UNOFFICIAL COPY 25 RS BR 352 Page 1 of 6 XXXX 2/7/2025 9:33 AM Jacketed

AN ACT relating to consumer data privacy.

Be it enacted by the General Assembly of the Commonwealth of Kentucky:

Section 1. KRS 367.3613 (Effective January 1, 2026) is amended to read as follows:

(1) KRS 367.3611 to 367.3629 apply to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year control or process personal data of at least:
(a) One hundred thousand (100,000) consumers; or
(b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

(2) KRS 367.3611 to 367.3629 shall not apply to any:
(a) City, state agency, or any political subdivision of the state;
(b) Financial institutions, their affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et seq.;
(c) Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA;
(d) Nonprofit organization;
(e) Institution of higher education;
(f) Organization that:
1. Does not provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder of the entity; and
2. Is an entity such as those recognized under KRS 304.47-060(1)(e), so long as the entity collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting:
a. Law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts; or
b. First responders in connection with catastrophic events; or
(g) Small telephone utility as defined in KRS 278.516, a Tier III CMRS provider as defined in KRS 65.7621, or a municipally owned utility that does not sell or share personal data with any third-party[ processor].

(3) The following information and data are exempt from KRS 367.3611 to 367.3629:
(a) Protected health information under HIPAA;
(b) Health records;
(c) Patient identifying information for purposes of 42 C.F.R. sec. 2.11;
(d) Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. pts. 50 and 56;[,] or personal data used or shared in research conducted in accordance with the requirements set forth in KRS 367.3611 to 367.3629, or other research conducted in accordance with applicable law;
(e) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. sec. 11101 et seq.;
(f) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. sec. 299b-21 et seq.;
(g) Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
(h) Information originating from, and intermingled to be indistinguishable from, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate, or a program or qualified service organization as defined by 42 C.F.R. sec. 2.11;
(i) Information collected by a health care provider who is a covered entity that maintains protected health information in accordance with HIPAA and related regulations, 45 C.F.R. pts. 160, 162, and 164;
(j) Information included in a limited data set as described in 45 C.F.R. 164.514(e), to the extent the information is used, disclosed, and maintained as specified in 45 C.F.R. sec. 164.514(e);
(k) Information used only for public health activities and purposes as authorized by HIPAA;
(l)[(j)] The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. sec. 1681 et seq.;
(m)[(k)] Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. sec. 2721 et seq.;
(n)[(l)] Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. sec. 1232g et seq.;
(o)[(m)] Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. sec. 2001 et seq.;
(p)[(n)] Data processed or maintained:
1. In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
2. As the emergency contact information of an individual used for emergency contact purposes; or
3. That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph 1. of this paragraph and used for the purposes of administering those benefits;
(q)[(o)] Data processed by a utility, an affiliate of a utility, or a holding company system organized specifically for the purpose of providing goods or services to a utility as defined in KRS 278.010. For purposes of this paragraph, "holding company system" means two (2) or more affiliated persons, one (1) or more of which is a utility; and
(r)[(p)] Personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.

(4) Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent under KRS 367.3611 to 367.3629.

Section 2. KRS 367.3621 (Effective January 1, 2026) is amended to read as follows:

(1) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data:
(a) The processing of personal data for the purposes of targeted advertising;
(b) The processing of personal data for the purposes of selling of personal data;
(c) The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
1. Unfair or deceptive treatment of consumers or unlawful, disparate impact on consumers;
2. Financial, physical, or reputational injury to consumers;
3. A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or
4. Other substantial injury to consumers;
(d) The processing of sensitive data; and
(e) Any processing of personal data that presents a heightened risk of harm to consumers.

(2) Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

(3) The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629.

(4) Data protection impact assessments are confidential and exempt from disclosure, public inspection, and copying under KRS 61.870 to 61.884.

(5) The disclosure of a data protection impact assessment pursuant to a request from the Attorney General under subsection (3) of this section does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.

(6) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(7) Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.

(8) Data protection assessment requirements shall apply to processing activities created or generated on or after June 1, 2026.