South Dakota Data Privacy Laws: Breach Notification & Consumer Rights (2026)

South Dakota takes a targeted approach to data privacy regulation rather than enacting a single comprehensive consumer privacy statute. The state's primary data protection tool is its Data Breach Notification Law, codified in SDCL 22-40-19 through 22-40-26, which took effect on July 1, 2018.
South Dakota was the 49th state to pass a breach notification law, leaving Alabama as the last holdout at the time. While the state has not adopted an omnibus privacy law comparable to those in California, Colorado, or Virginia, it enforces data protection through its breach notification requirements, consumer protection statutes, computer crimes laws, and reliance on federal regulatory frameworks.
This guide covers every South Dakota data privacy statute currently in effect, recent 2026 legislative developments, federal frameworks that apply to South Dakota businesses, and what consumers and organizations need to know to stay compliant.
South Dakota Data Breach Notification Law (SDCL 22-40-19 Through 22-40-26)
The South Dakota Data Breach Notification Law was established through Senate Bill 62, signed into law on March 21, 2018, and effective July 1, 2018. Governor Dennis Daugaard signed the legislation after South Dakota had spent years as one of only two states without breach notification requirements.

This statute governs how businesses and organizations must respond when personal data held in their systems is compromised by unauthorized access.
Who Must Comply
The law applies to any "information holder," defined as any person or business that conducts business in South Dakota and owns or licenses computerized personal or protected information of South Dakota residents. This includes businesses headquartered outside the state if they hold data belonging to South Dakota residents.
Government agencies, nonprofits, healthcare providers, financial institutions, and educational organizations operating in South Dakota all fall under this requirement unless they are subject to stricter federal notification rules.
What Constitutes a Breach
Under SDCL 22-40-19, a "breach of system security" is defined as the unauthorized acquisition of unencrypted computerized data, or encrypted computerized data along with the encryption key, that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.
The statute includes an important exception. A good-faith acquisition of personal information by an employee or agent of the information holder does not constitute a breach, provided the information is not used improperly or subjected to further unauthorized disclosure.
Categories of Protected Data
South Dakota's law protects two distinct categories of information, each with its own definition.
Personal Information requires a person's first name or first initial and last name in combination with one or more of the following data elements:
- Social Security number
- Driver's license number or other government-issued identification number
- Account number, credit card number, or debit card number combined with any required security code, access code, password, routing number, or PIN that permits access to a financial account
- Health information as defined under HIPAA, including data from healthcare providers, health insurers, employers, or educational institutions
- An identification number assigned by an employer combined with any required security code, access code, password, or biometric data used for authentication
Protected Information stands alone without requiring a name combination and includes:
- A username or email address combined with a password, security question answer, or other credential that permits access to an online account
- An account number or credit or debit card number combined with any security code, access code, or password that permits access to a financial account
The law excludes information that is lawfully obtained from publicly available federal, state, or local government records. It also excludes data that has been redacted or modified to render it unusable.
The 60-Day Notification Deadline
Once an information holder discovers or is notified of a breach of system security, it must disclose the breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure must occur no later than 60 days from the discovery or notification of the breach.
This 60-day window is a firm deadline under South Dakota law. Several other states use vaguer language such as "without unreasonable delay" or "as expeditiously as possible," making South Dakota's requirement more defined and predictable for businesses.
Notification Methods
Information holders can provide breach notifications through several channels under SDCL 22-40-22:
- Written notice sent to the affected individual's mailing address
- Electronic notice if the electronic communication is consistent with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act) or if the information holder's primary method of communication with the resident has been electronic
- Substitute notice when the cost of direct notification exceeds $250,000, the affected class exceeds 500,000 persons, or the information holder lacks sufficient contact information
Substitute notice requires all three of the following: email notice to affected individuals whose email addresses are available, conspicuous posting on the information holder's website, and notification to statewide media outlets.
The statute does not prescribe specific content requirements for the breach notification itself. However, the information holder must provide notification to nationwide consumer reporting agencies regarding the timing, distribution, and content of the notices sent to affected individuals.
