Mississippi Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Mississippi has no comprehensive consumer data privacy law. The state's primary data protection requirement is its breach notification statute, Miss. Code Ann. § 75-24-29, which requires businesses holding personal information of Mississippi residents to notify affected individuals without unreasonable delay after a security breach.
Mississippi takes a targeted approach to data privacy rather than enacting a single comprehensive consumer protection law. The state's primary data privacy statute is its data breach notification law, codified at Miss. Code Ann. § 75-24-29, which requires businesses to notify Mississippi residents when their personal information has been compromised.
Beyond breach notification, Mississippi relies on its Consumer Protection Act for deceptive data practices, the Insurance Data Security Act for licensed insurers, federal privacy frameworks, and criminal statutes addressing computer crimes and identity theft. This page covers every relevant Mississippi data privacy statute, what rights residents have, what obligations businesses must meet, and what penalties apply for noncompliance.
Mississippi has introduced comprehensive privacy legislation in multiple recent sessions, most recently HB 1051 in 2026, but none of these bills have advanced. Until a comprehensive law passes, federal overlay remains the dominant protection for most Mississippians.
Mississippi Data Breach Notification Law (Miss. Code Ann. § 75-24-29)

Mississippi enacted its data breach notification law effective July 1, 2011, through H.B. 582. The statute applies to any person who conducts business in Mississippi and, in the ordinary course of that business, owns, licenses, or maintains personal information of any resident of the state. This scope covers businesses of all sizes, regardless of physical location, as long as they hold personal data belonging to Mississippi residents.
What Qualifies as Personal Information
"Personal information" means an individual's first name or first initial and last name combined with any one or more of the following data elements: Social Security number; driver's license number or state identification card number; or financial account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the individual's financial accounts. Publicly available government records are excluded.
What Constitutes a Breach
A "breach of security" is the unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to that information has not been secured by encryption or other technology that renders it unreadable or unusable. Encrypted data is not subject to the notification requirement, creating a meaningful safe harbor for businesses that encrypt data at rest.
Notification Requirements
When a breach occurs, the business must disclose it to all affected individuals without unreasonable delay, subject to: completion of an investigation to determine the nature and scope of the incident, and restoration of the reasonable integrity of the data system. Notification is not required if the business reasonably determines after an appropriate investigation that the breach will not likely result in harm.
If 100 or more individuals are affected, the business must also provide written notice to the Mississippi Attorney General's office.
Permitted Notice Methods
- Written notice sent to the individual's last known address
- Telephone notice with direct personal contact
- Electronic notice, when consistent with the federal E-SIGN Act (15 U.S.C. § 7001)
- Substitute notice, when the cost of direct notice would exceed $5,000, the affected class exceeds 5,000 people, or the business lacks sufficient contact information. Substitute notice requires email to all known email addresses, conspicuous website posting, and notification to statewide media.
Law enforcement may request a delay in notification if the disclosure would impede a criminal investigation.
Compliance Safe Harbors
Entities that maintain their own notification procedures consistent with the statute's timing requirements are deemed compliant if they notify affected individuals under their own policies. Entities subject to and compliant with the notification requirements of a primary federal regulator (such as HIPAA or GLBA) are also deemed compliant.
Penalties for Breach Notification Violations
Failure to comply with Miss. Code Ann. § 75-24-29 constitutes an unfair trade practice under the Mississippi Consumer Protection Act. The Attorney General may seek civil penalties of up to $10,000 per knowing and willful violation under Miss. Code Ann. § 75-24-19, and may obtain temporary or permanent injunctive relief. There is no private right of action for individual consumers.
