UNOFFICIAL COPY 26 RS BR 356
Page 1 of 20
XXXX 2/11/2026 7:44 PM Jacketed
AN ACT relating to data privacy.
Be it enacted by the General Assembly of the Commonwealth of Kentucky:
Section 1. KRS 367.3611 is amended to read as follows:
As used in KRS 367.3611 to 367.3629:
(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common
control with another legal entity or shares common branding with another legal
entity. As used in this subsection [For the purposes of this definition], "control" or
"controlled" means:
(a) Ownership of, or the power to vote, more than fifty percent (50%) of the
outstanding shares of any class of voting security of a company;
(b) Control in any manner over the election of a majority of the directors or of
individuals exercising similar functions; or
(c) The power to exercise controlling influence over the management of a
company;
(2) "Algorithmic feed" means a media display system of an online service, product,
or feature that delivers a stream or list of media using automated rules to select,
order, rank, or prioritize the media based on a user's personal data;
(3) "Algorithmic recommendation system":
(a) Means a computational process used to select, order, rank, or prioritize
media provided to a user through an online service, product, or feature,
including but not limited to search results, ranking, recommendations,
display, or any other method of automated selection; and
(b) Does not include a computational process that:
1. Enables users to find other specific users on a covered business's
service, such as by entering individual information as a search query
or uploading a list of contacts; or
2. Returns media responsive to a user's search query, provided the
system does not:
a. Process other personal data of the user to determine the
selection, order, rank, or priority of the media; or
b. Associate the search query with the user after the search results
are returned;
(4) "Authenticate" means verifying through reasonable means that the consumer
entitled to exercise his or her consumer rights in KRS 367.3615 is the same
consumer exercising such consumer rights with respect to the personal data at issue;
(5)[(3)] "Biometric data":
(a) Means data generated by automatic measurements of an individual's
biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises,
or other unique biological patterns or characteristics that are used to identify a
specific individual; and[.]
(b) [Biometric data ]Does not include a physical or digital photograph, a video or
audio recording, or data generated therefrom, unless that data is generated to
identify a specific individual or information collected, used, or stored for
health care treatment, payment, or operations under HIPAA;
(6)[(4)] "Business associate" has the same meaning as established in 45 C.F.R. sec.
160.103 pursuant to HIPAA;
(7)[(5)] "Child" means an individual under the age of thirteen (13) years [has the
same meaning as in 15 U.S.C. sec. 6501];
(8)[(6)] "Consent":
(a) Means a clear affirmative act signifying a consumer's freely given, specific,
informed, and unambiguous agreement to process personal data relating to the
consumer; and[.]
(b) [Consent ]May include a written statement, written by electronic means or any
other unambiguous affirmative action;
(9)[(7)] "Consumer":
(a) Means a natural person who is a resident of the Commonwealth of Kentucky
acting only in an individual context; and[.]
(b) [Consumer ]Does not include a natural person acting in a commercial or
employment context;
(10)[(8)] "Controller" means the natural or legal person that, alone or jointly with
others, determines the purpose and means of processing personal data;
(11) "Covered design feature" means any feature that:
(a) Continuously loads new media in an algorithmic feed seamlessly and absent
a specific request from the user in an infinite scroll feed;
(b) Uses intermittent, variable reward schedules; or
(c) Automatically plays a video, unless the video is the next in a series and user
expressly and unambiguously chose to play a prior video in the series;
(12)[(9)] "Covered entity" has the same meaning as established in 45 C.F.R. sec.
