South Carolina Biometric Privacy Laws: Collection, Consent & Penalties (2026)

South Carolina does not have a standalone biometric privacy law. Unlike Illinois, Texas, and Washington, the state has not enacted legislation that specifically regulates how private businesses collect, store, use, or share biometric identifiers such as fingerprints, facial geometry, or iris scans.

South Carolina's existing data protections touch biometric data in limited and indirect ways. The state's general breach notification law does not explicitly list biometric data in its definition of personal identifying information. However, the Insurance Data Security Act includes biometric records as part of protected nonpublic information for insurance licensees. The SC Biometric Data Privacy Act has been proposed twice but has not advanced into law.

This guide explains the current legal framework, what protections exist, where the gaps are, and what proposed legislation could change.

For broader context on South Carolina's overall privacy framework, see the parent guide to South Carolina Data Privacy Laws.

South Carolina Breach Notification Law (S.C. Code 39-1-90)

South Carolina's primary data breach law is codified at S.C. Code 39-1-90. This law requires businesses conducting business in South Carolina to notify residents when their personal identifying information has been compromised in a data breach.

Definition of Personal Identifying Information

Under S.C. Code 39-1-90, "personal identifying information" means an individual's first name or first initial and last name combined with one or more of the following data elements:

• Social Security number
• Driver's license number or state identification card number
• Financial account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to a financial account
• Other numbers or information that may be used to access a person's financial accounts, or numbers or information issued by a governmental or regulatory entity that uniquely identifies an individual

Biometric data is not explicitly listed as a category of personal identifying information under this statute. The fourth category, covering "other numbers or information" issued by a governmental entity that uniquely identifies an individual, could theoretically encompass some government-held biometric data, but this interpretation is untested.

This limited scope means that a breach exposing fingerprint templates, facial recognition data, or iris scans stored by a private company may not trigger notification obligations under S.C. Code 39-1-90 unless that data also falls under one of the enumerated categories.

Notification Requirements

When a breach is discovered, the business must disclose it to affected residents "in the most expedient time possible and without unreasonable delay," consistent with the legitimate needs of law enforcement and measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

If a business provides notice to more than 1,000 people at one time, it must also notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs and all nationwide consumer reporting agencies without unreasonable delay.

Penalties and Enforcement

Administrative fines. A person who knowingly and willfully violates S.C. Code 39-1-90 is subject to an administrative fine of $1,000 per violation.

Private right of action. South Carolina is one of the states that allows individuals to sue for breach notification violations. A resident injured by a violation may:

• Institute a civil action to recover damages for a willful and knowing violation
• Institute a civil action limited to actual damages for a negligent violation
• Seek an injunction to enforce compliance
• Recover attorney's fees and court costs if successful

Unfair Trade Practices. A violation of the breach notification law may also be actionable under the South Carolina Unfair Trade Practices Act (S.C. Code 39-5-10 et seq.), which provides additional remedies.

Exemptions

Financial institutions that are subject to and in compliance with the federal Gramm-Leach-Bliley Act are considered in compliance with S.C. Code 39-1-90.

South Carolina Insurance Data Security Act (S.C. Code 38-99)

The Insurance Data Security Act, enacted in 2018, provides stronger protections for biometric data within the insurance industry specifically.

Under S.C. Code 38-99-10, "nonpublic information" includes biometric records as a protected data element alongside Social Security numbers, driver's license numbers, account numbers, and security codes. Licensed insurers, insurance producers, and other entities regulated by the South Carolina Department of Insurance must protect this nonpublic information.

Key Requirements for Insurers

Information security program. Licensees must develop, implement, and maintain a comprehensive written information security program that protects nonpublic information, including biometric records.

Risk assessment. Licensees must conduct periodic risk assessments to identify reasonably foreseeable internal and external threats that could result in unauthorized access to nonpublic information.

72-hour notification. A licensee must notify the Director of the South Carolina Department of Insurance no later than 72 hours after determining that a cybersecurity event has occurred that meets certain criteria.

