South Carolina Data Privacy Laws: Breach Notification & Consumer Rights (2026)

South Carolina takes a sectoral approach to data privacy. The state has not enacted a comprehensive consumer data privacy statute that grants residents broad rights over their personal data. Instead, South Carolina protects personal information through a combination of breach notification requirements, insurance industry regulations, identity theft protections, and federal law.
This guide covers every major data privacy protection available to South Carolina residents as of March 2026. It explains the state's breach notification law, the Insurance Data Security Act, consumer protection statutes, the federal framework that applies in South Carolina, and answers to common questions about data privacy rights in the Palmetto State.
South Carolina Breach Notification Act (S.C. Code 39-1-90)
The primary data privacy protection for South Carolina residents is the state's breach notification law. Codified at S.C. Code Section 39-1-90, this statute was enacted as part of the Financial Identity Fraud and Identity Theft Protection Act (FIFITPA) in 2008. It requires both businesses and government agencies to notify residents when their personal identifying information is compromised.

Who Must Comply
The breach notification law applies to two categories of entities.
Private businesses. Any person conducting business in South Carolina who owns or licenses computerized data or other data that includes personal identifying information must comply. The law does not set a minimum company size or revenue threshold. Any business that holds South Carolina residents' personal data falls under the statute.
Government agencies. State agencies and other public bodies in South Carolina that own or license data containing personal identifying information must also provide breach notifications under the same requirements.
What Triggers a Notification
A breach notification is required when there is unauthorized access to and acquisition of computerized data that compromises the security, confidentiality, or integrity of personal identifying information. The notification obligation arises when the illegal use of the information has occurred or is reasonably likely to occur, or when the use creates a material risk of harm to the resident.
This is an important distinction. South Carolina uses a harm-based trigger rather than a blanket notification requirement. If a business determines that unauthorized access occurred but the likelihood of harm is low, it may not need to send notifications. However, the burden of making that determination falls on the business.
Definition of Personal Identifying Information
The statute defines personal identifying information as a resident's first name or first initial and last name in combination with one or more of the following data elements, when neither encrypted nor redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password
The definition does not include information that is lawfully obtained from publicly available sources or from federal, state, or local government records lawfully made available to the general public.
Notification Timeline
South Carolina does not set a specific day count for breach notifications. Instead, the law requires disclosure in the most expedient time possible and without unreasonable delay. The notification timeline must be consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
A law enforcement agency may request a delay in notification if it determines that the notification would impede a criminal investigation. Once law enforcement determines the notification no longer compromises the investigation, the business must proceed with disclosure.
How Notification Must Be Provided
Businesses can provide breach notifications through several methods:
Written notice. A letter sent to the last known mailing address of the affected resident.
Electronic notice. Permitted if electronic communication is the primary method of interaction between the business and the affected individual.
Telephonic notice. Direct phone calls to affected individuals.
Substitute notice. Available when the cost of direct notification exceeds $250,000, the affected class exceeds 500,000 persons, or the business does not have sufficient contact information. Substitute notice requires all three of the following: email notification when an email address is available, conspicuous posting on the business's website, and notification to major statewide media.
Reporting to State Authorities
When a business provides breach notification to more than 1,000 persons at one time, it must also notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs and all nationwide consumer reporting agencies without unreasonable delay. The notice to consumer reporting agencies must include the timing, distribution, and content of the notification sent to residents.
Third-Party Data Holders
A business that maintains computerized data containing personal identifying information that it does not own must notify the owner or licensee of the information immediately following discovery of a breach if the personal identifying information was acquired by an unauthorized person.
Penalties and Enforcement
The breach notification law provides several enforcement mechanisms.
Willful and knowing violations. A South Carolina resident injured by a willful and knowing violation may file a civil action to recover damages. Courts have discretion in determining the amount of damages.
Negligent violations. A resident may also bring a civil action for negligent violations, though recovery is limited to actual damages resulting from the violation.
Injunctive relief. Affected residents may seek an injunction to enforce compliance with the statute.
Attorney's fees. A successful plaintiff may recover attorney's fees and court costs.
The Consumer Protection Division of the Department of Consumer Affairs handles administrative enforcement of the breach notification requirements.
Financial Institution Exemption
A financial institution that is subject to and in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice (issued March 7, 2005) is considered to be in compliance with Section 39-1-90. This covers institutions regulated by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
South Carolina Insurance Data Security Act (Title 38, Chapter 99)
South Carolina was the first state in the nation to adopt the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. The South Carolina Insurance Data Security Act, codified at S.C. Code Title 38, Chapter 99, took effect on January 1, 2019. It establishes comprehensive cybersecurity requirements specifically for insurance industry licensees.
Who Must Comply
The Act applies to all licensees of the South Carolina Department of Insurance. This includes insurance companies, agents, brokers, adjusters, and other entities licensed to conduct insurance business in the state. Small licensees with fewer than a specified number of employees may qualify for certain exemptions from the most detailed requirements.
Information Security Program Requirements
Every licensee must develop, implement, and maintain a comprehensive written information security program. The program must be based on the licensee's own risk assessment and must include administrative, technical, and physical safeguards for the protection of nonpublic information.
The security program must address:
- The size and complexity of the licensee's business
- The nature and scope of the licensee's activities, including the use of third-party service providers
- The sensitivity of the nonpublic information the licensee collects and stores
Risk Assessment Requirements
Licensees must conduct a risk assessment that identifies reasonably foreseeable internal and external threats that could result in unauthorized access to nonpublic information. The assessment must evaluate the likelihood and potential damage of identified threats and assess the sufficiency of existing policies, procedures, information systems, and safeguards.
Board of Directors Oversight
The Act requires the board of directors (or an appropriate committee) to oversee the development and implementation of the licensee's information security program. The board must require executive management to develop and maintain the program and must receive regular reports on the status of the program.
Third-Party Service Provider Management
Licensees that share nonpublic information with third-party service providers must exercise due diligence in selecting providers. The licensee must require third-party providers to implement appropriate safeguards and must monitor and verify compliance with those safeguards.
Cybersecurity Event Notification
When a licensee determines that a cybersecurity event has occurred, it must notify the Director of the South Carolina Department of Insurance within 72 hours if any of the following conditions are met:
- South Carolina is the licensee's state of domicile
- The licensee reasonably believes the event involved nonpublic information of 250 or more South Carolina consumers
- The event requires notice to another state or federal governmental entity
- There is a reasonable likelihood of material harm to a South Carolina consumer
Investigation Requirements
If a licensee learns that a cybersecurity event has occurred or may have occurred, it must conduct a prompt investigation. During the investigation, the licensee must determine whether the event actually occurred, assess its nature and scope, identify any nonpublic information that was involved, and perform reasonable measures to restore the security of the information systems.
Penalties
The Director of the South Carolina Department of Insurance may examine and investigate licensees to determine compliance. Violations of the Act may result in regulatory action by the Department, including fines and other penalties available under existing insurance regulatory authority.
Financial Identity Fraud and Identity Theft Protection Act (FIFITPA)
The Financial Identity Fraud and Identity Theft Protection Act (Act No. 190 of 2008) is the umbrella legislation that established many of South Carolina's data privacy protections. Beyond the breach notification requirements discussed above, FIFITPA includes several additional consumer protections.
Security Freeze Rights
South Carolina residents have the right to place a security freeze on their consumer credit reports. A security freeze prohibits a credit reporting agency from releasing the consumer's credit report or any information from it without the consumer's express authorization. This helps prevent identity thieves from opening new accounts in the consumer's name.
Records Disposal Requirements
FIFITPA requires both businesses and government agencies to properly dispose of records containing personal identifying information. When disposing of such records, entities must modify the personal identifying information by shredding, erasing, or other means to make it unreadable or undecipherable.
A public body complies with the disposal requirement if it contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the body.
Violations of the records disposal requirements constitute a misdemeanor with a fine of up to $500 per violation.
Identity Theft Protections
FIFITPA strengthened South Carolina's criminal penalties for identity-related crimes.
Financial identity fraud. A person who commits financial identity fraud is guilty of a felony and, upon conviction, may be fined at the court's discretion or imprisoned for up to ten years, or both.
Identity theft through garbage rummaging. A first violation is a misdemeanor with a fine up to $250. Subsequent violations carry fines up to $1,000. A person who knowingly and willfully rummages through garbage to commit identity fraud is guilty of a Class F felony, punishable by up to five years imprisonment and a fine of up to $1,000.
Consumer Reporting Protections
The Act includes provisions governing how consumer reporting agencies handle South Carolina residents' data, including requirements around fraud alerts, active duty military alerts, and the handling of identity theft reports.
Family Privacy Protection Act (Title 30, Chapter 2)
The Family Privacy Protection Act of 2002 provides additional privacy protections specifically related to personal information held by South Carolina state government agencies.
Scope and Requirements
All state agencies, boards, commissions, institutions, departments, and other state entities must develop privacy policies and procedures to ensure that the collection of personal information pertaining to citizens is limited to information that is required and necessary to fulfill a legitimate public purpose.
The Act defines personal information broadly to include photographs, Social Security numbers, dates of birth, driver's identification numbers, names, home addresses, home telephone numbers, medical or disability information, education levels, financial status, bank account numbers, account or identification numbers, employment history, height, weight, race, other physical details, signatures, biometric identifiers, and credit records or reports.
Commercial Solicitation Prohibition
The Act prohibits any person or private entity from using personal information obtained from state agencies for commercial solicitation purposes. A person who knowingly violates this provision is guilty of a misdemeanor and, upon conviction, may be fined up to $500 or imprisoned for up to one year, or both.
South Carolina Unfair Trade Practices Act
The South Carolina Unfair Trade Practices Act (S.C. Code Title 39, Chapter 5) provides a general consumer protection framework that can apply to data privacy violations. While not specifically a data privacy statute, the Act prohibits unfair or deceptive acts or practices in trade or commerce.
Businesses that engage in deceptive practices related to the collection, use, or protection of consumer data could face enforcement actions under this statute. The Department of Consumer Affairs and the Attorney General's office can take action against businesses whose data handling practices constitute unfair or deceptive trade practices.
Health Information Privacy in South Carolina
South Carolina does not have a standalone state health data privacy law equivalent to HIPAA. However, several state provisions supplement federal health privacy protections.
Under South Carolina law, medical records must not be released without written consent from the patient, except as otherwise provided by law. The state imposes additional restrictions on certain sensitive health information, including data related to sexually transmitted diseases, HIV, tuberculosis, other communicable diseases, family planning, drug control, substance abuse, and mental health.
Physicians in South Carolina must retain medical records for at least ten years for adult patients and at least thirteen years for minors. These minimum recordkeeping periods begin from the last date of treatment.
Pending Privacy Legislation
As of March 2026, South Carolina does not have a comprehensive consumer data privacy law. However, the state legislature has considered several privacy-related bills in the 2025-2026 session.
Bill 3401: Technology Transparency Act
House Bill 3401 would add Chapter 31 to Title 37 of the South Carolina Code. If enacted, it would establish consumer rights for data privacy, require controllers to provide privacy notices, mandate data protection assessments, and restrict the sale of sensitive personal data. The bill would also establish appeal processes and require controllers to establish methods for consumers to submit data requests. As of March 2026, this bill has not been enacted into law.
Bill 3400: Child Data Privacy and Protection Act
House Bill 3400 would specifically address children's data privacy, providing protections for minors' personal information collected by online services.
Bill 3431: South Carolina Social Media Regulation Act
Bill 3431 was signed by the Governor on February 5, 2026. This law regulates social media companies' treatment of minor account holders. Beginning March 1, 2026, social media companies must provide parents and guardians with tools to manage children's account settings, restrict purchases and financial transactions, view time spent on the service, and restrict use during specified times of day.
Federal Data Privacy Laws Applicable in South Carolina
Because South Carolina lacks a comprehensive state privacy law, federal statutes play an especially important role in protecting residents' personal data. The following federal laws apply to businesses and organizations operating in South Carolina.
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information. It applies to health plans, health care clearinghouses, and health care providers who conduct certain electronic transactions. HIPAA gives patients the right to access their medical records, request corrections, and receive an accounting of disclosures.
The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards for electronic protected health information. Violations can result in civil monetary penalties ranging from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data. Financial institutions must provide annual privacy notices describing what personal information they collect, how they use it, and with whom they share it. The FTC's Safeguards Rule requires financial institutions to develop and maintain a comprehensive information security program.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records at schools that receive federal funding. It gives parents the right to access their children's education records, request corrections, and control the disclosure of personally identifiable information from those records. When a student turns 18 or enters a postsecondary institution, these rights transfer to the student.
Children's Online Privacy Protection Act (COPPA)
The COPPA Rule requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. It also requires these operators to maintain reasonable security procedures and to post clear privacy policies.
Fair Credit Reporting Act (FCRA)
The FCRA regulates how consumer reporting agencies collect, maintain, and distribute consumer credit information. It gives consumers the right to know what is in their credit file, to dispute inaccurate information, and to have outdated negative information removed. The FCRA also limits who can access consumer credit reports and for what purposes.
How South Carolina Compares to Other States
As of March 2026, twenty states have enacted comprehensive consumer data privacy laws. South Carolina is not among them. States including California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Minnesota, Maryland, Rhode Island, and Vermont have all passed comprehensive privacy statutes.
South Carolina's approach differs in several important ways.
No general consumer data rights. South Carolina residents do not have a statutory right to access, delete, or correct personal data held by private businesses. They cannot opt out of data sales or targeted advertising under state law.
No data controller obligations. Businesses operating in South Carolina are not required by state law to conduct data protection assessments, maintain data processing records, or provide privacy notices (outside of the insurance and financial sectors).
Breach notification only. The state's primary protection for personal data remains the breach notification statute, which activates only after a security incident has already occurred.
Reliance on federal law. For most industries and data types, South Carolina residents depend on federal statutes like HIPAA, GLBA, FERPA, and COPPA for privacy protections.
The pending Technology Transparency Act (Bill 3401) would bring South Carolina closer to the comprehensive privacy frameworks adopted by other states, but it has not been enacted as of this writing.
Practical Steps for South Carolina Residents
Even without a comprehensive privacy law, South Carolina residents can take several steps to protect their personal data.
Place a security freeze. Under FIFITPA, you have the right to freeze your credit reports at no cost. This prevents new accounts from being opened in your name without your explicit authorization.
Monitor breach notifications. The SC Department of Consumer Affairs publishes security breach notices on its website. Check this page regularly to see if organizations that hold your data have reported breaches.
File complaints. If you believe a business has violated the breach notification law or engaged in unfair data practices, file a complaint with the South Carolina Department of Consumer Affairs.
Exercise federal rights. Request your medical records under HIPAA, review your credit reports under the FCRA, and check your children's school records under FERPA. These federal rights apply regardless of South Carolina state law.
Review privacy policies. Even without a state law requiring data access rights, many businesses voluntarily extend California CCPA or other state privacy rights to all U.S. consumers. Check whether the businesses you interact with offer data access, deletion, or opt-out tools.
Practical Steps for Businesses Operating in South Carolina
Businesses that collect personal data from South Carolina residents should take the following steps to ensure compliance with existing law.
Develop a breach response plan. Prepare procedures for detecting, investigating, and responding to data breaches. Include templates for notification letters that comply with Section 39-1-90.
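Encrypt personal data. The statute's definition of personal identifying information covers only data elements that are neither encrypted nor redacted, so the breach notification requirement does not apply to encrypted data. Implementing encryption for personal identifying information significantly reduces breach notification obligations and liability exposure.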
Implement records disposal procedures. FIFITPA requires proper destruction of records containing personal identifying information. Establish shredding, erasing, or other disposal protocols.
Monitor legislative developments. With Bill 3401 (Technology Transparency Act) still pending, businesses should prepare for the possibility of comprehensive privacy requirements in South Carolina.
Comply with federal requirements. Ensure compliance with HIPAA, GLBA, COPPA, and other federal privacy laws that apply to your industry.
Insurance licensees. If your business is licensed by the South Carolina Department of Insurance, ensure full compliance with the Insurance Data Security Act, including maintaining a written information security program, conducting risk assessments, and meeting the 72-hour cybersecurity event notification requirement.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in South Carolina for advice about your specific situation. Last reviewed: March 2026.