Idaho Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Idaho has no comprehensive consumer data privacy law as of May 2026. The state relies on its breach notification statute, Idaho Code §§ 28-51-104 through 28-51-107, which requires businesses to notify affected residents of a data breach as soon as possible, alongside sector-specific laws and federal protections.
Idaho takes a patchwork approach to data privacy. Unlike California, Colorado, Connecticut, and roughly 20 other states that have enacted comprehensive consumer data privacy statutes, Idaho has no single law giving residents broad rights to access, correct, or delete their personal information held by businesses.
Instead, Idaho residents depend on a combination of the state's data breach notification law, identity theft criminal statutes, a new insurance-sector security law, student data protections, a synthetic media prohibition, the Consumer Protection Act, and federal privacy laws that apply to specific industries.
This guide covers every part of Idaho's data privacy framework in force as of May 2026: what protections exist, what your rights are, who enforces the rules, and where the gaps remain. For Idaho's recording consent rules, see Idaho Recording Laws.
Idaho's Data Breach Notification Law
The cornerstone of Idaho's data privacy framework is the Idaho Identity Theft Act, codified at Idaho Code §§ 28-51-104 through 28-51-107. Enacted in 2006, this law requires businesses, government agencies, and individuals that handle computerized personal information to notify affected Idaho residents when a data breach occurs.
The law does not regulate how companies collect or use personal data. It focuses entirely on what happens after a breach.
What Counts as a Data Breach in Idaho?
Under Idaho Code § 28-51-104, a breach is the "illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information" maintained by an agency, individual, or commercial entity.
The law includes an important carve-out: good faith acquisition of personal information by an employee or agent for legitimate business purposes does not qualify as a breach, as long as the information is not used improperly or shared without authorization.
What Is Personal Information Under Idaho Law?
Idaho Code § 28-51-104 defines personal information as an Idaho resident's first name or first initial and last name combined with one or more of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
The definition excludes information lawfully obtained from publicly available sources or from government records lawfully made available to the general public.
Notification Requirements
The notification rules under Idaho Code § 28-51-105 apply to any entity that conducts business in Idaho and owns or licenses computerized data containing personal information about Idaho residents.
When a breach is discovered, the entity must conduct a good faith, reasonable, and prompt investigation to determine whether personal information has been or is reasonably likely to be misused. If the investigation confirms misuse has occurred or is likely, the entity must notify affected Idaho residents "as soon as possible" without unreasonable delay.
Idaho does not set a specific number of days for notification, unlike Colorado (30 days) or Florida (30 days). The standard is reasonableness.
State Agency Notification to the Attorney General
Idaho holds public agencies to a stricter standard than private businesses. Under § 28-51-105, any state agency that discovers a breach must notify the Idaho Attorney General within 24 hours. This requirement exists in addition to the agency's obligation to notify affected residents.
Private businesses are not required by Idaho law to report breaches to the Attorney General, though they may do so voluntarily through the AG's Consumer Protection Division.
Methods of Notification
Idaho law permits four methods of notifying affected residents, as defined in § 28-51-104:
| Method | Details |
|---|---|
| Written notice | Sent to the last known address of the affected resident |
| Telephone | Direct contact with the affected resident |
| Electronic notice | Must comply with federal E-SIGN Act requirements |
| Substitute notice | Available when costs exceed $25,000, more than 50,000 residents are affected, or the entity lacks sufficient contact information |
Substitute notice requires all three of the following: email notice to all available email addresses, conspicuous posting on the entity's website, and notification through statewide media outlets.
Third-Party Data Holders
If a business maintains personal information on behalf of another entity (for example, a cloud service provider), § 28-51-105 requires the data holder to notify the data owner immediately after discovering a breach where misuse is likely.
Law Enforcement Delays
Notification may be delayed if a law enforcement agency advises that immediate notice would impede a criminal investigation. Once law enforcement confirms that notification will no longer compromise the investigation, the entity must proceed with notice without unreasonable delay.
Penalties for Violating Idaho's Breach Notification Law
Enforcement falls to the entity's primary regulator. Under Idaho Code § 28-51-107, the primary regulator may initiate a civil action and seek injunctive relief against any entity that fails to provide required notice.
| Violation Type | Penalty |
|---|---|
| Intentional failure to notify | Fine of up to $25,000 per breach |
| Government employee intentional disclosure | Misdemeanor: up to $2,000 fine and/or 1 year in jail |
The $25,000 cap applies per breach of the security system, not per individual affected. A single breach affecting thousands of residents still carries a maximum fine of $25,000.
