Idaho Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Idaho takes a patchwork approach to data privacy. Unlike states such as California, Colorado, and Connecticut that have enacted comprehensive consumer data privacy statutes, Idaho has no single law giving residents broad control over how businesses collect, use, or share their personal information.
Instead, Idaho residents depend on a combination of the state's data breach notification law, identity theft criminal statutes, student data protections, the Consumer Protection Act, and a layer of federal privacy laws that apply to specific industries.
This guide covers every part of Idaho's data privacy framework: what protections exist, what your rights are, who enforces the rules, and where the gaps remain.
Idaho's Data Breach Notification Law
The cornerstone of Idaho's data privacy framework is the Idaho Identity Theft Act, codified at Idaho Code § 28-51-104 through § 28-51-107. Enacted in 2006, this law requires businesses, government agencies, and individuals that handle computerized personal information to notify affected Idaho residents when a data breach occurs.

The law does not regulate how companies collect or use personal data. It focuses entirely on what happens after a breach.
What Counts as a Data Breach in Idaho?
Under Idaho Code § 28-51-104, a breach is defined as the "illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information" maintained by an agency, individual, or commercial entity.
The law includes an important carve-out: good faith acquisition of personal information by an employee or agent for legitimate business purposes does not qualify as a breach, as long as the information is not used improperly or shared without authorization.
What Is Personal Information Under Idaho Law?
Idaho Code § 28-51-104 defines personal information as an Idaho resident's first name or first initial and last name combined with one or more of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
The definition specifically excludes information that is lawfully obtained from publicly available sources or from federal, state, or local government records that are lawfully made available to the general public.
Notification Requirements
The notification rules under Idaho Code § 28-51-105 apply to any entity that conducts business in Idaho and owns or licenses computerized data containing personal information about Idaho residents.
When a breach is discovered, the entity must conduct a good faith, reasonable, and prompt investigation to determine whether personal information has been or is reasonably likely to be misused. If the investigation confirms misuse has occurred or is likely, the entity must notify affected Idaho residents "as soon as possible" without unreasonable delay.
Idaho does not set a specific number of days for notification, unlike states such as Colorado (30 days) or Florida (30 days). The standard is reasonableness.
State Agency Notification to the Attorney General
Idaho holds public agencies to a stricter standard than private businesses. Under § 28-51-105, any state agency that discovers a breach must notify the Idaho Attorney General within 24 hours. This requirement exists in addition to the agency's obligation to notify affected residents.
Private businesses are not required by Idaho law to report breaches to the Attorney General, though they may do so voluntarily through the AG's Consumer Protection Division.
Methods of Notification
Idaho law permits four methods of notifying affected residents, as defined in § 28-51-104:
| Method | Details |
|---|---|
| Written notice | Sent to the last known address of the affected resident |
| Telephone | Direct contact with the affected resident |
| Electronic notice | Must comply with federal Electronic Signatures in Global and National Commerce Act (E-SIGN) requirements |
| Substitute notice | Available when costs exceed $25,000, more than 50,000 residents are affected, or the entity lacks sufficient contact information |
Substitute notice requires all three of the following: email notice to all available email addresses, conspicuous posting on the entity's website, and notification through statewide media outlets.
Third-Party Data Holders
If a business maintains personal information on behalf of another entity (for example, a cloud service provider), § 28-51-105 requires the data holder to notify the data owner immediately after discovering a breach where misuse is likely. The data holder must also share all relevant information about the breach.
Law Enforcement Delays
Notification may be delayed if a law enforcement agency advises that immediate notice would impede a criminal investigation. Once law enforcement confirms that notification will no longer compromise the investigation, the entity must proceed with notice without unreasonable delay.
Penalties for Violating Idaho's Breach Notification Law
Enforcement of Idaho's breach notification requirements falls to the entity's primary regulator. Under Idaho Code § 28-51-107, the primary regulator may initiate a civil action and seek injunctive relief against any entity that fails to provide required notice.
The penalties break down as follows:
| Violation Type | Penalty |
|---|---|
| Intentional failure to notify | Fine of up to $25,000 per breach |
| Government employee intentional disclosure | Misdemeanor: up to $2,000 fine and/or 1 year in jail |
The $25,000 cap applies per breach of the security system, not per individual affected. A single breach affecting thousands of residents still carries a maximum fine of $25,000.
Idaho does not provide a private right of action under the breach notification law. Individual consumers cannot sue for breach notification violations. Enforcement rests with government regulators.
Compliance Safe Harbors
Idaho Code § 28-51-106 provides two safe harbors for compliance:
- Internal policy compliance. Entities that maintain their own breach notification procedures as part of an information security policy are deemed compliant if their procedures meet the timing requirements of § 28-51-105 and they follow those procedures when a breach occurs.
