Stakeholder opinions vary on the preferred framework for a U.S. comprehensive state privacy law. As the debate rages on, the Kentucky General Assembly offered the latest example of the framework competition that is shaping the perceived state privacy law "patchwork" in recent years.
Kentucky House Bill 15, a comprehensive bill modeled after Virginia's privacy law passed in 2021, has approval from both assembly chambers following a unanimous passage out of the Senate 11 March. The bill, introduced for the first time during the 2024 legislative session, will head back to the House for concurrence on minor Senate amendments and then head to the governor's desk.
If enacted, HB 15 would take effect 1 Jan. 2026.
"This puts us in line with neighboring states such as Virginia, Tennessee and Indiana in terms of language used," state Rep. Josh Branscum, R-Ky., said during HB 15's 29 Feb. hearing before the Senate Standing Committee Economic Development, Tourism and Labor. The bill sponsor touted HB 15 as a "workable solution" to ensure consumer rights and protections while noting the proposal is "a great starting point" and "a framework for our legislature to improve upon for sessions to come."
House Bill 15 is a near-copycat of Virginia's opt-out statute. It starts with identical coverage thresholds of entities that control or process personal data on more than 100,000 consumers or derive 50% of revenue from selling the data of more than 25,000 consumers. The states also share requirements for data protection impact assessments, processing deidentified or pseudonymous data, user opt outs for targeted advertising and data sales, and a 30-day cure provision.
The expected passage comes as a competing bill, Senate Bill 15, was abandoned in its third year of consideration following a majority approval by the Senate during the 2023 session. Instead of a formal reconciliation of provisions between the two bills, Kentucky state lawmakers lined up behind HB 15.
Senate Bill 15 is a more nuanced bill that tracks closer — but not exactly — to Connecticut's privacy law passed in 2022.
The 2024 iteration of SB 15 defined covered entities as companies controlling or processing data on more than 50,000 consumers or those deriving 50% of revenue from data sales involving more than 25,000 consumers. It also proposed recognition of universal opt-out mechanisms while using a broader definition for targeted advertising. Past versions of the bill sought to be even more unique, proposing opt-in consent and a hybrid private right of action.
"It's just really frustrating to know we need to have protections in place and then see a lobby strong enough to water those protections down," said state Sen. Whitney Westerfield, R-Ky., sponsor of SB 15. "So now it looks like we've done something that'll be good enough. … Sometimes when you do just a little bit, it doesn't have to meaningful."
Compliance cakewalk?
Virginia's framework — or more commonly referred to as the original Washington Privacy Act — is the foundation for enacted privacy laws in all states besides California. Kentucky represents an effort to mostly duplicate Virginia. Other states have taken it upon themselves to add, remove or alter provisions for the purpose of consumer protection or lightening perceived burdens on businesses.
With Kentucky's HB 15, a majority of covered entities are likely to have a compliance program in place if they are a national organization complying with Virginia copycats around the U.S. Kentucky-based entities on the lower end of the coverage threshold are most likely to be impacted when the bill passes.
Stites & Harbison Member Sarah Cronan Spurlock, CIPP/US, indicated HB 15 carries a "more conventional definition of consumer where it's only residents of Kentucky, excluding that employment or commercial context," which is notable for Kentucky entities tackling privacy compliance for the first time. The top task for those businesses, however, is assessing whether the bill even applies to them.
"I think the challenge for anyone doing business in Kentucky is going to be first to consider if the new law affects them given the processing thresholds and the potential exemptions for certain businesses or with respect to certain types of data they maintain," Spurlock said, noting additional requirements to prove qualifications for an exemption. "It can get tricky when your business falls under the law while portions of your stored data are exempt."
The 30-day cure period included in HB 15 under exclusive attorney general enforcement does not sunset, adding extra cushion in the event of a violation. While some stakeholders argue cure opportunities weaken privacy laws, it does foster future accountability and vigilance.
"The attorney general can initiate an action in the event you continue a violation of something you've already cured and said you wouldn't violate again," Spurlock said. "An individual company isn't going to get that right to cure for the same violation every time it happens. So there's no sunset, but you certainly can't just disregard a prior remedy."
The competition
Consideration of multiple comprehensive privacy bills is not uncommon. Florida, Indiana and Washington are examples of states that juggled competing bills with varying success.
There are a few reasons why Kentucky's situation is unique and plays directly into the state privacy law patchwork debate.
Few states have passed a comprehensive privacy bill on its first introduction after considering separate or competing bills in preceding years. The decision to push ahead with HB 15 hinged on alignment and uniformity.
Westerfield cited prior conversations with House leadership where he was told SB 15 would "make Kentucky an island," something the Kentucky General Assembly had done on prior policy matters but allegedly lost the appetite for with data privacy.
"It's an argument to which I do not subscribe. I think it's baloney," Westerfield said. "I can name the seven provisions from my bill, down to the chapter, subsection and paragraph, that differed from Virginia. They're material differences that are meaningful, but the bills were nearly identical. It was not an island."
He added SB 15 was an opportunity for Kentucky to "give legislators in other states some cover to do something different" and find a better balance between consumer protections and business needs than Virginia's "boilerplate" provides. Notably, members of the Senate Standing Committee Economic Development, Tourism and Labor told Rep. Branscum they would approve HB 15 despite a desire for opt-in provisions — which Westerfield's SB 15 offered in years prior.
Consumer Reports long supported versions of Westerfield's bill until this year, when he made another round of concessions to stakeholders and lawmakers. The sticking point fueling the opposition, according to Consumer Reports Policy Analyst Matt Schwartz, continues to be the absence of impactful data minimization standards, UOOMs recognition, authorized agent rights and the PRA.
"In a lot of cases they're just looking at what might be the lowest hanging fruit. Exploring what bills other states have done that passed relatively easily," Schwartz said. "The be-all and end-all of consumer privacy legislation should not be ease of compliance for businesses. It's a consideration, but that seems to be elevated as the goal above all else."
Another wrinkle Kentucky brings to the patchwork discussion is a lack of wholesale alignment. HB 15 is modeled after Virginia's 2021 statute. Most core principles have not changed in that law, but the Virginia General Assembly passed meaningful amendments to its comprehensive framework the last two years, including substantial children's privacy amendments days before the Kentucky Senate approved HB 15.
Passing an outdated framework as a starting point may no longer be sufficient given the way modern technology advances. Westerfield, who is not seeking reelection to the Kentucky Senate in November, fears the growing complexity and pace of digital policy matters will render HB 15 useless if there's not constant legislative attention.
"When they come back next year, I just don't see there being a desire or urge to (improve the bill)," Westerfield said. "They'll say, 'Oh, we did that last year. We don't need to do that again.' Like there's a reset on the counter about how bad things have to get before there is the oomph to do it again."