Wyoming Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Wyoming has no comprehensive consumer privacy law. Residents and businesses rely primarily on the data breach notification statute at Wyo. Stat. 40-12-501, the Genetic Data Privacy Act, and federal laws including HIPAA and GLBA for data protection.

Wyoming has no comprehensive consumer data privacy law as of May 2026. The state protects resident data through a combination of targeted statutes covering data breaches, genetic data, and synthetic imagery, along with federal sector-specific laws that fill the most significant gaps.

The state's core data protection tools are the breach notification statute at Wyo. Stat. 40-12-501 through 40-12-509, the Genetic Data Privacy Act at Wyo. Stat. Title 35, Chapter 32, and a new government-sector data policy law enacted in March 2026. A landmark deepfake statute, Enrolled Act 32, takes effect July 1, 2026.

This guide covers every data privacy protection available to Wyoming residents, the compliance obligations facing businesses, and the federal framework that provides the baseline where state law is silent.

Does Wyoming Have a Comprehensive Data Privacy Law?

No. As of May 2026, Wyoming has not enacted a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act, the Colorado Privacy Act, or the Virginia Consumer Data Protection Act.

Wyoming has considered comprehensive legislation on multiple occasions. During the 2024 interim session, the Legislature's Select Committee on Blockchain, Financial Technology and Digital Innovation Technology reviewed a draft Wyoming Data Privacy Act that would have extended broad consumer rights over personal data. That draft did not advance to a floor vote.

In the 2025 general session, the Legislature considered Senate File 0065, a narrower bill limiting its scope to government entities. SF0065 passed the Senate unanimously (31-0) but did not complete the House process before adjournment. The 2026 Budget Session returned to that concept: Senate File 0020 passed both chambers and was signed into law on March 6, 2026 (discussed below in the government data privacy section). Wyoming residents continue to rely on targeted state statutes and federal law for consumer data protection.

Wyoming Data Breach Notification Law (Wyo. Stat. 40-12-501 to 40-12-509)

The foundation of Wyoming's data privacy framework is its breach notification statute, codified in Article 5 of the Consumer Protection Act at Wyo. Stat. 40-12-501 through 40-12-509. The Legislature enacted the statute in 2007 and significantly expanded it through 2015 amendments.

Who Must Comply

The statute applies to any individual or commercial entity that conducts business in Wyoming and owns or licenses computerized data containing personal identifying information about Wyoming residents. Businesses headquartered outside Wyoming are covered if they hold data on Wyoming residents.

Third-party service providers also have obligations. If a service provider discovers a breach, it must notify the data owner as soon as practicable so the data owner can fulfill notification duties.

What Triggers a Notification

A notification duty arises when there is a "breach of the security of the data system," defined as the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information.

Notification is not automatically required for every unauthorized access. The entity must first conduct a good-faith, reasonable, and prompt investigation to determine whether personal identifying information has been or is reasonably likely to be misused. If the investigation concludes that misuse has not occurred and is not reasonably likely, notification is not required.

Good-faith acquisition by an employee or agent for legitimate business purposes is not considered a breach, provided the information is not used for an unauthorized purpose or further unauthorized disclosure.

What Counts as Personal Identifying Information

Under Wyo. Stat. 40-12-501, protected data consists of an individual's first name or first initial and last name combined with any of the following 12 categories:

1. Social Security number
2. Driver's license number or state identification number
3. Financial account number, credit card number, or debit card number combined with any security code, access code, or password providing financial account access
4. Tribal identification card number
5. Federal or state government-issued identification number
6. Shared secrets or security tokens used for data-based authentication and identification
7. Username or email address combined with a password or security question and answer permitting access to an online account
8. Birth certificate or marriage certificate
9. Medical information, including medical history, condition, treatment, or diagnosis by a healthcare provider
10. Health insurance information, including policy number, subscriber identification number, or application and claims history
11. Unique biometric data used for authentication purposes
12. Individual taxpayer identification number

Wyoming's definition is notably broad. The inclusion of vital records (birth and marriage certificates), tribal identification cards, and authentication tokens distinguishes it from narrower state definitions that cover only financial and Social Security data.

Notification Timing and Content

The statute requires notification "in the most expedient time possible and without unreasonable delay." Wyoming does not impose a specific day-count deadline, unlike states that require notification within 30, 45, or 72 hours. Law enforcement may request a delay if notification would impede an active criminal investigation; once law enforcement clears the delay, the entity must notify without further delay.

Required notice elements include:

• Toll-free contact numbers for the entity and for the major credit reporting agencies
• Types of personal identifying information involved in the breach
• General description of the breach incident
• Approximate date of the breach, if determinable
• Remedial actions taken to prevent further breaches
• Guidance directing residents to review account statements and monitor credit reports
• Whether notification was delayed at law enforcement's request

Methods of Notification and Substitute Notice

Notification may be made by written mail or electronic mail (if the individual has previously consented to electronic communications). Substitute notice is permitted when direct notification is prohibitively costly. For Wyoming-based entities, substitute notice is available when costs would exceed $10,000 or when more than 10,000 individuals are affected. For out-of-state entities, the thresholds are $250,000 or 500,000 affected persons.

