Kentucky · House Bill · 2026 Regular Session
HB692
Kentucky HB 692 — An Act Relating to Data Privacy

Status: Enacted · Effective: Jul 1, 2027 · Passage Likelihood: N/A

WHAT THIS BILL REGULATES · 1 REQUIREMENT TYPE

How Is This Bill Enforced

Enforcement Authority
Enforcement authority rests with the Kentucky Attorney General under the existing Kentucky Consumer Data Protection Act (KRS 367.3611–367.3629). No private right of action is created by this bill or the underlying statute.
Private Right of Action
No private right of action. Enforcement is exclusive to the designated authority.
Penalties
The bill itself does not establish independent penalties. Enforcement remedies are governed by the existing Kentucky Consumer Data Protection Act, which provides for Attorney General enforcement actions, injunctive relief, and civil penalties under the state consumer protection framework.

What This Bill Requires

Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.

Statutory Text
Analysis & Obligations
KRS 367.3611
Definitions — ACR data, biometric data, smart monitor added

(3) "Automatic content recognition data": (a) Means data about a consumer's content viewing history collected through the use of technology that is embedded or operated through a smart television or smart monitor, integrated with internet connectivity and an operating system that identifies, in real time, the specific content displayed by analyzing audio or video fingerprints, including but not limited to content received through broadcast, cable, satellite, streaming services, or external inputs, through digital fingerprinting, watermark detection, or similar comparison techniques; and (b) Does not include data: 1. Collected about a consumer's interactions with content provided by the controller's own services; 2. Generated in the course of providing a feature or service requested by a consumer; or 3. Collected for the purpose of enforcing terms of service;

Referenced definition (KRS 367.3611(8)): "Consumer" means a natural person who is a resident of the Commonwealth of Kentucky acting only in an individual context. Consumer does not include a natural person acting in a commercial or employment context;

Referenced definition (KRS 367.3611(9)): "Controller" means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data;

(4) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. Biometric data does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, unless that data is generated to identify a specific individual or information collected, used, or stored for health care treatment, payment, or operations under HIPAA;

(30) "Smart monitor": (a) Means a digital, display device that integrates hardware and software components to enable: 1. Internet connectivity; 2. Application execution; and 3. Media content streaming independently of an external computer or media source; and (b) Does not include a voice assistant device or mobile device;

Section 1 of the bill amends the definitions section of the Kentucky Consumer Data Protection Act to add three new defined terms. Automatic content recognition data is defined as data about a consumer's content viewing history collected via technology embedded in or operated through a smart television or smart monitor that identifies specific content in real time through audio or video fingerprinting. The definition carves out data collected about interactions with the controller's own services, data generated to provide a consumer-requested feature, and data collected to enforce terms of service. Biometric data is newly defined as a standalone term covering automatically measured biological characteristics used to identify individuals, with exclusions for photographs and recordings unless used for identification. Smart monitor is defined as a display device with internet connectivity, application execution, and independent streaming capability, excluding voice assistant devices and mobile devices.

These definitions establish the scope for the new consent obligation in Section 2 and clarify the treatment of biometric data throughout the KCDPA.

KRS 367.3617
Controller obligations — ACR data consent requirement added
Deployer

(1)(a) [1] Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer;

Referenced definition (KRS 367.3611(20)): "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information;

(1)(b) [2] Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent;

Referenced definition (KRS 367.3611(7)): "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, written by electronic means or any other unambiguous affirmative action;

(1)(c) [3] Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue;

(1)(d) [4] Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program;

(1)(e) [5] Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq.; and

Referenced definition (KRS 367.3611(29)): "Sensitive data" means a category of personal data that includes: (a) Personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (b) The processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person; (c) The personal data collected from a known child; or (d) Precise geolocation data;

(1)(f) [6] Not collect automatic content recognition data without a consumer's consent.

(2) Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable.

(3) [7] Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (a) The categories of personal data processed by the controller; (b) The purpose for processing personal data; (c) How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; (d) The categories of personal data that the controller shares with third parties, if any; and (e) The categories of third parties, if any, with whom the controller shares personal data.