160.103 pursuant to HIPAA;
(13) "Covered minor" means a user that a covered online service knows or should
have known, based on objective knowledge or circumstances, to be a minor;
(14) "Covered online service" means a person that owns, operates, controls, or
provides an online service that:
(a) Conducts business in this state;
(b) Alone, or jointly with its affiliates, subsidiaries, or parent companies,
determines the purposes and means of processing of consumers' personal
data; and
(c) Annually processes, buys, receives, sells, or shares the personal data of one
hundred thousand (100,000) or more consumers, or derives at least fifty
percent (50%) of its annual gross revenue from the sale or sharing of
personal data;
(15) "Dark pattern":
(a) Means a user interface designed or manipulated with the effect of
substantially subverting or impairing user autonomy, decision making, or
choice; and
(b) Includes any practice determined to be an unfair or deceptive act or practice
by the Federal Trade Commission under 15 U.S.C. sec. 45, as of January 1,
2024;
(16)[(10)] "Decisions that produce legal or similarly significant effects concerning a
consumer" means a decision made by a controller that results in the provision or
denial by the controller of financial and lending services, housing, insurance,
education enrollment, criminal justice, employment opportunities, health care
services, or access to basic necessities like food and water;
(17) "Default" means a preselected option adopted by the covered business for an
online service, product, or feature;
(18)[(11)] "De-identified data" means data that cannot reasonably be linked to an
identified or identifiable natural person or a device linked to a person;
(19)[(12)] "Fund" means the consumer privacy fund established in KRS 367.3629;
(20)[(13)] "Health care provider" means:
(a) Any health facility as defined in KRS 216B.015;
(b) Any person or entity providing health care or health services, including those
licensed, certified, or registered under, or subject to, KRS 194A.700 to
194A.729 or KRS Chapter 310, 311, 311A, 311B, 312, 313, 314, 314A, 315,
319, 319A, 319B, 319C, 320, 327, 333, 334A, or 335;
(c) The current and former employers, officers, directors, administrators, agents,
or employees of those entities listed in paragraphs (a) and (b) of this
subsection; or
(d) Any person acting within the course and scope of his or her office,
employment, or agency relating to a health care provider;
(21)[(14)] "Health record" means a record, other than for financial or billing purposes,
relating to an individual, kept by a health care provider as a result of the
professional relationship established between the health care provider and the
individual;
(22)[(15)] "HIPAA" means the federal Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191;
(23)[(16)] "Identified or identifiable natural person" means a person who can be readily
identified directly or indirectly;
(24)[(17)] "Institution of higher education" means an educational institution which:
(a) Admits as regular students only individuals having a certificate of graduation
from a high school or the recognized equivalent of such a certificate;
(b) Is legally authorized in this state to provide a program of education beyond
high school;
(c) Provides an educational program for which it awards a bachelor's or higher
degree, or provides a program which is acceptable for full credit toward such
a degree, a program of postgraduate or postdoctoral studies, or a program of
training to prepare students for gainful employment in a recognized
occupation; and
(d) Is a public or other nonprofit institution;
(25) (a) "Knows to be a child" or "knows to be a minor" means having actual
knowledge that a user is a child or minor, as applicable.
(b) As used in this subsection, "actual knowledge" means all information and
inferences known to a covered online service relating to the age of an
individual, including but not limited to self-identified age and any age the
covered online service has attributed to or associated with the individual for
any purpose, including marketing, advertising, or product development. If a
covered online service's classification of an individual for purposes of
marketing or advertising is inconsistent with the individual's self-identified
age, a covered online service shall disregard self-identified age for purposes
of KRS 367.3611 to 367.3629;
(26) "Media" means text, an image, a video, or an audio recording;
(27) "Minor" means an individual under the age of eighteen (18) years;
(28)[(18)] "Nonprofit organization" means any incorporated or unincorporated entity
that:
(a) Is operating for religious, charitable, or educational purposes; and
(b) Does not provide net earnings to, or operate in any manner that inures to the
benefit of, any officer, employee, or shareholder of the entity;
(29) "Online service":
(a) Means any service, product, or feature that is accessible to the public via the
internet, including a website or application; and
(b) Does not include:
1. A telecommunications service as defined in 47 U.S.C. sec. 153;
2. A broadband internet access service as defined in 47 C.F.R. sec. 8.1;
or
3. The sale, delivery, or use of a physical device;
(30) "Parent" includes legal guardian;
(31)[(19)] "Personal data":
(a) Means any information that is linked or reasonably linkable to an identified or
identifiable natural person; and[.]
(b) [Personal data ]Does not include de-identified data or publicly available
information;
(32)[(20)] "Precise geolocation data":
(a) Means information derived from technology, including but not limited to
global positioning system level latitude and longitude coordinates or other
mechanisms, that directly identifies the specific location of a natural person
with precision and accuracy within a radius of one thousand seven hundred
fifty (1,750) feet; and[.]
