South Dakota Data Privacy Laws: Breach Notification & Consumer Rights (2026)

South Dakota does not have a comprehensive consumer data privacy law. The state's primary data protection tool, SDCL 22-40-19, requires businesses to notify affected residents within 60 days of a breach and report incidents affecting more than 250 residents to the Attorney General.
South Dakota takes a targeted approach to data privacy regulation rather than enacting a single comprehensive consumer privacy statute. The state's primary data protection tool is its Data Breach Notification Law, codified at SDCL 22-40-19 through 22-40-26, which took effect July 1, 2018.
South Dakota was the 49th state to pass a breach notification law. While the state has not adopted an omnibus privacy law comparable to those in California, Colorado, or Virginia, it enforces data protection through its breach notification requirements, consumer protection statutes, a new genetic data privacy law, and federal regulatory frameworks that apply to businesses in every state.
This guide covers every South Dakota data privacy statute currently in effect, the 2026 legislative developments that added new protections, federal frameworks that apply to South Dakota businesses and residents, and practical steps for both consumers and organizations.
South Dakota Data Breach Notification Law (SDCL 22-40-19 Through 22-40-26)
The South Dakota Data Breach Notification Law was established through Senate Bill 62, signed March 21, 2018, and effective July 1, 2018. Governor Dennis Daugaard signed the legislation after South Dakota had spent years as one of only two states without breach notification requirements.

Who Must Comply
The law applies to any "information holder": any person or business that conducts business in South Dakota and owns or licenses computerized personal or protected information of South Dakota residents. Businesses headquartered outside the state must comply if they hold data belonging to South Dakota residents.
Government agencies, nonprofits, healthcare providers, financial institutions, and educational organizations operating in South Dakota all fall under this requirement, unless they are subject to stricter federal notification rules.
What Constitutes a Breach
Under SDCL 22-40-19, a "breach of system security" is the unauthorized acquisition of unencrypted computerized data, or encrypted computerized data along with the encryption key, that materially compromises the security, confidentiality, or integrity of personal or protected information. A good-faith acquisition by an employee or agent does not constitute a breach, provided the information is not used improperly or further disclosed.
Categories of Protected Data
South Dakota's law protects two distinct categories of information.
Personal Information requires a person's first name or first initial and last name in combination with one or more of: Social Security number; driver's license or government-issued ID number; account, credit card, or debit card number combined with any required security code or PIN; health information as defined under HIPAA; or an employer-assigned identification number combined with a required security code or biometric authentication data.
Protected Information stands alone without requiring a name combination and includes: a username or email address combined with a password or security question answer that permits access to an online account; or an account or credit/debit card number combined with any security code that permits access to a financial account.
The law excludes information lawfully obtained from publicly available government records and data that has been redacted or modified to render it unusable.
The 60-Day Notification Deadline
Once an information holder discovers or is notified of a breach, it must disclose to any affected South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure must occur no later than 60 days from discovery or notification of the breach. Several other states use vaguer language such as "without unreasonable delay," making South Dakota's requirement more predictable for businesses.
Notification Methods
Information holders can provide breach notifications through several channels under SDCL 22-40-22: written notice to the affected individual's mailing address; electronic notice consistent with the federal E-SIGN Act; or substitute notice when the cost of direct notification exceeds $250,000, the affected class exceeds 500,000 persons, or the information holder lacks sufficient contact information. Substitute notice requires all three of: email notice, conspicuous website posting, and notification to statewide media.
The statute does not prescribe specific content requirements for the notice itself, but the information holder must notify nationwide consumer reporting agencies about the timing, distribution, and content of notices sent to affected individuals.
Attorney General Notification
Under SDCL 22-40-24, any information holder experiencing a breach affecting more than 250 South Dakota residents must disclose the breach to the South Dakota Attorney General by mail or email. The notification must include the details of the breach and the scope of affected individuals.
Law Enforcement Delay and Harm Assessment
Notification may be delayed if a law enforcement agency determines it would impede a criminal investigation. Once law enforcement clears the delay, the information holder must issue notifications within 30 days. There is no open-ended postponement.
