Wyoming Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Wyoming takes a different approach to data privacy than many other states. Rather than enacting a single, sweeping consumer privacy law, Wyoming protects resident data through a combination of targeted state statutes and federal regulations.

The state's primary data privacy tool is its data breach notification law, codified at Wyo. Stat. 40-12-501 through 40-12-502 under the Consumer Protection Act. Wyoming also enacted the Genetic Data Privacy Act in 2022, addressing the growing concern over genetic testing companies and consumer DNA data.

This guide covers every major data privacy protection available to Wyoming residents, the obligations businesses face, and the federal framework that fills the gaps where state law is silent.

Does Wyoming Have a Comprehensive Data Privacy Law?

No. As of 2026, Wyoming does not have a comprehensive consumer data privacy law. The state has not passed legislation comparable to the California Consumer Privacy Act (CCPA), the Colorado Privacy Act, or the Virginia Consumer Data Protection Act.

Several states have enacted comprehensive data privacy laws in recent years. Wyoming has considered such legislation but has not advanced a broad consumer privacy bill through the full legislative process.

During the 2024 interim session, the Wyoming Legislature's Select Committee on Blockchain, Financial Technology and Digital Innovation Technology reviewed a draft Wyoming Data Privacy Act. This draft proposed comprehensive consumer data protections, but it did not advance to a floor vote.

In the 2025 general session, the Legislature considered Senate File 0065, a narrower bill focused on data privacy for government entities. SF0065 would have required government agencies to adopt policies for the collection, access, security, and use of personal data. The bill passed the Wyoming Senate unanimously (31-0) and received a favorable committee recommendation in the House, but it did not complete the full legislative process before the session ended.

For now, Wyoming residents must rely on the state's existing targeted statutes and federal law for data privacy protection.

Wyoming Data Breach Notification Law (Wyo. Stat. 40-12-501 to 40-12-502)

The cornerstone of Wyoming's data privacy framework is its data breach notification statute, found in Article 5 of the Consumer Protection Act (Wyo. Stat. 40-12-501 through 40-12-502). Originally enacted in 2007 and significantly amended in 2015, this law requires businesses to alert Wyoming residents when their personal data is compromised.

Who Must Comply

The law applies to any individual or commercial entity that conducts business in Wyoming and owns or licenses computerized data containing personal identifying information about Wyoming residents. This includes businesses headquartered outside Wyoming if they hold data on Wyoming residents.

Third-party service providers that maintain data on behalf of another entity also have obligations. If a service provider discovers a breach, it must notify the data owner as soon as practicable so the data owner can fulfill its notification duties.

What Triggers a Notification

A notification is required when there is a "breach of the security of the data system," which the statute defines as the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information.

However, notification is not automatically required for every breach. After discovering a breach, the entity must conduct a good-faith, reasonable, and prompt investigation to determine whether the personal identifying information has been or is reasonably likely to be misused. If the investigation concludes that misuse has not occurred and is not likely to occur, notification is not required.

Good-faith acquisition of personal identifying information by an employee or agent of the entity for business purposes is not considered a breach, as long as the information is not used for an unauthorized purpose or subject to further unauthorized disclosure.

What Counts as Personal Identifying Information

Wyoming's 2015 amendment significantly expanded the definition of personal identifying information. Under Wyo. Stat. 40-12-501, protected data includes an individual's first name or first initial and last name combined with any of the following:

1. Social Security number
2. Driver's license number or state identification number
3. Financial account number, credit card number, or debit card number combined with any security code, access code, or password that would allow access to a financial account
4. Tribal identification card number
5. Federal or state government-issued identification number
6. Shared secrets or security tokens used for data-based authentication and identification
7. Username or email address combined with a password or security question and answer that would permit access to an online account
8. Birth certificate or marriage certificate
9. Medical information, including medical history, condition, treatment, or diagnosis by a healthcare provider
10. Health insurance information, including policy number, subscriber identification number, or application and claims history
11. Unique biometric data used for authentication purposes
12. Individual taxpayer identification number

Wyoming's definition is notably broader than many other states. The inclusion of shared login secrets, security tokens, vital records like birth and marriage certificates, and tribal identification cards was distinctive when the 2015 amendments took effect.

Notification Timing

The statute requires notification "in the most expedient time possible and without unreasonable delay." There is no specific day count like some states impose. However, the timing must be consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the computerized data system.

Law enforcement may request a delay in notification if alerting affected individuals would impede an active criminal investigation. Once law enforcement determines that notification will no longer compromise the investigation, the entity must proceed with notification without further delay.

