South Dakota Biometric Privacy Laws: Collection, Consent & Penalties (2026)
South Dakota takes a minimal approach to biometric privacy regulation. Unlike states such as Illinois or Texas that have enacted specific biometric privacy statutes, South Dakota provides biometric data protection only through its data breach notification law.
This means businesses operating in South Dakota can collect, store, and use biometric data such as fingerprints, facial recognition templates, and voiceprints without obtaining consent from individuals. Protection only kicks in after a security breach has already occurred.
For a broader overview of privacy protections in the state, see the parent guide to [South Dakota Data Privacy Laws](/us-laws/data-privacy-laws/south-dakota-data-privacy-laws).
How South Dakota Law Defines Biometric Data
South Dakota's breach notification statute, SDCL 22-40-19, defines biometric data as data generated from measurements or analysis of human body characteristics for authentication purposes. This definition appears within the broader definition of "personal information" that triggers breach notification requirements.
Under the statute, biometric data is protected when it appears in combination with an identification number assigned to a person by their employer and any required security code, access code, or password.
The definition is notably narrow compared to other states. It covers biometric data only when used for authentication purposes. Biometric data collected for other reasons, such as marketing analytics or research, falls outside the statute's scope.
Common types of biometric data that would qualify under this definition include:
- Fingerprint scans used for device or system login
- Facial recognition templates used for identity verification
- Iris scans used for building access
- Voiceprints used for phone authentication
- Hand geometry measurements used for timekeeping systems
Photographs, video recordings, and audio recordings are not explicitly addressed in the biometric data definition under SDCL 22-40-19.
Breach Notification Requirements for Biometric Data
South Dakota's breach notification law, enacted through SB 62 in 2018 and codified at SDCL 22-40-20, establishes the primary legal framework that protects biometric data in the state.
Who Must Comply
Any person or business that conducts business in South Dakota and owns or licenses computerized personal information of South Dakota residents must comply with the breach notification requirements. This applies to both in-state and out-of-state entities.
Notification Timeline
When a breach of system security exposes personal information that includes biometric data, the information holder must notify affected South Dakota residents no later than 60 days from discovery or notification of the breach.
This 60-day window can be extended only if law enforcement determines that notification would impede a criminal investigation. In that case, notification must occur within 30 days after law enforcement clears the delay.
Attorney General Reporting
Any breach affecting more than 250 South Dakota residents must be reported to the South Dakota Attorney General by mail or email. This report must include information about the nature of the breach and the types of personal information compromised.
What Triggers a Notification
A "breach of system security" under the law means the unauthorized acquisition of unencrypted computerized data, or encrypted data along with the encryption key, that materially compromises the security, confidentiality, or integrity of personal or protected information.
If biometric authentication data is exposed in such a breach, the notification obligations apply.
What South Dakota Law Does Not Cover
The gaps in South Dakota's biometric privacy framework are significant. Understanding what the law does not do is just as important as understanding what it does.
No Collection Consent Requirements
South Dakota does not require businesses or employers to obtain consent before collecting biometric data. A company can implement fingerprint scanners, facial recognition cameras, or voice authentication systems without providing notice or obtaining any form of permission from the individuals whose data is collected.
No Retention or Destruction Rules
The law does not set limits on how long organizations can store biometric data. There are no requirements to publish a data retention schedule or to destroy biometric data after a set period or when the purpose for collection has ended.
No Purpose Limitation
Businesses that collect biometric data in South Dakota face no restrictions on how they use it. The law does not prohibit selling, sharing, or repurposing biometric data, so long as no breach notification obligations are triggered.
No Private Right of Action
Individual South Dakota residents cannot file lawsuits over biometric data misuse. Only the Attorney General has enforcement authority related to breach notification violations. This stands in sharp contrast to Illinois's BIPA, which allows individuals to sue for $1,000 to $5,000 per violation.
