Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Data owners are responsible for reporting and notifications
  • Notifications may be required to the state attorney general
  • Notifications may be required to the consumer reporting agencies
  • Laws also cover data protection, data disposal, and record retention
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply

Who Me?


Missouri breach and notification laws may apply if you are a:

  • Person or business that owns or licenses data about a Missouri resident that includes PII
  • Person or business that maintains or possesses data about a Missouri resident that includes PII but does not own or license the data

There are exemptions.

What is PII?


PII relevant to a breach in Missouri includes an individual’s name with one or more of the following:

  • Social security number, driver's license or other unique identification number;
  • Financial account or credit/debit card numbers; or unique electronic identifier or routing code; with security or access codes, passwords, etc.
  • Medical information
  • Health insurance information



A few relevant statutes from Missouri code include, but are not limited to:

Title XXVI Trade and Commerce / Chapter 407 Merchandising Practices / § 407.1500.1.


A few related statutes include, but are not limited to:

Title XXVI Trade and Commerce / Chapter 407 Merchandising Practices / "Credit User Protection Law":   § 407.430 – 407.436.1



If the code is violated, the attorney general has exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed $150,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted, redacted, or otherwise altered
  • If the data included any kind of key, code or cipher
  • If it was acquired by a person that may compromise the security, confidentiality, or integrity of the personal information
  • If, after an appropriate investigation by the person or the person’s consultation with relevant federal, state, or local agencies responsible for law enforcement, it can be determined the risk of identity theft or other fraud to any consumer is not reasonably likely to occur. (Such a determination must be documented in writing and maintained for five years.)


In Missouri, the notifications must be made without unreasonable delay, unless law enforcement advises the person it will interfere with an investigation. The request must be in writing.


Requires detailed information and potential provision of services

Notification may be required to the state attorney general and consumer reporting agencies.

Disclosure may be made by written notice, electronically, or via telephone with stipulations. A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $100,000, the number of persons to be notified exceeds 150,000, or the person does not have sufficient contact information.

Contact the Privacy Experts at CSR