Mississippi Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Mississippi takes a targeted approach to data privacy rather than adopting a single comprehensive consumer data protection law. The state's primary data privacy statute is its data breach notification law, codified at Miss. Code Ann. 75-24-29, which requires businesses to notify Mississippi residents when their personal information has been compromised.
Beyond breach notification, Mississippi relies on its Consumer Protection Act, sector-specific regulations for the insurance industry, federal privacy frameworks, and criminal statutes addressing computer crimes and identity theft. This guide covers every relevant Mississippi data privacy statute, what rights residents have, what obligations businesses must meet, and what penalties apply for noncompliance.
Mississippi Data Breach Notification Law (Miss. Code Ann. 75-24-29)
Mississippi enacted its data breach notification law effective July 1, 2011, through H.B. 582. The statute is codified in the Regulation of Business for Consumer Protection chapter of the Mississippi Code. It establishes mandatory notification requirements when personal information of Mississippi residents is compromised through a security breach.

Who Must Comply
The law applies to any person who conducts business in Mississippi and who, in the ordinary course of their business, owns, licenses, or maintains personal information of any resident of the state. This broad scope covers businesses of all sizes, regardless of where the business is physically located, as long as it holds personal data belonging to Mississippi residents.
What Qualifies as Personal Information
Under Miss. Code Ann. 75-24-29, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial accounts
The definition specifically excludes publicly available information that is lawfully made available to the general public from federal, state, or local government records.
What Constitutes a Breach of Security
A "breach of security" under the statute means the unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of any Mississippi resident when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
This definition is significant because it creates an encryption safe harbor. If personal data was encrypted or otherwise rendered unreadable at the time of the breach, the notification requirements do not apply.
Notification Requirements
When a breach occurs, the business must disclose the breach to all affected individuals. The statute requires notification "without unreasonable delay," subject to two conditions:
- Completion of an investigation to determine the nature and scope of the incident and to identify affected individuals
- Restoration of the reasonable integrity of the data system
The law includes a harm-based exemption. Notification is not required if, after an appropriate investigation, the business reasonably determines that the breach will not likely result in harm to the affected individuals.
How Notice Must Be Provided
Mississippi law permits several methods for delivering breach notifications to affected individuals:
Written notice. A letter sent to the most recent address the business has on file for the affected individual.
Telephone notice. Direct phone contact with the affected individual.
Electronic notice. Email notification is permitted if the business's primary means of communication with the affected individual is by electronic means, or if the notice is consistent with the provisions of the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. 7001).
Substitute notice. When the cost of providing direct notice would exceed $5,000, the affected class of individuals exceeds 5,000 persons, or the business does not have sufficient contact information to provide written or telephone notice, substitute notice is permitted. Substitute notice requires all of the following:
- Email notice to affected individuals for whom the business has email addresses
- Conspicuous posting of the notice on the business's website
- Notification to statewide media
Attorney General Notification
If a business is required to notify 100 or more affected individuals of a breach, it must also provide written notice of the breach to the Mississippi Attorney General's office.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Once the law enforcement agency determines that the notification will no longer compromise the investigation, notification must proceed.
Exemptions for Regulated Entities
Entities that maintain their own notification procedures as part of an information security policy that is consistent with the timing requirements of the statute are deemed to be in compliance, provided they notify affected individuals in accordance with their existing policies.
Additionally, entities that are subject to and comply with the notification requirements of their primary or functional federal regulator are considered in compliance with the Mississippi statute.