- Regulatory compliance. Entities regulated by state or federal agencies that maintain breach notification procedures under their primary regulator's guidelines satisfy Idaho's requirements by following those procedures.
These safe harbors mean that financial institutions following GLBA breach rules and healthcare entities following HIPAA breach rules are typically deemed compliant with Idaho law.
Idaho's Identity Theft Criminal Laws
Idaho's criminal code provides additional personal data protections through identity theft statutes in Idaho Code Title 18, Chapter 31.
Misappropriation of Personal Identifying Information (§ 18-3126)
Idaho Code § 18-3126 makes it unlawful to obtain or record another person's personal identifying information without authorization when the intent is to use that information to fraudulently obtain credit, money, goods, or services.
This is a felony offense. Penalties include:
- Up to 5 years in state prison
- Fines up to $50,000
- Or both imprisonment and fines
The statute was originally enacted in 1999 and strengthened through amendments in 2008.
Acquisition by False Authority (§ 18-3126A)
Idaho Code § 18-3126A targets individuals who obtain personal identifying information by falsely representing that they have authority to access it. This covers scenarios such as impersonating an employer, government official, or financial institution to trick someone into providing their data.
This is also a felony with the same penalties: up to 5 years imprisonment and fines up to $50,000.
Idaho Consumer Protection Act
The Idaho Consumer Protection Act (Idaho Code § 48-601 et seq.) serves as a general-purpose tool for addressing unfair and deceptive business practices, including those involving personal data.
While the act does not mention data privacy specifically, Idaho Code § 48-603 prohibits "engaging in any act or practice that is otherwise misleading, false, or deceptive" in the conduct of commerce. This catch-all provision gives the Idaho Attorney General authority to pursue companies that engage in deceptive data collection practices, misrepresent their privacy policies, or fail to honor their stated data handling commitments.
The AG's Consumer Protection Division investigates complaints and can seek:
- Injunctive relief to stop deceptive practices
- Voluntary compliance agreements
- Civil penalties through district court action
Consumers can file complaints directly with the AG's office. The AG can also accept assurances of voluntary compliance from businesses that commit to correcting their practices.
Student Data Privacy Protections
Idaho Code § 33-133 establishes specific protections for student data in Idaho's public education system. This law was enacted in 2014 to address growing concerns about how schools and educational technology vendors handle student information.
What Student Data Is Protected?
The law defines "personally identifiable data" to include:
- Student's name
- Names of parents or family members
- Student's or family's address
- Any direct or indirect identifiers that could identify a specific student
Prohibited Data Collection
Idaho law explicitly prohibits educational records from containing certain types of sensitive information:
- Juvenile delinquency or criminal records (unless required by law)
- Medical or health records
- Social Security numbers
- Biometric information
- Gun ownership records
- Sexual orientation
- Religious affiliation
Vendor Requirements
Private vendors that access student data face specific restrictions under § 33-133. Vendors must either:
- Agree to a complete prohibition on secondary uses of student data (no selling, marketing, or advertising), or
- Provide full disclosure of secondary data uses and obtain parental consent before engaging in any use beyond the contracted service
Penalties
Violations of the student data privacy law that result in unauthorized release of personally identifiable data carry civil penalties of up to $50,000 per violation. Schools must also notify affected parents and students when unauthorized disclosures occur.
Public Records Act Privacy Exemptions
Idaho's Public Records Act (Idaho Code Title 74, Chapter 1) includes privacy-related exemptions under § 74-106 that restrict disclosure of certain personal information held by government agencies.
Exempt records include:
- Personnel records of current or former public employees (except public service history, pay grade, and gross salary)
- Home addresses and phone numbers of retired public employees
- Medical and health records, including prescriptions, psychiatric care, and counseling records
- Reportable disease records maintained by health departments
- Records where disclosure would constitute an "unwarranted invasion of personal privacy"
These exemptions protect individuals from having sensitive personal information disclosed through public records requests, though they apply only to government-held records.
Federal Privacy Laws That Apply in Idaho
Because Idaho lacks a comprehensive state privacy law, federal statutes provide the primary privacy protections for many Idaho residents and businesses. Here are the key federal laws that fill the gaps.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to Idaho healthcare providers, health plans, healthcare clearinghouses, and their business associates. It requires physical, technical, and administrative safeguards to protect personal health information (PHI). Idaho healthcare entities must comply with both the HIPAA Privacy Rule and the Security Rule.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions operating in Idaho must comply with GLBA, which requires:
- Written information security programs
- Consumer privacy notices explaining data sharing practices
- Opt-out rights for consumers regarding third-party data sharing
- Employee cybersecurity awareness training
Children's Online Privacy Protection Act (COPPA)
Any Idaho business that operates a website or online service directed at children under 13, or that knowingly collects personal information from children under 13, must comply with COPPA. Requirements include verified parental consent before data collection and restrictions on how children's data can be used or shared.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records at Idaho schools that receive federal funding. It gives parents (and students over 18) the right to access, review, and request corrections to educational records. FERPA works alongside Idaho's own student data protection law (§ 33-133) to create a dual layer of protection.
