UNOFFICIAL COPY 26 RS BR 1330
Page 1 of 10
XXXX 12/17/2025 11:51 AM Jacketed
AN ACT relating to data privacy.
Be it enacted by the General Assembly of the Commonwealth of Kentucky:
Section 1. KRS 367.3611 (Effective January 1, 2026) is amended to read as
follows:
As used in KRS 367.3611 to 367.3629:
(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common
control with another legal entity or shares common branding with another legal
entity. For the purposes of this definition, "control" or "controlled" means:
(a) Ownership of, or the power to vote, more than fifty percent (50%) of the
outstanding shares of any class of voting security of a company;
(b) Control in any manner over the election of a majority of the directors or of
individuals exercising similar functions; or
(c) The power to exercise controlling influence over the management of a
company;
(2) "Authenticate" means verifying through reasonable means that the consumer
entitled to exercise his or her consumer rights in KRS 367.3615 is the same
consumer exercising such consumer rights with respect to the personal data at issue;
(3) "Automated-decision system":
(a) Means a computational process, including one derived from algorithms,
machine learning, artificial intelligence, statistics, and other data
processing techniques, that processes personal data to make a decision or
facilitate human decision-making regarding surveillance pricing; and
(b) Excludes word processing software, spreadsheet software, map navigation
systems, web hosting, domain registration, networking, caching, website-loading,
data storage, firewalls, anti-virus, anti-malware, spam- and
robocall-filtering, spellchecking, calculators, database, or similar
technologies, provided that these technologies do not make decisions
regarding surveillance pricing;
(4) "Base price" means the lowest price for a specific good or service offered by a
controller to any consumer in Kentucky;
(5) "Biometric data" means data generated by automatic measurements of an
individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas,
irises, or other unique biological patterns or characteristics that are used to identify
a specific individual. Biometric data does not include a physical or digital
photograph, a video or audio recording, or data generated therefrom, unless that
data is generated to identify a specific individual or information collected, used, or
stored for health care treatment, payment, or operations under HIPAA;
(6)[(4)] "Business associate" has the same meaning as established in 45 C.F.R. sec.
160.103 pursuant to HIPAA;
(7)[(5)] "Child" has the same meaning as in 15 U.S.C. sec. 6501;
(8)[(6)] "Consent" means a clear affirmative act signifying a consumer's freely given,
specific, informed, and unambiguous agreement to process personal data relating to
the consumer. Consent may include a written statement, written by electronic
means or any other unambiguous affirmative action;
(9)[(7)] "Consumer" means a natural person who is a resident of the Commonwealth
of Kentucky acting only in an individual context. Consumer does not include a
natural person acting in a commercial or employment context;
(10)[(8)] "Controller" means the natural or legal person that, alone or jointly with
others, determines the purpose and means of processing personal data;
(11)[(9)] "Covered entity" has the same meaning as established in 45 C.F.R. sec.
160.103 pursuant to HIPAA;
(12)[(10)] "Decisions that produce legal or similarly significant effects concerning a
consumer" means a decision made by a controller that results in the provision or
denial by the controller of financial and lending services, housing, insurance,
education enrollment, criminal justice, employment opportunities, health care
services, or access to basic necessities like food and water;
(13)[(11)] "De-identified data" means data that cannot reasonably be linked to an
identified or identifiable natural person or a device linked to a person;
(14)[(12)] "Fund" means the consumer privacy fund established in KRS 367.3629;
(15)[(13)] "Health care provider" means:
(a) Any health facility as defined in KRS 216B.015;
(b) Any person or entity providing health care or health services, including those
licensed, certified, or registered under, or subject to, KRS 194A.700 to
194A.729 or KRS Chapter 310, 311, 311A, 311B, 312, 313, 314, 314A, 315,
319, 319A, 319B, 319C, 320, 327, 333, 334A, or 335;
(c) The current and former employers, officers, directors, administrators, agents,
or employees of those entities listed in paragraphs (a) and (b) of this
subsection; or
(d) Any person acting within the course and scope of his or her office,
employment, or agency relating to a health care provider;
(16)[(14)] "Health record" means a record, other than for financial or billing purposes,
relating to an individual, kept by a health care provider as a result of the
professional relationship established between the health care provider and the
individual;
(17)[(15)] "HIPAA" means the federal Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191;
(18)[(16)] "Identified or identifiable natural person" means a person who can be readily
identified directly or indirectly;
(19) "Individualized data" means personal data collected through electronic
surveillance technology, observation, inference, or tracking of a consumer's
online activity or device characteristics, including but not limited to browsing
history, search history, precise geolocation data, device hardware characteristics,
or operating system;
(20)[(17)] "Institution of higher education" means an educational institution which:
(a) Admits as regular students only individuals having a certificate of graduation
from a high school or the recognized equivalent of such a certificate;
(b) Is legally authorized in this state to provide a program of education beyond
high school;
(c) Provides an educational program for which it awards a bachelor's or higher
degree, or provides a program which is acceptable for full credit toward such
a degree, a program of postgraduate or postdoctoral studies, or a program of
training to prepare students for gainful employment in a recognized
occupation; and
