	Global Data Privacy Guide
	USA, Missouri
	(United States) Contributors Updated 01 Jan 2021
What is the key legislation?	The key privacy legislation is: Missouri’s Data Breach Notification Statute, RSMO § 407.1500 et. Seq. (“Data Breach Law”) Regulation of Social Security Numbers, RSMO 407.1355 (“SSN Law”) Credit Card Numbers, RSMO 407.433 (“Credit Card Law”)
What data is protected?	Data Breach Law: Missouri resident’s “Personal Information” defined as: First name/first initial and last name, if in combination with: Social Security Number; Driver’s License Number; Other unique identifying number created or collected by governmental entities; Financial account, credit card, or debit card number, in combination with any password, PIN code, or other code which would afford access to an individual’s financial account; A unique identifier or routing code, in combination with any password, PIN code, or other code which would afford access to an individual’s financial account; Medical information; or Health insurance information. SSN Law: Social Security Numbers Credit Card Law: Credit Card Numbers
Who is subject to privacy obligations?	Any entity which “owns or licenses” (read: holds) Missouri resident’s Personal Information. Entities that hold Personal Information on behalf of others (read: akin to Processor under *GDPR*).
What are the principles applicable to personal data processing?	SSN Law: Persons may not require: Transmission of SSN’s over the internet, unless connection “secure” or SSN encrypted; Individual to use SSN to access the website, unless in combination with a password, unique personal identifier, or other authentication devices; or Individual to use SSN as employee number for any type of employment-related activities.
How is the processing of personal data regulated?	Data Breach Law: “Unauthorized” disclosure requires data breach notification in accordance with the statute. SSN Law: May not intentionally communicate or otherwise make available to the general public or to an individual's co-workers Credit Card Law: No person other than the cardholder may disclose more than the last five numbers of a credit card number on a sales receipt.
How are storage, security and retention of personal data regulated?	“Missouri law does not impose separate security or storage requirements apart from what is described above regarding the regulation of use and disclosure of personal data.” I would change this because a number of other states (OR, MA, RI) have WISP requirements within their statutory frameworks that establish minimum requirements for security programs, and other states (NY, OH, and potentially Utah in the near future) have statutes that provide a safe harbor for security programs. Since there is a growing number of states that have separate provisions or entirely separate statutes aimed at data security, I would highlight that Missouri does not.
What are the data subjects' rights?	No.
Are there restrictions on cross-border data transfers?	N/A
Are there any notification requirements for data breaches?	Yes. Risk-based assessment, with notification required unless assessment determines that identity theft or fraud not reasonably likely to occur. Notification to affected individuals “without unreasonable delay.” Notice to Missouri Attorney General and credit reporting agencies if notice is required for more than 1,000 Missouri residents.
Who is the privacy regulator?	Data Breach Law; SSN Law: Missouri Attorney General Credit Card Law: State Prosecuting Attorneys
What are the consequences of a privacy breach?	Data Breach Law: Attorney General may seek actual damages for a willful and knowing violation of breach notification statute, as well as civil penalty not exceeding USD $150,000 per violation. Credit Card Law: Repeat violations are a class A misdemeanor.
How is electronic marketing regulated?	Electronic marketing is governed by RSMO 407.1120-407.1132. The statute requires that all unsolicited email marketing messages include a return email address or toll-free phone number so that the recipient of the message can unsubscribe from further messages if desired. Violating or assisting in the violation of the section constitutes an unlawful merchandising practice, and damages of the greater of USD $500 or actual damages can be recovered for violations. More information on this statute can be found here: https://revisor.mo.gov/main/OneSection.aspx?section=407.1120&bid=23281
Are there any recent developments or expected reforms?	No updates – the only privacy-related bill proposed so far this session is updating the state Sunshine Laws to include social media pages of government officials and governing bodies in the definition of a “public record.”

Global Data Privacy Guide

Back XLS

What is the key legislation?