Idaho does not provide a private right of action under the breach notification law. Enforcement rests with government regulators.
Compliance Safe Harbors
Idaho Code § 28-51-106 provides two safe harbors for compliance:
- Internal policy compliance. Entities that maintain their own breach notification procedures as part of an information security policy are deemed compliant if their procedures meet the timing requirements of § 28-51-105 and they follow those procedures when a breach occurs.
- Regulatory compliance. Entities regulated by state or federal agencies that maintain breach notification procedures under their primary regulator's guidelines satisfy Idaho's requirements by following those procedures.
These safe harbors mean that financial institutions following GLBA breach rules and healthcare entities following HIPAA breach rules are typically deemed compliant with Idaho law.
Idaho Insurance Data Security Act (2025)

Idaho enacted a significant new sectoral privacy law in 2025: House Bill 117 establishes the Idaho Insurance Data Security Act, codified at Idaho Code Title 41, Chapter 58. The act took effect July 1, 2025. Licensees have until July 1, 2026, to fully implement the required information security programs.
The law follows the National Association of Insurance Commissioners (NAIC) model law and applies to insurance companies and other licensees of the Idaho Department of Insurance.
Key Requirements for Insurance Licensees
Insurance licensees must:
- Develop and maintain a written information security program tailored to the licensee's size, complexity, and the sensitivity of nonpublic information they handle
- Implement administrative, technical, and physical safeguards appropriate to those risk factors
- Conduct prompt investigations of potential cybersecurity events
- Notify the Director of the Idaho Department of Insurance within 10 business days of confirming a significant cybersecurity event
Consumer notification requirements follow the broader breach notification framework under Idaho Code Title 28, Chapter 51.
Exemptions
The Insurance Data Security Act exempts:
- Licensees with fewer than 50 employees and gross annual revenue under $5 million
- Licensees already complying with substantially similar requirements under HIPAA or another federal security program
The law does not create a private right of action. The Department of Insurance enforces compliance and may impose civil penalties.
Idaho's Identity Theft Criminal Laws
Idaho's criminal code provides additional personal data protections through identity theft statutes in Idaho Code Title 18, Chapter 31.
Misappropriation of Personal Identifying Information (§ 18-3126)
Idaho Code § 18-3126 makes it unlawful to obtain or record another person's personal identifying information without authorization when the intent is to use that information to fraudulently obtain credit, money, goods, or services.
This is a felony offense. Penalties include up to 5 years in state prison, fines up to $50,000, or both. The statute was originally enacted in 1999 and strengthened through amendments in 2008.
Acquisition by False Authority (§ 18-3126A)
Idaho Code § 18-3126A targets individuals who obtain personal identifying information by falsely representing that they have authority to access it. This covers scenarios such as impersonating an employer, government official, or financial institution to trick someone into providing their data.
This is also a felony with the same penalties: up to 5 years imprisonment and fines up to $50,000.
Idaho's Synthetic Media and Deepfake Law
Idaho enacted House Bill 575 in 2024, criminalizing the disclosure of explicit synthetic media, including AI-generated nonconsensual intimate images (NCII).
What the Law Covers
A person commits the offense of disclosing explicit synthetic media if they knowingly disclose such media and know, or reasonably should know, that an identifiable person depicted in the media did not consent to its disclosure and the disclosure is likely to cause substantial emotional distress.
"Explicit synthetic media" includes AI-generated or digitally manipulated content that depicts an identifiable individual engaged in sexual conduct or that depicts their genitals or intimate parts.
Penalties
| Offense | Penalty |
|---|---|
| First offense (misdemeanor) | Up to 6 months incarceration and up to $1,000 fine |
| Second or subsequent offense within 5 years (felony) | Up to 10 years imprisonment and up to $25,000 fine |
| Threatening to disclose (extortion) | Same penalty scale as above |
Federal Complement: TAKE IT DOWN Act
The federal TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025) adds a layer of protection on top of Idaho's state law. The Act prohibits any person from knowingly publishing nonconsensual intimate visual depictions of adults or any intimate visual depictions of minors, including AI-generated deepfakes.
Critically, the Act requires covered platforms (social media services and similar online platforms) to establish procedures for takedown requests and to remove reported content within 48 hours of receiving a valid request. These platform obligations became effective May 19, 2026, and are enforced by the Federal Trade Commission.
