Global Data Privacy Guide
USA, Kansas (United States)
Firm: Foulston Siefkin LLP
Contributors: Daniel Buller
| 1. What is the key legislation? | Several statutory sections address data-security and privacy obligations under Kansas law. The primary section governing data-security and breach-notification obligations is Kan. Stat. Ann. § 50-7a01, et seq. |
| 2. What are the key decisions applying that legislation? | In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1169 (D. Minn. 2014) denied a motion to dismiss a claim arising from Kan. Stat. Ann. § 50-7a01, et seq., noting that whether a private cause of action exists for breach-notification violations under the Kansas statute is ambiguous. |
| 1. How are “personal data” and “sensitive data” defined? | Kansas’s breach-notification law protects “personal information,” which is defined as a consumer’s first and last name or first initial and last name plus one or more of the following data elements: (i) Social Security number; (ii) driver’s license number or state identification card number; or (iii) financial account number or credit card number alone or in combination with any required security code, access code, or password that would permit access to a consumer’s financial account. Kan. Stat. Ann. § 50-7a01(g); Kan. Stat. Ann. § 50-6,139b(a)(3). “Personal information” does not include “publicly available information that is lawfully made available to the general public from federal, state or local government records.” Kan. Stat. Ann. § 50-7a01(g). |
| 2. How is the defined data protected? | Personal information is protected by Kan. Stat. Ann. § 50-7a01, et seq., which imposes data-security and breach-notification obligations. |
| 3. Who is subject to privacy obligations? | Kansas’s breach notification obligations apply to any “person that conducts business in [Kansas], or a government, governmental subdivision or agency that owns or licenses computerized data that includes personal information.” Kan. Stat. Ann. § 50-7a02(a). Kansas’s Consumer-Protection Act’s data-security obligations apply to all “holders” of personal information. A “holder” is “a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.” Kan. Stat. Ann. § 50-6,139b(a)(1). |
| 4. How is “data processing” defined? | Not applicable. |
| 5. What are the principles applicable to personal data processing? | There are no specific regulations governing the collection of personal data in Kansas. |
| 6. How is the processing of personal data regulated? | The use and disclosure of personal data is regulated in the following way: a holder of personal information must “maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure.” Kan. Stat. Ann. § 50-6,139b(b). |
| 7. How are storage, security and retention of personal data regulated? | Unless otherwise required by federal law or regulation, a holder of personal information must “take reasonable steps to destroy or arrange for the destruction of any records within such holder’s custody or control containing any person’s personal information when such holder no longer intends to maintain or possess such records.” Kan. Stat. Ann. § 50-6,139b(b)(2). The statute provides that destruction must be by “shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.” Id. |
| 8. What are the data subjects' rights under the data legislation? | Courts have noted that whether a private cause of action exists for breach-notification violations under Kan. Stat. Ann. § 50-7a01, et seq. is ambiguous. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1169 (D. Minn. 2014). |
| 9. What are the consent requirements for data subjects? | Not applicable. |
| 10. How is authorization for use of data handled? | Not applicable. |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | The statute does not specifically regulate cross-border data transfers; however, the holder of personal information must implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect personal information from unauthorized access, use, modification, or disclosure. Kan. Stat. Ann. § 50-6,139b(b)(1). |
| 12. How are data "incidents" and "breaches" defined? | Under K.S.A. § 50-7a01(h), “Security breach” means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure. |
| 13. Are there any notification requirements for incidents and/or data breaches? | If, after a prompt and reasonable investigation, the owner or licensor of personal information determines that the data has been accessed and acquired and is reasonably likely to be “misused,” the breached entity must give “notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay,” consistent with law-enforcement needs. Kan. Stat. Ann. § 50-7a02(a). The notice must be given to all affected Kansas residents. Id. An individual or commercial entity that maintains data that includes personal information that the individual or entity does not own or license must notify the owner or licensee of the information following a data breach if the personal information is reasonably believed to have been accessed and acquired by an unauthorized person. Kan. Stat. Ann. § 50-7a02(b). See also Kan. Stat. Ann. § 72-6318 for similar notification obligations relating to student data. See also Kan. Stat. Ann. § 75-7240 for responsibilities of Kansas executive branch agency heads. |