What the Notice Must Include

Wyoming's breach notification law specifies that notices must be clear and conspicuous and include the following:

• Toll-free contact numbers for the entity providing the notice and for the major credit reporting agencies
• The types of personal identifying information that were subject to the breach
• A general description of the breach incident
• The approximate date of the breach, if it can be determined
• The remedial actions taken by the entity to prevent further breaches
• Advice directing the Wyoming resident to remain vigilant by reviewing account statements and monitoring credit reports
• Whether the notification was delayed at the request of law enforcement

Methods of Notification

Entities can provide notification through written notice sent to the affected individual's mailing address or through electronic mail if the individual has consented to receive electronic communications.

Substitute notice is permitted when the cost of direct notification would be prohibitive. For Wyoming-based entities, substitute notice is allowed if costs exceed $10,000 or affected persons exceed 10,000. For entities based outside Wyoming, the thresholds are $250,000 in costs or 500,000 affected persons.

Substitute notice requires all of the following:

• Conspicuous posting on the entity's website
• Notification to major statewide media
• A toll-free telephone number for affected individuals to call

Exemptions

The law provides exemptions for two categories of organizations:

• Financial institutions that comply with federal interagency guidance on response programs for unauthorized access to customer information under the Gramm-Leach-Bliley Act (GLBA) are deemed to be in compliance with the notification requirements.
• HIPAA-covered entities that comply with the privacy and security provisions of the Health Insurance Portability and Accountability Act and the HITECH Act are also deemed to be in compliance.

Enforcement and Penalties

The Wyoming Attorney General has exclusive authority to enforce the breach notification law. The Attorney General may bring an action in law or equity to address violations, recover damages, or both.

There is no private right of action under this statute. Individual Wyoming residents cannot sue businesses directly for breach notification violations. They must instead file complaints with the Attorney General's office.

Wyoming Consumer Protection Act and Data Privacy

Beyond the breach notification statute, Wyoming's broader Consumer Protection Act (Wyo. Stat. 40-12-101 through 40-12-114) provides additional data privacy protections through its prohibition of deceptive trade practices.

Under the Act, a business commits a deceptive trade practice if it makes false or misleading representations about its products, services, or business practices. This applies to data privacy in several ways:

• A company that publishes a privacy policy promising specific data protections but fails to follow those policies may be liable for deceptive practices
• Misleading claims about data security measures or encryption could constitute a violation
• Failing to disclose material information about how consumer data is collected, used, or shared may also qualify

The Wyoming Attorney General's Consumer Protection and Antitrust Unit investigates and prosecutes these violations. The Attorney General can seek injunctive relief, civil penalties, and damages.

Private consumers also have a limited right of action under the Consumer Protection Act, but only when the business knowingly committed an unlawful deceptive trade practice. The plaintiff must demonstrate actual harm resulting from the defendant's conduct.

Wyoming Genetic Data Privacy Act

Wyoming took a significant step in specialized data privacy by enacting the Genetic Data Privacy Act through House Bill 0086 in 2022. Codified at Wyo. Stat. Title 35, Chapter 32, the law took effect on July 1, 2022.

This law addresses the unique privacy concerns raised by consumer genetic testing services like DNA ancestry and health testing companies.

Key Requirements

The Genetic Data Privacy Act imposes several obligations on businesses that collect genetic data:

Consent before collection. Businesses must obtain express consent from an individual before collecting, using, or disclosing their genetic data. This consent must be informed, meaning the business must provide clear notice about what data will be collected and how it will be used.

Transparency notices. Before collecting genetic data, companies must provide consumers with transparent information about the collection, use, and disclosure of genetic data.

Security requirements. Businesses must implement and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure.

Deletion rights. Consumers have the right to request deletion of their genetic data when it is no longer being used or needed for the purpose for which it was collected. The business must honor these requests.

Enforcement and Penalties

The Wyoming Attorney General enforces the Genetic Data Privacy Act. Penalties include:

• Up to $2,500 per violation in civil penalties
• Recovery of actual damages for harmed consumers
• Attorneys' fees and costs

Unlike many state data privacy laws, consumers also have a private right of action under the Genetic Data Privacy Act. Individuals who suffer damages from violations can sue directly without relying on the Attorney General.

Exemptions

The law does not apply to covered entities or business associates that collect protected health information under HIPAA. Clinical research conducted in accordance with federal regulations is also generally exempt.

Wyoming Identity Theft Laws

Wyoming criminalizes identity theft under Wyo. Stat. 6-3-901, which prohibits the unauthorized use of personal identifying information. While primarily a criminal statute, it complements the state's data privacy framework by deterring misuse of personal data.

