§ 367.3613 — Kentucky Law | CourtGPT
Kentucky Legal Code

§ 367.3613

367.3613 Application -- Limitations -- Information and data exemptions -- Compliance with federal children's online privacy laws. (Effective January 1, 2026)

(1) KRS 367.3611 to 367.3629 apply to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year control or process personal data of at least:
    (a) One hundred thousand (100,000) consumers; or
    (b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

(2) KRS 367.3611 to 367.3629 shall not apply to any:
    (a) City, state agency, or any political subdivision of the state;
    (b) Financial institutions, their affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et seq.;
    (c) Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA;
    (d) Nonprofit organization;
    (e) Institution of higher education;
    (f) Organization that:
        1. Does not provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder of the entity; and
        2. Is an entity such as those recognized under KRS 304.47-060(1)(e), so long as the entity collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting:
            a. Law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts; or
            b. First responders in connection with catastrophic events; or
    (g) Small telephone utility as defined in KRS 278.516, a Tier III CMRS provider as defined in KRS 65.7621, or a municipally owned utility that does not sell or share personal data with any third-party processor.

(3) The following information and data are exempt from KRS 367.3611 to 367.3629:
    (a) Protected health information under HIPAA;
    (b) Health records;
    (c) Patient identifying information for purposes of 42 C.F.R. sec. 2.11;
    (d) Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. pts. 50 and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in KRS 367.3611 to 367.3629, or other research conducted in accordance with applicable law;
    (e) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. sec. 11101 et seq.;
    (f) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. sec. 299b-21 et seq.;
    (g) Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
    (h) Information originating from, and intermingled to be indistinguishable from, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate, or a program or qualified service organization as defined by 42 C.F.R. sec. 2.11;
    (i) Information used only for public health activities and purposes as authorized by HIPAA;
    (j) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. sec. 1681 et seq.;
    (k) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. sec. 2721 et seq.;
    (l) Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. sec. 1232g et seq.;
    (m) Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. sec. 2001 et seq.;
    (n) Data processed or maintained:
        1. In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
        2. As the emergency contact information of an individual used for emergency contact purposes; or
        3. That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph 1. of this paragraph and used for the purposes of administering those benefits;
    (o) Data processed by a utility, an affiliate of a utility, or a holding company system organized specifically for the purpose of providing goods or services to a utility as defined in KRS 278.010. For purposes of this paragraph, 'holding company system' means two (2) or more affiliated persons, one (1) or more of which is a utility; and
    (p) Personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.

(4) Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent under KRS 367.3611 to 367.3629.

Effective: January 1, 2026
History: Created 2024 Ky. Acts ch. 72, sec. 2, effective January 1, 2026.