Substitute notice requires all three of the following: conspicuous posting on the entity's website, notification to major statewide media, and a toll-free telephone number for affected individuals.

Exemptions

Financial institutions complying with federal interagency guidance under the Gramm-Leach-Bliley Act are deemed compliant with Wyoming's notification requirements. HIPAA-covered entities and business associates complying with the HIPAA Privacy and Security Rules and the HITECH Act are also deemed compliant.

Enforcement

The Wyoming Attorney General (currently Keith Kautz, who took office in July 2025 when former AG Bridget Hill was appointed to the Wyoming Supreme Court) has exclusive enforcement authority. The Attorney General may bring an action in law or equity to address violations and recover damages. There is no private right of action under the breach notification statute; residents must file complaints with the Attorney General's office.

Wyoming Government Data Privacy Act (SF0020, Signed March 6, 2026)

Wyoming's newest data privacy law, Senate File 0020, was signed into law on March 6, 2026. This statute applies to state and local government entities, excluding the judicial branch and law enforcement agencies.

Key provisions:

• Government entities must adopt policies for the collection, access, security, and use of personal data.
• Government entities are prohibited from buying, selling, trading, or transferring personal data without explicit written consent, except for transfers between government entities or to contractors providing government services.
• Wyoming residents may request copies of their personal data held by covered government entities and may object to its accuracy, completeness, or handling. Covered entities must respond within 60 days.
• Sample policies will be developed by January 1, 2027, with staggered effective dates for various government entities.

This statute does not create comprehensive consumer rights against private businesses. Its scope is limited to government data handling.

Wyoming Enrolled Act 32: Synthetic Intimate Imagery and Deepfakes (Effective July 1, 2026)

Wyoming's most significant new privacy-related law in the 2026 session is Enrolled Act 32 (HB 102), which adds Wyo. Stat. sections 6-4-307 and 6-4-308 to the crimes code. The law takes effect July 1, 2026.

The statute addresses two related harms: nonconsensual synthetic intimate imagery involving adults, and AI-generated or computer-edited child sexual abuse material involving minors.

Under section 6-4-307, it is a felony to knowingly disclose or distribute synthetic intimate imagery (including AI-generated or digitally altered images) of an identifiable person without that person's consent and with intent to harm, harass, intimidate, or coerce. Penalties are five to twelve years imprisonment and a fine of up to $10,000.

Section 6-4-308 addresses AI-generated child sexual abuse material specifically, treating it as equivalent to actual child sexual abuse material under Wyoming law.

The law complements the federal TAKE IT DOWN Act and Wyoming's existing nonconsensual intimate image statute at Wyo. Stat. 6-4-306, which covers real (non-synthetic) intimate images. Together, these statutes cover both authentic and AI-generated nonconsensual intimate imagery.

Wyoming Genetic Data Privacy Act (Wyo. Stat. Title 35, Chapter 32)

Wyoming enacted the Genetic Data Privacy Act through House Bill 0086 in 2022. The law took effect July 1, 2022 and is codified at Wyo. Stat. Title 35, Chapter 32.

The statute addresses privacy risks associated with consumer genetic testing services, including DNA ancestry and health testing companies.

Requirements

Businesses must obtain express, informed consent before collecting, using, or disclosing genetic data. Informed consent requires clear notice about the data to be collected and its intended use. Companies must provide transparent disclosures before collection and must implement comprehensive security programs to protect genetic data from unauthorized access or disclosure. Consumers have the right to request deletion of their genetic data when it is no longer needed for the purpose for which it was collected.

Enforcement and Private Right of Action

The Wyoming Attorney General enforces the Genetic Data Privacy Act and may seek civil penalties of up to $2,500 per violation, actual damages, and attorneys' fees. Unlike the breach notification statute, the Genetic Data Privacy Act grants consumers a private right of action: individuals who suffer damages from violations may sue directly without relying on the Attorney General.

HIPAA-covered entities and business associates are exempt from this statute for data they collect as protected health information. Clinical research conducted under applicable federal regulations is also generally exempt.

Wyoming Consumer Protection Act and Data Privacy (Wyo. Stat. 40-12-101 to 40-12-114)

Wyoming's Consumer Protection Act prohibits deceptive trade practices, which provides an additional data privacy enforcement pathway.

A business commits a deceptive trade practice if it makes false or misleading representations about its products, services, or business practices, including data privacy representations. This applies in three common scenarios: a company that publishes a privacy policy promising specific protections but fails to follow them; a company that makes misleading claims about its data security measures or encryption; or a company that fails to disclose material facts about how consumer data is collected, used, or shared.

The Wyoming Attorney General's Consumer Protection and Antitrust Unit investigates and prosecutes violations. The Attorney General can seek injunctive relief, civil penalties, and damages. Consumers also have a limited private right of action, but only when the business knowingly committed an unlawful deceptive trade practice and the plaintiff demonstrates actual harm.