Penalties for Breach Notification Violations
| Violation Type | Penalty | Authority |
|---|---|---|
| Failure to notify affected individuals | Unfair trade practice | Miss. Code Ann. 75-24-29 |
| Knowing and willful unfair trade practice | Up to $10,000 per violation | Miss. Code Ann. 75-24-19 |
| Attorney General injunctive relief | Temporary or permanent injunction | Miss. Code Ann. 75-24-9 |
| Insurance licensee breach reporting failure | Up to $5,000 per violation (misdemeanor) | Miss. Code Ann. 83-5-85 |
| Computer fraud (unauthorized access) | Up to $10,000 fine and/or 5 years imprisonment | Miss. Code Ann. 97-45-3 |
| Identity theft (over $250) | Up to $10,000 fine and/or 2 to 15 years imprisonment | Miss. Code Ann. 97-45-19 |
| Identity theft (under $250) | Up to $1,000 fine and/or 6 months imprisonment | Miss. Code Ann. 97-45-19 |
Failure to comply with the breach notification requirements constitutes an unfair trade practice under Miss. Code Ann. 75-24-29. The Mississippi Attorney General has exclusive enforcement authority. The statute does not create a private right of action, meaning individual consumers cannot sue businesses directly for failure to notify.
Under the Mississippi Consumer Protection Act, when the Attorney General proves through clear and convincing evidence that a person knowingly and willfully used any unfair or deceptive trade practice, civil penalties of up to $10,000 per violation may be imposed. The Attorney General may also seek temporary or permanent injunctive relief.
Mississippi Consumer Protection Act and Data Privacy
The Mississippi Consumer Protection Act (Miss. Code Ann. 75-24-1 et seq.) serves as a broader enforcement tool for data privacy violations even beyond breach notification failures. The Act prohibits unfair methods of competition and unfair or deceptive trade practices in commerce.
How It Applies to Data Privacy
Businesses that make misleading claims about their data security practices, fail to implement reasonable safeguards they have promised, or misrepresent how they collect, use, or share consumer data may face enforcement action under the Consumer Protection Act.
The Mississippi Attorney General's Consumer Protection Division, led by Director Crystal Utley Secoy, actively investigates and litigates cases involving unfair and deceptive business practices, including those related to data privacy. The division has been involved in multi-state enforcement actions against major technology companies including Meta and TikTok for privacy-related violations.
Filing a Consumer Complaint
Mississippi residents who believe a business has violated their privacy or mishandled their personal data can file a complaint with the Attorney General's Consumer Protection Division:
- Online: Through the complaint form on the Attorney General's website
- Email: consumer@ago.ms.gov
- Phone: Contact the Consumer Protection Division directly
Mississippi Insurance Data Security Act (Miss. Code Ann. 83-5-801 to 83-5-825)
Mississippi enacted the Insurance Data Security Act on April 3, 2019, with an effective date of July 1, 2019. The law is codified in Title 83, Chapter 5, Article 11 of the Mississippi Code. It applies specifically to insurance licensees and establishes comprehensive cybersecurity and data protection requirements for the insurance industry.
Key Requirements
Information security program. Each licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment. The program must include administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.
Risk assessment. Licensees must conduct periodic risk assessments to identify reasonably foreseeable internal and external threats that could result in unauthorized access to or misuse of nonpublic information.
Incident response plan. Licensees must establish a written incident response plan that includes internal processes for responding to cybersecurity events.
Third-party service provider oversight. Licensees must exercise due diligence in selecting third-party service providers and require them to implement appropriate security measures.
Incident Reporting
A licensee must notify the Mississippi Insurance Commissioner no later than three business days after determining that a cybersecurity event involving nonpublic information has occurred when certain criteria are met. This is a significantly shorter timeline than the general "without unreasonable delay" standard under the breach notification law.
Exemptions
The Insurance Data Security Act provides exemptions for smaller licensees that meet any of the following criteria:
- Fewer than 50 employees, excluding independent contractors
- Less than $5,000,000 in gross annual revenue
- Less than $10,000,000 in year-end total assets
- Licensed as an insurance producer or insurance adjuster
Penalties
Violations of the Insurance Data Security Act are penalized under Miss. Code Ann. 83-5-85, which applies to violations of the state's insurance laws. Offenders may be guilty of a misdemeanor and punished by a fine of up to $5,000.
Mississippi Computer Crimes and Identity Theft Laws
Mississippi's criminal code provides additional privacy protections through statutes addressing unauthorized computer access and identity theft. These laws are codified in Title 97, Chapter 45 of the Mississippi Code.