South Dakota also allows an information holder to forgo notification if, after an appropriate investigation, it reasonably determines the breach will not likely result in harm to affected individuals. That determination must be documented in writing and retained for at least three years. The Attorney General must still be notified of the determination even when individual notice is not sent.
Encryption Safe Harbor
Encrypted data is generally exempt from notification requirements. The safe harbor does not apply, however, if the encryption key was also compromised in the breach. If an unauthorized party obtains both the encrypted data and the decryption key, the full notification obligations apply.
Federal Compliance Exemption
Entities regulated by federal law, including those subject to HIPAA or the Gramm-Leach-Bliley Act, are deemed to comply with South Dakota's breach notification requirements if they maintain breach notification procedures pursuant to their primary federal regulator's rules and notify affected South Dakota residents in accordance with applicable federal law.
Penalties for Breach Notification Violations
Under SDCL 22-40-26, failure to comply is classified as a deceptive act or practice under South Dakota's Deceptive Trade Practices and Consumer Protection Act (SDCL 37-24). The Attorney General may recover civil penalties of up to $10,000 per day for each violation, plus attorney's fees and costs.
There is no private right of action. Only the Attorney General can bring enforcement proceedings.
South Dakota Deceptive Trade Practices and Consumer Protection Act (SDCL 37-24)
The Deceptive Trade Practices and Consumer Protection Act serves as an additional layer of data privacy enforcement. It is unlawful for a business to engage in deceptive acts or practices, which can include misrepresenting data security measures, failing to honor privacy policies, or making false claims about how consumer data is protected.
The Attorney General enforces this statute when an action is deemed in the public interest. Penalties for intentional violations include civil fines of up to $2,000 per violation. Consumers adversely affected may bring private actions to recover actual damages. Because breach notification failures are classified as deceptive practices, the Attorney General can pursue violators under both SDCL 22-40-26 and this broader consumer protection framework.
South Dakota Genetic Data Privacy Act (SB 49, 2026)

Governor Larry Rhoden signed Senate Bill 49 into law on March 30, 2026. The law takes effect July 1, 2026, and was championed by AG Marty Jackley, who said the 2025 multistate action against 23andMe's bankruptcy sale of genetic data directly influenced the bill's drafting.
SB 49 passed the full House 65-2 and the Senate 34-0 before the governor signed it.
Who SB 49 Covers
The Act applies to "direct-to-consumer genetic testing companies": any entity that offers genetic testing products or services directly to consumers, or that analyzes, collects, or uses genetic data collected via a DTC genetic testing product or service. HIPAA-covered entities and business associates are expressly exempt, as is genetic data used for medical screening, diagnosis, or treatment at hospitals and affiliated facilities.
Key Requirements
Covered companies must publish a prominent, publicly available privacy notice disclosing their data collection, disclosure, use, retention, and security practices. The notice must specifically state whether de-identified genetic data is shared with or disclosed to third parties for research purposes.
Companies must provide a process enabling consumers to access their account and genetic data and to request deletion of their account or destruction of their biological sample.
Penalties
Civil penalties under SB 49 may not exceed $5,000 per violation. Enforcement authority rests with the Attorney General.
AG Jackley and the 23andMe Action
In June 2025, AG Jackley joined a 28-state coalition lawsuit seeking to block 23andMe from selling customer genetic data as part of the company's bankruptcy proceedings. The coalition argued that customers had not consented to the sale of their DNA information to a third-party buyer. The 2025 multistate action was the direct impetus for Jackley proposing SB 49 in the 2026 legislative session.
2026 Legislative Session: Social Media and Other Bills
SB 111: Social Media Data Transparency (Enacted)
Governor Larry Rhoden signed Senate Bill 111 on March 10, 2026. The law requires social media companies to provide users with their collected personal data upon request and maintain transparent interoperability interfaces. It passed the Senate 34-0.
Key provisions include: user-friendly reports on data collection practices; the right to request and receive all personal data a social media company has collected; consumer control over how personal information is used; and transparency requirements for data interoperability.
