Last Action | 03/16/23: returned to Committee on Committees (H) |
---|---|
Title | AN ACT relating to consumer data privacy. |
Bill Documents |
Current/Final
Introduced |
Fiscal Impact Statements |
Local Mandate
Additional Fiscal Impact Statements Exist |
Bill Request Number | 2 |
Sponsors | W. Westerfield, D. Carroll, C. McDaniel, J. Schickel, A. Southworth, L. Tichenor |
Summary of Original Version | Create new sections of KRS Chapter 367 to define terms; set the parameters for applicability of this Act; define various consumer rights related to data collection; require a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumer's data and providing the consumer access to his or her data, deleting his or her personal data, providing a copy of the consumer's data that he or she previously provided in a portable and usable format, opting out of targeted advertising, opting out of tracking, and opting out of the sale or sharing of his or her personal data; require controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right; set forth requirements for persons or entities that control or process personal data; require persons who control data to conduct data protection impact assessments; establish that the Attorney General has exclusive authority to enforce, with the exception of a private right of action by which consumers can seek injunctive relief for specific violations if the data controller or processor received a written notice of violation from the Attorney General and failed to cure the violation within 30 days; create a consumer privacy fund in the State Treasury to be administered by the Office of the Attorney General and direct that all civil penalties collected with regard to enforcement actions be deposited in the fund; set forth that this Act supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, charter county, urban-county government, consolidated local government, unified local government, or local agency regarding the processing of personal data; amend KRS 367.240 to conform; allow the Act to be cited as the Kentucky Consumer Protection Data Act; EFFECTIVE January 1, 2025. |
Index Headings of Original Version |
Data Processing - Personal data protection, consumer data privacy rights; Effective Dates, Delayed - Kentucky Consumer Data Protection Act, effective January 1, 2025; Short Titles and Popular Names - Kentucky Consumer Data Protection Act; Trade Practices and Retailing - Personal data protection, consumer data privacy rights; Consumer Affairs - Personal data protection, consumer data privacy rights; Local Mandate - Personal data protection, prescription drug monitoring programs, exemptions; Local Mandate - Kentucky Consumer Data Protection Act |
Votes | Vote History |
01/03/23 |
|
---|---|
01/05/23 |
|
02/23/23 |
|
02/24/23 |
|
03/02/23 |
|
03/09/23 |
|
03/15/23 |
|
03/16/23 |
|
Amendment | Senate Committee Substitute 1 |
---|---|
Fiscal Impact Statement | Local Mandate to Senate Committee Substitute 1 |
Summary | Retain original provisions; exempt a small telephone utility or a Tier III CMRS provider from the provisions of this Act; exempt information held by a prescription drug monitoring program from the provisions of this Act; limit civil remedies to appropriate injunctive relief solely for the violation of the rights and obligations pursuant to this Act. |
Index Headings |
Data Processing - Personal data protection, prescription drug monitoring programs, exemption; Trade Practices and Retailing - Personal data protection, prescription drug monitoring programs, exemption; Consumer Affairs - Personal data protection, prescription drug monitoring programs, exemption |
Amendment | Senate Floor Amendment 1 |
---|---|
Sponsor | D. Thayer |
Summary | Retain most of the original provisions except this amendment: now defines "decisions that produce legal or similarly significant effects concerning a consumer"; redefines "consent," "de-identified data," "identified or identifiable natural person," "personal data," "profiling," "'sale,' 'sell,' or 'sold,'" "targeted advertising"; removes the definition of "dark pattern," "'sharing,' 'share,' or 'shared,'" and "tracking"; requires the controller to comply with additional consumer requests related to correcting inaccuracies in the consumer's personal data and opting out of profiling; remove a consumer's right to opt out of selling or sharing personal data; remove the consumer's ability to authorize another person to exercise the rights in Section 2 on his or her behalf; change the controller response period from fifteen days to forty-five; require the controller provide a written explanation to the consumer within sixty days of receipt of an appeal instead of thirty days; create a new subsection relating to the controller obtaining personal data from a source other than the consumer and update the controller's compliance requirements with a consumer's request to delete data; prohibit the controller from altering the characteristics of service to the consumer in response to a consumer exercising his or her rights pursuant to Section 3 of this Act; remove requirement for controller to comply with the Office of the Attorney General investigations; remove categories related to personal data shared with third parties; remove prohibition on controllers processing consumer personal data pursuant to one of the conditions; remove the "no longer than necessary" reference to the controller retention of consumer data; remove reference to controller processing data on the basis of consumer characteristics; remove prohibition on controller processing personal data of a child for the purposes of targeting advertising and tracking; require additional requirements for processors assisting a controller; require additional contract requirements between the controller and processor; include additional statutory construction provisions; clarify provision related to data protection assessments; remove the court's option to increase a penalty for a judicial finding of the controller's willful and reckless behavior; clarify that nothing creates an independent cause of action in this Act or any other provision of Kentucky law; effective January 1, 2025. |