Wyoming Identity Theft and Credit Freeze Protections

Wyoming criminalizes identity theft under Wyo. Stat. 6-3-901, which prohibits unauthorized use of personal identifying information. Penalties depend on economic benefit: if no economic benefit was obtained or the benefit was less than $1,000, the offense is a misdemeanor carrying up to six months imprisonment and a fine of up to $750; if the economic benefit was $1,000 or more, it becomes a felony carrying up to 10 years imprisonment and a fine of up to $10,000. Courts may also order restitution to victims for costs of clearing their credit history.

Wyoming's credit freeze statute (Wyo. Stat. 40-12-501 through 40-12-511) allows residents to place a security freeze on their credit reports at no cost. Credit reporting agencies must lift a freeze within three business days of receiving the consumer's request. The freeze prevents new accounts from being opened without the consumer's express authorization.

Federal Privacy Laws That Protect Wyoming Residents

Because Wyoming lacks a comprehensive state privacy law, federal law fills critical gaps for Wyoming consumers and businesses.

TAKE IT DOWN Act (Pub. L. 119-12, Effective May 19, 2026)

President Trump signed the TAKE IT DOWN Act on May 19, 2025. The criminal prohibition on publishing nonconsensual intimate images took effect immediately on signing. The platform takedown obligations became effective May 19, 2026 (one year after enactment).

Covered online platforms must now establish procedures for individuals to request removal of nonconsensual intimate imagery, including AI-generated deepfakes. Upon receiving a valid removal notice, platforms must remove the content within 48 hours. Failure to comply constitutes an unfair or deceptive act under the FTC Act, and the FTC has enforcement authority with civil penalties available. Wyoming's Enrolled Act 32 addresses the same underlying harm at the state criminal level; the TAKE IT DOWN Act provides the federal civil enforcement mechanism against platforms.

HIPAA

The HIPAA Privacy Rule protects medical records and personal health information held by healthcare providers, health plans, and healthcare clearinghouses in Wyoming. It requires administrative, technical, and physical safeguards for protected health information and gives patients rights to access and request corrections to their medical records.

GLBA

The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Banks, credit unions, and other financial companies operating in Wyoming must provide privacy notices to customers and maintain comprehensive data security programs.

COPPA

The Children's Online Privacy Protection Act requires websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information. This applies to any business collecting data from Wyoming children online, regardless of where the business is located.

FTC Act Section 5

The FTC Act prohibits unfair or deceptive practices in commerce. The FTC has used this authority to take enforcement action against companies with inadequate data security practices, providing a federal baseline of privacy protection for all Wyoming consumers.

FCRA

The Fair Credit Reporting Act governs consumer reporting agencies and gives Wyoming residents rights to access, dispute, and limit use of their credit files. FCRA also imposes security requirements on furnishers and users of consumer reports.

Wyoming Recording Laws and Electronic Privacy

Wyoming is a one-party consent state under Wyo. Stat. 7-3-702. This statute bars interception of wire, oral, or electronic communications without the consent of at least one party to the conversation. A participant in a conversation may record it without the other party's knowledge. For a full analysis of recording consent requirements and penalties, see Wyoming Recording Laws.

How Wyoming Compares to States With Comprehensive Privacy Laws

Practical Steps for Wyoming Residents

Monitor credit and accounts. Review bank statements, credit card statements, and credit reports regularly. Under federal law, you are entitled to one free credit report annually from each major bureau through AnnualCreditReport.com.

Use the free credit freeze. Wyoming's credit freeze statute lets you lock your credit report at no cost. File requests directly with Equifax, Experian, and TransUnion.

Review privacy policies before sharing data. Wyoming's Consumer Protection Act gives you recourse if a business makes false claims about its data practices. Read what you are agreeing to.

Request deletion of genetic data. If you have used a consumer DNA testing service, the Genetic Data Privacy Act gives you the right to request deletion of your sample and data when no longer needed.

Report deepfake and synthetic imagery violations. Starting July 1, 2026, violations of Wyo. Stat. 6-4-307 should be reported to law enforcement. Platform-level complaints about nonconsensual intimate imagery can also be submitted to the FTC under the TAKE IT DOWN Act.

File complaints with the AG. The Wyoming Attorney General's Consumer Protection and Antitrust Unit accepts complaints about data breach notification failures and deceptive privacy practices.

More Wyoming Laws

• Wyoming AI Meeting Recording Laws
• Wyoming Alimony Laws
• Wyoming At-Will Employment Laws
• Wyoming Car Accident Laws
• Wyoming Car Seat Laws
• Wyoming Child Custody Laws
• Wyoming Child Support Laws
• Wyoming Common Law Marriage Laws
• Wyoming Deepfake Laws
• Wyoming Divorce Laws
• Wyoming Dog Bite Laws
• Wyoming Emancipation Laws
• Wyoming Expungement Laws
• Wyoming Landlord-Tenant Laws
• Wyoming Lemon Laws
• Wyoming Power of Attorney Laws

This article provides general legal information about Wyoming data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in Wyoming for advice about your specific situation. Information verified as of May 2026.