(b) [Precise geolocation data ]Does not include the content of communications or
any data generated by or connected to advanced utility metering infrastructure
systems or equipment for use by a utility;
(33)[(21)] "Process" or "processing" means any operation or set of operations performed,
whether by manual or automated means, on personal data or on sets of personal
data, including but not limited to the collection, use, storage, disclosure, analysis,
deletion, or modification of personal data;
(34)[(22)] "Processor" means a natural or legal entity that processes personal data on
behalf of a controller;
(35)[(23)] "Profiling" means any form of automated processing performed on personal
data to evaluate, analyze, or predict personal aspects related to an identified or
identifiable natural person's economic situation, health, personal preferences,
interests, reliability, behavior, location, or movements;
(36)[(24)] "Protected health information" has the same meaning [means the same] as
established in 45 C.F.R. sec. 160.103 pursuant to HIPAA;
(37)[(25)] "Pseudonymous data" means personal data that cannot be attributed to a
specific natural person without the use of additional information, provided that the
additional information is kept separately and is subject to appropriate technical and
organizational measures to ensure that the personal data is not attributed to an
identified or identifiable natural person;
(38)[(26)] "Publicly available information":
(a) Means information that is lawfully made available through federal, state, or
local government records, or information that a business has a reasonable
basis to believe is lawfully made available to the general public through
widely distributed media, by the consumer, or by a person to whom the
consumer has disclosed the information, unless the consumer has restricted
the information to a specific audience; and
(b) Does not mean biometric data collected by a covered online service about a
covered minor without the covered minor's knowledge;
(39)[(27)] "Sale of personal data":
(a) Means the exchange of personal data for monetary consideration by the
controller to a third party; and[.]
(b) [Sale of personal data ]Does not include:
1.[(a)] The disclosure of personal data to a processor that processes the
personal data on behalf of the controller;
2.[(b)] The disclosure of personal data to a third party for purposes of
providing a product or service requested by the consumer;
3.[(c)] The disclosure or transfer of personal data to an affiliate of the
controller;
4.[(d)] The disclosure of information that the consumer:
a.[1.] Intentionally made available to the general public via a channel of
mass media; and
b.[2.] Did not restrict to a specific audience; or
5.[(e)] The disclosure or transfer of personal data to a third party as an
asset that is part of a proposed or actual merger, acquisition, bankruptcy,
or other transaction in which the third party assumes control of all or
part of the controller's assets;
(40)[(28)] "Sensitive data" means a category of personal data that includes:
(a) Personal data indicating racial or ethnic origin, religious beliefs, mental or
physical health diagnosis, sexual orientation, or citizenship or immigration
status;
(b) The processing of genetic or biometric data that is processed for the purpose
of uniquely identifying a specific natural person;
(c) The personal data collected from a known child; or
(d) Precise geolocation data;
(41)[(29)] "State agency" means all departments, offices, commissions, boards,
institutions, and political and corporate bodies of the state, including the offices of
the clerk of the Supreme Court, clerks of the appellate courts, the several courts of
the state, and the legislature, its committees, or commissions;
(42)[(30)] "Targeted advertising":
(a) Means displaying advertisements to a consumer where the advertisement is
selected based on personal data obtained or inferred from that consumer's
activities over time and across nonaffiliated websites or online applications to
predict that consumer's preferences or interests; and[.]
(b) ["Targeted advertising" ]Does not include:
1.[(a)] Advertisements based on activities within a controller's own or
affiliated websites or online applications;
2.[(b)] Advertisements based on the context of a consumer's current
search query, visit to a website, or online application;
3.[(c)] Advertisements directed to a consumer in response to the
consumer's request for information or feedback; or
4.[(d)] Processing personal data solely for measuring or reporting
advertising performance, reach, or frequency;
(43)[(31)] "Third party" means a natural or legal person, public authority, agency, or
body other than the consumer, controller, processor, or an affiliate of the processor
or the controller;[ and]
(44)[(32)] "Trade secret" has the same meaning as in KRS 365.880; and
(45) "User" means an individual who registers an account or creates a profile on a
covered online service.
SECTION 2. A NEW SECTION OF KRS 367.3611 TO 367.3629 IS
CREATED TO READ AS FOLLOWS:
(1) A covered online service shall:
(a) Configure all default privacy settings provided to a covered minor through
its online service, product, or feature to the highest level of privacy;
(b) Provide covered minors with settings to enable or disable each specific
category of push notification offered by the covered online service on the
product or service, including but not limited to marketing notifications,
direct message notifications, media interaction notifications, and any other
category of notification pushed by the product or service;
(c) Disable by default all interaction counts, including but not limited to counts
of reactions and comments on all of the covered minor’s media;
(d) Offer settings to enable or disable specific types of interaction counts,
including but not limited to comments, reactions, reshares, or other
categories of interactions; and
(e) Offer a single setting to turn on all interaction counts only if the settings to
turn on specific interactions are equally prominent and accessible.