Consumer notification. Licensees must notify affected consumers as required by S.C. Code 39-1-90 and other applicable state and federal laws.

This Act is significant because it explicitly includes biometric records in its definition of protected information, filling a gap left by the general breach notification statute.

What South Carolina Law Does Not Cover

South Carolina's existing laws leave significant gaps in biometric privacy protection.

No consent requirement for biometric data collection. South Carolina does not require businesses or employers to obtain consent before collecting biometric data from adults. Companies can implement fingerprint time clocks or facial recognition systems without providing notice or obtaining approval.

No retention or destruction timelines. The state does not mandate specific retention schedules or destruction timelines for biometric data held by private entities.

No restrictions on biometric data sales. South Carolina does not prohibit or restrict the sale or sharing of biometric data with third parties.

Limited breach notification coverage. The general breach notification law does not explicitly list biometric data as personal identifying information, leaving a potential gap in notification obligations for biometric-only breaches.

No law enforcement restrictions. South Carolina has not enacted limits on government or law enforcement use of facial recognition or other biometric surveillance technologies.

Employer Use of Biometric Data in South Carolina

South Carolina has no state law that restricts employers from collecting biometric data from employees. Companies operating in South Carolina that use fingerprint scanners for timekeeping, facial recognition for building access, or other biometric systems are not required by state law to:

• Provide written notice before collecting biometric data
• Obtain employee consent
• Establish data retention or destruction policies
• Limit sharing of employee biometric data with vendors or third parties

This stands in sharp contrast to Illinois, where employers face statutory damages of $1,000 to $5,000 per violation of the Biometric Information Privacy Act.

Pending Legislation

South Carolina has seen multiple attempts to pass biometric privacy legislation.

SC Biometric Data Privacy Act (Bill 4812, 2019-2020 Session). This bill proposed comprehensive biometric privacy protections modeled in part on Illinois BIPA. It would have required businesses to obtain written consent before collecting biometric information, allowed consumers to request deletion of their biometric data, prohibited the sale of biometric information, and established standards of care for businesses collecting biometric data. The bill was introduced in December 2019 but did not advance.

SC Biometric Data Privacy Act (Bill 3063, 2021-2022 Session). A reintroduced version of the biometric privacy bill was filed again in December 2020. It contained similar provisions, including requirements to inform consumers of the purpose for collection, obtain consent, and limit the use and sharing of biometric data. This version also did not advance.

Neither bill has been enacted. If the SC Biometric Data Privacy Act passes in a future session, it would create significant new obligations for businesses collecting biometric information in South Carolina.

Federal Protections That Apply in South Carolina

Because South Carolina lacks a comprehensive biometric privacy law, federal statutes provide additional protections for residents.

Section 5 of the FTC Act allows the Federal Trade Commission to take enforcement action against companies engaged in unfair or deceptive practices involving biometric data.

HIPAA protects biometric data collected or used by covered healthcare entities and their business associates under the Privacy Rule.

COPPA requires parental consent before collecting biometric data from children under 13, enforced by the FTC.

How South Carolina Compares to Other States

South Carolina falls into a lower tier of states for biometric privacy protection. The omission of biometric data from the general breach notification law's definition of personal identifying information is a notable gap.

• Illinois has the strongest biometric law in the nation (BIPA), with a private right of action and statutory damages of $1,000 to $5,000 per violation
• Texas and Washington have biometric-specific statutes enforced by their attorneys general
• States with comprehensive privacy laws (Colorado, Connecticut, Virginia) classify biometric data as sensitive and require opt-in consent
• South Carolina protects biometric data only through the Insurance Data Security Act (for insurers) and general unfair trade practices enforcement, with no explicit biometric coverage in its general breach notification law

More South Carolina Laws

• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Recording Laws
• South Carolina Data Privacy Laws
• South Carolina Recording Laws

This article provides general legal information about South Carolina biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in South Carolina for advice about your specific situation.