UNOFFICIAL COPY 24 RS BR 1454 Page 1 of 8 XXXX 1/5/2024 11:35 AM Jacketed

AN ACT relating to biometric data.

Be it enacted by the General Assembly of the Commonwealth of Kentucky:

SECTION 1. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

As used in Sections 1 to 5 of this Act, unless the context requires otherwise:

(1) "Biometric identifier" means the data of an individual generated by measurements of an individual's unique biological characteristics such as faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to uniquely identify the individual. "Biometric identifier" does not include:
    (a) A writing sample of a written signature;
    (b) A photograph or video, except "biometric identifier" includes data generated, captured, or collected from the biological characteristics of a person depicted in a photograph or video;
    (c) A human biological sample used for valid scientific testing or screening;
    (d) Demographic data;
    (e) A physical description, including height, weight, hair color, eye color, or a tattoo description;
    (f) Any donated portion of a human body stored on behalf of a recipient or a potential recipient of a living cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, and any other fluid or serum;
    (g) Information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996;
    (h) Any image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition, or to further validate scientific testing or screening, including an X-ray, roentgen process, computed tomography, magnetic resonance imaging image, positron emission tomography scan, and mammography; or
    (i) Information collected, used, or disclosed for human subject research that is conducted in accordance with the federal policy for the protection of human subjects, 45 C.F.R. pt. 46, or other similar research ethics laws, or with the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;

(2) "Private entity" means any individual acting in a commercial context, partnership, corporation, limited liability company, association, or other group however organized. A private entity does not include a state or local government agency or entity;

(3) "Verified request" means a request that is made by a person or by an individual authorized to act as that person's representative and that the private entity can verify, using commercially reasonable methods, to be the person whose biometric identifier the private entity collected; and

(4) "Written release" means informed written consent, including written consent provided by electronic means. A valid written release may not be secured through a general release or user agreement. In the context of employment, a written release:
    (a) Shall only be used to secure consent to collect and use biometric identifiers for the purposes of:
        1. Permitting access to secure physical locations and to secure electronic hardware and software applications without retaining data that allows for employee location tracking or the tracking of how long an employee spends using a hardware or software application; or
        2. Recording the commencement and conclusion of an employee's full work day and meal or rest breaks in excess of thirty (30) minutes; and
    (b) May be secured in the form of a written release executed by an employee as a condition of employment.

SECTION 2. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

(1) A private entity in possession of biometric identifiers shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying a biometric identifier of an individual according to whichever of the following conditions occurs first:
    (a) The date on which the initial purpose for collecting or obtaining the biometric identifier has been fully satisfied;
    (b) One (1) year after the individual's last interaction with the private entity; or
    (c) Thirty (30) days after receiving a verified request to delete the biometric identifiers submitted by the individual or the individual's representative.

(2) A private entity in possession of biometric identifiers shall comply with its own published retention schedule and destruction guidelines, except as provided in Section 5 of this Act.

(3) A private entity may withhold from publication a written policy that:
    (a) Applies exclusively to employees of that private entity; and
    (b) Is used solely within the private entity for operation of the private entity.

(4) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a person's biometric identifier, unless it first:
    (a) Informs the subject or the subject's legally authorized representative in writing:
        1. That a biometric identifier is being collected or stored; and
        2. Of the specific purpose and length of term for which a biometric identifier is being collected, stored, and used; and
    (b) Receives a written release executed by the subject of the biometric identifier or the subject's legally authorized representative.

(5) A private entity that collects a person's biometric identifier shall not:
    (a) Sell, lease, or trade the biometric identifier; or
    (b) Permit any entity to which a biometric identifier is transferred, shared, or provided to sell, lease, or trade that biometric identifier.