Together, Idaho HB 575 and the TAKE IT DOWN Act create both criminal liability for individual bad actors and a federal takedown mechanism targeting the platforms that host NCII content.
Idaho Consumer Protection Act

The Idaho Consumer Protection Act (Idaho Code § 48-601 et seq.) serves as a general-purpose tool for addressing unfair and deceptive business practices, including those involving personal data.
While the act does not mention data privacy specifically, Idaho Code § 48-603 prohibits "engaging in any act or practice that is otherwise misleading, false, or deceptive" in the conduct of commerce. This catch-all provision gives the Idaho Attorney General authority to pursue companies that engage in deceptive data collection practices, misrepresent their privacy policies, or fail to honor their stated data handling commitments.
Attorney General Raul Labrador's office has significantly increased consumer protection enforcement. In 2025, the office took 49 enforcement actions against businesses violating Idaho's consumer protection laws, up from 17 in 2024 and 8 in 2023. While most of those actions addressed broader deceptive practices, the Consumer Protection Act remains the primary tool for data-related misconduct outside the breach notification law.
The AG's Consumer Protection Division can seek:
- Injunctive relief to stop deceptive practices
- Voluntary compliance agreements
- Civil penalties through district court action
Consumers can file complaints directly with the AG's office. The AG can also accept assurances of voluntary compliance from businesses that commit to correcting their practices.
Student Data Privacy Protections
Idaho Code § 33-133 establishes specific protections for student data in Idaho's public education system. This law was enacted in 2014 to address growing concerns about how schools and educational technology vendors handle student information.

What Student Data Is Protected?
The law defines "personally identifiable data" to include the student's name, names of parents or family members, the student's or family's address, and any direct or indirect identifiers that could identify a specific student.
Prohibited Data Collection
Idaho law explicitly prohibits educational records from containing:
- Juvenile delinquency or criminal records (unless required by law)
- Medical or health records
- Social Security numbers
- Biometric information
- Gun ownership records
- Sexual orientation
- Religious affiliation
Vendor Requirements
Private vendors that access student data must either agree to a complete prohibition on secondary uses of student data (no selling, marketing, or advertising), or provide full disclosure of secondary data uses and obtain parental consent before any use beyond the contracted service.
Penalties
Violations that result in unauthorized release of personally identifiable data carry civil penalties of up to $50,000 per violation. Schools must also notify affected parents and students when unauthorized disclosures occur.
Public Records Act Privacy Exemptions
Idaho's Public Records Act (Idaho Code Title 74, Chapter 1) includes privacy-related exemptions under § 74-106 that restrict disclosure of certain personal information held by government agencies.
Exempt records include:
- Personnel records of current or former public employees (except public service history, pay grade, and gross salary)
- Home addresses and phone numbers of retired public employees
- Medical and health records, including prescriptions, psychiatric care, and counseling records
- Reportable disease records maintained by health departments
- Records where disclosure would constitute an "unwarranted invasion of personal privacy"
These exemptions protect individuals from having sensitive personal information disclosed through public records requests, though they apply only to government-held records.
Federal Privacy Laws That Apply in Idaho
Because Idaho lacks a comprehensive state privacy law, federal statutes provide the primary privacy protections for many Idaho residents and businesses.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to Idaho healthcare providers, health plans, healthcare clearinghouses, and their business associates. It requires physical, technical, and administrative safeguards to protect personal health information (PHI). Idaho healthcare entities must comply with both the HIPAA Privacy Rule and the Security Rule.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions operating in Idaho must comply with GLBA, which requires written information security programs, consumer privacy notices explaining data sharing practices, and opt-out rights for consumers regarding third-party data sharing. Financial institutions licensed in Idaho that are also subject to the new Idaho Insurance Data Security Act may need to comply with both frameworks if they hold insurance licenses.
Children's Online Privacy Protection Act (COPPA)
Any Idaho business that operates a website or online service directed at children under 13, or that knowingly collects personal information from children under 13, must comply with COPPA. Requirements include verified parental consent before data collection and restrictions on how children's data can be used or shared.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records at Idaho schools that receive federal funding. It gives parents (and students over 18) the right to access, review, and request corrections to educational records. FERPA works alongside Idaho's own student data protection law (§ 33-133) to create a dual layer of protection.
Fair Credit Reporting Act (FCRA)
The FCRA regulates how consumer reporting agencies in Idaho collect, share, and use credit information. Idaho residents have the right to access their credit reports, dispute inaccurate information, and limit who can access their credit data.
