Missouri Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Missouri takes a sectoral approach to data privacy rather than adopting a single comprehensive consumer privacy statute. The state relies on several targeted laws to protect residents' personal information, with the data breach notification statute (Mo. Rev. Stat. Section 407.1500) serving as the primary privacy protection for most consumers.
This guide covers every major Missouri law that touches data privacy, from breach notification requirements to identity theft penalties to Social Security number protections. It also explains how federal privacy laws fill the gaps where Missouri does not have state-level protections.
Missouri Has No Comprehensive Consumer Privacy Law
As of 2026, Missouri has not enacted a comprehensive consumer data privacy law. States like California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA) have passed laws granting residents broad rights over their personal data, including the right to access, correct, delete, and opt out of the sale of personal information.

Missouri residents do not currently have these broad statutory rights under state law.
Legislative Efforts That Have Not Succeeded
Missouri lawmakers have introduced privacy legislation in recent sessions. In 2024, Senate Bill 731 proposed creating consumer data protection rights similar to those in other states, including rights to access and delete personal data and opt out of data sales. The bill died in committee.
Other proposals have been introduced in the Missouri House and Senate during the 2024 and 2025 legislative sessions, but none advanced to the governor's desk. The 2024 session was particularly unproductive for privacy legislation, with historically low overall bill passage rates.
Until the legislature acts, Missouri residents must rely on the state's existing patchwork of privacy-related statutes and federal law for data protection.
Missouri Data Breach Notification Law (Mo. Rev. Stat. Section 407.1500)
The Missouri data breach notification statute is the state's most significant data privacy protection. It establishes mandatory notification requirements when personal information is compromised in a security breach.
Who Must Comply
The law applies to two categories of entities:
Data owners and licensees: Any person that owns or licenses personal information of residents of Missouri, or any person that conducts business in Missouri that owns or licenses personal information in any form of a Missouri resident, must notify affected consumers following a breach.
Data custodians: Any person that maintains or possesses records or data containing personal information of Missouri residents that the person does not own or license must notify the owner or licensee of the information immediately following discovery of a breach.
This broad scope means the law covers businesses of all sizes, government contractors, service providers, and any other entity that handles Missouri residents' personal data.
What Qualifies as a Breach of Security
Under Section 407.1500, a "breach of security" is defined as unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.
Two conditions must be present for an event to constitute a breach: there must be unauthorized access, and there must be unauthorized acquisition. Simply accessing data without acquiring it may not trigger the notification requirement.
Good-faith acquisition of personal information by an entity or its employee or agent for a legitimate purpose is not considered a breach of security, provided the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
What Personal Information Is Protected
The statute defines "personal information" as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not encrypted, redacted, or otherwise rendered unreadable or unusable:
| Data Element | Examples |
|---|---|
| Social Security number | Full SSN |
| Driver's license or government ID number | MO driver's license, state ID |
| Financial account number with security code | Bank account + PIN, credit card + CVV |
| Unique electronic identifier or routing code with security code | Online banking credentials |
| Medical information | Medical history, diagnoses, treatment records |
| Health insurance information | Policy number, subscriber ID, insurer identifiers |
Missouri's definition is broader than some states because it includes medical information and health insurance information as protected data elements. If any of these data elements are encrypted, redacted, or otherwise rendered unreadable, a breach involving those elements does not trigger the notification requirement.
Notification Timeline
Missouri requires notification to be made "without unreasonable delay." The statute does not specify a fixed number of days, unlike states such as Colorado (30 days) or Florida (30 days).
The notification timeline accounts for the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Attorney General Notification
When a breach affects more than 1,000 consumers at one time, the entity must also notify the Missouri Attorney General's office without unreasonable delay. This notification must include the timing, distribution, and content of the consumer notice.
The Attorney General's office maintains resources for both businesses reporting breaches and consumers who have received breach notifications.
What the Notice Must Include
Breach notifications to affected consumers must include advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports. While Missouri's content requirements are less detailed than some other states, best practices suggest including:
- A description of the incident
- The types of personal information compromised
- Steps the consumer can take to protect themselves
- Contact information for the notifying entity
- Information about credit monitoring and fraud alerts
Methods of Notification
Entities may provide notice through the following methods:
Written notice: Sent to the consumer's postal address in the entity's records.
Electronic notice: Permitted for consumers who have valid email addresses on file and have agreed to receive communications electronically. Electronic notice must be consistent with the provisions of the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. Section 7001).