Attorney General Notification
Under SDCL 22-40-24, any information holder that experiences a breach affecting more than 250 South Dakota residents must disclose the breach to the South Dakota Attorney General by mail or electronic mail. This notification must include the details of the breach and the scope of affected individuals.
The Attorney General's office maintains a Consumer Protection Division that oversees breach reporting and enforcement actions related to data security failures.
Law Enforcement Delay Exception
Notification may be delayed if a law enforcement agency determines that providing notice will impede a criminal investigation. However, once law enforcement determines that notification will no longer compromise the investigation, the information holder must issue notifications within 30 days.
This two-tiered timeline means that even with a law enforcement delay, there is still a hard deadline. Businesses cannot rely on an open-ended law enforcement investigation to postpone notifications indefinitely.
Harm Assessment Exception
South Dakota allows information holders to forgo notification if, after an appropriate investigation, they reasonably determine that the breach will not likely result in harm to the affected individuals. However, this determination must be documented in writing, and the documentation must be maintained for at least three years.
The Attorney General must still be notified of the determination even when the information holder decides not to notify affected individuals.
Encryption Safe Harbor
Encrypted data is generally exempt from notification requirements. However, this safe harbor does not apply if the encryption key was also compromised in the breach. If both the encrypted data and the key used to decrypt it are obtained by an unauthorized party, the breach triggers notification obligations just as if the data were unencrypted.
Federal Compliance Exemption
Entities regulated by federal law, including those subject to HIPAA or the Gramm-Leach-Bliley Act (GLBA), are deemed to comply with South Dakota's breach notification requirements if they maintain breach notification procedures pursuant to their primary federal regulator's rules and notify affected South Dakota residents in accordance with applicable federal law.
This exemption recognizes that federally regulated entities such as hospitals, insurance companies, and banks already face their own breach notification obligations and should not be subject to duplicative state requirements.
Penalties for Breach Notification Violations
Under SDCL 22-40-26, failure to comply with the breach notification law is classified as a deceptive act or practice under South Dakota's Deceptive Trade Practices and Consumer Protection Act (SDCL 37-24).
The Attorney General may bring an enforcement action to recover civil penalties of up to $10,000 per day for each violation of the notification requirements. The Attorney General may also recover attorney's fees and costs associated with the enforcement action.
There is no private right of action under the breach notification statute. Only the Attorney General can bring enforcement proceedings, meaning individual consumers cannot sue businesses directly for failing to provide timely breach notifications.
South Dakota Deceptive Trade Practices and Consumer Protection Act (SDCL 37-24)
The Deceptive Trade Practices and Consumer Protection Act serves as an additional layer of data privacy enforcement in South Dakota. While not a data privacy law per se, this statute is used to hold businesses accountable for making false or misleading claims about their data security or privacy practices.
Under SDCL 37-24, it is unlawful for a business to engage in deceptive acts or practices, which can include misrepresenting data security measures, failing to honor privacy policies, or making false claims about how consumer data is protected.
The Attorney General enforces this statute when an enforcement action is deemed in the public interest. Penalties for intentional violations include civil fines of up to $2,000 per violation. Consumers who are adversely affected may bring private actions to recover actual damages.
Because breach notification failures are classified as deceptive practices, the Attorney General can pursue violators under both SDCL 22-40-26 (the specific $10,000-per-day breach penalty) and the broader consumer protection framework.
South Dakota Computer Crimes Law (SDCL 43-43B)
South Dakota's Computer Crimes Law criminalizes unauthorized access to computer systems, data tampering, and the introduction of malware. This statute provides criminal penalties for individuals who illegally access, alter, or destroy computerized data.