Fair Credit Reporting Act (FCRA)
The FCRA regulates how consumer reporting agencies in Idaho collect, share, and use credit information. Idaho residents have the right to access their credit reports, dispute inaccurate information, and limit who can access their credit data.
How to Report a Data Breach in Idaho
If you discover a data breach affecting Idaho residents, or if you are an Idaho resident who believes your personal information was compromised, here is how to reach the relevant authorities.
For Businesses and Agencies
Contact the Idaho Attorney General's Consumer Protection Division:
- Email: consumer_protection@ag.idaho.gov
- Mailing address: P.O. Box 83720, Boise, ID 83720-0010
- Phone: 208-334-4135
State agencies must report within 24 hours of discovery. Private businesses may report voluntarily.
For Consumers
If you believe your personal information was compromised in a breach:
- Contact the company or agency that experienced the breach
- File a complaint with the Idaho Attorney General
- Place a fraud alert or credit freeze with the three major credit bureaus
- Monitor your financial accounts and credit reports for suspicious activity
The Attorney General's office maintains a public registry of reported breaches dating back to January 1, 2021, which you can use to check whether organizations you interact with have experienced security incidents.
Idaho vs. Other States: Where Does Idaho Stand?
As of 2026, approximately 20 states have enacted comprehensive consumer data privacy laws. Idaho is not among them. Here is how Idaho compares to neighboring and notable states.
| Feature | Idaho | Montana | Colorado | California |
|---|---|---|---|---|
| Comprehensive privacy law | No | Yes (effective Oct. 2024) | Yes (effective July 2023) | Yes (CCPA/CPRA) |
| Consumer right to access data | No | Yes | Yes | Yes |
| Consumer right to delete data | No | Yes | Yes | Yes |
| Right to opt out of data sales | No | Yes | Yes | Yes |
| Breach notification required | Yes | Yes | Yes | Yes |
| Breach notification deadline | "As soon as possible" | 60 days | 30 days | "Most expedient time possible" |
| AG notification required | State agencies only (24 hrs) | Yes (if 500+ affected) | Yes (if 500+ affected) | Yes (if 500+ affected) |
| Maximum breach fine | $25,000 per breach | $10,000 per violation | $20,000 per violation | $7,500 per intentional violation |
The gap is significant. Idaho residents have no statutory right to know what personal data a company holds about them, no right to request deletion, and no right to opt out of the sale of their personal information.
What Could Change: Privacy Legislation Outlook
Idaho has not introduced comprehensive privacy legislation in recent legislative sessions, and no active bills are moving through the Idaho Legislature as of March 2026. However, the national trend is clear: the number of states with comprehensive privacy laws has grown from 5 in 2023 to approximately 20 in 2026.
Factors that could push Idaho toward stronger privacy legislation include:
- Neighboring state pressure. Montana's comprehensive privacy law took effect in October 2024. As more states in the region adopt privacy laws, Idaho businesses that operate across state lines must comply with those laws anyway.
- Federal legislation. The American Data Privacy and Protection Act (ADPPA) has been introduced multiple times in Congress. If a federal privacy law passes, it would establish a baseline for all states, including Idaho.
- Public demand. Data breaches continue to increase nationally, and consumer awareness of privacy rights has grown alongside the adoption of laws in other states.
Until Idaho acts, residents should understand that their primary protections come from the breach notification law, identity theft criminal statutes, and whatever federal laws apply to the specific industry handling their data.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney licensed in Idaho for guidance on your specific situation. Laws and regulations may change; verify all information with official state sources.
Sources and References
- Idaho Code § 28-51-104: Definitions (legislature.idaho.gov)
- Idaho Code § 28-51-105: Notification Requirements (legislature.idaho.gov)
- Idaho Code § 28-51-106: Compliance Safe Harbors (legislature.idaho.gov)
- Idaho Code § 28-51-107: Penalties (legislature.idaho.gov)
- Idaho Code § 18-3126: Identity Theft (legislature.idaho.gov)
- Idaho Code § 18-3126A: Acquisition by False Authority (legislature.idaho.gov)
- Idaho Code § 33-133: Student Data Privacy (legislature.idaho.gov)
- Idaho Consumer Protection Act § 48-601 (legislature.idaho.gov)
- Idaho Code § 48-603: Deceptive Practices (legislature.idaho.gov)
- Idaho Public Records Act § 74-106 (legislature.idaho.gov)
- Security Breaches - Idaho AG (ag.idaho.gov)
- Consumer Protection - Idaho AG (ag.idaho.gov)