| 14. Who is/are the privacy regulator(s)? | The Kansas Attorney General and the Kansas Insurance Commissioner. The Kansas Attorney General has exclusive authority to bring an action for violation of data-security obligations set forth in Kan. Stat. Ann. § 50-6,139b, et seq. Except for violations by insurance companies, the Kansas Attorney General is also empowered, though not exclusively, to bring actions for breach-notification violations under Kan. Stat. Ann. § 50-7a01, et seq. |
| 15. What are the consequences of a data breach? | For violations of Kansas’s breach-notification law, the Attorney General may bring an action in law or in equity “and for other relief that may be appropriate.” Kan. Stat. Ann. § 50-7a02(g). This remedy is “not-exclusive” and may allow for private causes of action to address violations. See id. See also In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1169 (D. Minn. 2014). Each record that is “not destroyed” in compliance with Kansas’s data-retention law is “a separate unconscionable act” under Kansas’s Consumer-Protection Act and subject to civil penalties under that section. Kan. Stat. Ann. § 50-6,139b(d). |
| 16. How is electronic marketing regulated? | Kansas has adopted the Commercial Electronic Mail Act, which prohibits the transmission of certain forms of “commercial electronic mail” from either a computer located in Kansas or to a resident the sender knows is a Kansas resident. Kan. Stat. Ann. § 50-6,107(c). Violators of this section are subject to civil penalties of “not less than USD $500 nor more than USD $10,000 for each such violation.” Kan. Stat. Ann. § 50-6,107(j). |
| 17. Are there sector-specific or industry-specific privacy requirements? | Healthcare industry-specific privacy requirements are set forth in the Kansas Health Information Technology and Exchange Act, Kan. Stat. Ann. § 65-6821, et seq., which protects health information, regulates proper safeguarding of protected health information, and regulates the use and disclosure of protected health information. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | Not applicable. |
| 19. What are the record-keeping and documentation obligations? | Employers have certain record-keeping obligations for employee records under Kan. Stat. Ann. § 44-1209. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | Not applicable. |
| 21. What are the requirements for third-party vendor management and data sharing? | Not applicable. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | The Kansas Attorney General has exclusive authority to bring an action for violation of data-security obligations set forth in Kan. Stat. Ann. § 50-6,139b, et seq. Except for violations by insurance companies, the Kansas Attorney General is also empowered, though not exclusively, to bring actions for breach-notification violations under Kan. Stat. Ann. § 50-7a01, et seq. For breach-notification violations by an insurance company, enforcement authority is vested solely in the Kansas Insurance Commissioner. Kan. Stat. Ann. § 50-7a02(h). Courts have noted that whether a private cause of action exists for breach-notification violations under Kan. Stat. Ann. § 50-7a01, et seq. is ambiguous. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1169 (D. Minn. 2014) (denying a motion to dismiss). See also our answer to “What are the consequences of a data breach?” |
| 23. What are the ongoing compliance and audit requirements? | Not applicable. |
| 24. Are there any recent developments or expected reforms? | Not applicable. |
Contributors: Daniel Buller, Sarah Otto
Updated 15 Aug 2025
Several statutory sections address data-security and privacy obligations under Kansas law. The primary section governing data-security and breach-notification obligations is Kan. Stat. Ann. § 50-7a01, et seq.
The Kansas Consumer Protection Act, Kan. Stat. Ann. § 50-6,139b, also imposes data-retention and related obligations on holders of “personal information.”
The Kansas Consumer Protection Act, Kan. Stat. Ann. § 50-6,139b, also imposes data-retention and related obligations on holders of “personal information.” The statute requires reasonable procedures and practices appropriate to the nature of the information, and the exercise of reasonable care to protect the personal information from unauthorized access, use, modification, or disclosure. Kan. Stat. Ann. § 50-6,139b(b)(1).
Student data privacy requirements are set forth in K.S.A. 72-6312 through 72-6320, which regulates the disclosure of student data by educational agencies.
Kansas law protects social security numbers. Kan. Stat. Ann. § 75-3520(a)(1). Insurance companies and educational institutions are prohibited from using social security numbers as personal identifiers. Kan. Stat. Ann. § 40-2425 (insurance companies); § 76-768 (educational institutions).
The Kansas Constitution protects against unreasonable government searches. See Kansas Const., Bill of Rights, § 15.