Global Data Privacy Guide
USA, Missouri (United States)
Updated 01 Jan 2021
What is the key legislation? | The key privacy legislation is:
|
What data is protected? | Data Breach Law: Missouri resident’s “Personal Information” defined as:
SSN Law: Social Security Numbers Credit Card Law: Credit Card Numbers |
Who is subject to privacy obligations? | Any entity which “owns or licenses” (read: holds) Missouri resident’s Personal Information. Entities that hold Personal Information on behalf of others (read: akin to Processor under GDPR). |
What are the principles applicable to personal data processing? | SSN Law: Persons may not require:
|
How is the processing of personal data regulated? | Data Breach Law: “Unauthorized” disclosure requires data breach notification in accordance with the statute. SSN Law: Credit Card Law: |
How are storage, security and retention of personal data regulated? | “Missouri law does not impose separate security or storage requirements apart from what is described above regarding the regulation of use and disclosure of personal data.” I would change this because a number of other states (OR, MA, RI) have WISP requirements within their statutory frameworks that establish minimum requirements for security programs, and other states (NY, OH, and potentially Utah in the near future) have statutes that provide a safe harbor for security programs. Since there is a growing number of states that have separate provisions or entirely separate statutes aimed at data security, I would highlight that Missouri does not. |
What are the data subjects' rights? | No. |
Are there restrictions on cross-border data transfers? | N/A |
Are there any notification requirements for data breaches? | Yes. A risk-based assessment applies: notification is required unless the assessment determines that identity theft or fraud is not reasonably likely to occur. Notification to affected individuals must be made “without unreasonable delay.” Notice must also go to the Missouri Attorney General and credit reporting agencies if notice is required for more than 1,000 Missouri residents. |
Who is the privacy regulator? | Data Breach Law; SSN Law: Credit Card Law: |
What are the consequences of a privacy breach? | Data Breach Law: Credit Card Law: |
How is electronic marketing regulated? | Electronic marketing is governed by RSMO 407.1120-407.1132. The statute requires that all unsolicited email marketing messages include a return email address or toll-free phone number so that the recipient of the message can unsubscribe from further messages if desired. Violating or assisting in the violation of the section constitutes an unlawful merchandising practice, and damages of the greater of USD $500 or actual damages can be recovered for violations. More information on this statute can be found here: https://revisor.mo.gov/main/OneSection.aspx?section=407.1120&bid=23281 |
Are there any recent developments or expected reforms? | No updates – the only privacy-related bill proposed so far this session is updating the state Sunshine Laws to include social media pages of government officials and governing bodies in the definition of a “public record.” |
The key privacy legislation is:
- Missouri’s Data Breach Notification Statute, RSMO § 407.1500 et seq. (“Data Breach Law”)
- Regulation of Social Security Numbers, RSMO 407.1355 (“SSN Law”)
- Credit Card Numbers, RSMO 407.433 (“Credit Card Law”)
Data Breach Law:
Missouri resident’s “Personal Information” defined as:
- First name/first initial and last name, if in combination with:
  - Social Security Number;
  - Driver’s License Number;
  - Other unique identifying number created or collected by governmental entities;
  - Financial account, credit card, or debit card number, in combination with any password, PIN code, or other code which would afford access to an individual’s financial account;
  - A unique identifier or routing code, in combination with any password, PIN code, or other code which would afford access to an individual’s financial account;
  - Medical information; or
  - Health insurance information.
SSN Law: Social Security Numbers
Credit Card Law: Credit Card Numbers
Any entity which “owns or licenses” (read: holds) Missouri resident’s Personal Information. Entities that hold Personal Information on behalf of others (read: akin to Processor under GDPR).
SSN Law:
Persons may not require:
- Transmission of SSNs over the internet, unless the connection is “secure” or the SSN is encrypted;
- Individual to use SSN to access the website, unless in combination with a password, unique personal identifier, or other authentication devices; or
- Individual to use SSN as employee number for any type of employment-related activities.
Data Breach Law:
“Unauthorized” disclosure requires data breach notification in accordance with the statute.
SSN Law:
May not intentionally communicate or otherwise make available to the general public or to an individual's co-workers
Credit Card Law:
No person other than the cardholder may disclose more than the last five numbers of a credit card number on a sales receipt.
“Missouri law does not impose separate security or storage requirements apart from what is described above regarding the regulation of use and disclosure of personal data.”
I would change this because a number of other states (OR, MA, RI) have WISP requirements within their statutory frameworks that establish minimum requirements for security programs, and other states (NY, OH, and potentially Utah in the near future) have statutes that provide a safe harbor for security programs. Since there is a growing number of states that have separate provisions or entirely separate statutes aimed at data security, I would highlight that Missouri does not.
No.
N/A
Yes. A risk-based assessment applies: notification is required unless the assessment determines that identity theft or fraud is not reasonably likely to occur.
Notification to affected individuals “without unreasonable delay.” Notice to Missouri Attorney General and credit reporting agencies if notice is required for more than 1,000 Missouri residents.
Data Breach Law; SSN Law:
Missouri Attorney General
Credit Card Law:
State Prosecuting Attorneys
Data Breach Law:
The Attorney General may seek actual damages for a willful and knowing violation of the breach notification statute, as well as a civil penalty not exceeding USD $150,000 per violation.
Credit Card Law:
Repeat violations are a class A misdemeanor.
Electronic marketing is governed by RSMO 407.1120-407.1132.
The statute requires that all unsolicited email marketing messages include a return email address or toll-free phone number so that the recipient of the message can unsubscribe from further messages if desired.
Violating or assisting in the violation of the section constitutes an unlawful merchandising practice, and damages of the greater of USD $500 or actual damages can be recovered for violations. More information on this statute can be found here: https://revisor.mo.gov/main/OneSection.aspx?section=407.1120&bid=23281
No updates – the only privacy-related bill proposed so far this session is updating the state Sunshine Laws to include social media pages of government officials and governing bodies in the definition of a “public record.”