| Violation | Penalty | Authority |
|---|---|---|
| Failure to notify affected individuals | Unfair trade practice | Miss. Code Ann. § 75-24-29 |
| Knowing and willful unfair trade practice | Up to $10,000 per violation | Miss. Code Ann. § 75-24-19 |
| Attorney General injunctive relief | Temporary or permanent injunction | Miss. Code Ann. § 75-24-9 |
| Computer fraud (damage $100 or more) | Up to $10,000 fine and/or up to 5 years imprisonment | Miss. Code Ann. § 97-45-3 |
| Identity theft ($250 or more) | Up to $10,000 fine and/or 2 to 15 years imprisonment | Miss. Code Ann. § 97-45-19 |
Mississippi Consumer Protection Act and Data Privacy
The Mississippi Consumer Protection Act (Miss. Code Ann. § 75-24-1 et seq.) serves as a broader enforcement tool for data privacy violations beyond breach notification failures. The Act prohibits unfair methods of competition and unfair or deceptive trade practices in commerce. Businesses that make misleading claims about their data security practices, fail to implement safeguards they have promised, or misrepresent how they collect or share consumer data may face enforcement action.
Attorney General Lynn Fitch has been active on data privacy through multi-state enforcement coalitions. In August 2024, Fitch joined a 21-state coalition that sent a demand letter to Temu (PDD Holdings) requesting answers about the company's data collection practices, its connections to the Chinese Communist Party, and potential consumer protection violations. Mississippi residents who believe a business has mishandled their personal data can file a complaint with the Attorney General's Consumer Protection Division at consumer@ago.ms.gov.
Mississippi Insurance Data Security Act (Miss. Code Ann. §§ 83-5-801 to 83-5-825)

Mississippi enacted the Insurance Data Security Act on April 3, 2019, effective July 1, 2019. The law applies specifically to insurance licensees and establishes comprehensive cybersecurity and data protection requirements modeled on the NAIC Insurance Data Security Model Law.
Core Requirements
Each licensee must develop, implement, and maintain a comprehensive written information security program based on a risk assessment. The program must include administrative, technical, and physical safeguards for nonpublic information and the licensee's information systems. Licensees must also maintain a written incident response plan and exercise due diligence in selecting and overseeing third-party service providers.
Incident Reporting
A licensee must notify the Mississippi Insurance Commissioner no later than three business days after determining that a cybersecurity event involving nonpublic information has occurred, when certain criteria are met. This three-day timeline is significantly shorter than the general "without unreasonable delay" standard in the breach notification law.
2026 Amendment: HB 1220
Mississippi HB 1220 (2026 Regular Session), signed into law and effective July 1, 2026, amends Miss. Code Ann. § 83-5-803. The amendment requires cybersecurity standards to align with nationally recognized frameworks (such as NIST or CIS controls) and creates a rebuttable presumption against liability in connection with a cybersecurity incident for licensees whose programs substantially align with those standards.
Exemptions
Exemptions apply for licensees that meet any of the following criteria: fewer than 50 employees (excluding independent contractors); less than $5 million in gross annual revenue; less than $10 million in year-end total assets; or licensed solely as an insurance producer or adjuster.
Annual compliance certification is required from Mississippi-domiciled insurers. Cybersecurity events may be reported to cyberreporting@mid.ms.gov.
Mississippi Recording Laws (Miss. Code Ann. § 41-29-531)
Mississippi is a one-party consent state for recording telephone and in-person conversations. Under Miss. Code Ann. § 41-29-531, a person may record a communication if the person is a party to it, or if one party has given prior consent, unless the recording is made for a criminal or tortious purpose. Violations carry criminal penalties of up to $10,000 and one year imprisonment for misdemeanor interception, and up to five years and $10,000 for disclosing the contents of unlawfully intercepted communications. Civil damages of at least $100 per day or $1,000 (whichever is greater) are available to individuals whose communications were illegally recorded. Full details appear on the Mississippi recording laws page.
Pending Comprehensive Privacy Legislation
Mississippi has introduced comprehensive consumer data privacy bills in every recent session. None have been enacted.
HB 1051 (2026): Introduced as the Mississippi Consumer Privacy Protection Act during the 2026 Regular Session. It would have applied to businesses with annual revenues exceeding $25 million that either process personal information of at least 25,000 consumers and derive over 50% of revenue from selling personal information, or process personal information of at least 175,000 consumers annually. The bill would have granted rights to access, correct, delete, and port personal data, and to opt out of data sales, targeted advertising, and profiling. It died in committee on February 3, 2026.
