United States of America: Introduced House Bill 301 Relating to Consumer Data Privacy including cybersecurity regulation

On 15 February 2023, House Bill 301 Relating to Consumer Data Privacy was introduced in the Kentucky House of Representatives. The Bill follows a similar bill (SB 15) introduced on 3 January 2023 in the Kentucky State Senate, though it also contains a number of differences, including regarding applicability. The House Bill would apply to businesses based in or providing services to consumers in Kentucky who, annually, either process the personal data of 100'000 consumers or at least 25'000 consumers while deriving over 50% of gross revenue from the sale of such data. The Bill would establish cybersecurity obligations for data controllers, namely implementing data security practices to protect the confidentiality, integrity, and accessibility of consumer data. Practices would need to be commensurate to the nature and volume of the data in question.