United States of America: Rejected House Bill 301 Relating to Consumer Data Privacy including cybersecurity regulation

On 30 March 2023, the Kentucky House Bill 301 Relating to Consumer Data Privacy including cybersecurity regulation was rejected after failing to pass before the legislature session adjourned. The Bill followed a similar bill (SB 15) introduced on 3 January 2023 in the Kentucky State Senate. The House Bill would have applied to businesses based in or providing services to consumers in Kentucky who, annually, either process the personal data of 100'000 consumers or at least 25'000 consumers while deriving over 50% of gross revenue from the sale of such data. The Bill would have established cybersecurity obligations for data controllers, namely implementing data security practices to protect the confidentiality, integrity, and accessibility of consumer data.