Substitute notice: Available when direct notification is not feasible because the cost would exceed $100,000, the affected class exceeds 150,000 consumers, or the entity does not have sufficient contact information. Substitute notice requires all three of the following: email notice (when email addresses are available), conspicuous posting on the entity's website, and notification to major statewide media.
Exceptions to Notification
Notification is not required if, after an appropriate investigation or after consultation with relevant federal, state, or local law enforcement agencies, the entity determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. This determination must be documented in writing and maintained for five years.
Entities regulated by state or federal law that maintain breach notification procedures under their primary or functional regulator are deemed in compliance with the Missouri statute if they notify affected consumers under those existing procedures.
Penalties for Noncompliance
The Missouri Attorney General has exclusive authority to enforce the breach notification law. The Attorney General may bring an action to obtain actual damages for a willful and knowing violation and may seek civil penalties not to exceed $150,000 per breach of the security system, or per series of breaches of a similar nature discovered in a single investigation.
There is no private right of action under the breach notification statute. Individual consumers cannot sue businesses directly for failure to provide breach notification.
Missouri Merchandising Practices Act and Data Privacy
The Missouri Merchandising Practices Act (MMPA), codified at Mo. Rev. Stat. Sections 407.010 through 407.130, provides a broader consumer protection framework that can apply to data privacy violations.
How the MMPA Applies to Privacy
Section 407.020 declares it unlawful for any person to use deception, fraud, false pretense, false promise, misrepresentation, unfair practice, or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of merchandise in trade or commerce.
This broad prohibition can apply to data privacy in several ways:
False privacy promises: A company that promises in its privacy policy not to sell consumer data but then sells it could face MMPA liability for misrepresentation.
Concealment of data practices: Failing to disclose material data collection or sharing practices could violate the prohibition against concealment or omission of material facts.
Deceptive data security claims: Representing that consumer data is secured by specific measures when it is not could constitute deception under the MMPA.
Enforcement and Penalties
The Missouri Attorney General administers and enforces the MMPA. The AG can investigate potential violations, issue subpoenas for documents, and bring enforcement actions.
Local prosecuting attorneys may also bring criminal charges for intentional MMPA violations. A person who knowingly violates the MMPA may face felony charges.
Consumers have a private right of action under the MMPA, which distinguishes it from the breach notification statute. Consumers who suffer an ascertainable loss due to a prohibited practice can sue for actual damages, punitive damages, and attorney's fees.
Identity Theft Protections in Missouri
Missouri has robust criminal and civil statutes addressing identity theft, providing both penalties for offenders and remedies for victims.
Criminal Identity Theft (Mo. Rev. Stat. Section 570.223)
Under Section 570.223, a person commits identity theft if they knowingly and with the intent to deceive or defraud obtain, possess, transfer, use, or attempt to obtain, transfer, or use one or more means of identification not lawfully issued for their use.
Penalty Structure
The penalties for identity theft in Missouri are tiered based on the value of credit, money, goods, services, or other property obtained:
| Value of Theft | Classification | Potential Penalty |
|---|---|---|
| No financial gain | Class B misdemeanor | Up to 6 months in jail |
| Up to $750 | Class A misdemeanor | Up to 1 year in jail |
| $750 to $25,000 | Class D felony | Up to 7 years in prison |
| $25,000 to $75,000 | Class C felony | Up to 10 years in prison |
| Over $75,000 | Class B felony | 5 to 15 years in prison |
Repeat offenders face enhanced penalties. A person previously convicted of identity theft who commits another identity theft involving property valued at $750 or less is guilty of a class E felony rather than a misdemeanor.
Restitution
Courts may order defendants to pay restitution to victims, including costs incurred in clearing the victim's credit history or credit rating and costs connected with any civil or administrative proceeding to satisfy any debt, lien, or other obligation arising from the defendant's actions.
Civil Remedies for Identity Theft Victims
Victims of identity theft in Missouri have access to significant civil remedies under Section 570.223:
Statutory damages: Up to $5,000 per incident, or three times the amount of actual damages, whichever is greater.
Injunctive relief: Victims may seek a court order to prevent future violations.
Attorney's fees: Courts may award reasonable attorney's fees to the plaintiff.
Statute of limitations: Civil actions must be brought within five years from the date the identity of the wrongdoer was discovered or reasonably should have been discovered.
Deceased persons: If the identifying information of a deceased person is used unlawfully, the deceased person's estate has the right to recover damages.
