Bill > HB473

This bill amends Kentucky's consumer data privacy law to make two key changes. First, it expands exemptions to the state's data privacy regulations for health care-related information, specifically adding protections for information collected by health care providers that maintain protected health information under HIPAA (the Health Insurance Portability and Accountability Act) and information included in a limited data set as defined by federal regulations. Second, the bill modifies requirements for data protection impact assessments, particularly for profiling activities, by explicitly including an assessment of potential "unlawful disparate impact" on consumers. The bill requires controllers (organizations that determine the purposes and means of processing personal data) to conduct and document impact assessments for various data processing activities, including targeted advertising, selling personal data, and profiling. These assessments must weigh the benefits of data processing against potential risks to consumer rights, considering factors like de-identified data, consumer expectations, and the context of data processing. The assessments remain confidential and can be requested by the Attorney General during investigations, with the bill specifying that such a request does not waive attorney-client privilege. The changes will take effect on June 1, 2026, providing businesses time to adapt to the new requirements.

Business and Industry

https://apps.legislature.ky.gov/record/25RS/hb473.html