The law establishes a graduated penalty structure based on the severity of the offense:
- Unauthorized access to a computer system is a Class 1 misdemeanor, punishable by up to one year in jail and a $2,000 fine
- Data tampering or disruption of computer services constitutes a Class 6 felony, carrying up to two years in prison and a $4,000 fine
- Obtaining data through unauthorized access is a Class 5 felony, with penalties of up to five years in prison and a $10,000 fine
- More severe offenses involving theft of data, deployment of ransomware, or destruction of critical systems can be charged as Class 4 through Class 2 felonies, carrying progressively longer prison sentences
The computer crimes statute complements the civil breach notification law by providing criminal consequences for the individuals who perpetrate data breaches, rather than just the businesses that fail to report them.
South Dakota Electronic Transactions Act (SDCL 53-12)
The South Dakota Electronic Transactions Act validates digital signatures and electronic records while imposing requirements on businesses to secure those records from unauthorized modification. Organizations that use electronic records and signatures must maintain reliable authentication systems.
This statute provides a legal foundation for digital commerce in South Dakota and reinforces data integrity obligations for electronic business transactions.
South Dakota SB 111: Social Media Data Transparency (2026)
In a significant step toward digital privacy, Governor Larry Rhoden signed Senate Bill 111 into law on March 10, 2026. This legislation, sponsored by Senator Michael Rohl of Aberdeen, requires social media companies to provide users with their collected personal data upon request and maintain transparent interoperability interfaces.
SB 111 passed the South Dakota Senate unanimously on a 34-0 vote and cleared committee without opposition. It makes South Dakota the second state, after Utah, to adopt specific legislation mandating social media companies provide users with their own digital footprint data.
Key provisions of SB 111 include:
- Social media companies must provide user-friendly reports detailing their data collection practices
- Users have the right to request and receive all personal data a social media company has collected about them
- Companies must grant consumers control over how their personal information is used
- Transparent interoperability interfaces must be maintained
This law represents a targeted approach to digital privacy rather than a broad omnibus statute. It addresses the growing concern over social media data practices without imposing comprehensive privacy obligations across all industries.
2026 Legislative Session: Other Data Privacy Bills
The 2026 South Dakota legislative session saw several additional data privacy proposals beyond SB 111.
SB 110: Internet Service Provider Data Privacy (Failed)
Senator Rohl also introduced SB 110, which would have restricted internet service providers from using or transferring customer data to third parties without explicit consumer permission unless necessary to provide the service. The bill initially tied 4-4 in the Senate State Affairs Committee before failing 5-3 when Senator Deibert switched his vote. Lobbyists from ISPs including Midco and CenturyLink argued the bill would create excessive regulatory burdens. The bill was later killed in the House on a 10-2 procedural vote.
HB 1275: App Store Age Verification (Failed)
House Bill 1275 would have required app store providers to implement age verification and obtain parental consent for minors. The bill passed the House 50-17 but was defeated in the Senate State Affairs Committee 5-4. Opponents noted the bill was nearly identical to Texas SB 2420, which was blocked by a federal court in December 2025 as unconstitutional.
Insurance Data Security in South Dakota
South Dakota's Division of Insurance regulates insurance companies and producers under Title 58 of the South Dakota Codified Laws. The state has adopted an older version of the NAIC Insurance Data Security Model Law through South Dakota Administrative Rules 20:06:45:20 through 20:06:45:26.
However, South Dakota has not adopted the current version of the NAIC Insurance Data Security Model Law (#668), which was finalized in 2017. The current NAIC model requires insurance licensees to develop, implement, and maintain a comprehensive written information security program, conduct risk assessments, establish incident response plans, and notify regulators within 72 hours of a cybersecurity event.
Insurance entities operating in South Dakota should be aware that while the state's requirements are based on an older version of the NAIC model, they remain subject to South Dakota's general breach notification law (SDCL 22-40-19 through 22-40-26) for data breaches involving personal or protected information.
Insurers who comply with GLBA requirements under their primary federal regulator are deemed compliant with South Dakota's breach notification provisions under the federal compliance exemption.
Federal Privacy Frameworks Applicable in South Dakota
Because South Dakota lacks a comprehensive state privacy law, federal frameworks play a particularly important role in protecting consumer data within the state.
