UNOFFICIAL COPY 25 RS BR 352
Page 1 of 6
XXXX 2/7/2025 9:33 AM Jacketed
AN ACT relating to consumer data privacy. 1
Be it enacted by the General Assembly of the Commonwealth of Kentucky: 2
Section 1. KRS 367.3613 (Effective January 1, 2026) is amended to read as 3
follows: 4
(1) KRS 367.3611 to 367.3629 apply to persons that conduct business in the 5
Commonwealth or produce products or services that are targeted to residents of the 6
Commonwealth and that during a calendar year control or process personal data of 7
at least: 8
(a) One hundred thousand (100,000) consumers; or 9
(b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) 10
of gross revenue from the sale of personal data. 11
(2) KRS 367.3611 to 367.3629 shall not apply to any: 12
(a) City, state agency, or any political subdivision of the state; 13
(b) Financial institutions, their affiliates, or data subject to Title V of the federal 14
Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et seq.; 15
(c) Covered entity or business associate governed by the privacy, security, and 16
breach notification rules issued by the United States Department of Health 17
and Human Services, 45 C.F.R. pts. 160 and 164 established pursuant to 18
HIPAA; 19
(d) Nonprofit organization; 20
(e) Institution of higher education; 21
(f) Organization that: 22
1. Does not provide net earnings to, or operate in any manner that inures to 23
the benefit of, any officer, employee, or shareholder of the entity; and 24
2. Is an entity such as those recognized under KRS 304.47-060(1)(e), so 25
long as the entity collects, processes, uses, or shares data solely in 26
relation to identifying, investigating, or assisting: 27 UNOFFICIAL COPY 25 RS BR 352
Page 2 of 6
XXXX 2/7/2025 9:33 AM Jacketed
a. Law enforcement agencies in connection with suspected 1
insurance-related criminal or fraudulent acts; or 2
b. First responders in connection with catastrophic events; or 3
(g) Small telephone utility as defined in KRS 278.516, a Tier III CMRS provider 4
as defined in KRS 65.7621, or a municipally owned utility that does not sell 5
or share personal data with any third-party[ processor]. 6
(3) The following information and data are exempt from KRS 367.3611 to 367.3629: 7
(a) Protected health information under HIPAA; 8
(b) Health records; 9
(c) Patient identifying information for purposes of 42 C.F.R. sec. 2.11; 10
(d) Identifiable private information for purposes of the federal policy for the 11
protection of human subjects under 45 C.F.R. pt. 46; identifiable private 12
information that is otherwise information collected as part of human subjects 13
research pursuant to the good clinical practice guidelines issued by the 14
International Council for Harmonisation of Technical Requirements for 15
Pharmaceuticals for Human Use; the protection of human subjects under 21 16
C.F.R. pts. 50 and 56;[,] or personal data used or shared in research conducted 17
in accordance with the requirements set forth in KRS 367.3611 to 367.3629, 18
or other research conducted in accordance with applicable law; 19
(e) Information and documents created for purposes of the federal Health Care 20
Quality Improvement Act of 1986, 42 U.S.C. sec. 11101 et seq.; 21
(f) Patient safety work product for purposes of the federal Patient Safety and 22
Quality Improvement Act, 42 U.S.C. sec. 299b-21 et seq.; 23
(g) Information derived from any of the health care-related information listed in 24
this subsection that is de-identified in accordance with the requirements for 25
de-identification pursuant to HIPAA; 26
(h) Information originating from, and intermingled to be indistinguishable from, 27 UNOFFICIAL COPY 25 RS BR 352
Page 3 of 6
XXXX 2/7/2025 9:33 AM Jacketed
or information treated in the same manner as information exempt under this 1
subsection that is maintained by a covered entity or business associate, or a 2
program or qualified service organization as defined by 42 C.F.R. sec. 2.11; 3
(i) Information collected by a health care provider who is a covered entity that 4
maintains protected health information in accordance with HIPAA and 5
related regulations, 45 C.F.R. pts. 160, 162, and 164; 6
(j) Information included in a limited data set as described in 45 C.F.R. 7
164.514(e), to the extent the information is used, disclosed, and maintained 8
as specified in 45 C.F.R. sec. 164.514(e); 9
(k) Information used only for public health activities and purposes as authorized 10
by HIPAA; 11
(l)[(j)] The collection, maintenance, disclosure, sale, communication, or use of 12
any personal information bearing on a consumer's creditworthiness, credit 13
standing, credit capacity, character, general reputation, personal 14
characteristics, or mode of living by a consumer reporting agency, furnisher, 15
or user that provides information for use in a consumer report, and by a user 16
of a consumer report, but only to the extent that such activity is regulated by 17
and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. sec. 18
1681 et seq.; 19
(m)[(k)] Personal data collected, processed, sold, or disclosed in compliance with 20