(d) Is a public or other nonprofit institution;
(21)[(18)] "Nonprofit organization" means any incorporated or unincorporated entity
that:
(a) Is operating for religious, charitable, or educational purposes; and
(b) Does not provide net earnings to, or operate in any manner that inures to the
benefit of, any officer, employee, or shareholder of the entity;
(22)[(19)] "Personal data" means any information that is linked or reasonably linkable to
an identified or identifiable natural person. Personal data does not include
de-identified data or publicly available information;
(23)[(20)] "Precise geolocation data" means information derived from technology,
including but not limited to global positioning system level latitude and longitude
coordinates or other mechanisms, that directly identifies the specific location of a
natural person with precision and accuracy within a radius of one thousand seven
hundred fifty (1,750) feet. Precise geolocation data does not include the content of
communications or any data generated by or connected to advanced utility metering
infrastructure systems or equipment for use by a utility;
(24)[(21)] "Process" or "processing" means any operation or set of operations performed,
whether by manual or automated means, on personal data or on sets of personal
data, including but not limited to the collection, use, storage, disclosure, analysis,
deletion, or modification of personal data;
(25)[(22)] "Processor" means a natural or legal entity that processes personal data on
behalf of a controller;
(26)[(23)] "Profiling" means any form of automated processing performed on personal
data to evaluate, analyze, or predict personal aspects related to an identified or
identifiable natural person's economic situation, health, personal preferences,
interests, reliability, behavior, location, or movements;
(27)[(24)] "Protected health information" means the same as established in 45 C.F.R.
sec. 160.103 pursuant to HIPAA;
(28)[(25)] "Pseudonymous data" means personal data that cannot be attributed to a
specific natural person without the use of additional information, provided that the
additional information is kept separately and is subject to appropriate technical and
organizational measures to ensure that the personal data is not attributed to an
identified or identifiable natural person;
(29)[(26)] "Publicly available information" means information that is lawfully made
available through federal, state, or local government records, or information that a
business has a reasonable basis to believe is lawfully made available to the general
public through widely distributed media, by the consumer, or by a person to whom
the consumer has disclosed the information, unless the consumer has restricted the
information to a specific audience;
(30)[(27)] "Sale of personal data" means the exchange of personal data for monetary
consideration by the controller to a third party. Sale of personal data does not
include:
(a) The disclosure of personal data to a processor that processes the personal data
on behalf of the controller;
(b) The disclosure of personal data to a third party for purposes of providing a
product or service requested by the consumer;
(c) The disclosure or transfer of personal data to an affiliate of the controller;
(d) The disclosure of information that the consumer:
1. Intentionally made available to the general public via a channel of mass
media; and
2. Did not restrict to a specific audience; or
(e) The disclosure or transfer of personal data to a third party as an asset that is
part of a proposed or actual merger, acquisition, bankruptcy, or other
transaction in which the third party assumes control of all or part of the
controller's assets;
(31)[(28)] "Sensitive data" means a category of personal data that includes:
(a) Personal data indicating racial or ethnic origin, religious beliefs, mental or
physical health diagnosis, sexual orientation, or citizenship or immigration
status;
(b) The processing of genetic or biometric data that is processed for the purpose
of uniquely identifying a specific natural person;
(c) The personal data collected from a known child; or
(d) Precise geolocation data;
(32)[(29)] "State agency" means all departments, offices, commissions, boards,
institutions, and political and corporate bodies of the state, including the offices of
the clerk of the Supreme Court, clerks of the appellate courts, the several courts of
the state, and the legislature, its committees, or commissions;
(33) "Surveillance pricing":
(a) Means offering or setting a customized price increase for a good or service
for a specific consumer or group of consumers, based in whole or in part,
on individualized data collected through electronic surveillance technology;
and
(b) Includes the use of technological methods, systems, or tools including, but
not limited to sensors, cameras, device tracking, biometric monitoring, or
other forms of observation or data collection that are capable of gathering
personally identifiable information about a consumer's behavior,
characteristics, location, or other personal attributes, whether in physical or
digital environments;
(34)[(30)] "Targeted advertising" means displaying advertisements to a consumer where
the advertisement is selected based on personal data obtained or inferred from that
consumer's activities over time and across nonaffiliated websites or online
applications to predict that consumer's preferences or interests. "Targeted
advertising" does not include:
(a) Advertisements based on activities within a controller's own or affiliated
websites or online applications;
(b) Advertisements based on the context of a consumer's current search query,
visit to a website, or online application;
(c) Advertisements directed to a consumer in response to the consumer's request
for information or feedback; or
(d) Processing personal data solely for measuring or reporting advertising
performance, reach, or frequency;
(35)[(31)] "Third party" means a natural or legal person, public authority, agency, or
body other than the consumer, controller, processor, or an affiliate of the processor
or the controller; and
(36)[(32)] "Trade secret" has the same meaning as in KRS 365.880.
