Which privacy laws apply to your business in Kansas?
There is no comprehensive Kansas consumer-privacy law. The operative state framework is two-part: the 2006 data-breach notification statute, which applies to any person that conducts business in Kansas — or any government unit — that owns or licenses computerized data including personal information, and the Kansas Consumer Protection Act (KCPA), which is construed liberally to protect consumers from suppliers who commit deceptive and unconscionable practices. Neither statute carries a revenue or consumer-volume threshold.
Because there is no omnibus statute, Kansas residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and no recognized universal opt-out signal; businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties. The KCPA's scope definitions decide who is exposed to the rules that do exist. A consumer is unusually broad for a consumer-protection statute — it includes an individual, husband and wife, sole proprietor, or family partnership acting for personal, family, household, business, or agricultural purposes — while corporations and LLCs fall outside it. A supplier is anyone who, in the ordinary course of business, solicits, engages in, or enforces consumer transactions, whether or not dealing directly with the consumer. And a consumer transaction is a disposition of property or services for value within Kansas — expressly excluding insurance contracts regulated under state law.
A handful of narrower Kansas and federal sectoral laws may still apply depending on the business model and data involved. The rest of a Kansas-facing privacy program rides the federal overlay: FTC Act § 5 reaches deceptive or unfair privacy practices, GLBA governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13.
A failed 2026 app-store privacy measure is a watch item, but it creates no current Kansas obligations. Similar app-store or minor-safety language could be reintroduced in a later session.
Sources for this answer
Primary law
A.1 K.S.A. 50-7a02: The breach statute applies to any person that conducts business in Kansas, and to any government unit, that owns or licenses computerized data including personal information — with no revenue or volume threshold.
A person that conducts business in this state, or a government, governmental subdivision or agency that owns or licenses computerized data that includes personal information shall, when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused.
See K.S.A. 50-7a02(a).
Primary law
A.2 K.S.A. 50-623: The Kansas Consumer Protection Act is construed liberally to protect consumers from suppliers who commit deceptive and unconscionable practices.
This act shall be construed liberally to promote the following policies: (a) To simplify, clarify and modernize the law governing consumer transactions; (b) to protect consumers from suppliers who commit deceptive and unconscionable practices;
See K.S.A. 50-623.
Primary law
A.3 K.S.A. 50-624 (consumer): A KCPA consumer includes an individual, husband and wife, sole proprietor, or family partnership acting for personal, family, household, business, or agricultural purposes — broader than most consumer-protection statutes.
"Consumer" means an individual, husband and wife, sole proprietor, or family partnership who seeks or acquires property or services for personal, family, household, business or agricultural purposes.
See K.S.A. 50-624(b).
Primary law
A.4 K.S.A. 50-624 (supplier): A KCPA supplier is anyone who, in the ordinary course of business, solicits, engages in, or enforces consumer transactions, whether or not dealing directly with the consumer.
"Supplier" means a manufacturer, distributor, dealer, seller, lessor, assignor, or other person who, in the ordinary course of business, solicits, engages in or enforces consumer transactions, whether or not dealing directly with the consumer.
See K.S.A. 50-624(l).
Primary law
A.5 K.S.A. 50-624 (consumer transaction): A KCPA consumer transaction is a disposition of property or services for value within Kansas, expressly excluding insurance contracts regulated under state law.
"Consumer transaction" means a sale, lease, assignment or other disposition for value of property or services within this state, except insurance contracts regulated under state law, to a consumer; or a solicitation by a supplier with respect to any of these dispositions.
See K.S.A. 50-624(c).
What must your Kansas privacy policy contain?
No Kansas statute requires a general consumer privacy policy or fixes what it must say. The constraint that does the work is truthfulness. The KCPA forbids a supplier from engaging in any deceptive act or practice in connection with a consumer transaction, and its enumerated deceptive acts include the willful use of falsehood or ambiguity as to a material fact and the willful failure to state — or the willful concealment of — a material fact. A published privacy policy the business does not follow is the natural target of those rules, and the same conduct is independently a deceptive practice under Section 5 of the FTC Act.
In practice the Kansas drafting question is not what must be included but does the policy match actual practice. Beyond deception, the KCPA separately bans unconscionable acts and practices, and it reaches conduct before, during, or after the transaction — one-sided data practices buried in terms the consumer cannot reasonably protect against are the privacy-flavored fit. Use the KCPA text as the state-law check rather than assuming Kansas has a privacy-policy template.
