AN ACT relating to data privacy.

UNOFFICIAL COPY 26 RS HB 692/EN
Page 1 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
AN ACT relating to data privacy. 1
Be it enacted by the General Assembly of the Commonwealth of Kentucky: 2
Section 1. KRS 367.3611 is amended to read as follows: 3
As used in KRS 367.3611 to 367.3629: 4
(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common 5
control with another legal entity or shares common branding with another legal 6
entity. For the purposes of this definition, "control" or "controlled" means: 7
(a) Ownership of, or the power to vote, more than fifty percent (50%) of the 8
outstanding shares of any class of voting security of a company; 9
(b) Control in any manner over the election of a majority of the directors or of 10
individuals exercising similar functions; or 11
(c) The power to exercise controlling influence over the management of a 12
company; 13
(2) "Authenticate" means verifying through reasonabl e means that the consumer 14
entitled to exercise his or her consumer rights in KRS 367.3615 is the same 15
consumer exercising such consumer rights with respect to the personal data at issue; 16
(3) "Automatic content recognition data": 17
(a) Means data about a cons umer's content viewing history collected through 18
the use of technology that is embedded or operated through a smart 19
television or smart monitor, integrated with internet connectivity and an 20
operating system that identifies, in real time, the specific conte nt displayed 21
by analyzing audio or video fingerprints, including but not limited to 22
content received through broadcast, cable, satellite, streaming services, or 23
external inputs, through digital fingerprinting, watermark detection, or 24
similar comparison techniques; and 25
(b) Does not include data: 26
1. Collected about a consumer's interactions with content provided by the 27
UNOFFICIAL COPY 26 RS HB 692/EN
Page 2 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
controller's own services; 1
2. Generated in the course of providing a feature or service requested by 2
a consumer; or 3
3. Collected for the purpose of enforcing terms of service; 4
(4) "Biometric data" means data generated by automatic measurements of an 5
individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, 6
irises, or other unique biological patterns or characterist ics that are used to identify 7
a specific individual. Biometric data does not include a physical or digital 8
photograph, a video or audio recording, or data generated therefrom, unless that 9
data is generated to identify a specific individual or information c ollected, used, or 10
stored for health care treatment, payment, or operations under HIPAA; 11
(5)[(4)] "Business associate" has the same meaning as established in 45 C.F.R. sec. 12
160.103 pursuant to HIPAA; 13
(6)[(5)] "Child" has the same meaning as in 15 U.S.C. sec. 6501; 14
(7)[(6)] "Consent" means a clear affirmative act signifying a consumer's freely given, 15
specific, informed, and unambiguous agreement to process personal data relating to 16
the consumer. Consent may include a written statement, written by electronic 17
means or any other unambiguous affirmative action; 18
(8)[(7)] "Consumer" means a natural person who is a resident of the Commonwealth 19
of Kentucky acting only in an individual context. Consumer does not include a 20
natural person acting in a commercial or employment context; 21
(9)[(8)] "Controller" means the natural or legal person that, alone or jointly with 22
others, determines the purpose and means of processing personal data; 23
(10)[(9)] "Covered entity" has the same meaning as established in 45 C.F.R. sec. 24
160.103 pursuant to HIPAA; 25
(11)[(10)] "Decisions that produce legal or similarly significant effects concerning a 26
consumer" means a decision made by a controller that results in the provision or 27
UNOFFICIAL COPY 26 RS HB 692/EN
Page 3 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
denial by the controller of financial and lending services, housing , insurance, 1
education enrollment, criminal justice, employment opportunities, health care 2
services, or access to basic necessities like food and water; 3
(12)[(11)] "De-identified data" means data that cannot reasonably be linked to an 4
identified or identifiable natural person or a device linked to a person; 5
(13)[(12)] "Fund" means the consumer privacy fund established in KRS 367.3629; 6
(14)[(13)] "Health care provider" means: 7
(a) Any health facility as defined in KRS 216B.015; 8
(b) Any person or entity provid ing health care or health services, including those 9
licensed, certified, or registered under, or subject to, KRS 194A.700 to 10
194A.729 or KRS Chapter 310, 311, 311A, 311B, 312, 313, 314, 314A, 315, 11
319, 319A, 319B, 319C, 320, 327, 333, 334A, or 335; 12
(c) The current and former employers, officers, directors, administrators, agents, 13
or employees of those entities listed in paragraphs (a) and (b) of this 14
subsection; or 15
(d) Any person acting within the course and scope of his or her office, 16
employment, or agency relating to a health care provider; 17
(15)[(14)] "Health record" means a record, other than for financial or billing purposes, 18
relating to an individual, kept by a health care provider as a result of the 19
professional relationship established between the he alth care provider and the 20
individual; 21
(16)[(15)] "HIPAA" means the federal Health Insurance Portability and Accountability 22
Act of 1996, Pub. L. No. 104-191; 23
(17)[(16)] "Identified or identifiable natural person" means a person who can be readily 24
identified directly or indirectly; 25
(18)[(17)] "Institution of higher education" means an educational institution which: 26