Section 2. KRS 367.3617 (Effective January 1, 2026) is amended to read as
follows:
(1) A controller shall:
(a) Limit the collection of personal data to what is adequate, relevant, and
reasonably necessary in relation to the purposes for which the data is
processed as disclosed to the consumer;
(b) Except as otherwise provided in this section, not process personal data for
purposes that are neither reasonably necessary to nor compatible with the
disclosed purposes for which the personal data is processed as disclosed to the
consumer, unless the controller obtains the consumer's consent;
(c) Establish, implement, and maintain reasonable administrative, technical, and
physical data security practices to protect the confidentiality, integrity, and
accessibility of personal data. The data security practices shall be appropriate
to the volume and nature of the personal data at issue;
(d) Not process personal data in violation of state and federal laws that prohibit
unlawful discrimination against consumers. A controller shall not discriminate
against a consumer for exercising any of the consumer rights contained in
KRS 367.3615, including denying goods or services, charging different prices
or rates for goods or services, or providing a different level of quality of
goods and services to the consumer. However, nothing in this paragraph shall
be construed to require a controller to provide a product or service that
requires the personal data of a consumer that the controller does not collect or
maintain, or to prohibit a controller from offering a different price, rate, level,
quality, or selection of goods or services to a consumer, including offering
goods or services for no fee, if the offer is related to a consumer's voluntary
participation in a bona fide loyalty, rewards, premium features, discounts, or
club card program;[ and]
(e) Not process sensitive data concerning a consumer without obtaining the
consumer's consent, or, in the case of the processing of sensitive data
collected from a known child, process the data in accordance with the federal
Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq.; and
(f) Not engage in surveillance pricing, or offer, set, or display a price for a
purchasable good or service to a consumer using an automated-decision
system that is based, in whole or in part, on individualized data. The base
price for all purchasable goods and services shall be the same for all
prospective consumers regardless of their individualized data. However, this
paragraph shall not be construed to prohibit any of the following:
1. An adjustment of the base price based on a real-time,
non-individualized factor, such as current market demand, inventory
levels, competitor pricing, or time-of-day, provided that the adjusted
price is applied uniformly to all consumers seeking the good or service
at that time and in that region, regardless of the consumer's
individualized data;
2. An offer of a different price, rate, level, or quality of goods or services
to a consumer who is a bona fide participant in a voluntary loyalty,
rewards, premium features, discounts, or club card program where the
difference is clearly disclosed and does not rely on individualized data
beyond what is necessary for program operation; or
3. Price differences based solely on legitimate, verifiable costs, such as
shipping costs to different geographical zones or costs related to the
method of service delivery.
(2) Any provision of a contract or agreement of any kind that purports to waive or limit
in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to
public policy and shall be void and unenforceable.
(3) Controllers shall provide consumers with a reasonably accessible, clear, and
meaningful privacy notice that includes:
(a) The categories of personal data processed by the controller;
(b) The purpose for processing personal data;
(c) How consumers may exercise their consumer rights pursuant to KRS
367.3615, including how a consumer may appeal a controller's decision with
regard to the consumer's request;
(d) The categories of personal data that the controller shares with third parties, if
any; and
(e) The categories of third parties, if any, with whom the controller shares
personal data.
(4) If a controller sells personal data to third parties or processes personal data for
targeted advertising, the controller shall clearly and conspicuously disclose such
activity, as well as the manner in which a consumer may exercise the right to opt
out of processing.
(5) A controller shall establish, and shall describe in a privacy notice, one (1) or more
secure and reliable means for consumers to submit a request to exercise their
consumer rights under KRS 367.3615. The different ways to submit a request by a
consumer shall take into account the ways in which consumers normally interact
with the controller, the need for secure and reliable communication of such
requests, and the ability of the controller to authenticate the identity of the
consumer making the request. Controllers shall not require a consumer to create a
new account in order to exercise consumer rights pursuant to KRS 367.3615 but
may require a consumer to use an existing account.
Section 3. This Act may be cited as the Kentucky Price Fairness Act.