Kentucky State Senate Introduces Consumer Data Privacy Act

Written By Haley Metteauer

On January 18, 2022, Senator Whitney Westerfield (R) introduced Senate Bill 15, which if passed will create a new section relating to protection of consumers’ personal data.

Covered entities under the bill are those: 

  • conducting business in Kentucky or producing products or services targeted to Kentucky residents; and either

    • controlling or processing personal data of at least 10,000 consumers; or

    • deriving over 40% of their gross revenue from the sale of consumer’s personal data.

Under the major provisions of this bill, a covered entity will be required to:

  • Provide consumers with a privacy notice outlining the personal data “reasonably necessary” to be collected, the purpose for its collection, third parties which may receive disclosure of the information and the manner in which consumers can exercise their rights with respect to these practices.

    • Comply with a consumers' request to:

    • confirm whether their personal data has been processed;

    • delete the consumer’s personal data;

    • receive a copy of their personal data previously provided by the consumer to the entity in a “portable and, to the extent technically practicable, readily usable format” to enable the consumer to easily review the transmittal of their information to a third party; and

    • “opt out” of targeted advertisements, tracking, and the sale or sharing of personal data.

  • Respond to consumers' requests without undue delay, no later than 30 days after receipt of request—unless, the covered entity finds it to be “reasonably necessary” to extend this period by 15 additional days.

  • Provide consumers with the requested information at no charge, at least twice annually per consumer, unless the consumer request is “excessive, repetitive, technically infeasible, or manifestly unfounded,” in which case an administrative remedy can be assessed.

  • Establish, implement, and maintain an appeal process that consumers' may utilize if the entity refuses to take action on a request pursuant to these provisions and maintain proper channels of access and communication.

  • Establish, implement, and maintain sufficient administrative, technical, and physical data practices to safeguard consumers' personal data.

Haley Metteauer
Previous

Congress Introduces Banning Surveillance Advertisement Act
Next

Mississippi State Senate Introduces Consumer Data Privacy Act