Kansas Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Kansas takes a sectoral approach to data privacy rather than enacting a single comprehensive consumer privacy statute. While states like California, Colorado, Texas, and Virginia have passed broad data protection laws granting consumers extensive rights over their personal information, Kansas has not followed suit.
Instead, Kansas residents rely on a collection of targeted laws. These include a data breach notification statute, the state Consumer Protection Act, student data privacy protections, financial institution information security requirements, and criminal identity theft provisions.
This guide breaks down each Kansas law that touches data privacy, explains what protections you have, what businesses must do to comply, and how enforcement works across the state.
Protection of Consumer Information Act
The Protection of Consumer Information Act is Kansas's primary data breach notification law. Codified at K.S.A. 50-7a01 through 50-7a04, it took effect in 2006 and establishes the rules businesses and government agencies must follow when a security breach exposes personal information belonging to Kansas consumers.

Key Definitions Under K.S.A. 50-7a01
The statute defines several critical terms that determine when the law applies and who it protects.
Personal information means a consumer's first name or first initial and last name linked to any one or more of the following data elements, when those elements are neither encrypted nor redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number, alone or in combination with any required security code, access code, or password that would permit access to a consumer's financial account
This definition is narrower than what many newer state privacy laws cover. Kansas does not include biometric data, medical information, or online account credentials in its breach notification trigger -- unless those elements fall under one of the categories listed above.
Security breach means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of personal information. The breach must cause, or the entity must reasonably believe it has caused or will cause, identity theft to any consumer.
Encrypted means the transformation of data through an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.
A good-faith acquisition of personal information by an employee or agent of a business, for the purposes of that business, does not qualify as a security breach -- provided the personal information is not used for or subject to further unauthorized disclosure.
Breach Notification Requirements Under K.S.A. 50-7a02
When a business or government entity that conducts business in Kansas becomes aware of a security breach, K.S.A. 50-7a02 requires it to take the following steps.
Investigation. The entity must conduct a good-faith, reasonable, and prompt investigation to determine the likelihood that personal information has been or will be misused.
Consumer notification. If the investigation determines that misuse of information has occurred or is reasonably likely to occur, the entity must notify affected Kansas residents. The notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Kansas does not set a specific deadline measured in days. The standard is "without unreasonable delay," which gives businesses some flexibility but also leaves room for enforcement discretion by the Attorney General.
Large-scale breach reporting. When a breach requires notification to more than 1,000 consumers at one time, the entity must also notify all nationwide consumer reporting agencies of the timing, distribution, and content of the notices sent to consumers.
Methods of Notification
Kansas law allows notification through several channels:
- Written notice sent to the consumer's mailing address
- Electronic notice consistent with the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. Section 7001)
Substitute Notice
An entity may provide substitute notice if it demonstrates that the cost of providing standard notification would exceed $100,000, the affected class of consumers exceeds 5,000 people, or the entity does not have sufficient contact information to provide direct notice.
Substitute notice must include all of the following:
- Email notice to affected consumers for whom the entity has an email address
- Conspicuous posting of the notice on the entity's website
- Notification to major statewide media outlets
Compliance Alternatives
Businesses that maintain their own notification procedures as part of an information security policy are deemed in compliance with Kansas law, as long as those procedures are consistent with the timing requirements of K.S.A. 50-7a02 and the business follows its own policies when a breach occurs.
Entities regulated by state or federal law that maintain breach procedures under their primary regulator's rules, regulations, or guidelines are also deemed in compliance.
Enforcement and Penalties
The Kansas Attorney General has the authority to bring enforcement actions against individuals and commercial entities that violate the Protection of Consumer Information Act. The Attorney General may seek injunctive relief and civil penalties.
For violations committed by a state-licensed insurance company, the Kansas Insurance Commissioner has sole enforcement authority rather than the Attorney General.
Kansas's breach notification law does not provide a private right of action. Individual consumers cannot sue a business directly for failing to provide breach notification. Enforcement rests exclusively with the Attorney General or, for insurers, the Insurance Commissioner.
K.S.A. 50-7a03 has been repealed. K.S.A. 50-7a04 is a severability clause that preserves the remaining provisions of the Act if any single provision is found invalid.
Kansas Consumer Protection Act
The Kansas Consumer Protection Act (KCPA), codified at K.S.A. 50-623 through 50-643, is the state's general consumer protection statute. While it was not designed specifically for data privacy, the Attorney General has used it to pursue enforcement actions related to deceptive data practices.