Penalties

The penalties depend on the economic benefit gained or attempted:

• Misdemeanor: If no economic benefit was gained, or if the benefit was less than $1,000, the penalty is up to six months imprisonment, a fine of up to $750, or both
• Felony: If the economic benefit was $1,000 or more, the penalty is up to 10 years imprisonment, a fine of up to $10,000, or both

Courts may also order restitution to the victim, including payment for costs incurred in clearing credit history or restoring credit ratings, as well as attorney fees.

Credit Freeze Protections

Wyoming's Consumer Protection Act also includes credit freeze provisions within Article 5 (Wyo. Stat. 40-12-501 through 40-12-511). These provisions allow Wyoming residents to place a security freeze on their credit report, which prevents credit reporting agencies from releasing their report without express authorization.

Key credit freeze rights include:

• The right to place a security freeze at no cost
• Credit reporting agencies must remove a security freeze within three business days of receiving the consumer's request
• The freeze prevents new accounts from being opened in the consumer's name without authorization

These protections are particularly valuable for breach victims who want to prevent identity thieves from opening new lines of credit.

Federal Privacy Laws That Protect Wyoming Residents

Because Wyoming lacks a comprehensive state privacy law, federal regulations play an especially important role in protecting resident data. The following federal laws apply to specific sectors in Wyoming.

HIPAA (Health Insurance Portability and Accountability Act)

The HIPAA Privacy Rule protects medical records and personal health information held by healthcare providers, health plans, and healthcare clearinghouses in Wyoming. It requires administrative, technical, and physical safeguards for protected health information and gives patients rights to access and request corrections to their medical records.

GLBA (Gramm-Leach-Bliley Act)

The GLBA requires financial institutions in Wyoming to explain their information-sharing practices and safeguard sensitive data. Banks, credit unions, and other financial companies must provide privacy notices to customers and implement comprehensive data security programs.

FERPA (Family Educational Rights and Privacy Act)

The FERPA protects student education records at schools that receive federal funding. Parents have rights to access and amend their children's records. When students turn 18 or attend postsecondary institutions, these rights transfer to the student.

COPPA (Children's Online Privacy Protection Act)

The COPPA requires websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information. This applies to any business that collects data from Wyoming children online, regardless of where the business is located.

FTC Act Section 5

The Federal Trade Commission Act prohibits unfair or deceptive practices in commerce. The FTC has used this authority to take enforcement action against companies with inadequate data security practices, providing a federal baseline of privacy protection for Wyoming consumers.

Comparing Wyoming to States With Comprehensive Privacy Laws

Understanding where Wyoming stands compared to states with comprehensive privacy laws helps illustrate what protections exist and what gaps remain.

Feature	Wyoming	California (CCPA/CPRA)	Colorado (CPA)	Virginia (VCDPA)
Comprehensive privacy law	No	Yes	Yes	Yes
Right to access data	No (except genetic)	Yes	Yes	Yes
Right to delete data	No (except genetic)	Yes	Yes	Yes
Right to opt out of sale	No	Yes	Yes	Yes
Right to correct data	No	Yes	Yes	Yes
Data breach notification	Yes	Yes	Yes	Yes
Genetic data protections	Yes	Yes	Limited	Limited
Private right of action	Limited	Yes (breaches)	No	No
AG enforcement	Yes	Yes	Yes	Yes

Wyoming provides strong protections in narrow areas, particularly breach notification and genetic data, but lacks the broad consumer rights over personal data that comprehensive privacy laws grant.

Practical Steps to Protect Your Data in Wyoming

Given the absence of a comprehensive privacy law, Wyoming residents should take proactive measures:

Monitor your accounts. Regularly review bank statements, credit card statements, and credit reports for unauthorized activity. You are entitled to one free credit report annually from each major credit bureau through AnnualCreditReport.com.

Place a credit freeze. Use Wyoming's credit freeze provisions to lock your credit report and prevent unauthorized accounts from being opened in your name.

Review privacy policies. Before sharing personal information with businesses, read their privacy policies to understand how your data will be used and shared.

Use strong, unique passwords. Since Wyoming's breach notification law covers compromised login credentials, protecting your accounts with strong passwords and two-factor authentication reduces your risk.

Report breaches and suspicious activity. File complaints with the Wyoming Attorney General's Consumer Protection Unit if you believe a business has failed to notify you of a breach or has mishandled your data.

Be cautious with genetic testing. Wyoming's Genetic Data Privacy Act gives you the right to request deletion of genetic data. Exercise this right if you no longer want a company to retain your DNA information.

More Wyoming Laws

• Wyoming Recording Laws
• Wyoming Car Seat Laws
• Wyoming Whistleblower Laws
• Wyoming Sexting Laws
• Wyoming Statute of Limitations
• Wyoming Child Support Laws
• Wyoming Dog Bite Laws
• Wyoming Lemon Laws

This article provides general legal information about Wyoming data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in Wyoming for advice about your specific situation.