SB 2500 (2025): The Mississippi Consumer Data Protection Act, introduced during the 2025 Regular Session with similar provisions. It also failed to advance.
SB 2080 (2023): An earlier attempt to enact the Mississippi Consumer Data Privacy Act, which also died in committee.
These repeated introductions signal growing legislative interest, but businesses operating in Mississippi should not rely on pending legislation for compliance planning.
Federal Privacy Laws That Apply in Mississippi

Because Mississippi lacks a comprehensive consumer privacy law, federal statutes are the primary source of data protection rights for most residents.
TAKE IT DOWN Act (Pub. L. 119-12, May 19, 2025)
The TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act) was signed May 19, 2025. The criminal prohibition on publishing nonconsensual intimate visual depictions (NCII), including AI-generated deepfakes, took effect immediately. Starting May 19, 2026, covered platforms (social media, image-sharing, messaging, gaming services, and similar) must: (1) establish a process for consumers to request removal of NCII, and (2) remove the images and known identical copies within 48 hours of a valid request. The FTC enforces Section 3 with civil penalties of up to $53,088 per violation. Mississippi residents whose intimate images have been shared without consent can request removal through a covered platform's notice-and-takedown process and file a complaint with the FTC if the platform does not comply.
HIPAA
The Health Insurance Portability and Accountability Act applies to healthcare providers, health plans, and healthcare clearinghouses operating in Mississippi. HIPAA requires covered entities and their business associates to protect protected health information (PHI) through administrative, technical, and physical safeguards. Mississippi does not impose state-level health privacy requirements stricter than HIPAA. The Mississippi State Department of Health provides guidance to residents on accessing medical records and filing complaints with HHS.
GLBA
The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices and safeguard sensitive customer data. Mississippi's breach notification law explicitly exempts entities that are in compliance with GLBA notification requirements.
COPPA
The Children's Online Privacy Protection Act applies to operators of websites and online services directed at children under 13 who collect personal information from those children. The Mississippi Department of Education addresses COPPA compliance in its student data privacy guidance.
FERPA
The Family Educational Rights and Privacy Act protects the privacy of student education records in Mississippi schools and universities. Mississippi's Student Data Accessibility, Transparency and Accountability Act of 2015 requires the state Department of Education to comply with FERPA and include privacy and security safeguards in contracts governing student data databases.
FTC Act Section 5
The FTC Act prohibits unfair or deceptive acts or practices in commerce. The FTC has used this authority to bring enforcement actions against companies with inadequate data security practices, regardless of whether a state has its own comprehensive privacy law. Mississippi businesses are subject to FTC jurisdiction for deceptive privacy and security practices.
FCRA and FACTA
The Fair Credit Reporting Act and Fair and Accurate Credit Transactions Act govern consumer reporting agencies and the accuracy, privacy, and security of consumer credit information. Mississippi residents have the right to a free annual credit report, to dispute inaccurate information, and to place security freezes and fraud alerts on their credit files.
Practical Steps for Businesses
Businesses that collect or process personal data from Mississippi residents should maintain a written information security policy and review it annually. If a breach occurs, begin the investigation immediately and prepare to notify affected individuals without unreasonable delay. Notify the Attorney General if 100 or more individuals are affected. If regulated by HIPAA or GLBA, confirm whether the federal safe harbor applies. Insurance licensees must additionally maintain an incident response plan and report qualifying cybersecurity events to the Insurance Commissioner within three business days.
Keep records of breach investigations and notification timelines. If any data is encrypted using industry-standard methods, document that fact explicitly to support an encryption safe harbor defense.
How Mississippi Residents Exercise Their Rights

Mississippi does not yet grant residents broad rights to access, delete, or port their personal data from private companies. Consumer rights under state law are limited to receiving breach notifications, filing complaints with the Attorney General, and pursuing criminal enforcement through the Cyber Crime Division.