FTC Act Section 5
The Federal Trade Commission enforces Section 5 of the FTC Act against unfair or deceptive data practices. Idaho businesses that misrepresent their privacy policies or fail to implement reasonable data security measures face FTC enforcement regardless of whether Idaho has a specific state law covering the conduct.
A Note on Federal Comprehensive Privacy Legislation
The American Privacy Rights Act (APRA), which would have established a federal baseline for consumer data privacy rights, was introduced in 2024 but expired without passage at the end of the 118th Congress in January 2025. As of May 2026, the bill has not been reintroduced. There is no federal comprehensive consumer data privacy law in force.
How to Report a Data Breach in Idaho

For Businesses and Agencies
Contact the Idaho Attorney General's Consumer Protection Division:
- Email: consumer_protection@ag.idaho.gov
- Mailing address: P.O. Box 83720, Boise, ID 83720-0010
- Phone: 208-334-4135
State agencies must report within 24 hours of discovery. Private businesses may report voluntarily.
For Consumers
If you believe your personal information was compromised in a breach:
- Contact the company or agency that experienced the breach
- File a complaint with the Idaho Attorney General
- Place a fraud alert or credit freeze with the three major credit bureaus
- Monitor your financial accounts and credit reports for suspicious activity
The Attorney General's office maintains a public registry of reported breaches dating back to January 1, 2021.
Idaho vs. Other States: Where Does Idaho Stand?
As of May 2026, more than 20 states have enacted comprehensive consumer data privacy laws. Idaho is not among them. Here is how Idaho compares to neighboring and notable states.
| Feature | Idaho | Montana | Colorado | California |
|---|---|---|---|---|
| Comprehensive privacy law | No | Yes (effective Oct. 2024) | Yes (effective July 2023) | Yes (CCPA/CPRA) |
| Consumer right to access data | No | Yes | Yes | Yes |
| Consumer right to delete data | No | Yes | Yes | Yes |
| Right to opt out of data sales | No | Yes | Yes | Yes |
| Breach notification required | Yes | Yes | Yes | Yes |
| Breach notification deadline | "As soon as possible" | 60 days | 30 days | "Most expedient time possible" |
| AG notification required | State agencies only (24 hrs) | Yes (if 500+ affected) | Yes (if 500+ affected) | Yes (if 500+ affected) |
| Maximum breach fine | $25,000 per breach | $10,000 per violation | $20,000 per violation | $7,500 per intentional violation |
The gap is significant. Idaho residents have no statutory right to know what personal data a company holds about them, no right to request deletion, and no right to opt out of the sale of their personal information.
Privacy Legislation Outlook
Idaho has not enacted a comprehensive consumer data privacy law through the 2025 legislative session. No comprehensive privacy bill was on an active track in the 2025-2026 session as of May 2026.
The national trend remains clear: the number of states with comprehensive privacy laws has grown from roughly 5 in 2023 to more than 20 by mid-2026. Factors that could accelerate Idaho action include:
- Neighboring state pressure. Montana's comprehensive privacy law took effect in October 2024. As more states in the region adopt privacy laws, Idaho businesses that operate across state lines must comply with those laws regardless of what Idaho requires.
- Federal baseline potential. Although the APRA did not pass in 2024 and has not been reintroduced, renewed federal activity could establish a national floor that all states must meet.
- Sectoral expansion. The 2025 Insurance Data Security Act shows that Idaho is willing to adopt sector-specific privacy obligations. Additional sectoral laws in healthcare, financial services, or education technology could follow.
Until Idaho acts, residents should understand that their primary protections come from the breach notification law, identity theft criminal statutes, the new insurance security law, the synthetic media prohibition, and whichever federal laws apply to the specific industry handling their data.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney licensed in Idaho for guidance on your specific situation. Laws and regulations may change; verify all information with official state sources.
Frequently Asked Questions
Does Idaho have a comprehensive data privacy law?
No. As of May 2026, Idaho does not have a comprehensive consumer data privacy law. Unlike California, Colorado, Virginia, and neighboring Montana, Idaho has not enacted legislation giving residents broad rights to access, delete, or control how businesses use their personal data. Idaho relies on its data breach notification law (Idaho Code §§ 28-51-104 through 28-51-107), identity theft criminal statutes, the 2025 Insurance Data Security Act for the insurance sector, and federal privacy laws that apply to specific industries.
What should I do if my personal information is exposed in a data breach in Idaho?