SB 110: Internet Service Provider Data Privacy (Failed)
Senator Rohl also introduced SB 110, which would have restricted ISPs from using or transferring customer data without explicit consumer permission unless necessary to provide the service. The bill failed 5-3 in the Senate State Affairs Committee after ISP industry opposition.
HB 1275: App Store Age Verification (Failed)
House Bill 1275 would have required app store providers to implement age verification and obtain parental consent for minors. It passed the House 50-17 but was defeated 5-4 in the Senate State Affairs Committee. Opponents noted the bill was nearly identical to Texas SB 2420, which a federal court blocked in December 2025 as unconstitutional.
South Dakota Insurance Data Security
South Dakota's Division of Insurance regulates insurance companies and producers under Title 58 of the South Dakota Codified Laws. South Dakota has adopted the NAIC Insurance Data Security Model Law through SDCL Chapter 58-43, which requires insurance licensees to develop, implement, and maintain comprehensive written information security programs, conduct risk assessments, establish incident response plans, and notify the Director of Insurance within 72 hours of a cybersecurity event.
Insurers who comply with GLBA requirements under their primary federal regulator are deemed compliant with South Dakota's breach notification provisions under the federal compliance exemption in SDCL 22-40.
South Dakota Computer Crimes Law (SDCL 43-43B)
South Dakota's Computer Crimes Law criminalizes unauthorized access to computer systems, data tampering, and the introduction of malware. The law establishes a graduated penalty structure: unauthorized access to a computer system is a Class 1 misdemeanor; data tampering or disruption of computer services is a Class 6 felony; obtaining data through unauthorized access is a Class 5 felony; and more severe offenses involving theft of data, ransomware deployment, or destruction of critical systems are charged as Class 4 through Class 2 felonies.
The computer crimes statute complements the civil breach notification law by providing criminal consequences for individuals who perpetrate data breaches.
Federal Privacy Frameworks Applicable in South Dakota
Because South Dakota lacks a comprehensive state privacy law, federal frameworks carry particular weight for businesses and residents within the state.

TAKE IT DOWN Act (Pub. L. 119-12, 2025)
President Trump signed the TAKE IT DOWN Act on May 19, 2025. The name stands for "Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act."
The criminal prohibition against publishing nonconsensual intimate images (NCII), including AI-generated deepfakes, took effect immediately upon signing. The platform notice-and-removal obligation, which requires covered platforms to remove NCII within 48 hours of a valid request, became enforceable by the FTC on May 19, 2026. Platforms that fail to implement compliant notice-and-removal processes face FTC law enforcement action and civil penalties of up to $53,088 per violation.
Health Insurance Portability and Accountability Act (HIPAA)
Healthcare providers, health plans, healthcare clearinghouses, and their business associates in South Dakota must comply with HIPAA's Privacy and Security Rules. South Dakota healthcare entities that comply with HIPAA's breach notification requirements satisfy the state's notification obligations under the federal compliance exemption in SDCL 22-40.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions in South Dakota must comply with the GLBA's Safeguards Rule. The FTC's updated Safeguards Rule, effective June 2023, strengthened requirements for risk assessments, access controls, encryption, and incident response plans.
Children's Online Privacy Protection Act (COPPA)
Businesses and websites that collect information from children under 13 must comply with COPPA, which requires verifiable parental consent before collecting personal information from minors.
Family Educational Rights and Privacy Act (FERPA)
Educational institutions in South Dakota that receive federal funding must comply with FERPA, which protects the privacy of student education records.
FTC Act Section 5
The FTC can take action against businesses that engage in unfair or deceptive practices related to data privacy and security under Section 5 of the FTC Act. South Dakota businesses are subject to FTC enforcement even without a state comprehensive privacy law.
American Privacy Rights Act (APRA)
Congress introduced a bipartisan federal comprehensive privacy bill (APRA, H.R. 8818) in June 2024. The bill did not pass the 118th Congress and expired in January 2025. It has not been reintroduced in the 119th Congress as of May 2026. No federal comprehensive consumer privacy law is in effect.
What Consumers Should Do After a Data Breach
The South Dakota Consumer Protection Division provides guidance for residents who receive breach notification letters. A security breach does not automatically result in identity theft, but prompt action reduces risk.
