South Dakota's Data Protection Law: A Comprehensive Guide

Currently, South Dakota doesn't have a comprehensive data privacy law. You can visit our US State Privacy Laws Tracker to stay updated on the progress of privacy-related bills across the US.

Data protection laws have become a necessity in the current era. More and more countries are formulating or implementing such laws to enhance data safeguards and provide consumers with privacy rights.

Data privacy and protection laws exist in the United States at different levels.

Federal and sectoral laws like the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act have limited material and territorial scopes. State-level comprehensive data privacy laws, with wider application and scope, include the California Consumer Protection Act and the Colorado Privacy Act.

However, not every state has an established comprehensive privacy law. In such an event, businesses operating in the state should still follow the best compliance practices to stay compliant with federal and sectoral laws and build customer trust.

The blog aims to offer readers a brief overview of the current status of data privacy laws in South Dakota.

Understanding South Dakota's Data Protection Law

South Dakota Breach Notification Law (Section 22-40-20 of South Dakota Codified Laws) mandates that organizations must notify data owners not later than sixty days from the discovery or notification of the breach of system security unless a longer period of time is required due to the legitimate needs of law enforcement, in the event their system security is breached due to any unauthorized access, compromising the security, confidentiality, and integrity of the data. Notification laws are common in most states as the regulation enables organizations to be proactive in preventing and mitigating data breach incidents and also notifying the impacted individuals so they may take necessary measures to protect their sensitive data accordingly.

The Children’s Online Privacy Protection Act (COPPA) is a federal data protection law that emphasizes protecting minors' privacy, i.e., children under the age of 13 years of age. The privacy of minors is taken seriously not only in the US but also in other countries globally. Hence, businesses must implement appropriate privacy and security controls around the data of minors to prevent any legal consequences.

Similar other laws, such as the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA), exist to protect certain categories of personal and sensitive personal data.

Best Practices

• Businesses must learn more about federal, sectoral, and state-specific laws and examine the territorial scope.
• Businesses must conduct a thorough data asset and sensitive data discovery process to identify all data in the environment. Further data classification and cataloging enable businesses to categorize the data with labels and tags.
• Businesses should also create and automate privacy policies that inform users about data collection and processing practices and purposes.
• Appropriate security measures should be employed, such as data security policies, access policies and controls, etc.
• Businesses must minimize their data collection to only what is reasonably necessary and specific to the purpose. This allows businesses to reduce risks associated with collecting large volumes.

Conclusion

Though South Dakota has yet to establish a state-wide data privacy law, it recognizes the importance of residents’ data protection. Hence, businesses must proactively streamline their privacy practices to meet compliance and build trust.