Senate Bill 15

Actions | Amendments
Last Action 03/16/23: returned to Committee on Committees (H)
Title AN ACT relating to consumer data privacy.
Bill Documents Current/Final
Introduced
Fiscal Impact Statements Local Mandate
Additional Fiscal Impact Statements Exist
Bill Request Number 2
Sponsors W. Westerfield, D. Carroll, C. McDaniel, J. Schickel, A. Southworth, L. Tichenor
Summary of Original Version Create new sections of KRS Chapter 367 to define terms; set the parameters for applicability of this Act; define various consumer rights related to data collection; require a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumer's data and providing the consumer access to his or her data, deleting his or her personal data, providing a copy of the consumer's data that he or she previously provided in a portable and usable format, opting out of targeted advertising, opting out of tracking, and opting out of the sale or sharing of his or her personal data; require controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right; set forth requirements for persons or entities that control or process personal data; require persons who control data to conduct data protection impact assessments; establish that the Attorney General has exclusive authority to enforce, with the exception of a private right of action by which consumers can seek injunctive relief for specific violations if the data controller or processor received an written notice of violation from the Attorney General and failed to cure the violation within 30 days; create a consumer privacy fund in the State Treasury to be administered by the Office of the Attorney General and direct that all civil penalties collected with regard to enforcement actions be deposited in the fund; set forth that this Act supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, charter county, urban-county government, consolidated local government, unified local government, or local agency regarding the processing of personal data; amend KRS 367.240 to conform; allow the Act to be cited as the Kentucky Consumer Protection Data Act; EFFECTIVE January 1, 2025.
Index Headings of Original Version Data Processing - Personal data protection, consumer data privacy rights
Effective Dates, Delayed - Kentucky Consumer Data Protection Act, effective January 1, 2025
Short Titles and Popular Names - Kentucky Consumer Data Protection Act
Trade Practices and Retailing - Personal data protection, consumer data privacy rights
Consumer Affairs - Personal data protection, consumer data privacy rights
Local Mandate - Personal data protection, prescription drug monitoring programs, exemptions
Local Mandate - Kentucky Consumer Data Protection Act
Jump to Proposed Amendments Senate Committee Substitute 1 with Fiscal Impact Statements
Senate Floor Amendment 1
Senate Floor Amendment 2
Senate Floor Amendment 3
Votes Vote History

Actions

Top | Amendments
01/03/23
  • introduced in Senate
  • to Committee on Committees (S)
01/05/23
  • to Economic Development, Tourism, & Labor (S)
02/23/23
  • reported favorably, 1st reading, to Calendar with Committee Substitute (1)
02/24/23
  • 2nd reading, to Rules
03/02/23
  • floor amendment (1) filed to Committee Substitute, floor amendment (2) filed to bill
03/09/23
  • floor amendment (3) filed to Committee Substitute
03/15/23
  • posted for passage in the Regular Orders of the Day for Wednesday, March 15, 2023
  • 3rd reading
  • floor amendments (1) and (2) withdrawn
  • passed 32 -2 with Committee Substitute (1) and Floor Amendment (3)
  • received in House
  • to Committee on Committees (H)
03/16/23
  • taken from Committee on Committees (H)
  • 1st reading
  • returned to Committee on Committees (H)

Proposed Amendments

Top | Actions
Amendment Senate Committee Substitute 1
Fiscal Impact Statement Local Mandate to Senate Committee Substitute 1
Summary Retain original provisions; exempt a small telephone utility or a Tier III CMRS provider from the provisions of this Act; exempt information held by a prescription drug monitoring program from the provisions of this Act; limit civil remedies to appropriate injunctive relief solely for the violation of the rights and obligations pursuant to this Act.
Index Headings Data Processing - Personal data protection, prescription drug monitoring programs, exemption
Trade Practices and Retailing - Personal data protection, prescription drug monitoring programs, exemption
Consumer Affairs - Personal data protection, prescription drug monitoring programs, exemption