the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. sec. 2721 et 21
seq.; 22
(n)[(l)] Personal data regulated by the federal Family Educational Rights and 23
Privacy Act, 20 U.S.C. sec. 1232g et seq.; 24
(o)[(m)] Personal data collected, processed, sold, or disclosed in compliance with 25
the federal Farm Credit Act, 12 U.S.C. sec. 2001 et seq.; 26
(p)[(n)] Data processed or maintained: 27 UNOFFICIAL COPY 25 RS BR 352
Page 4 of 6
XXXX 2/7/2025 9:33 AM Jacketed
1. In the course of an individual applying to, employed by, or acting as an 1
agent or independent contractor of a controller, processor, or third party, 2
to the extent that the data is collected and used within the context of that 3
role; 4
2. As the emergency contact information of an individual used for 5
emergency contact purposes; or 6
3. That is necessary to retain to administer benefits for another individual 7
relating to the individual under subparagraph 1. of this paragraph and 8
used for the purposes of administering those benefits; 9
(q)[(o)] Data processed by a utility, an affiliate of a utility, or a holding company 10
system organized specifically for the purpose of providing goods or services 11
to a utility as defined in KRS 278.010. For purposes of this paragraph, 12
"holding company system" means two (2) or more affiliated persons, one (1) 13
or more of which is a utility; and 14
(r)[(p)] Personal data collected and used for purposes of federal policy under the 15
Combat Methamphetamine Epidemic Act of 2005. 16
(4) Controllers and processors that comply with the verifiable parental consent 17
requirements of the Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 18
et seq., shall be deemed compliant with any obligation to obtain parental consent 19
under KRS 367.3611 to 367.3629. 20
Section 2. KRS 367.3621 (Effective January 1, 2026) is amended to read as 21
follows: 22
(1) Controllers shall conduct and document a data protection impact assessment of each 23
of the following processing activities involving personal data: 24
(a) The processing of personal data for the purposes of targeted advertising; 25
(b) The processing of personal data for the purposes of selling of personal data; 26
(c) The processing of personal data for the purposes of profiling, where the 27 UNOFFICIAL COPY 25 RS BR 352
Page 5 of 6
XXXX 2/7/2025 9:33 AM Jacketed
profiling presents a reasonably foreseeable risk of: 1
1. Unfair or deceptive treatment of consumers or unlawful, disparate 2
impact on consumers; 3
2. Financial, physical, or reputational injury to consumers; 4
3. A physical or other intrusion upon the solitude or seclusion, or the 5
private affairs or concerns, of consumers, where an intrusion would be 6
offensive to a reasonable person; or 7
4. Other substantial injury to consumers; 8
(d) The processing of sensitive data; and 9
(e) Any processing of personal data that presents a heightened risk of harm to 10
consumers. 11
(2) Data protection impact assessments conducted under this section shall identify and 12
weigh the benefits that may flow, directly and indirectly, from the processing to the 13
controller, the consumer, other stakeholders, and the public against the potential 14
risks to the rights of the consumer associated with such processing, as mitigated by 15
safeguards that can be employed by the controller to reduce such risk. The use of 16
de-identified data and the reasonable expectations of consumers, as well as the 17
context of the processing of personal data and the relationship between the 18
controller and the consumer whose personal data will be processed, shall be 19
factored into this assessment by the controller. 20
(3) The Attorney General may request, pursuant to an investigative demand, that a 21
controller disclose any data protection impact assessment that is relevant to an 22
investigation conducted by the Attorney General, and the controller shall make the 23
data protection impact assessment available to the Attorney General. The Attorney 24
General may evaluate the data protection impact assessments for compliance with 25
the requirements of KRS 367.3611 to 367.3629. 26
(4) Data protection impact assessments are confidential and exempt from disclosure, 27 UNOFFICIAL COPY 25 RS BR 352
Page 6 of 6
XXXX 2/7/2025 9:33 AM Jacketed
public inspection, and copying under KRS 61.870 to 61.884. 1
(5) The disclosure of a data protection impact assessment pursuant to a request from 2
the Attorney General under subsection (3) of this section does not constitute a 3
waiver of the attorney-client privilege or work product protection with respect to 4
the assessment and any information contained in the assessment. 5
(6) A single data protection assessment may address a comparable set of processing 6
operations that include similar activities. 7
(7) Data protection assessments conducted by a controller for the purpose of 8
compliance with other laws or regulations may comply under this section if the 9
assessments have a reasonably comparable scope and effect. 10
(8) Data protection assessment requirements shall apply to processing activities created 11
or generated on or after June 1, 2026. 12