Trafficking in Stolen Identities (Mo. Rev. Stat. Section 570.224)
Section 570.224 creates a separate offense for trafficking in stolen identities. A person commits this offense if they manufacture, sell, transfer, or possess with intent to sell or transfer means of identification for the purpose of committing identity theft.
Possession of five or more means of identification of the same person, or possession of means of identification of five or more separate persons, is evidence of intent to traffic. This offense is classified as a class B felony, carrying a potential sentence of 5 to 15 years in prison.
Social Security Number Protections
Missouri has specific protections for Social Security numbers under multiple statutes.
Private Sector SSN Restrictions (Mo. Rev. Stat. Section 407.1355)
Section 407.1355 prohibits entities from publicly posting or displaying an individual's Social Security number. It also specifically restricts employers:
- Employers may not require an employee to use their SSN as an employee number for any employment-related activity.
- Employers may not require the use of the last four digits of an SSN as an employee number (effective since December 31, 2015).
These restrictions do not prevent the collection, use, or release of SSNs as required by state or federal law, or the use of SSNs for internal verification or administrative purposes.
Government Records SSN Protection (Mo. Rev. Stat. Section 105.1500)
All personal information in the possession of a public agency is considered a closed record under Missouri law. No state entity may publicly disclose any Social Security number of a living person unless the disclosure is permitted by federal or state law, authorized by the holder, or for use in a civil, criminal, administrative, or arbitral proceeding.
Court Filing Protections (Mo. Rev. Stat. Section 509.520)
Section 509.520 prohibits the inclusion of full Social Security numbers in court pleadings, attachments, exhibits, judgments, or orders. This protection helps prevent identity theft through public court records.
Credit Report Security Freezes
Missouri's security freeze law (Mo. Rev. Stat. Sections 407.1380 through 407.1384) allows consumers to restrict access to their credit reports, which is an important tool for preventing identity theft after a data breach.
How Security Freezes Work
Under Section 407.1382, a consumer may request that a consumer credit reporting agency place a security freeze on the consumer's credit report. Once a freeze is in place, the credit reporting agency may not release the consumer's credit report or any information from it without the consumer's express authorization.
Security freezes are now free for all consumers nationwide under federal law (the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018), superseding state fee provisions.
Enforcement
Under Section 407.1384, any consumer credit reporting agency that knowingly fails to comply with the security freeze provisions is liable to the consumer for actual damages, court costs, and reasonable attorney's fees. Courts may also award equitable relief to restore a damaged consumer's credit.
Student Data Privacy Protections
Missouri protects student data through Mo. Rev. Stat. Section 161.096, which regulates the state's longitudinal data system and student data accessibility.
Key protections include:
- Access to personally identifiable student data is restricted to authorized staff, district administrators, teachers, school personnel with a legitimate need, and students and their parents for their own records.
- Contracts with private vendors that handle student data must include provisions prohibiting the sale of student data or its use for advertising purposes, with penalties for noncompliance.
- The Missouri Department of Elementary and Secondary Education (DESE) must comply with all relevant state and federal privacy laws, including the federal Family Educational Rights and Privacy Act (FERPA).
Federal Privacy Laws Covering Missouri Residents
Because Missouri lacks a comprehensive state privacy law, federal statutes play a particularly important role in protecting Missouri residents' data in specific sectors.
Health Information: HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) protects the health information of Missouri residents held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. HIPAA establishes a federal floor for health data privacy, and states are free to enact stricter protections. HIPAA does not preempt state laws that provide greater privacy protections.
Missouri's breach notification law complements HIPAA by including medical information and health insurance information in its definition of protected personal information under Section 407.1500.
Financial Information: GLBA
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive financial data. Missouri residents who are customers of banks, credit unions, securities firms, and insurance companies receive privacy protections under GLBA. Financial institutions subject to GLBA that maintain their own breach notification procedures are deemed in compliance with Missouri's breach notification statute.
Education Records: FERPA
The Family Educational Rights and Privacy Act (FERPA) protects the education records of Missouri students at institutions that receive federal funding. Parents and eligible students (age 18 and older) have the right to access education records, request corrections, and control disclosures of personally identifiable information from those records.
Consumer Data: FTC Act Section 5
The Federal Trade Commission (FTC) enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC has used this authority to bring enforcement actions against companies with inadequate data security practices or those that misrepresent their privacy practices. This provides a baseline level of privacy protection for all Missouri consumers.