Under federal law, Mississippi residents have rights including: the right to access and request corrections to medical records under HIPAA; the right to access and dispute credit reports under the FCRA; the right to a free annual credit report at AnnualCreditReport.com; and the right to place fraud alerts or credit freezes with the major credit bureaus at no cost.
For complaints: file with the Mississippi Attorney General's Consumer Protection Division at consumer@ago.ms.gov or through the online form at attorneygenerallynnfitch.com. For federal violations, file with the FTC at reportfraud.ftc.gov or with HHS for HIPAA complaints at hhs.gov/hipaa/filing-a-complaint.
This article provides general legal information about Mississippi data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in Mississippi for advice about your specific situation. Last reviewed: May 2026.
Frequently Asked Questions
Does Mississippi have a comprehensive consumer data privacy law?
No. As of May 2026, Mississippi does not have a comprehensive consumer data privacy law similar to California's CCPA or Virginia's VCDPA. The state has introduced multiple bills, including HB 1051 in 2026 and SB 2500 in 2025, but none have been enacted. Mississippi relies primarily on its data breach notification law (Miss. Code Ann. § 75-24-29), the Consumer Protection Act, sector-specific insurance regulations, and applicable federal privacy laws.
What are the data breach notification requirements in Mississippi?
Under Miss. Code Ann. § 75-24-29, any business that owns, licenses, or maintains personal information of Mississippi residents must notify affected individuals without unreasonable delay when a security breach occurs. Personal information means name combined with Social Security number, driver's license number, or financial account numbers with security codes. If 100 or more individuals are affected, the business must also notify the Mississippi Attorney General. Notification is not required if the business reasonably determines the breach will not likely cause harm, or if the data was encrypted.
What penalties does Mississippi impose for failing to report a data breach?
Failure to comply with Mississippi's breach notification law is treated as an unfair trade practice under the Consumer Protection Act. The Attorney General can seek civil penalties of up to $10,000 per knowing and willful violation and can obtain injunctive relief. There is no private right of action for individual consumers.
Does Mississippi have specific cybersecurity requirements for insurance companies?
Yes. The Mississippi Insurance Data Security Act (Miss. Code Ann. §§ 83-5-801 to 83-5-825), effective July 1, 2019, requires insurance licensees to develop and maintain written information security programs, conduct risk assessments, maintain incident response plans, and report qualifying cybersecurity events to the Insurance Commissioner within three business days. A 2026 amendment (HB 1220, effective July 1, 2026) adds a safe harbor for programs that align with nationally recognized cybersecurity standards. Exemptions apply for licensees with fewer than 50 employees, under $5 million in annual revenue, or under $10 million in total assets.
What does the TAKE IT DOWN Act mean for Mississippi residents?
The TAKE IT DOWN Act (Pub. L. 119-12), signed May 19, 2025, is a federal law that criminalizes the publication of nonconsensual intimate images, including AI-generated deepfakes. Starting May 19, 2026, covered platforms must remove such images within 48 hours of a valid consumer request. The FTC enforces compliance and can impose civil penalties of up to $53,088 per violation. Mississippi residents can request removal directly from platforms and file an FTC complaint if the platform does not comply within 48 hours.
Can I sue a company in Mississippi for mishandling my personal data?
Mississippi's breach notification law does not create a private right of action. Only the Attorney General can enforce violations of Miss. Code Ann. § 75-24-29. You can file a complaint with the Attorney General's Consumer Protection Division at consumer@ago.ms.gov. For federal violations, such as HIPAA or FTC Act violations, separate federal enforcement mechanisms apply. The TAKE IT DOWN Act provides a separate civil right of action under 15 U.S.C. § 6851 for victims of nonconsensual intimate image disclosure.
Is Mississippi a one-party consent state for recording calls?
Yes. Under Miss. Code Ann. § 41-29-531, a person may record a phone call or in-person conversation if they are a party to it or if one party has consented, unless the recording is made for a criminal or tortious purpose. This means you can legally record your own conversations without telling the other party. Recording a conversation you are not part of without consent is a criminal violation.