Where a sectoral regime applies, that regime supplies the contents instead. A financial institution may not share nonpublic personal information with nonaffiliated third parties unless it has first given the consumer a GLBA-compliant privacy notice. A HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties. COPPA prohibits an operator of a website or online service directed to children under 13 from collecting children's personal information in violation of the FTC's notice and parental-consent regulations. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because in Kansas the enforceable obligation is consistency between the statement and the conduct. For any Kansas business selling beyond the state, other states' comprehensive privacy laws are the practical driver of what the policy ends up containing.
Sources for this answer
Primary law
B.1 K.S.A. 50-626: The KCPA prohibits a supplier from engaging in any deceptive act or practice in connection with a consumer transaction — the hook that makes a misleading privacy policy actionable.
No supplier shall engage in any deceptive act or practice in connection with a consumer transaction.
See K.S.A. 50-626(a).
Primary law
B.2 K.S.A. 50-626(b): Enumerated deceptive acts include the willful use of falsehood or ambiguity as to a material fact and the willful failure to state or concealment of a material fact — the natural theories against a privacy policy that misstates or omits actual data practices.
(2) the willful use, in any oral or written representation, of exaggeration, falsehood, innuendo or ambiguity as to a material fact; (3) the willful failure to state a material fact, or the willful concealment, suppression or omission of a material fact;
See K.S.A. 50-626(b)(2)–(3).
Primary law
B.4 K.S.A. 50-627: The KCPA separately prohibits unconscionable acts and practices, and the prohibition reaches conduct before, during, or after the consumer transaction.
No supplier shall engage in any unconscionable act or practice in connection with a consumer transaction. An unconscionable act or practice violates this act whether it occurs before, during or after the transaction.
See K.S.A. 50-627(a).
Primary law
B.3 FTC Act § 5: Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Primary law
B.5 GLBA privacy notice: A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided the consumer a privacy notice complying with the GLBA.
Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.
See 15 U.S.C. § 6802(a).
Primary law
B.6 HIPAA Notice of Privacy Practices: A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520(a)(1).
Primary law
B.7 COPPA: An operator of a website or online service directed to children, or with actual knowledge it collects children's personal information, may not collect that information in violation of the COPPA notice and parental-consent regulations.
It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).
See 15 U.S.C. § 6502(a)(1).
What must your contracts with vendors say?
Kansas imposes no general data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for ordinary commercial contracts. The one Kansas vendor duty is breach-notice flow-up: an entity that maintains computerized personal information it does not own or license must notify the owner or licensee of the information after discovering a breach, if the personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.
That flow-up duty is worth writing into the contract anyway: the statute does not set a deadline for the vendor's notice to you, so a well-drafted agreement converts the statutory duty into a fixed notification window with cooperation obligations, since it is your business — as the data owner — that then carries the consumer-notice duty to Kansas residents. Where a federal or sectoral regime is in scope, it supplies the rest of the contracting obligations. The GLBA Safeguards Rule requires financial institutions to oversee service providers — selecting providers capable of maintaining appropriate safeguards, requiring those safeguards by contract, and periodically reassessing the providers. HIPAA requires a written business-associate contract establishing the permitted uses and disclosures of protected health information before a covered entity shares it.
Outside those verticals, carry the same protections forward as best practice even though no Kansas statute compels them: processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business on a contractual clock, and return or deletion of data at the end of the engagement.
Sources for this answer
Primary law
C.1 K.S.A. 50-7a02(b): A vendor that maintains computerized personal information it does not own or license must notify the owner or licensee of the information after discovering a breach involving unauthorized access and acquisition.
An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data following discovery of a breach, if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.
See K.S.A. 50-7a02(b).
Primary law
C.2 GLBA Safeguards Rule: The GLBA Safeguards Rule requires a financial institution to oversee its service providers — selecting capable providers, requiring safeguards by contract, and periodically assessing them.
Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
See 16 C.F.R. § 314.4(f).
Primary law
C.3 HIPAA Business Associate Contracts: HIPAA requires a written business-associate contract that establishes the permitted and required uses and disclosures of protected health information by the business associate.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate.
