Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Data owners are responsible for reporting and notifications
  • Reporting to Consumer Reporting Agencies may be required with specific information
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply

Who Me?


Breach and notification laws may apply if you are a person or agency that:

  • Owns or licenses computerized data that includes PII 
  • Maintains computerized data that includes PII that they do not own or license

‚ÄčThere are exemptions.

What is PII?


PII relevant to a breach in Kansas includes an individual’s name with one or more of the following:

  • Social security number
  • Driver’s license or state identification card number
  • Account, credit or debit card number, in combination with, and linked to, any required security code etc. permitting access to the individual's account



A few applicable statutes include, but are not limited to:

Chapter 50 – Unfair Trade and Consumer Protection

     Article 7a – Protection of Consumer Information

          50-7a01 - 50-7a04


A few related statutes include, but are not limited to:

Chapter 50 – Unfair Trade and Consumer Protection

     Article 7a – Protection of Consumer Information

          50-7a03. – Destruction of consumer information

Chapter 50 – Unfair Trade and Consumer Protection    

     Article 6 –Consumer Protection

          50-669a, 50-669b



The attorney general is empowered to bring an action in law or equity to address violations and other relief. For violations of this section by an insurance company licensed to do business in this state, the insurance commissioner shall have the sole authority for enforcement.



When considering reporting requirements, it would include, but not be limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • Whether any kind of key or password might have been obtained
  • The likelihood that the personal information will be misused


Notification may be delayed if law enforcement advises the person it will interfere with an investigation, otherwise, the notification must be made in the most expedient time possible and without unreasonable delay. If notification is required to more than 1,000 persons, all consumer reporting agencies must be notified with specific information without unreasonable delay.


Requires detailed information and potential provision of services

Disclosure may be made by written notice or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $100,000, or persons notified exceed 5,000, or they do not have sufficient contact information.

Contact the Privacy Experts at CSR