How the KCPA Applies to Data Privacy
The KCPA prohibits deceptive acts and practices, unconscionable acts, and false or misleading representations in consumer transactions. Under K.S.A. 50-623, the Act is to be construed liberally to promote its purposes, which include:
- Simplifying and modernizing the law governing consumer transactions
- Protecting consumers from suppliers who commit deceptive and unconscionable practices
- Encouraging fair and honest business dealings
When a company collects personal data from Kansas consumers and then fails to protect it as promised in its privacy policy, misrepresents how data will be used, or engages in deceptive data collection practices, the Attorney General can bring an action under the KCPA.
Penalties Under the KCPA
Violations of the Kansas Consumer Protection Act carry civil penalties of $500 to $1,000 per violation. Each deceptive act directed at an individual consumer can constitute a separate violation, meaning penalties can accumulate rapidly in cases involving widespread data misuse.
The Attorney General may also seek injunctive relief to stop ongoing violations and obtain restitution for affected consumers.
Identity Theft as an Unconscionable Act
Kansas law explicitly links identity theft to the Consumer Protection Act. Under K.S.A. 50-6,139b, conduct that constitutes identity theft under K.S.A. 21-6107 is considered an unconscionable act or practice. Any person who engages in such conduct is subject to all remedies and penalties available under the KCPA.
This provides the Attorney General with an additional enforcement tool when data breaches lead to identity theft.
Student Data Privacy Act
Kansas enacted the Student Data Privacy Act in 2014 through Senate Bill 367, now codified at K.S.A. 72-6311 through 72-6320. The law specifically protects student information held by educational agencies and their contractors.
What the Student Data Privacy Act Prohibits
The Act prohibits three categories of conduct:
- Unauthorized disclosure of student data and personally identifiable student data. Educational agencies and their operators cannot release student records without proper authorization.
- Unauthorized collection of biometric data from students. Schools and their technology vendors cannot collect fingerprints, retinal scans, or other biometric identifiers without authorization.
- Unauthorized use of devices to assess psychological or emotional state. No device or mechanism may be used to evaluate a student's psychological or emotional condition without proper consent.
Definitions of Protected Data
Student data includes information contained in a student's educational record, such as state and national assessment results, course completion and transcript information, graduation data, and dropout data.
Personally identifiable student data means student data that, alone or in combination, is linked or linkable to a specific student and would allow a reasonable person to identify the student with reasonable certainty.
Enforcement
The Kansas Attorney General or a district attorney may enforce the Student Data Privacy Act by bringing an action in court. They may seek injunctive relief to prevent any educational agency from disclosing student data in violation of the Act.
Citizens who believe a school or educational technology vendor has violated the Act can file complaints with either their district attorney or the Office of the Attorney General.
Kansas Financial Institutions Information Security Act
In 2023, Kansas enacted the Kansas Financial Institutions Information Security Act through Senate Bill 44. This law established information security standards for financial institutions operating in the state.
Purpose and Standards
The Act aligns Kansas with federal information security requirements by establishing standards consistent with 16 C.F.R. Section 314 (the FTC's Safeguards Rule) as in effect on July 1, 2023. This means covered entities must implement comprehensive information security programs to protect customer data.
Covered Entities
The Financial Institutions Information Security Act applies to:
- Credit services organizations
- Mortgage companies
- Supervised lenders
- Financial institutions engaging in money transmission
Enforcement by the State Bank Commissioner
The Kansas State Bank Commissioner implements, administers, and enforces the Act. The Commissioner may assess fines or civil penalties on a covered entity of up to $5,000 per violation and may also assess the costs of investigation, examination, or enforcement actions.
Kansas Identity Theft Criminal Statute
Kansas criminalizes identity theft under K.S.A. 21-6107. While this is a criminal law rather than a data privacy regulation, it provides important protections for Kansas residents whose personal information is stolen or misused.