Health Insurance Portability and Accountability Act (HIPAA)
Healthcare providers, health plans, healthcare clearinghouses, and their business associates in South Dakota must comply with HIPAA's Privacy and Security Rules. HIPAA establishes national standards for protecting individually identifiable health information (PHI) and requires administrative, physical, and technical safeguards.
South Dakota healthcare entities that comply with HIPAA's breach notification requirements satisfy the state's notification obligations under the federal compliance exemption in SDCL 22-40.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions in South Dakota, including banks, credit unions, securities firms, and insurance companies, must comply with the GLBA's Safeguards Rule. This federal law requires financial institutions to explain their information-sharing practices and to safeguard sensitive customer data through a written information security program.
The FTC's updated Safeguards Rule, which took effect in June 2023, strengthened requirements for risk assessments, access controls, encryption, and incident response plans.
Family Educational Rights and Privacy Act (FERPA)
Educational institutions in South Dakota that receive federal funding must comply with FERPA, which protects the privacy of student education records. Parents have the right to access and request corrections to their children's records, and schools generally cannot disclose personally identifiable information without consent.
The South Dakota Department of Education maintains the Student Information Management System and enforces data privacy requirements for K-12 institutions within the state.
Federal Trade Commission Act (FTC Act)
The FTC enforces consumer protection across all industries, including in South Dakota. Under Section 5 of the FTC Act, the commission can take action against businesses that engage in unfair or deceptive practices related to data privacy and security. Even without a state comprehensive privacy law, South Dakota businesses are subject to FTC enforcement if they fail to protect consumer data or misrepresent their privacy practices.
Children's Online Privacy Protection Act (COPPA)
Businesses and websites that collect information from children under 13 must comply with COPPA, which requires verifiable parental consent before collecting personal information from minors. This applies to all operators, including those based in South Dakota.
Payment Card Industry Data Security Standard (PCI DSS)
While not a government regulation, PCI DSS is a contractual requirement for all South Dakota businesses that process, store, or transmit credit card information. Non-compliance can result in fines from payment card networks and increased liability for data breaches involving cardholder data.
What Consumers Should Do After a Data Breach
The South Dakota Consumer Protection Division provides guidance for residents who receive breach notification letters. A security breach does not automatically mean identity theft will occur, but taking prompt action reduces risk.
If your Social Security number was compromised:
- Contact one of the three credit reporting agencies (Experian, Equifax, or TransUnion) to place a fraud alert
- Order and review your credit reports for unauthorized accounts or suspicious inquiries
- Contact the Social Security Administration at 1-800-772-1213
- Consider placing a security freeze with all three credit agencies
- Monitor credit reports on an ongoing basis
If existing financial accounts were compromised:
- Monitor account statements closely for fraudulent charges
- Report unauthorized transactions immediately to your card issuer
- Request new account numbers and updated credentials
If government identification was compromised:
- Contact the issuing agency for specific guidance
- The agency may recommend document cancellation or file flagging
For identity theft recovery, the South Dakota Attorney General's office directs consumers to the Federal Trade Commission's IdentityTheft.gov resource for step-by-step recovery plans.
Comparison: South Dakota vs. States With Comprehensive Privacy Laws
South Dakota's data privacy framework differs significantly from states that have enacted comprehensive consumer privacy legislation.
| Feature | South Dakota | States With Comprehensive Laws (e.g., CA, VA, CO) |
|---|---|---|
| Comprehensive privacy law | No | Yes |
| Right to access personal data | Limited (SB 111 for social media only) | Broad across all businesses |
| Right to delete personal data | No general right | Yes |
| Right to opt out of data sales | No | Yes |
| Breach notification deadline | 60 days | Varies (30-90 days) |
| AG notification threshold | 250+ residents | Varies (500-1,000+) |
| Private right of action | No (breach law) | Varies by state |
| Maximum penalty per violation | $10,000/day | Varies ($2,500-$7,500+) |
South Dakota's 60-day notification deadline is moderate compared to other states. Its $10,000-per-day penalty structure is among the more severe in the nation, creating a meaningful incentive for compliance despite the absence of a private right of action.