First, contact the company or agency that experienced the breach for details about what information was compromised. Then file a complaint with the Idaho Attorney General's Consumer Protection Division at consumer_protection@ag.idaho.gov or call 208-334-4135. Place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion). Monitor your bank accounts and credit reports closely for unauthorized activity. Idaho law requires the breached entity to notify you as soon as possible if your personal information was compromised.
How quickly must a company notify me of a data breach in Idaho?
Idaho Code § 28-51-105 requires entities to notify affected residents "as soon as possible" after determining that personal information has been or is reasonably likely to be misused. The law does not set a specific number of days, unlike Colorado (30 days) or Montana (60 days). State agencies face a stricter standard and must notify the Idaho Attorney General within 24 hours of discovering a breach.
What are the penalties for identity theft in Idaho?
Identity theft is a felony in Idaho under Idaho Code § 18-3126. Obtaining or recording someone's personal identifying information without authorization, with intent to fraudulently obtain credit, money, goods, or services, carries penalties of up to 5 years in state prison, fines up to $50,000, or both. Acquiring personal information by falsely claiming authority (§ 18-3126A) carries the same penalties.
Can I sue a company in Idaho for mishandling my personal data?
Idaho's breach notification law does not include a private right of action. You cannot file a lawsuit directly under § 28-51-105 for a company's failure to notify you of a breach. Enforcement is handled by the entity's primary regulator, which can seek fines of up to $25,000 per breach. However, you may have other legal options. You can file a complaint with the Idaho Attorney General under the Consumer Protection Act (Idaho Code § 48-601 et seq.), and in some cases you may be able to pursue common law claims such as negligence if you suffered actual damages from a data breach.
Does the Idaho Insurance Data Security Act affect me as a consumer?
The Idaho Insurance Data Security Act (H0117, effective July 1, 2025) applies to insurance licensees, not directly to consumers. It requires insurance companies doing business in Idaho to maintain written information security programs and to notify the Idaho Department of Insurance within 10 business days of a significant cybersecurity event. Consumer notification for insurance-related breaches continues to follow the general breach notification rules under Idaho Code §§ 28-51-104 through 28-51-107. The law does not create a private right of action for consumers.
Is it illegal to share AI-generated intimate images of someone in Idaho without their consent?
Yes. Idaho House Bill 575 (enacted 2024) criminalizes the knowing disclosure of explicit synthetic media, including AI-generated nonconsensual intimate images, when the depicted person did not consent and the disclosure is likely to cause substantial emotional distress. A first offense is a misdemeanor (up to 6 months and $1,000 fine). A second or subsequent offense within 5 years is a felony (up to 10 years and $25,000 fine). Additionally, the federal TAKE IT DOWN Act (effective May 19, 2026) requires online platforms to remove reported nonconsensual intimate images within 48 hours of a valid takedown request.
Sources and References
- Idaho Code § 28-51-104: Definitions - Idaho Identity Theft (legislature.idaho.gov)
- Idaho Code § 28-51-105: Notification Requirements for Data Breaches (legislature.idaho.gov)
- Idaho Code § 28-51-106: Compliance Safe Harbors (legislature.idaho.gov)
- Idaho Code § 28-51-107: Penalties for Notification Violations (legislature.idaho.gov)
- Idaho Code § 18-3126: Misappropriation of Personal Identifying Information (legislature.idaho.gov)
- Idaho Code § 18-3126A: Acquisition by False Authority (legislature.idaho.gov)
- Idaho Code § 33-133: Student Data Privacy and Protections (legislature.idaho.gov)
- Idaho Consumer Protection Act - Idaho Code § 48-601 et seq. (legislature.idaho.gov)
- Idaho Code § 48-603: Unfair Methods and Deceptive Practices (legislature.idaho.gov)
- Idaho Public Records Act - Privacy Exemptions (§ 74-106) (legislature.idaho.gov)
- House Bill 117 (2025) - Idaho Insurance Data Security Act (legislature.idaho.gov)
- House Bill 575 (2024) - Disclosing Explicit Synthetic Media (legislature.idaho.gov)
- TAKE IT DOWN Act - S.146, 119th Congress (signed May 19, 2025) (congress.gov)
- Security Breaches - Idaho Office of the Attorney General (ag.idaho.gov)
- Consumer Protection Division - Idaho Attorney General (ag.idaho.gov)
- AG Labrador: 2025 Year in Review - Defending Consumers (ag.idaho.gov)