Computer Fraud (Miss. Code Ann. 97-45-3)
The computer fraud statute criminalizes the unauthorized access to computer systems, networks, and data. Under Miss. Code Ann. 97-45-3, penalties depend on the value of the damage or loss caused:
- Damage under $100: Misdemeanor with a fine of up to $1,000 and/or up to 6 months imprisonment
- Damage of $100 or more: Felony with a fine of up to $10,000 and/or up to 5 years imprisonment
Offenses Against Computer Users (Miss. Code Ann. 97-45-5)
This statute addresses denial of authorized access to computer systems and unauthorized disclosure of passwords, codes, or other access credentials. Penalties follow the same tiered structure as computer fraud.
Identity Theft (Miss. Code Ann. 97-45-19)
Mississippi's identity theft statute criminalizes obtaining or attempting to obtain personal identity information with the intent to unlawfully use that information. The penalties are tiered based on the value involved:
- Under $250: Misdemeanor punishable by up to $1,000 fine and/or up to 6 months in county jail
- $250 or more: Felony punishable by a fine of up to $10,000 and/or imprisonment of 2 to 15 years
Courts must also order convicted individuals to pay restitution to victims under Miss. Code Ann. 99-37-1.
Federal Privacy Laws That Apply in Mississippi
Because Mississippi does not have a comprehensive consumer data privacy law, federal statutes play a critical role in protecting the personal information of Mississippi residents in specific sectors.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses operating in Mississippi. The law requires covered entities to protect the privacy and security of protected health information (PHI) through administrative, technical, and physical safeguards.
The Mississippi State Department of Health provides guidance to residents on their rights under HIPAA, including the right to access medical records, request corrections, and receive an accounting of disclosures.
Mississippi does not impose state-level health privacy requirements that are stricter than HIPAA. Healthcare providers in the state follow the federal framework for protecting patient information.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions operating in Mississippi to explain their information-sharing practices and to safeguard sensitive customer data. Financial institutions must provide privacy notices to customers and implement comprehensive information security programs.
Mississippi's breach notification law explicitly exempts entities that comply with GLBA notification requirements from separate state compliance obligations.
Children's Online Privacy Protection Act (COPPA)
COPPA applies to operators of websites and online services directed at children under 13 who collect personal information from those children. The Mississippi Department of Education addresses COPPA compliance in its student data privacy guidance.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records in Mississippi schools and universities. The law requires schools to obtain written consent before releasing student information and gives parents and eligible students the right to inspect and correct records.
Mississippi enacted the Mississippi Student Data Accessibility, Transparency and Accountability Act of 2015, which requires the Mississippi Department of Education to comply with FERPA and ensure that contracts governing databases with student data include privacy and security safeguards.
FTC Act Section 5
The Federal Trade Commission Act prohibits unfair or deceptive acts or practices in commerce. The FTC has used this authority to bring enforcement actions against companies with inadequate data security practices, regardless of whether a state has its own comprehensive privacy law. Mississippi businesses are subject to FTC jurisdiction for deceptive privacy and security practices.
Proposed Comprehensive Privacy Legislation
Mississippi has introduced several comprehensive consumer privacy bills in recent legislative sessions, though none have been enacted as of March 2026.
HB 1051 (2026): Mississippi Consumer Privacy Protection Act
House Bill 1051 was introduced during the 2026 Regular Session. The bill would have created a comprehensive consumer privacy framework with the following provisions:
Applicability. The bill would apply to businesses conducting business in Mississippi with annual revenues exceeding $25 million that either process personal information of at least 25,000 consumers and derive over 50% of gross revenue from selling personal information, or process personal information of at least 175,000 consumers annually.
Consumer rights. The bill proposed granting Mississippi consumers the right to access, correct, delete, and obtain portable copies of their personal data, as well as the right to opt out of data sales, targeted advertising, and profiling.
Business obligations. Controllers would be required to provide clear privacy notices, respond to consumer requests within 45 days, establish appeals processes, and implement reasonable data security measures.
