or on behalf of persons residing in the Commonwealth. The Attorney General may issue a civil investigative demand to any controller or processor believed to be engaged in, or about to engage in, any violation of Sections 1 to 12 of this Act. The provisions of KRS 367.240 shall apply to civil investigative demands issued under this section.
(3) Prior to initiating any action under Sections 1 to 12 of this Act, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of Sections 1 to 12 of this Act the Attorney General, on behalf of a consumer, alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for statutory damages shall be initiated against the controller or processor.
(4) If a controller or processor continues to violate Sections 1 to 12 of this Act in breach of an express written statement provided to the Attorney General under this section, the Attorney General may initiate an action and seek damages for up to seven thousand five hundred dollars ($7,500) for each continued violation under Sections 1 to 12 of this Act.
(5) The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorneys' fees, of any action initiated under Sections 1 to 12 of this Act.
(6) In determining a civil penalty under this section, the court shall consider, as mitigating factors, a controller's or processor's good faith efforts to comply with the requirements of Sections 1 to 12 of this Act and any actions to cure or remedy the violations before an action is filed.
(7) All receipts from the imposition of civil penalties under this section shall be deposited into the consumer privacy fund created in Section 11 of this Act.
SECTION 10.   A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:
(1) Except as provided in subsection (3) of this section, nothing in Sections 1 to 12 of this Act creates an independent cause of action, except for those actions brought by the Attorney General to enforce Sections 1 to 12 of this Act.
(2) Except as provided in subsection (3) of this section, no person, except for the Attorney General, may enforce the rights and protections created by Sections 1 to 12 of this Act in any action. However, nothing in Sections 1 to 12 of this Act shall limit any other independent causes of action enjoyed by any person, including any constitutional, statutory, administrative, or common law rights or causes of action. The rights and protections in Sections 1 to 12 of this Act are not exclusive, and to the extent that a person has the rights and protections in this chapter because of another law other than Sections 1 to 12 of this Act, the person continues to have those rights and protections notwithstanding the existence of Sections 1 to 12 of this Act.
(3) A consumer alleging a violation of Section 3, subsection (11) of Section 4, or subsections (14) to (16) of Section 4 of this Act may bring a civil action in any court of competent jurisdiction. Remedies shall be limited to appropriate injunctive relief. The court shall also award reasonable attorneys' fees and costs to any prevailing plaintiff.
SECTION 11.   A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:
There is hereby created a restricted fund to be known as the consumer privacy fund. The fund shall be administered by the Office of the Attorney General. All civil penalties collected under Section 9 of this Act shall be deposited into the fund. Interest earned on the moneys in the fund shall accrue to the fund. Moneys in the fund shall be used by the Office of the Attorney General to enforce the provisions of Sections 1 to 12 of this Act. Notwithstanding KRS 45.229, any moneys remaining in the fund at the close of the fiscal year shall not lapse but shall be carried forward into the succeeding fiscal year to be used by the Office of the Attorney General for the purposes set forth in Sections 1 to 12 of this Act.
SECTION 12.   A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:
(1) Sections 1 to 12 of this Act are a matter of statewide concern and supersede and preempt all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the processing of personal data by controllers or processors.
(2) Any reference to federal, state, or local law or statute in Sections 1 to 12 of this Act shall be deemed to include any accompanying rules or regulations or exemptions thereto.
Section 13.   KRS 367.240 is amended to read as follows:
(1) When the Attorney General has reason to believe that a person has engaged in, is engaging in, or is about to engage in any act or practice declared to be unlawful by KRS 367.110 to 367.300 or Sections 1 to 12 of this Act, or when he believes it to be in the public interest that an investigation should be made to ascertain whether a person in fact has engaged in, is engaging in or is about to engage in, any act or practice declared to be unlawful by KRS 367.110 to 367.300 or Sections 1 to 12 of this Act, he may execute in writing and cause to be served upon any person who is believed to have information, documentary material or physical evidence relevant to the alleged or suspected violation, an investigative demand requiring such person to furnish, under oath or otherwise, a report in writing setting forth the relevant facts and circumstances of which he has knowledge, or to appear and testify or to produce relevant documentary material or physical evidence for examination, at such reasonable time and place as may be stated in the investigative demand, concerning the advertisement, sale or offering for sale of any goods or services or the conduct of any trade or commerce that is the subject matter of the investigation. Provided however, that no person who has a place of business in Kentucky shall be required to appear or present documentary material or physical evidence outside of the county where he has his principal place of business within the Commonwealth.
(2) At any time before the return date specified in an investigative demand, or within twenty (20) days after the demand has been served, whichever period is shorter, a petition to extend the return date, or to modify or set aside the demand, stating good cause, may be filed in the Circuit Court where the person served with the demand resides or has his principal place of business or in the Franklin Circuit Court.
Section 14.   The provisions of this Act take effect on January 1, 2024.