Kentucky Joins the Ranks of State Data Privacy Legislation

VPD Provisions

The Kentucky CDPA does not specifically define “vehicle information” or include any provisions specific to VPD. “Personal data” is defined as any information that is linked to an identified or identifiable natural person, and it does not include de-identified data or publicly available information. 24RS HB 15 § 1(19). “Sensitive data” is defined as a category of personal data that includes: personal data indicating racial or ethnic original, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status; the processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person; the personal data collected from a known child; or precise geolocation data. 24RS HB 15 § 1(29)(a-e).

The Kentucky CDPA restricts the processing of personal data for purposes that are not “reasonably necessary” for the disclosed purposes that it is being processed without the consumer’s consent. 24RS HB 15 § 4(1)(b).

“Biometric data” is defined as “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.” It does not include a photograph, video, or audio recording. 24RS HB 15 § 1(3).

The bill also restricts a controller’s or a processor’s ability to collect data to “conduct internal research to develop, improve, or repair products, services, or technology.” 24RS HB 15 § 8(2).

Finally, the Kentucky CDPA specifically exempts from its scope data that is collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. sec. 2721 et seq. 24RS HB 15 § 2(3)(k).