Enforcement. The Mississippi Attorney General would have exclusive enforcement authority, with civil penalties for violations.
Status. HB 1051 died in committee on February 3, 2026.
SB 2500 (2025): Mississippi Consumer Data Protection Act
Senate Bill 2500 was introduced during the 2025 Regular Session as the "Mississippi Consumer Data Protection Act." It proposed similar privacy protections including consumer rights to know, access, correct, delete, and port their data. The bill also failed to advance.
SB 2779 (2025): Mississippi Consumer Data Privacy Act
Senate Bill 2779 was another 2025 proposal that would have granted Mississippi consumers the right to know what personal information is collected about them, whether their data is sold and to whom, the right to opt out of data sales, and the right to access their collected personal data.
These repeated legislative attempts suggest that Mississippi may eventually adopt a comprehensive privacy law, but businesses should not rely on proposed legislation for compliance planning.
How Mississippi Compares to Neighboring States
Mississippi's data privacy framework is less comprehensive than several of its neighboring states. While states like Texas and Virginia have enacted comprehensive consumer data privacy laws, Mississippi continues to rely primarily on its breach notification statute and general consumer protection authority.
Alabama and Louisiana, like Mississippi, lack comprehensive consumer privacy laws and depend on breach notification requirements and existing consumer protection frameworks. Tennessee enacted the Tennessee Information Protection Act (TIPA) in 2023, which took effect July 1, 2025, putting it ahead of Mississippi in consumer data protection.
Practical Steps for Mississippi Residents
Even without a comprehensive privacy law, Mississippi residents can take several steps to protect their personal data:
Monitor for breach notifications. If you receive a breach notification from a business, take it seriously. Change passwords, monitor financial accounts, and consider placing a fraud alert or credit freeze with the major credit bureaus.
File complaints with the Attorney General. If you believe a business has mishandled your personal information or failed to notify you of a data breach, file a complaint with the Mississippi Attorney General's Consumer Protection Division at consumer@ago.ms.gov.
Exercise federal privacy rights. Even without a state privacy law, you have rights under federal laws like HIPAA (for medical records), FERPA (for education records), COPPA (for children's data), and GLBA (for financial information).
Use the FTC's complaint process. For companies that make deceptive claims about their privacy practices, you can file a complaint with the Federal Trade Commission.
This article provides general legal information about Mississippi data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently and legislative proposals may advance in future sessions. Consult with a qualified attorney licensed in Mississippi for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- Mississippi Code Ann. 75-24-29: Data Breach Notification Requirements (law.justia.com)
- Mississippi Code Ann. 75-24-19: Civil Penalties for Unfair Trade Practices (law.justia.com)
- Mississippi Attorney General: Consumer Protection Division (attorneygenerallynnfitch.com)
- Mississippi Insurance Data Security Law (mid.ms.gov)
- Mississippi Insurance Data Security Act: Miss. Code Ann. 83-5-801 to 83-5-825 (law.justia.com)
- Mississippi Computer Crimes and Identity Theft: Title 97, Chapter 45 (law.justia.com)
- Mississippi Identity Theft Statute: Miss. Code Ann. 97-45-19 (law.justia.com)
- Mississippi State Department of Health: Privacy and Your Health Information (msdh.ms.gov)
- Mississippi Department of Education: Information Security and Data Privacy (mdek12.org)
- Mississippi DIT Services: Cybersecurity for Businesses (its.ms.gov)
- HB 1051 (2026): Mississippi Consumer Privacy Protection Act (trackbill.com)
- SB 2500 (2025): Mississippi Consumer Data Protection Act (billstatus.ls.state.ms.us)
- U.S. Department of Health and Human Services: HIPAA (hhs.gov)
- Federal Trade Commission: Gramm-Leach-Bliley Act (ftc.gov)
- Federal Trade Commission: COPPA Rule (ftc.gov)
- U.S. Department of Education: FERPA (ed.gov)
- Mississippi State Auditor: State Agency Cybersecurity Compliance (osa.ms.gov)