(2) A covered online service shall:
(a) Provide a prominent and accessible tool to allow:
1. A covered minor to request the covered online service delete any:
a. Account profiles;
b. Media and personal data provided by or obtained about the
consumer, including personal data the consumer provided to the
covered online service;
c. Personal data the covered online service obtained from another
source; and
d. Derived data; or
2. The parent of a covered minor to make such a request on the child’s
behalf;
(b) Comply with a request under paragraph (a) of this subsection not later than
fifteen (15) days after a covered online service receives the request;
(c) Provide each covered minor with accessible and user-friendly tools that:
1. Allow a covered minor to opt out of the use of the covered minor's
personal data to select, recommend, or prioritize media for the covered
minor in an algorithmic feed, except when that personal data is:
a. The covered minor's express and unambiguous request to
receive:
i. Media from a specific account, feed, or user, or to receive
more or less media from that account, feed, or user;
ii. A specific category of media, including but not limited to
"breaking news" or to see more or less of that category of
media; or
iii. More or less media with similar characteristics as the
media they are currently viewing;
b. User-selected privacy or accessibility settings;
c. The covered minor’s location, but only to determine whether the
covered minor is within the Commonwealth for purposes of
complying with this section;
d. The consumer’s age, but only to implement the covered
business’s policies regarding media appropriate for minors; or
e. A search query, provided the search query is only used to select
and prioritize media in response to the search;
2. Control the use of in-game purchases or other transactions by
allowing a covered minor to opt out of all purchases and transactions
or to place limits on purchases and transactions;
3. Limit the amount of time the covered minor spends on the covered
online service; and
4. Notify a covered minor of a covered design feature when any of the
tools described in this section are in effect, and describe what settings
have been applied;
(d) Establish default settings for the safeguards required in paragraph (c) of
this subsection at the option or level that provides the highest protection
available for the safety of the covered minor;
(e) Collect and use only the minimum amount of a covered minor's personal
data necessary to provide the specific elements of an online service with
which the covered minor has knowingly engaged, and ensure that the
collected personal data is not used for reasons other than those for which it
was collected;
(f) Retain the personal data of a covered minor only as long as necessary to
provide the specific elements of an online service with which the covered
minor has knowingly engaged;
(g) Provide an obvious sign to a covered minor when precise geolocation
information is being collected or used;
(h) If the covered online service allows parental monitoring, provide an obvious
signal to a covered minor when the minor is being monitored;
(i) Provide parents the ability to do the following for an individual the covered
online service knows to be a child:
1. Manage the child's privacy and account settings in a manner that
allows parents to:
a. View the child's privacy and account settings; and
b. Change and control the child's privacy and account settings;
2. Restrict purchases and financial transactions of the child;
3. Enable parents to view the total time the child has spent on a covered
online service, and place reasonable limits on the child's use of the
covered online service; and
4. Restrict the child's use of the covered online service during times of
day specified by the parents, including during school hours and at
night; and
(j) Establish mechanisms for covered minors and parents to report harms on
covered online services.
(3) A covered online service shall not, by default, configure its online product,
service, or feature to:
(a) Use an algorithmic recommendation system to recommend to any known
adult user that they connect to a covered minor as a friend, follower, or
contact;
(b) Use an algorithmic recommendation system to recommend to any known
adult user that they follow a covered minor’s media, unless the covered
minor’s account was connected to the known adult’s account as a friend,
follower, or contact prior to the recommendation;
(c) Use an algorithmic recommendation system to recommend to any known
adult user that they communicate with a covered minor through direct
messaging, unless the covered minor’s account was connected to the known
adult’s account as a friend, follower, or contact prior to the
recommendation;
(d) Use an algorithmic recommendation system to recommend to a covered
minor that they communicate with any known adult through direct
messaging, unless the covered minor’s account was connected to the known
adult’s account as a friend, follower, or contact prior to the
recommendation;
(e) Display a covered minor’s friends, followers, or contacts;
(f) Enable search engine indexing of a covered minor’s account profile and
media;
(g) Display the location of any covered minor to any other user unless the
covered minor has expressly and unambiguously chosen to share his or her
location with the specific user;
(h) Send push notifications to any covered minor; or
(i) Provide a single setting that enables all push notifications.
