Missouri: An Overview of Data Protection & Data Privacy Law

Increasing concerns over protecting users’ data and privacy have led to a proliferation of new state-level comprehensive data protection laws being enacted across the United States. Missouri, however, has yet to enact such a law. To stay updated on the progress of privacy-related bills across the US, visit our US State Privacy Laws Tracker.

The following guide provides an overview of the state’s current data protection laws and highlights primary considerations for businesses operating in the state.

The Current State of the Data Protection Laws in Missouri

Although Missouri does not have a comprehensive data privacy law, businesses must maintain strict privacy operations. This ensures compliance with changing privacy standards and prepares them to adapt to future regulations.

• Data breach notification (Mo. Rev. Stat. § 407.1500): This law details the data breach notification requirements and timelines for organizations that own or license personal information of Missouri residents.
• Unfair or deceptive acts and practices (Mo. Rev. Stat. § 407.020, the MMPA): As per this law, deceptive privacy notices or unfair data practices may be actionable under Missouri’s consumer protection statute.

Applicable Federal Laws

Depending on the organization’s industry, the following federal laws may apply:

• Health Insurance Portability and Accountability Act (HIPAA) for protected health information handled by covered entities and business associates.
• Children's Online Privacy Protection Act (COPPA) for online data about children under 13.
• Gramm-Leach-Bliley Act (GLBA) for financial institutions’ customer data.
• Fair Credit Reporting Act (FCRA) regulates consumer credit reporting and requires businesses to ensure the accurate and secure handling of consumer credit information.

Best Practices for Businesses

Businesses operating in Missouri are encouraged to maintain a high standard of security when it comes to ensuring safe data protection and privacy practices. Regardless of the presence or absence of any comprehensive privacy law, ensuring safe data handling practices helps with compliance in the long run and strengthens customer trust.

The following best practices may be considered when complying with state, local, and federal laws:

• Creating an inventory of all data and data assets requires understanding what data is being collected, where it is stored, who accesses it, and which rules apply, including cross-border restrictions.
• Enabling data mapping automation to understand data flow to different systems across the environment. This supports data quality, lineage, and lifecycle governance.
• Establishing intake and fulfillment workflows for access, correction, deletion, and opt-out requests where required by sectoral or contractual obligations.
• Conducting training and awareness sessions to educate employees, especially those with access to sensitive data, about safe data handling and cybersecurity hygiene.

Conclusion

Organizations can efficiently navigate the dynamic privacy legal landscape by adhering to best practices and investing resources in learning and understanding applicable laws. Missouri’s breach notification statute and consumer protection regime create real obligations today while the state continues to consider broader privacy legislation.