
Code · Kentucky · Kentucky Revised Statutes

367.3613 Application -- Limitations -- Information and data exemptions -- Compliance with federal children's online privacy laws.
(1) KRS 367.3611 to 367.3629 apply to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year control or process personal data of at least:
    (a) One hundred thousand (100,000) consumers; or
    (b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

(2) KRS 367.3611 to 367.3629 shall not apply to any:
    (a) City, state agency, or any political subdivision of the state;
    (b) Financial institutions, their affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et seq.;
    (c) Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA;
    (d) Nonprofit organization;
    (e) Institution of higher education;
    (f) Organization that:
        1. Does not provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder of the entity; and
        2. Is an entity such as those recognized under KRS 304.47-060(1)(e), so long as the entity collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting:
            a. Law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts; or
            b. First responders in connection with catastrophic events; or
    (g) Small telephone utility as defined in KRS 278.516, a Tier III CMRS provider as defined in KRS 65.7621, or a municipally owned utility that does not sell or share personal data with any third-party.

(3) The following information and data are exempt from KRS 367.3611 to 367.3629:
    (a) Protected health information under HIPAA;
    (b) Health records;
    (c) Patient identifying information for purposes of 42 C.F.R. sec. 2.11;
    (d) Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. pts. 50 and 56; or personal data used or shared in research conducted in accordance with the requirements set forth in KRS 367.3611 to 367.3629, or other research conducted in accordance with applicable law;
    (e) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. sec. 11101 et seq.;
    (f) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. sec. 299b-21 et seq.;
    (g) Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
    (h) Information originating from, and intermingled to be indistinguishable from, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate, or a program or qualified service organization as defined by 42 C.F.R. sec. 2.11;
    (i) Information collected by a health care provider who is a covered entity that maintains protected health information in accordance with HIPAA and related regulations, 45 C.F.R. sec. pts. 160, 162, and 164;
    (j) Information included in a limited data set as described in 45 C.F.R. sec. 164.514(e), to the extent the information is used, disclosed, and maintained as specified in 45 C.F.R. sec. 164.514(e);
    (k) Information used only for public health activities and purposes as authorized by HIPAA;
    (l) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. sec. 1681 et seq.;
    (m) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. sec. 2721 et seq.;
    (n) Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. sec. 1232g et seq.;
    (o) Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. sec. 2001 et seq.;
    (p) Data processed or maintained:
        1. In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
        2. As the emergency contact information of an individual used for emergency contact purposes; or
        3. That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph 1. of this paragraph and used for the purposes of administering those benefits;
    (q) Data processed by a utility, an affiliate of a utility, or a holding company system organized specifically for the purpose of providing goods or services to a utility as defined in KRS 278.010. For purposes of this paragraph, "holding company system" means two (2) or more affiliated persons, one or more of which is a utility; and
    (r) Personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.

(4) Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent under KRS 367.3611 to 367.3629.