The key privacy legislation is:

Missouri’s Data Breach Notification Statute, RSMO § 407.1500 et. Seq. (“Data Breach Law”)
Regulation of Social Security Numbers, RSMO 407.1355 (“SSN Law”)
Credit Card Numbers, RSMO 407.433 (“Credit Card Law”)

What data is protected?

Data Breach Law:

Missouri resident’s “Personal Information” defined as:

First name/first initial and last name, if in combination with:
- Social Security Number;
- Driver’s License Number;
- Other unique identifying number created or collected by governmental entities;
- Financial account, credit card, or debit card number, in combination with any password, PIN code, or other code which would afford access to an individual’s financial account;
- A unique identifier or routing code, in combination with any password, PIN code, or other code which would afford access to an individual’s financial account;
- Medical information; or
- Health insurance information.

SSN Law: Social Security Numbers

Credit Card Law: Credit Card Numbers

Who is subject to privacy obligations?

Any entity which “owns or licenses” (read: holds) Missouri resident’s Personal Information. Entities that hold Personal Information on behalf of others (read: akin to Processor under GDPR).

What are the principles applicable to personal data processing?

SSN Law:

Persons may not require:

Transmission of SSN’s over the internet, unless connection “secure” or SSN encrypted;
Individual to use SSN to access the website, unless in combination with a password, unique personal identifier, or other authentication devices; or
Individual to use SSN as employee number for any type of employment-related activities.

How is the processing of personal data regulated?

Data Breach Law:

“Unauthorized” disclosure requires data breach notification in accordance with the statute.

SSN Law:
May not intentionally communicate or otherwise make available to the general public or to an individual's co-workers

Credit Card Law:
No person other than the cardholder may disclose more than the last five numbers of a credit card number on a sales receipt.

How are storage, security and retention of personal data regulated?

“Missouri law does not impose separate security or storage requirements apart from what is described above regarding the regulation of use and disclosure of personal data.”

I would change this because a number of other states (OR, MA, RI) have WISP requirements within their statutory frameworks that establish minimum requirements for security programs, and other states (NY, OH, and potentially Utah in the near future) have statutes that provide a safe harbor for security programs. Since there is a growing number of states that have separate provisions or entirely separate statutes aimed at data security, I would highlight that Missouri does not.

What are the data subjects' rights?

No.

Are there restrictions on cross-border data transfers?

N/A

Are there any notification requirements for data breaches?

Yes. Risk-based assessment, with notification required unless assessment determines that identity theft or fraud not reasonably likely to occur.

Notification to affected individuals “without unreasonable delay.” Notice to Missouri Attorney General and credit reporting agencies if notice is required for more than 1,000 Missouri residents.

Who is the privacy regulator?

Data Breach Law; SSN Law:
Missouri Attorney General

Credit Card Law:
State Prosecuting Attorneys

What are the consequences of a privacy breach?

Data Breach Law:
Attorney General may seek actual damages for a willful and knowing violation of breach notification statute, as well as civil penalty not exceeding USD $150,000 per violation.

Credit Card Law:
Repeat violations are a class A misdemeanor.

How is electronic marketing regulated?

Electronic marketing is governed by RSMO 407.1120-407.1132.

The statute requires that all unsolicited email marketing messages include a return email address or toll-free phone number so that the recipient of the message can unsubscribe from further messages if desired.

Violating or assisting in the violation of the section constitutes an unlawful merchandising practice, and damages of the greater of USD $500 or actual damages can be recovered for violations. More information on this statute can be found here: https://revisor.mo.gov/main/OneSection.aspx?section=407.1120&bid=23281

Are there any recent developments or expected reforms?

No updates – the only privacy-related bill proposed so far this session is updating the state Sunshine Laws to include social media pages of government officials and governing bodies in the definition of a “public record.”

Global Data Privacy Guide

USA, Missouri

Global Data Privacy Guide

USA, Missouri

Members