Global Data Privacy Guide

USA, Mississippi

(United States) Firm Butler Snow LLP Updated 01 Mar 2022
1. What is the key legislation?

Mississippi's Notice of Breach of Security law, Miss. Code Ann. § 75-24-29, requires breach notification of unencrypted personal information. Mississippi’s children’s online privacy legislation enacted in 2024, Mississippi Code Annotated § 45-38-1 et seq., has been enjoined based on First Amendment challenges. See Netchoice LLC v. Fitch, Civil No. 1:24-cv-170-HSO-BWR, 2025 WL 1709668 (S.D. of Miss. June 18, 2025). Mississippi has not enacted comprehensive consumer privacy legislation.

2. What are the key decisions applying that legislation?

There are no reported opinions applying the data breach notification law.

1. How are “personal data” and “sensitive data” defined?

Personal information is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements:  (i) Social Security number; (ii) driver's license or state/tribal identification card number; or (iii) account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account.  Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media. There is no definition of “sensitive” personal information.  

2. How is the defined data protected?

Encryption.  Breach notification is not required if the affected personal information is secured by encryption or any other method or technology that renders the personal information unreadable or unusable.

3. Who is subject to privacy obligations?

Any entity that conducts business in Mississippi and that, in the ordinary course of its business functions, owns, licenses or maintains computerized personal information of any resident of Mississippi, and any person who conducts business in Mississippi and maintains computerized data that includes personal information that the person does not own or license.

4. How is “data processing” defined?

Not applicable.

5. What are the principles applicable to personal data processing?

Not applicable.

6. How is the processing of personal data regulated?

Breach notification is required for unauthorized acquisition of unencrypted personal information.

7. How are storage, security and retention of personal data regulated?

A breach of encrypted personal information does not require breach notification.

8. What are the data subjects' rights under the data legislation?

Not applicable.

9. What are the consent requirements for data subjects?

Not applicable.

10. How is authorization for use of data handled?

Not applicable.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

No.

12. How are data "incidents" and "breaches" defined?

A data breach is defined as unauthorized acquisition of unencrypted computerized data containing personal information.  Breach notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach is not likely to result in harm to the affected individuals.

13. Are there any notification requirements for incidents and/or data breaches?

Yes. Breach notification may be provided in writing, by telephone, electronically (if the person primarily communicates with the affected individuals electronically or the notice is consistent with the E-SIGN Act, 15 U.S.C.A. § 7001), or by substitute notice (if the cost of notification would exceed $5,000.00, the affected class of individuals to be notified exceeds 5,000, or the person does not have sufficient contact information).

14. Who is/are the privacy regulator(s)?

The Mississippi Attorney General.

15. What are the consequences of a data breach?

Failure of any person who conducts business in the state to provide notice of a data breach shall constitute an unfair trade practice, and shall be enforced by the Attorney General. Consequences of failing to provide notice of a data breach may include the imposition of civil penalties and criminal penalties.

Note: The Office of the Attorney General has authority to enforce the statute and may bring an unfair trade practices action. If a court finds from clear and convincing evidence that a person knowingly and willfully committed any unfair or deceptive trade practice, the Attorney General, upon petition to the court, may recover a civil penalty in a sum not to exceed USD $10,000.00 per violation. The Attorney General may also recover investigative costs and a reasonable attorney's fee.

There is no private right of action for a data breach.

Additionally, any person who knowingly and willfully commits an unfair or deceptive trade practice shall be guilty of a misdemeanor, and upon the first conviction shall be fined up to one thousand dollars (USD $1,000.00). Subsequent convictions are, in addition to a fine, subject to imprisonment as a misdemeanor or a felony.

16. How is electronic marketing regulated?

Not applicable.

17. Are there sector-specific or industry-specific privacy requirements?

Mississippi’s Insurance Data Security Law, Mississippi Code Annotated § 83-5-801, et seq., applies to insurance companies licensed or registered in Mississippi.  It establishes data security standards and requires breach notification to the Mississippi Insurance Commissioner.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Not applicable.

19. What are the record-keeping and documentation obligations?

Not applicable.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

Not applicable.

21. What are the requirements for third-party vendor management and data sharing?

Not applicable.

22. What are the penalties and enforcement mechanisms for non-compliance?

Failure to provide the required data breach notification shall constitute an unfair trade practice and may result in civil and criminal penalties.

23. What are the ongoing compliance and audit requirements?

Not applicable.

24. Are there any recent developments or expected reforms?

None expected.