(4) [8] If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing.

(5) [9] A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account.

Section 2 of the bill amends the controller-obligations section of the KCDPA to add a new subsection (1)(f) requiring controllers to obtain consumer consent before collecting automatic content recognition data. This is a standalone consent obligation independent of the existing sensitive-data consent requirement in subsection (1)(e). The practical effect is that operators of smart televisions and smart monitors that use ACR technology must obtain affirmative opt-in consent before collecting any viewing-history data through audio or video fingerprinting. The remaining subsections of KRS 367.3617 — covering data minimization, purpose limitation, data security, non-discrimination, sensitive data consent, privacy notices, sale/targeted-advertising disclosures, and consumer-rights request mechanisms — are re-enacted without substantive change.

Compliance actions 9 items
[1] Controllers must limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purposes.
D-01.4
[2] Controllers must not process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer, unless the controller obtains consumer consent.
D-01.4
[3] Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the data.
[4] Controllers must not process personal data in violation of antidiscrimination laws and must not discriminate against consumers for exercising their data privacy rights, subject to a safe harbor for bona fide loyalty and rewards programs.
D-01.5
[5] Controllers must obtain consumer consent before processing sensitive data, or in the case of data from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act.
D-01.8
6
Controllers must obtain consumer consent before collecting automatic content recognition data.
D-01.8
7
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice disclosing: (1) categories of personal data processed, (2) processing purposes, (3) how to exercise consumer rights and appeal decisions, (4) categories of data shared with third parties, and (5) categories of third-party recipients.
D-01.1
8
Controllers that sell personal data to third parties or process personal data for targeted advertising must clearly and conspicuously disclose such activity and the manner in which consumers may opt out.
D-01.3
9
Controllers must establish and describe in a privacy notice one or more secure and reliable means for consumers to submit rights requests, accounting for normal interaction channels, security, and authentication capability. Controllers must not require consumers to create a new account to exercise their rights.
D-01.1
Section 3
Effective date

This Act takes effect July 1, 2027.

Section 3 establishes that the Act takes effect July 1, 2027.

Passage Likelihood

Enacted
Status Enacted

Legislative History

2026-02-23 introduced in House
2026-02-23 to Committee on Committees (H)
2026-03-02 to Small Business & Information Technology (H)
2026-03-11 reported favorably, 1st reading, to Calendar
2026-03-12 2nd reading, to Rules
2026-03-12 posted for passage in the Regular Orders of the Day for Friday, March 13 2026
2026-03-13 3rd reading, passed 92-0
2026-03-16 received in Senate
2026-03-16 to Committee on Committees (S)
2026-03-24 to Economic Development, Tourism, & Labor (S)
2026-03-24 taken from Economic Development, Tourism, & Labor (S)
2026-03-24 1st reading
2026-03-24 returned to Economic Development, Tourism, & Labor (S)
2026-03-25 taken from Economic Development, Tourism, & Labor (S)
2026-03-25 2nd reading
2026-03-25 returned to Economic Development, Tourism, & Labor (S)
2026-03-26 reported favorably, to Rules with Committee Substitute (1) as a consent bill
2026-03-26 posted for passage in the Consent Orders of the Day for Friday, March 27 2026
2026-03-27 posted for passage in the Consent Orders of the Day for Tuesday, March 31 2026
2026-03-31 3rd reading, passed 38-0 with Committee Substitute (1)
2026-03-31 received in House
2026-03-31 to Rules (H)
2026-03-31 posted for passage for concurrence in Senate Committee Substitute (1)
2026-03-31 House concurred in Committee Substitute (1)
2026-03-31 passed 88-0
2026-04-01 enrolled, signed by Speaker of the House
2026-04-01 enrolled, signed by President of the Senate
2026-04-01 delivered to Governor
2026-04-13 signed by Governor (Acts Ch. 118)

Entry Last Reviewed

2026-05-20
AI generated