Definition of Identity Theft
Identity theft in Kansas means obtaining, possessing, transferring, using, selling, or purchasing any personal identifying information or document containing the same, belonging to or issued to another person, with the intent to:
- Defraud that person or anyone else in order to receive any benefit
- Misrepresent that person in order to subject them to economic or bodily harm
Personal Identifying Information
The statute defines personal identifying information broadly. It includes:
- Financial account numbers
- Passwords that can be used to access financial resources, including checking or savings accounts
- Credit or debit card information
- Usernames or other log-in credentials that can be used to access personal electronic content
Criminal Penalties
Identity theft penalties in Kansas are scaled based on the monetary loss to victims:
- Less than $1,000: Severity level 8 nonperson felony
- $1,000 to $25,000: Severity level 7 nonperson felony
- $25,000 to $100,000: Severity level 6 nonperson felony
- More than $100,000: Severity level 5 nonperson felony
Kansas felony sentencing guidelines determine the actual prison time based on the severity level and the offender's criminal history. A severity level 5 nonperson felony can carry a presumptive prison sentence ranging from 31 to 136 months depending on prior convictions.
Credit Freeze Protections
Kansas law provides consumers with the right to place a security freeze on their credit reports under K.S.A. 50-702 and related statutes in the Kansas Fair Credit Reporting Act.
How a Security Freeze Works
A security freeze is a notice placed on a consumer report that prohibits a consumer reporting agency from releasing the consumer's credit report or credit score for the purpose of extending credit. This prevents identity thieves from opening new accounts in a victim's name.
Placing a Freeze
Kansas consumers can request a security freeze through:
- Written request sent by certified mail or regular mail
- A secure website if the consumer reporting agency makes one available
- Telephone, if the agency does not have an available secure website
A consumer reporting agency must place the freeze within five business days of receiving the request.
Identification and Management
Within 10 business days of placing a freeze, the consumer reporting agency must provide the consumer with a unique personal identification number, password, or similar device. The agency must also explain the process for placing, removing, and temporarily lifting a security freeze.
Credit freezes in Kansas are free for all consumers. This aligns with the federal Economic Growth, Regulatory Relief, and Consumer Protection Act, which made credit freezes free nationwide.
Kansas Health Information Privacy
Kansas addresses health information privacy primarily through the Kansas Health Information Technology Act, codified at K.S.A. 65-6821 through 65-6836, and through compliance with the federal Health Insurance Portability and Accountability Act (HIPAA).
State-Level Requirements
Kansas law defines health information and protected health information using the same definitions as the HIPAA Privacy Rule. Covered entities in Kansas must provide individuals or their personal representatives with access to their protected health information.
Health care providers must furnish copies of health care records to patients, authorized representatives, or other authorized persons. Under K.S.A. 65-6836, copies must be furnished within 30 days of receiving a proper authorization.
A provider may withhold copies only if providing them would cause substantial harm to the patient or another person. This protection ensures Kansas residents maintain access to their own medical data.
Controlling Law
Where any provision of Kansas state law regarding the confidentiality, privacy, security, or privileged status of protected health information conflicts with the Kansas Health Information Technology Act, the Act's provisions control. Certain exceptions apply for peer review and risk management statutes.
Federal Laws That Apply in Kansas
Because Kansas lacks a comprehensive state-level consumer data privacy law, federal statutes play a significant role in protecting Kansas residents' personal data.
HIPAA
The Health Insurance Portability and Accountability Act governs how health care providers, insurers, and their business associates handle protected health information for Kansas residents. HIPAA establishes national standards for the security and privacy of medical records and provides patients with rights to access and request corrections to their health data.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices and to safeguard sensitive consumer financial data. Kansas banks, credit unions, and other financial service providers must comply with GLBA's privacy notice and data security requirements.
FERPA
The Family Educational Rights and Privacy Act protects the privacy of student education records at institutions that receive federal funding. FERPA works alongside Kansas's own Student Data Privacy Act to protect student information in the state.
FTC Act Section 5
The Federal Trade Commission Act prohibits unfair or deceptive acts or practices in commerce. The FTC has used this authority to bring enforcement actions against companies nationwide, including those operating in Kansas, for data privacy and security failures.
Children's Online Privacy Protection Act
COPPA requires websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children. This federal law applies to all operators collecting data from Kansas children.
The Outlook for Comprehensive Privacy Legislation in Kansas
As of 2026, Kansas has not introduced a comprehensive consumer data privacy bill similar to those enacted in California, Virginia, Colorado, Connecticut, Texas, or the other states that have passed broad privacy laws.
No pending legislation in the Kansas Legislature would create broad consumer rights like the right to access, delete, or opt out of the sale of personal data. Kansas remains among the states that rely on sectoral laws and federal protections rather than a unified data privacy framework.