No Dedicated Enforcement Penalties
The breach notification statute allows the Attorney General to recover attorney's fees and costs associated with enforcement actions under SDCL 22-40-26, but does not specify per-violation civil penalty amounts for breach notification failures.
Federal Laws That May Apply in South Dakota
Because South Dakota lacks comprehensive biometric privacy protections, federal laws provide some additional coverage in specific contexts.
HIPAA
Health care providers, insurers, and their business associates in South Dakota must comply with HIPAA when handling biometric data in a health care context. South Dakota's breach notification law recognizes this by deeming HIPAA-regulated entities in compliance if they follow federal breach notification requirements.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions in South Dakota that collect biometric data for customer authentication must comply with GLBA data security requirements. Similar to HIPAA entities, financial institutions that follow their federal regulator's breach notification requirements are deemed compliant with South Dakota's state law.
Children's Online Privacy Protection Act (COPPA)
Companies collecting biometric data from children under 13 in South Dakota must comply with COPPA requirements, which include obtaining verifiable parental consent before collecting biometric identifiers.
How South Dakota Compares to Neighboring States
South Dakota's approach to biometric privacy is among the least protective in the region.
Iowa enacted a consumer data protection law that classifies biometric data as sensitive and requires affirmative consent for processing. Montana similarly passed comprehensive privacy legislation with biometric data protections.
North Dakota, Nebraska, and Wyoming share South Dakota's limited approach, relying primarily on breach notification laws without dedicated biometric privacy statutes.
Minnesota, to the east, has enacted stronger consumer data privacy protections that include biometric data provisions.
Practical Guidance for South Dakota Residents
Without a dedicated biometric privacy law, South Dakota residents have limited legal recourse regarding their biometric data. However, there are practical steps to protect yourself.
Ask employers and businesses what biometric data they collect and how they store it. While they are not legally required to tell you, many organizations have privacy policies that address biometric data.
Review privacy policies before using apps, devices, or services that collect fingerprints, facial scans, or voice data. Federal laws like COPPA and sector-specific regulations may provide some protections depending on the context.
If you believe your biometric data was compromised in a breach and you did not receive notification, contact the South Dakota Attorney General's Consumer Protection Division to file a complaint.
Legislative Outlook
As of early 2026, South Dakota has not introduced biometric privacy legislation. The state has not proposed a comprehensive consumer data privacy law or a standalone biometric privacy statute.
Given that 20 states have now enacted comprehensive privacy laws with biometric data provisions, legislative activity in South Dakota remains possible. Any new legislation would likely be introduced during the state's annual legislative session, which typically runs from January through March.
Residents and businesses should monitor the South Dakota Legislature website for any proposed privacy-related bills.
More South Dakota Laws
- South Dakota Recording Laws
- South Dakota Recording Laws
- South Dakota Recording Laws
- South Dakota Recording Laws
- South Dakota Recording Laws
- South Dakota Dog Bite Laws
- South Dakota Data Privacy Laws
- South Dakota Recording Laws
Sources and References
This article references South Dakota statutes available through the South Dakota Legislature website. For the full text of the breach notification law, see SDCL 22-40-19 through SDCL 22-40-26. For consumer complaints related to data breaches, contact the South Dakota Attorney General.
This article provides general legal information about South Dakota biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official South Dakota government sources.
Sources and References
- SDCL 22-40-19 - Definition of Terms (Breach Notification)(sdlegislature.gov).gov
- SDCL 22-40-20 - Disclosure of Breach Required(sdlegislature.gov).gov
- SDCL 22-40-22 - Notification to Attorney General(sdlegislature.gov).gov
- SDCL 22-40-26 - Attorney General Enforcement(sdlegislature.gov).gov
- SDCL Chapter 22-40 - Identity Crimes(sdlegislature.gov).gov
- SB 62 (2018) - Data Breach Notification Act(mylrc.sdlegislature.gov).gov
- South Dakota Attorney General - Consumer Protection(atg.sd.gov).gov