Children's Online Privacy: COPPA
The Children's Online Privacy Protection Act (COPPA) requires websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children. This federal law provides important protections for Missouri's youngest residents online.
Missouri Attorney General: Consumer Privacy Resources
The Missouri Attorney General's office provides several resources for consumers dealing with data privacy issues.
Identity Theft Assistance
The AG's office operates a hotline for identity theft victims at 800-392-8222. Complaint investigators help advise victims on steps to take after identity theft occurs.
Data Breach Checklist
The AG's office publishes a checklist for consumers who have received a data breach notice. This resource guides consumers through steps such as reviewing the breach notice carefully, placing fraud alerts on credit reports, monitoring financial statements, and filing complaints.
Statutory Guide
The Statutory Guide to Privacy and Data Breach Laws maintained by the AG's office provides an overview of all privacy-related statutes in Missouri, organized by type of protected information.
How Missouri Compares to Other States
Missouri's approach to data privacy differs significantly from states that have enacted comprehensive privacy laws.
| Feature | Missouri | California | Virginia | Colorado |
|---|---|---|---|---|
| Comprehensive privacy law | No | Yes (CCPA/CPRA) | Yes (VCDPA) | Yes (CPA) |
| Right to access data | No | Yes | Yes | Yes |
| Right to delete data | No | Yes | Yes | Yes |
| Right to correct data | No | Yes | Yes | Yes |
| Right to opt out of sales | No | Yes | Yes | Yes |
| Breach notification law | Yes | Yes | Yes | Yes |
| Breach notification deadline | No fixed deadline | Not to exceed 45 days | Without unreasonable delay | 30 days |
| AG notification required | Over 1,000 consumers | Over 500 residents | Required | Over 500 residents |
| Maximum breach penalty | $150,000 per breach | $7,500 per intentional violation | $7,500 per violation | $20,000 per violation |
| Private right of action (breach) | No | Yes (limited) | No | No |
| Identity theft civil remedies | Yes ($5,000 or 3x damages) | Yes | Yes | Yes |
Practical Steps for Missouri Residents
Without a comprehensive privacy law, Missouri residents should take proactive steps to protect their personal information.
Monitor your credit reports. Request free annual credit reports from each of the three major credit bureaus through AnnualCreditReport.com. Review them for unauthorized accounts or inquiries.
Place security freezes. Use Missouri's security freeze law to restrict access to your credit reports. Freezes are free under federal law and do not affect your credit score.
Review breach notifications carefully. If you receive a breach notification, follow the AG's checklist and take advantage of any free credit monitoring offered.
Report identity theft promptly. Contact the Missouri AG's identity theft hotline at 800-392-8222 and file a report with local law enforcement. Document all unauthorized transactions and communications.
Read privacy policies. Since Missouri does not require businesses to provide specific data rights, understanding what data companies collect and how they use it is especially important.
This article provides general legal information about Missouri data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in Missouri for advice about your specific situation.
Sources and References
- Mo. Rev. Stat. Section 407.1500: Data Breach Notification (revisor.mo.gov)
- Mo. Rev. Stat. Section 407.020: Missouri Merchandising Practices Act (revisor.mo.gov)
- Mo. Rev. Stat. Section 570.223: Identity Theft Statute (revisor.mo.gov)
- Mo. Rev. Stat. Section 570.224: Trafficking in Stolen Identities (revisor.mo.gov)
- Mo. Rev. Stat. Section 407.1355: Social Security Number Protections (revisor.mo.gov)
- Mo. Rev. Stat. Section 105.1500: Personal Privacy Protection Act (revisor.mo.gov)
- Mo. Rev. Stat. Section 509.520: Court Filing SSN Protections (revisor.mo.gov)
- Mo. Rev. Stat. Sections 407.1380-407.1384: Credit Report Security Freezes (revisor.mo.gov)
- Mo. Rev. Stat. Section 161.096: Student Data Privacy (revisor.mo.gov)
- Missouri Attorney General: Data Breaches (ago.mo.gov)
- Missouri Attorney General: Identity Theft and Data Security (ago.mo.gov)
- Missouri Attorney General: Statutory Guide to Privacy and Data Breach Laws (ago.mo.gov)
- Missouri Attorney General: Data Breach Checklist (ago.mo.gov)
- Missouri DESE: Data Access, Sharing, and Privacy (dese.mo.gov)
- HHS: HIPAA Preemption of State Law (hhs.gov)
- Missouri Senate: SB 731 (2024 Privacy Bill) (senate.mo.gov)