(4) (a) A covered online service that facilitates communications between users
shall provide a prominent, accessible, and responsive tool that gives a
covered minor the option to block specific users from taking each of the
following actions:
1. Accessing the user’s media;
2. Interacting with the user’s media;
3. Communicating with the user through their media;
4. Communicating with the user through direct messaging; and
5. Communicating with the user through any other means offered by the
covered online service through the product or service.
(b) The tool described in paragraph (a) of this subsection shall provide a
covered minor with the option to prevent media from the blocked user from
appearing in the covered minor’s feed.
(c) The tool described in paragraph (a) of this subsection shall, at a minimum,
be accessible from a feature located:
1. Proximate to every instance of another user’s username, avatar, or
both;
2. On all media shared by another user;
3. On every direct message or direct message thread; and
4. In a first-level settings menu labeled "blocked users."
(d) The features described in paragraph (c)1. to 3. of this subsection shall
provide a covered minor with the option to:
1. Block the other user, which will trigger all of the settings in
paragraphs (a) and (b) of this subsection; or
2. Go to the settings page to select more granular block settings for the
other user.
(5) A covered online service that offers an algorithmic feed to a covered minor that
uses the covered minor’s personal data to select, recommend, or prioritize media
in the feed shall:
(a) Provide a prominent and accessible user interface that enables the covered
minor to:
1. Expressly and unambiguously communicate his or her preferences
about the types of media to be recommended and to be blocked in the
output of the relevant algorithmic recommendation system; and
2. Access, review, and make changes to any personal data the covered
online service uses to determine the output of the relevant algorithmic
recommendation system;
(b) Ensure that the relevant algorithmic recommendation system is informed by
these preferences; and
(c) Provide the minor with the choice of an algorithmic feed that only selects
media from sources the minor affirmatively chose to follow or otherwise
include in the feed.
(6) A covered online service shall not:
(a) Profile a covered minor unless profiling is necessary to provide a covered
online service requested by a covered minor, and only with respect to the
aspects of the covered online service with which the covered minor is
actively and knowingly engaged;
(b) Facilitate advertising of prohibited products, including but not limited to
narcotic drugs, tobacco products, gambling, and alcohol, to covered minors;
(c) Facilitate targeted advertising to a covered minor;
(d) Use dark patterns directed at a covered minor;
(e) Be required to collect the personal data of a user to comply with this section.
A covered online service that collects personal data of a user for age
verification shall not use personal data for other purposes and shall delete
personal data after use for age verification;
(f) Provide a covered minor with a single setting that makes more than one (1)
default privacy or design feature setting less protective at once;
(g) Request or prompt a covered minor to make any of the settings less
protective, unless the change is strictly necessary for the covered minor to
access a service or feature that the minor has expressly and unambiguously
requested; or
(h) Use notifications and push alerts to a covered minor between the hours of
10 p.m. and 6 a.m., and between the hours of 8 a.m. and 4 p.m. on weekdays
from August 1 to May 31, prevailing time in the covered minor's location.
Section 3. KRS 367.3613 is amended to read as follows:
(1) KRS 367.3611 to 367.3629 applies[apply] to persons that conduct business in the
Commonwealth or produce products or services that are targeted to residents of the
Commonwealth and that during a calendar year control or process personal data of
at least:
(a) One hundred thousand (100,000) consumers; or
(b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%)
of gross revenue from the sale of personal data.
(2) KRS 367.3611 to 367.3629 shall not apply to any:
(a) City, state agency, or any political subdivision of the state;
(b) Financial institutions, their affiliates, or data subject to Title V of the federal
Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et seq.;
(c) Covered entity or business associate governed by the privacy, security, and
breach notification rules issued by the United States Department of Health
and Human Services, 45 C.F.R. pts. 160 and 164 established pursuant to
HIPAA;
(d) Nonprofit organization;
(e) Institution of higher education;
(f) Organization that:
1. Does not provide net earnings to, or operate in any manner that inures to
the benefit of, any officer, employee, or shareholder of the entity; and
2. Is an entity such as those recognized under KRS 304.47-060(1)(e), so
long as the entity collects, processes, uses, or shares data solely in
relation to identifying, investigating, or assisting:
a. Law enforcement agencies in connection with suspected
insurance-related criminal or fraudulent acts; or
b. First responders in connection with catastrophic events; or
(g) Small telephone utility as defined in KRS 278.516, a Tier III CMRS provider
as defined in KRS 65.7621, or a municipally owned utility that does not sell
or share personal data with any third-party.