This means Kansas residents currently do not have statutory rights to:
- Request a copy of all personal data a company holds about them
- Demand deletion of their personal data
- Opt out of the sale or sharing of their personal data
- Opt out of targeted advertising based on their data
- Correct inaccurate personal data held by a business
These rights exist in states with comprehensive privacy laws but are not available under current Kansas statutes.
Residents and businesses should monitor the Kansas Legislature for any future privacy bills, as the national trend toward comprehensive state privacy laws continues to accelerate.
Frequently Asked Questions
Does Kansas have a comprehensive data privacy law?
No. Kansas does not have a comprehensive consumer data privacy law similar to the California Consumer Privacy Act, the Texas Data Privacy and Security Act, or the Virginia Consumer Data Protection Act. Kansas relies on a patchwork of targeted statutes covering data breach notification, consumer protection, student data privacy, and financial institution security. Federal laws like HIPAA, GLBA, and the FTC Act fill additional gaps.
What are my rights if a company experiences a data breach involving my information in Kansas?
Under the Protection of Consumer Information Act (K.S.A. 50-7a02), any business or government entity that conducts business in Kansas must notify you without unreasonable delay if a security breach has compromised your personal information and misuse has occurred or is reasonably likely to occur. Personal information includes your name linked to your Social Security number, driver's license number, or financial account numbers. You also have the right to place a free security freeze on your credit reports.
Can I sue a company in Kansas for a data breach?
Kansas's breach notification law does not provide a private right of action. You cannot sue a company directly under K.S.A. 50-7a01 through 50-7a04 for failing to notify you of a breach. Enforcement is handled by the Kansas Attorney General or the Insurance Commissioner for insurance companies. However, you may have claims under the Kansas Consumer Protection Act if a company engaged in deceptive practices related to your data, and you may have common-law claims depending on the circumstances.
How does Kansas protect student data privacy?
The Kansas Student Data Privacy Act (K.S.A. 72-6311 through 72-6320) prohibits unauthorized disclosure of student data, unauthorized collection of biometric data from students, and unauthorized use of devices to assess a student's psychological or emotional state. The Attorney General and district attorneys can enforce the Act. Parents and students can file complaints with the Attorney General's office if they believe a school or educational technology vendor has violated these protections.
What penalties do businesses face for violating Kansas data privacy laws?
Penalties depend on which statute is violated. Under the Kansas Consumer Protection Act, civil penalties range from $500 to $1,000 per violation. Under the Financial Institutions Information Security Act, the State Bank Commissioner can assess fines up to $5,000 per violation. Identity theft is a felony with sentences ranging up to 136 months in prison depending on the monetary loss. The Attorney General can also seek injunctive relief and restitution under multiple statutes.
Sources and References
- K.S.A. 50-7a01 - Consumer Information; Security Breach; Definitions (ksrevisor.gov)
- K.S.A. 50-7a02 - Security Breach; Requirements (ksrevisor.gov)
- K.S.A. 50-7a04 - Severability (ksrevisor.gov)
- K.S.A. 50-623 - Kansas Consumer Protection Act; Purpose (kslegislature.gov)
- Kansas AG - Your Identity / Consumer Protection (ag.ks.gov)
- Kansas AG - Student Data Privacy (ag.ks.gov)
- K.S.A. 21-6107 - Identity Theft (ksrevisor.gov)
- K.S.A. 50-702 - Kansas Fair Credit Reporting Act (ksrevisor.gov)
- Kansas Financial Institutions Information Security Act - SB 44 Summary (kslegislature.gov)
- K.S.A. 65-6822 - Kansas Health Information Technology Act (ksrevisor.gov)
- K.S.A. 65-6836 - Health Care Records (ksrevisor.gov)
- Kansas Legislature - Chapter 50: Unfair Trade and Consumer Protection (ksrevisor.gov)
- K.S.A. 72-6311 - Student Data Privacy Act (ksrevisor.gov)
- K.S.A. 9-554 - Financial Institutions Information Security (ksrevisor.gov)
- 15 U.S.C. Section 7001 - E-SIGN Act (congress.gov)
- FTC Safeguards Rule - 16 C.F.R. Section 314 (ecfr.gov)
- HHS - HIPAA (hhs.gov)
- FTC - Gramm-Leach-Bliley Act (ftc.gov)
- FERPA (ed.gov)
- FTC Act (ftc.gov)
- COPPA Rule (ftc.gov)