(a) Admits as regular students only individuals having a certificate of graduation 27
UNOFFICIAL COPY 26 RS HB 692/EN
Page 4 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
from a high school or the recognized equivalent of such a certificate; 1
(b) Is legally authorized in this state to provide a program of education beyond 2
high school; 3
(c) Provides an educational program for which it awards a bachelor's or higher 4
degree, or provides a program which is acceptable for full credit toward such 5
a degree, a program of postgraduate or postdoctoral studies, or a program of 6
training to prepare students for g ainful employment in a recognized 7
occupation; and 8
(d) Is a public or other nonprofit institution; 9
(19)[(18)] "Nonprofit organization" means any incorporated or unincorporated entity 10
that: 11
(a) Is operating for religious, charitable, or educational purposes; and 12
(b) Does not provide net earnings to, or operate in any manner that inures to the 13
benefit of, any officer, employee, or shareholder of the entity; 14
(20)[(19)] "Personal data" means any information that is linked or reasonably linkable to 15
an identified or identifiable natural person. Personal data does not include de -16
identified data or publicly available information; 17
(21)[(20)] "Precise geolocation data" means information derived from technology, 18
including but not limited to global positioning system lev el latitude and longitude 19
coordinates or other mechanisms, that directly identifies the specific location of a 20
natural person with precision and accuracy within a radius of one thousand seven 21
hundred fifty (1,750) feet. Precise geolocation data does not in clude the content of 22
communications or any data generated by or connected to advanced utility metering 23
infrastructure systems or equipment for use by a utility; 24
(22)[(21)] "Process" or "processing" means any operation or set of operations performed, 25
whether by manual or automated means, on personal data or on sets of personal 26
data, including but not limited to the collection, use, storage, disclosure, analysis, 27
UNOFFICIAL COPY 26 RS HB 692/EN
Page 5 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
deletion, or modification of personal data; 1
(23)[(22)] "Processor" means a natural or legal entit y that processes personal data on 2
behalf of a controller; 3
(24)[(23)] "Profiling" means any form of automated processing performed on personal 4
data to evaluate, analyze, or predict personal aspects related to an identified or 5
identifiable natural person's e conomic situation, health, personal preferences, 6
interests, reliability, behavior, location, or movements; 7
(25)[(24)] "Protected health information" means the same as established in 45 C.F.R. 8
sec. 160.103 pursuant to HIPAA; 9
(26)[(25)] "Pseudonymous data" means personal data that cannot be attributed to a 10
specific natural person without the use of additional information, provided that the 11
additional information is kept separately and is subject to appropriate technical and 12
organizational measures to ensure that the personal data is not attributed to an 13
identified or identifiable natural person; 14
(27)[(26)] "Publicly available information" means information that is lawfully made 15
available through federal, state, or local government records, or information that a 16
business has a reasonable basis to believe is lawfully made available to the general 17
public through widely distributed media, by the consumer, or by a person to whom 18
the consumer has disclosed the information, unless the consumer has restricted the 19
information to a specific audience; 20
(28)[(27)] "Sale of personal data" means the exchange of personal data for monetary 21
consideration by the controller to a third party. Sale of personal data does not 22
include: 23
(a) The disclosure of personal data to a processor that processes the personal data 24
on behalf of the controller; 25
(b) The disclosure of personal data to a third party for purposes of providing a 26
product or service requested by the consumer; 27
UNOFFICIAL COPY 26 RS HB 692/EN
Page 6 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
(c) The disclosure or transfer of personal data to an affiliate of the controller; 1
(d) The disclosure of information that the consumer: 2
1. Intentionally made available to the general public via a channel of mass 3
media; and 4
2. Did not restrict to a specific audience; or 5
(e) The disclosure or transfer o f personal data to a third party as an asset that is 6
part of a proposed or actual merger, acquisition, bankruptcy, or other 7
transaction in which the third party assumes control of all or part of the 8
controller's assets; 9
(29)[(28)] "Sensitive data" means a category of personal data that includes: 10
(a) Personal data indicating racial or ethnic origin, religious beliefs, mental or 11
physical health diagnosis, sexual orientation, or citizenship or immigration 12
status; 13
(b) The processing of genetic or biometric data that is processed for the purpose 14
of uniquely identifying a specific natural person; 15
(c) The personal data collected from a known child; or 16
(d) Precise geolocation data; 17
(30) "Smart monitor": 18
(a) Means a digital, display device that integrates hardware and software 19
components to enable: 20
1. Internet connectivity; 21
2. Application execution; and 22
3. Media content streaming independently of an external computer or 23
media source; and 24
(b) Does not include a voice assistant device or mobile device; 25
(31)[(29)] "State agency" means all departments, offices, commissions, boards, 26
institutions, and political and corporate bodies of the state, including the offices of 27