(3) The following information and data are exempt from KRS 367.3611 to 367.3629:
(a) Protected health information under HIPAA;
(b) Health records;
(c) Patient identifying information for purposes of 42 C.F.R. sec. 2.11;
(d) Identifiable private information for purposes of the federal policy for the
protection of human subjects under 45 C.F.R. pt. 46; identifiable private
information that is otherwise information collected as part of human subjects
research pursuant to the good clinical practice guidelines issued by the
International Council for Harmonisation of Technical Requirements for
Pharmaceuticals for Human Use; the protection of human subjects under 21
C.F.R. pts. 50 and 56; or personal data used or shared in research conducted in
accordance with the requirements set forth in KRS 367.3611 to 367.3629, or
other research conducted in accordance with applicable law;
(e) Information and documents created for purposes of the federal Health Care
Quality Improvement Act of 1986, 42 U.S.C. sec. 11101 et seq.;
(f) Patient safety work product for purposes of the federal Patient Safety and
Quality Improvement Act, 42 U.S.C. sec. 299b-21 et seq.;
(g) Information derived from any of the health care-related information listed in
this subsection that is de-identified in accordance with the requirements for
de-identification pursuant to HIPAA;
(h) Information originating from, and intermingled to be indistinguishable from,
or information treated in the same manner as information exempt under this
subsection that is maintained by a covered entity or business associate, or a
program or qualified service organization as defined by 42 C.F.R. sec. 2.11;
(i) Information collected by a health care provider who is a covered entity that
maintains protected health information in accordance with HIPAA and related
regulations, 45 C.F.R. sec. pts. 160, 162, and 164;
(j) Information included in a limited data set as described in 45 C.F.R. sec.
164.514(e), to the extent the information is used, disclosed, and maintained as
specified in 45 C.F.R. sec. 164.514(e);
(k) Information used only for public health activities and purposes as authorized
by HIPAA;
(l) The collection, maintenance, disclosure, sale, communication, or use of any
personal information bearing on a consumer's creditworthiness, credit
standing, credit capacity, character, general reputation, personal
characteristics, or mode of living by a consumer reporting agency, furnisher,
or other person[user] that provides information for use in a consumer report,
and by a person using[user of] a consumer report, but only to the extent that
such activity is regulated by and authorized under the federal Fair Credit
Reporting Act, 15 U.S.C. sec. 1681 et seq.;
(m) Personal data collected, processed, sold, or disclosed in compliance with the
federal Driver's Privacy Protection Act of 1994, 18 U.S.C. sec. 2721 et seq.;
(n) Personal data regulated by the federal Family Educational Rights and Privacy
Act, 20 U.S.C. sec. 1232g et seq.;
(o) Personal data collected, processed, sold, or disclosed in compliance with the
federal Farm Credit Act, 12 U.S.C. sec. 2001 et seq.;
(p) Data processed or maintained:
1. In the course of an individual applying to, employed by, or acting as an
agent or independent contractor of a controller, processor, or third party,
to the extent that the data is collected and used within the context of that
role;
2. As the emergency contact information of an individual used for
emergency contact purposes; or
3. That is necessary to retain to administer benefits for another individual
relating to the individual under subparagraph 1. of this paragraph and
used for the purposes of administering those benefits;
(q) Data processed by a utility, an affiliate of a utility, or a holding company
system organized specifically for the purpose of providing goods or services
to a utility as defined in KRS 278.010. As used in [For purposes of] this
paragraph, "holding company system" means two (2) or more affiliated
persons, one (1) or more of which is a utility; and
(r) Personal data collected and used for purposes of federal policy under the
Combat Methamphetamine Epidemic Act of 2005.
(4) Controllers and processors that comply with the verifiable parental consent
requirements of the Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501
et seq., shall be deemed compliant with any obligation to obtain parental consent
under KRS 367.3611 to 367.3629.
Section 4. Section 2 of this Act may be cited as the Kentucky Kid’s Code.