(6) A private entity that collects a biometric identifier shall not disclose, redisclose, or otherwise disseminate a person's biometric identifier unless the:
    (a) Subject of the biometric identifier or the subject's legally authorized representative executes a written release consenting to the specific disclosure or redisclosure;
    (b) Disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the subject's legally authorized representative;
    (c) Disclosure or redisclosure is required by state or federal law or municipal ordinance; or
    (d) Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction or a compulsory request or demand issued by a state agency in an investigation of a violation of Sections 1 to 5 of this Act.

(7) A private entity shall not:
    (a) Condition the provision of a good or service on the collection, use, disclosure, transfer, sale, retention, or processing of biometric identifiers unless the biometric identifiers are strictly necessary to provide the good or service; or
    (b) Charge different prices or rates for goods or services or provide a different level of quality of a good or service to any individual who exercises the individual's rights under this section.

(8) A private entity in possession of a biometric identifier shall store, transmit, and protect from disclosure all biometric identifiers:
    (a) Using the reasonable standard of care within the private entity's industry; and
    (b) In a manner that is equal to or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

SECTION 3. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

(1) At the request of an individual or an individual's legally authorized representative, a private entity that collects biometric identifiers shall disclose to the individual, free of charge, the individual's biometric identifier it collected and information related to its use, including the:
    (a) Precise type of biometric identifiers that were collected or used;
    (b) Specific sources from which the private entity collected or captured the biometric identifiers;
    (c) Specific purpose for which the private entity used the biometric identifiers and personal information;
    (d) Identities of third parties with whom the private entity shares the biometric identifiers and the purposes for sharing; and
    (e) Specific biometric identifiers that the business discloses to third parties.

(2) Subsection (1) of this section shall apply exclusively to:
    (a) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that:
        1. Does business in Kentucky;
        2. Is organized or operated for the financial benefit of its shareholders or other owners;
        3. Collects consumers' biometric identifiers or has such identifiers collected on its behalf; and
        4. Had annual gross revenues in excess of ten million dollars ($10,000,000) in the preceding calendar year;
    (b) 1. Any entity that controls or is controlled by a business, as identified in paragraph (a) of this subsection, and that shares common branding with the business and with whom the business shares consumers' personal information.
        2. As used in this paragraph:
            a. "Control" or "controlled" means:
                i. Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares or any class of voting security of a business;
                ii. Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
                iii. Power to exercise a controlling influence over the management of a company; and
            b. "Common branding" means a shared name, service mark, or trademark such that the average consumer would understand that two (2) or more entities are commonly owned; and
    (c) A joint venture or partnership composed of businesses in which each business has at least a forty percent (40%) interest. For purposes of Sections 1 to 5 of this Act, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.

SECTION 4. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

(1) An individual who sustains damages by any violation of Sections 1 to 5 of this Act shall have a civil cause of action in Circuit Court to enjoin further violations and to recover actual damages, including punitive damages, together with the costs of the action and reasonable attorney's fees.

(2) The Attorney General may bring an action against a private entity who violates any provisions of Sections 1 to 5 of this Act, and shall be entitled to seek any forms of relief and remedies available to private plaintiffs, including the collection of damages as a civil penalty.

SECTION 5. A NEW SECTION OF KRS CHAPTER 367 IS CREATED TO READ AS FOLLOWS:

Nothing in Sections 1 to 5 of this Act shall be construed to:

(1) Impact the admission or discovery of biometric identifiers of any kind in any court, or before any tribunal, board, or agency;

(2) Conflict with the Health Insurance Portability and Accountability Act of 1996 and the administrative regulations promulgated thereunder;

(3) Apply to information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act of 1999 and the administrative regulations promulgated thereunder; or

(4) Apply to a contractor, subcontractor, or agent of a Kentucky public agency or unit of local government working for a public agency, except when the biometric identifier collection, retention, and use is in direct service of the purpose for which the Kentucky public agency or local unit of government retained the services of the contractor, subcontractor, or agent.

Section 6. This Act may be cited as the Biometric Identifiers Privacy Act.