UNOFFICIAL COPY 26 RS HB 692/EN
Page 7 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
the clerk of the Supreme Court, clerks of the a ppellate courts, the several courts of 1
the state, and the legislature, its committees, or commissions; 2
(32)[(30)] "Targeted advertising" means displaying advertisements to a consumer where 3
the advertisement is selected based on personal data obtained or in ferred from that 4
consumer's activities over time and across nonaffiliated websites or online 5
applications to predict that consumer's preferences or interests. "Targeted 6
advertising" does not include: 7
(a) Advertisements based on activities within a controll er's own or affiliated 8
websites or online applications; 9
(b) Advertisements based on the context of a consumer's current search query, 10
visit to a website, or online application; 11
(c) Advertisements directed to a consumer in response to the consumer's request 12
for information or feedback; or 13
(d) Processing personal data solely for measuring or reporting advertising 14
performance, reach, or frequency; 15
(33)[(31)] "Third party" means a natural or legal person, public authority, agency, or 16
body other than the consume r, controller, processor, or an affiliate of the processor 17
or the controller; and 18
(34)[(32)] "Trade secret" has the same meaning as in KRS 365.880. 19
Section 2. KRS 367.3617 is amended to read as follows: 20
(1) A controller shall: 21
(a) Limit the collection of personal data to what is adequate, relevant, and 22
reasonably necessary in relation to the purposes for which the data is 23
processed as disclosed to the consumer; 24
(b) Except as otherwise provided in this section, not process personal data for 25
purposes that are neither reasonably necessary to nor compatible with the 26
disclosed purposes for which the personal data is processed as disclosed to the 27
UNOFFICIAL COPY 26 RS HB 692/EN
Page 8 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
consumer, unless the controller obtains the consumer's consent; 1
(c) Establish, implement, and maintain reasonable administrative, technical, and 2
physical data security practices to protect the confidentiality, integrity, and 3
accessibility of personal data. The data security practices shall be appropriate 4
to the volume and nature of the personal data at issue; 5
(d) Not process personal data in violation of state and federal laws that prohibit 6
unlawful discrimination against consumers. A controller shall not discriminate 7
against a consumer for exercising any of the consumer rights contained in 8
KRS 367.3615, including denying goods or services, charging different prices 9
or rates for goods or services, or providing a different level of quality of 10
goods and services to the consumer. However, nothing in this paragraph shall 11
be construed to requir e a controller to provide a product or service that 12
requires the personal data of a consumer that the controller does not collect or 13
maintain, or to prohibit a controller from offering a different price, rate, level, 14
quality, or selection of goods or servi ces to a consumer, including offering 15
goods or services for no fee, if the offer is related to a consumer's voluntary 16
participation in a bona fide loyalty, rewards, premium features, discounts, or 17
club card program;[ and] 18
(e) Not process sensitive data con cerning a consumer without obtaining the 19
consumer's consent, or, in the case of the processing of sensitive data 20
collected from a known child, process the data in accordance with the federal 21
Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq.; and 22
(f) Not collect automatic content recognition data without a consumer's 23
consent. 24
(2) Any provision of a contract or agreement of any kind that purports to waive or limit 25
in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to 26
public policy and shall be void and unenforceable. 27
UNOFFICIAL COPY 26 RS HB 692/EN
Page 9 of 9
HB069220.100 - 1450 - XXXX 3/31/2026 7:47 PM Engrossed
(3) Controllers shall provide consumers with a reasonably accessible, clear, and 1
meaningful privacy notice that includes: 2
(a) The categories of personal data processed by the controller; 3
(b) The purpose for processing personal data; 4
(c) How consumers may exercise their consumer rights pursuant to KRS 5
367.3615, including how a consumer may appeal a controller's decision with 6
regard to the consumer's request; 7
(d) The categories of personal data that the controller shares with third parties, if 8
any; and 9
(e) The categories of third parties, if any, with whom the controller shares 10
personal data. 11
(4) If a controller sells personal data to th ird parties or processes personal data for 12
targeted advertising, the controller shall clearly and conspicuously disclose such 13
activity, as well as the manner in which a consumer may exercise the right to opt 14
out of processing. 15
(5) A controller shall establ ish, and shall describe in a privacy notice, one (1) or more 16
secure and reliable means for consumers to submit a request to exercise their 17
consumer rights under KRS 367.3615. The different ways to submit a request by a 18
consumer shall take into account the ways in which consumers normally interact 19
with the controller, the need for secure and reliable communication of such 20
requests, and the ability of the controller to authenticate the identity of the 21
consumer making the request. Controllers shall not require a consumer to create a 22
new account in order to exercise consumer rights pursuant to KRS 367.3615 but 23
may require a consumer to use an existing account. 24
Section 3. This Act takes effect July 1, 2027. 25