Index Headings |
Data Processing - Personal data protection, consumer data privacy rights; Effective Dates, Delayed - Kentucky Consumer Data Protection Act, effective January 1, 2025; Local Mandate - Kentucky Consumer Data Protection Act; Local Mandate - Personal data protection, prescription drug monitoring programs, exemptions; Short Titles and Popular Names - Kentucky Consumer Data Protection Act; Trade Practices and Retailing - Personal data protection, consumer data privacy rights; Consumer Affairs - Personal data protection, consumer data privacy rights |
Amendment | Senate Floor Amendment 2 |
---|---|
Sponsor | D. Thayer |
Summary | Retain most of the original provisions except this amendment: now defines "decisions that produce legal or similarly significant effects concerning a consumer"; redefines "consent," "de-identified data," "identified or identifiable natural person," "personal data," "profiling," "'sale,' 'sell,' or 'sold,'" "targeted advertising"; removes the definition of "dark pattern," "'sharing,' 'share,' or 'shared,'" and "tracking"; requires the controller to comply with additional consumer requests related to correcting inaccuracies in the consumer's personal data and opting out of profiling; remove a consumer's right to opt out of selling or sharing personal data; remove the consumer's ability to authorize another person to exercise the rights in Section 2 on his or her behalf; change the controller response period from fifteen days to forty-five; require the controller provide a written explanation to the consumer within sixty days of receipt of an appeal instead of thirty days; create a new subsection relating to the controller obtaining personal data from a source other than the consumer and update the controller's compliance requirements with a consumer's request to delete data; prohibit the controller from altering the characteristics of service to the consumer in response to a consumer exercising his or her rights pursuant to Section 3 of this Act; remove requirement for controller to comply with the Office of the Attorney General investigations; remove categories related to personal data shared with third parties; remove prohibition on controllers processing consumer personal data pursuant to one of the conditions; remove the "no longer than necessary" reference to the controller retention of consumer data; remove reference to controller processing data on the basis of consumer characteristics; remove prohibition on controller processing personal data of a child for the purposes of targeting advertising and tracking; require additional requirements for processors assisting a controller; require additional contract requirements between the controller and processor; include additional statutory construction provisions; clarify provision related to data protection assessments; remove the court's option to increase a penalty for a judicial finding of the controller's willful and reckless behavior; clarify that nothing creates an independent cause of action in this Act or any other provision of Kentucky law; effective January 1, 2025. |
Index Headings |
Consumer Affairs - Personal data protection, consumer data privacy rights; Data Processing - Personal data protection, consumer data privacy rights; Effective Dates, Delayed - Kentucky Consumer Data Protection Act, effective January 1, 2025; Short Titles and Popular Names - Kentucky Consumer Data Protection Act; Trade Practices and Retailing - Personal data protection, consumer data privacy rights |
Amendment | Senate Floor Amendment 3 |
---|---|
Sponsor | W. Westerfield |
Summary | Amend the state agency exemptions to include agencies that have authority under state or federal law to request or share individualized data; amend exemptions to include municipally owned utilities; amend to require controllers to provide an explanation of how consumer data is used by the controller in their privacy notices; amend one of the conditions when a controller does not need consent if personal data is being processed for one or more specific purposes and processing the consumer's personal data is required to provide a product or service to the consumer; delete a section that required controllers to conduct data protection impact assessments. |
Index Headings |
Trade Practices and Retailing - Personal data protection, consumer data privacy rights; Consumer Affairs - Personal data protection, consumer data privacy rights; Data Processing - Personal data protection, consumer data privacy rights; Public Utilities - Personal data protection, consumer data privacy rights, municipally owned utilities, exemption |
Last updated: 11/9/2023 3:03 PM (EST)