Amendment Senate Floor Amendment 1
Sponsor D. Thayer
Summary Retain most of the original provisions except this amendment: now defines "decisions that produce legal or similarly significant effects concerning a consumer,"; redefines "consent," "de-identified data," "identified or identifiable natural person," "personal data," "profiling," ""sale," "sell," or "sold"," "targeted advertising"; removes the definition of "dark pattern," ""sharing," "share," or "shared"," and "tracking,"; requires the controller to comply with additional consumer requests related to correcting inaccuracies in the consumer's personal data and opting out of profiling; remove a consumer's right to opt out of selling or sharing personal data; remove the consumer's ability to authorize another person to exercise the rights in Section 2 on his or her behalf; change the controller response period from fifteen days to forty-five; require the controller provide a written explanation to the consumer within sixty days of receipt of an appeal instead of thirty days; create a new subsection relating to the controller obtaining personal data from a source other than the consumer and update the controller's compliance requirements with a consumer's request to delete data; prohibit the controller from altering the characteristics of service to the consumer in response to a consumer exercising his or her rights pursuant to Section 3 of this Act; remove requirement for controller to comply with the Office of the Attorney General investigations; remove categories related to personal data shared with third parties; remove prohibition on controllers processing consumer personal data pursuant to one of the conditions; remove the "no longer than necessary" reference to the controller retention of consumer data; remove reference to controller processing data on the basis of consumer characteristics; remove prohibition on controller processing personal data of a child for the purposes of targeting advertising and tracking; require an additional requirements for processors assisting a controller; require additional contract requirements between the controller and processor; include additional statutory construction provisions; clarify provision related to data protection assessments; remove the court's option to increase a penalty for a judicial finding of the controller's willful and reckless behavior; clarify that nothing creates an independent cause of action in this Act or any other provision of Kentucky law; effective January 1, 2025.
Index Headings Data Processing - Personal data protection, consumer data privacy rights
Effective Dates, Delayed - Kentucky Consumer Data Protection Act, effective January 1, 2025
Local Mandate - Kentucky Consumer Data Protection Act
Local Mandate - Personal data protection, prescription drug monitoring programs, exemptions
Short Titles and Popular Names - Kentucky Consumer Data Protection Act
Trade Practices and Retailing - Personal data protection, consumer data privacy rights
Consumer Affairs - Personal data protection, consumer data privacy rights

Amendment Senate Floor Amendment 2
Sponsor D. Thayer
Summary Retain most of the original provisions except this amendment: now defines "decisions that produce legal or similarly significant effects concerning a consumer"; redefines "consent," "de-identified data," "identified or identifiable natural person," "personal data," "profiling," "sale," "sell," or "sold"," "targeted advertising"; removes the definition of "dark pattern," "sharing," "share," or "shared"," and "tracking,"; requires the controller to comply with additional consumer requests related to correcting inaccuracies in the consumer's personal data and opting out of profiling; remove a consumer's right to opt out of selling or sharing personal data; remove the consumer's ability to authorize another person to exercise the rights in Section 2 on his or her behalf; change the controller response period from fifteen days to forty-five; require the controller provide a written explanation to the consumer within sixty days of receipt of an appeal instead of thirty days; create a new subsection relating to the controller obtaining personal data from a source other than the consumer and update the controller's compliance requirements with a consumer's request to delete data; prohibit the controller from altering the characteristics of service to the consumer in response to a consumer exercising his or her rights pursuant to Section 3 of this Act; remove requirement for controller to comply with the Office of the Attorney General investigations; remove categories related to personal data shared with third parties; remove prohibition on controllers processing consumer personal data pursuant to one of the conditions; remove the "no longer than necessary" reference to the controller retention of consumer data; remove reference to controller processing data on the basis of consumer characteristics; remove prohibition on controller processing personal data of a child for the purposes of targeting advertising and tracking; require additional requirements for processors assisting a controller; require additional contract requirements between the controller and processor; include additional statutory construction provisions; clarify provision related to data protection assessments; remove the court's option to increase a penalty for a judicial finding of the controller's willful and reckless behavior; clarify that nothing creates an independent cause of action in this Act or any other provision of Kentucky law; effective January 1, 2025.
Index Headings Consumer Affairs - Personal date protection, consumer data privacy rights
Data Processing - Personal date protection, consumer data privacy rights
Effective Dates, Delayed - Kentucky Consumer Data Protection Act, effective January 1, 2025
Short Titles and Popular Names - Kentucky Consumer Data Protection Act
Trade Practices and Retailing - Personal data protection, consumer data privacy rights

Amendment Senate Floor Amendment 3
Sponsor W. Westerfield
Summary Amend the state agency exemptions to include agencies that have authority under state or federal law to request or share individualized data; amend exemptions to include a municipally owned utilities; amend to require controllers to provide an explanation of how consumer data is used by the controller in their privacy notices; amend one of the conditions when a controller does not need consent if personal data is being processed for one or more specific purposes and processing the consumer's personal data is required to provide a product or service to the consumer; delete a section that required controllers to conduct data protection impact assessments.
Index Headings Trade Practices and Retailing - Personal data protection, consumer data privacy rights
Consumer Affairs - Personal data protection, consumer data privacy rights
Data Processing - Personal data protection, consumer data privacy rights
Public Utilities - Personal data protection, consumer data privacy rights, municipally owned utilities, exemption

Last updated: 11/9/2023 3:03 PM (EST)