If your Social Security number was compromised: contact one of the three credit reporting agencies (Experian, Equifax, or TransUnion) to place a fraud alert; order and review your credit reports; contact the Social Security Administration at 1-800-772-1213; and consider placing a security freeze with all three credit agencies.
If existing financial accounts were compromised: monitor account statements closely; report unauthorized transactions immediately to your card issuer; and request new account numbers and credentials.
For identity theft recovery, the South Dakota Attorney General's office directs consumers to the Federal Trade Commission's IdentityTheft.gov for step-by-step recovery plans.
South Dakota vs. States With Comprehensive Privacy Laws
| Feature | South Dakota | States With Comprehensive Laws (e.g., CA, VA, CO) |
|---|---|---|
| Comprehensive privacy law | No | Yes |
| Right to access personal data | Limited (SB 111 social media; SB 49 genetic data) | Broad across all businesses |
| Right to delete personal data | Genetic data only (SB 49) | Yes (general) |
| Right to opt out of data sales | No | Yes |
| Breach notification deadline | 60 days | Varies (30-90 days) |
| AG notification threshold | 250+ residents | Varies (500-1,000+) |
| Private right of action | No (breach law) | Varies by state |
| Maximum penalty per violation | $10,000/day (breach); $5,000 (genetic) | Varies ($2,500-$7,500+) |
Frequently Asked Questions
Does South Dakota have a comprehensive consumer data privacy law?
No. As of May 2026, South Dakota does not have a comprehensive consumer data privacy law similar to California's CCPA, Virginia's VCDPA, or Colorado's CPA. The state relies on its data breach notification law (SDCL 22-40-19 through 22-40-26), its new Genetic Data Privacy Act (SB 49, effective July 1, 2026), consumer protection statutes, and federal frameworks. SB 111, signed March 2026, requires social media companies to provide users with their collected data on request, but it does not create general consumer privacy rights.
How quickly must a business notify South Dakota residents of a data breach?
Under SDCL 22-40-21, businesses must notify affected South Dakota residents within 60 days of discovering or being notified of a data breach. If law enforcement requests a delay, notification must still occur within 30 days after law enforcement clears the delay. There is no exception allowing indefinite postponement.
What are the penalties for failing to report a data breach in South Dakota?
Failure to comply with South Dakota's breach notification law is treated as a deceptive act under SDCL 37-24. The Attorney General can impose civil penalties of up to $10,000 per day for each violation, plus attorney's fees and court costs. Only the Attorney General can bring enforcement actions. There is no private right of action allowing individual consumers to sue.
When must a business notify the South Dakota Attorney General about a breach?
Under SDCL 22-40-24, any information holder must notify the South Dakota Attorney General by mail or email when a breach affects more than 250 South Dakota residents. For breaches affecting fewer than 250 residents, Attorney General notification is not required, but notification to affected individuals and consumer reporting agencies is still mandatory.
Does South Dakota's breach notification law apply to encrypted data?
Generally, no. Encrypted data is exempt because the law defines a breach as involving unencrypted computerized data. However, this safe harbor does not apply if the encryption key was also compromised. If an unauthorized person obtains both the encrypted data and the decryption key, the full notification requirements apply.
What is South Dakota's Genetic Data Privacy Act (SB 49)?
South Dakota's Genetic Data Privacy Act, signed March 30, 2026, and effective July 1, 2026, regulates direct-to-consumer genetic testing companies. Covered companies must publish privacy notices, allow consumers to access and delete their genetic data and biological samples, and disclose when de-identified data is shared with third parties for research. Civil penalties can reach $5,000 per violation. HIPAA-covered entities and hospitals are expressly exempt.
What does the TAKE IT DOWN Act mean for South Dakota residents?
The TAKE IT DOWN Act (Pub. L. 119-12), signed May 19, 2025, is a federal law that criminalizes the nonconsensual publication of intimate images, including AI-generated deepfakes. It applies in all 50 states, including South Dakota. Covered online platforms must remove such images within 48 hours of a valid request. The FTC began enforcing the platform removal obligations on May 19, 2026, with civil penalties up to $53,088 per violation.