See 45 C.F.R. § 164.504(e)(2).
When must you notify people of a data breach in Kansas?
After a two-step determination, and then quickly but with no fixed day-count. When a business becomes aware of a security breach it must conduct a good-faith, reasonable, and prompt investigation into the likelihood that personal information has been or will be misused; if the investigation determines that misuse has occurred or is reasonably likely to occur, it must notify the affected Kansas residents as soon as possible, in the most expedient time possible and without unreasonable delay. The duty is also gated at the definition: a security breach means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises personal information and that causes — or that the business reasonably believes has caused or will cause — identity theft to a Kansas consumer. If notice goes to more than 1,000 consumers at one time, the business must also notify the nationwide consumer reporting agencies without unreasonable delay.
Kansas's trigger is unusually narrow — twice gated. Most states key the notice duty to acquisition of personal information alone; Kansas requires both access and acquisition, ties the very existence of a breach to actual or reasonably believed identity theft, and then adds the misuse-investigation gate on top. The conservative operational posture is to run the investigation promptly and document the misuse determination either way, because the statute gives no safe harbor for guessing wrong. The data elements are also a short list: personal information means a consumer's first name or first initial and last name linked to an unencrypted, unredacted Social Security number, driver's license or state ID number, or financial-account or payment-card number with any code permitting account access — no medical, biometric, or online-credential elements, and encryption or redaction takes the data out of scope entirely.
The mechanics are flexible by national standards. Notice may be written or electronic, and substitute notice is allowed where the cost of notice would exceed $100,000, the affected class exceeds 5,000 consumers, or the business lacks sufficient contact information; when used, substitute notice means email where available, conspicuous website posting, and notification to major statewide media. Notice may be delayed at a law-enforcement agency's request if the agency determines that notice will impede a criminal investigation. Notably, the statute requires no notification to the Kansas Attorney General at any threshold — an outlier among state breach laws — so the only regulator-adjacent notice is the consumer-reporting-agency duty above. Two compliance safe harbors close the loop: a business that follows its own consistent notification procedures under an information-security policy is deemed compliant, and so is a regulated entity that follows the breach procedures of its primary or functional state or federal regulator — though for licensed insurers, enforcement of this section belongs solely to the insurance commissioner rather than the Attorney General.
Sources for this answer
Primary law
D.1 K.S.A. 50-7a02(a): If the post-breach investigation determines that misuse of personal information has occurred or is reasonably likely, the business must notify affected Kansas residents as soon as possible, in the most expedient time possible and without unreasonable delay — with no fixed day-count.
If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the person or government, governmental subdivision or agency shall give notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
See K.S.A. 50-7a02(a).
Primary law
D.2 K.S.A. 50-7a01(h): A security breach requires unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises personal information and causes, or is reasonably believed to have caused or will cause, identity theft to a Kansas consumer.
"Security breach" means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer.
See K.S.A. 50-7a01(h).
Primary law
D.4 K.S.A. 50-7a01(g): Personal information is a consumer's name linked to an unencrypted, unredacted Social Security number, driver's license or state ID number, or financial-account or card number with any code permitting account access.
"Personal information" means a consumer's first name or first initial and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted: (1) Social security number; (2) driver's license number or state identification card number; or (3) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.
See K.S.A. 50-7a01(g).
Primary law
D.3 K.S.A. 50-7a02(f): When more than 1,000 consumers must be notified at one time, the business must also notify the nationwide consumer reporting agencies, without unreasonable delay, of the timing, distribution, and content of the notices.
In the event that a person discovers circumstances requiring notification pursuant to this section of more than 1,000 consumers at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a(p), of the timing, distribution and content of the notices.
See K.S.A. 50-7a02(f).
Primary law
D.5 K.S.A. 50-7a01(c): Substitute notice is permitted where the cost of notice would exceed $100,000, the affected class exceeds 5,000 consumers, or the business lacks sufficient contact information.
substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $100,000, or that the affected class of consumers to be notified exceeds 5,000, or that the individual or the commercial entity does not have sufficient contact information to provide notice.
See K.S.A. 50-7a01(c)(3).
Primary law
D.6 K.S.A. 50-7a01(e): Substitute notice means email notice where email addresses are available, conspicuous website posting where the business maintains a website, and notification to major statewide media.
"Substitute notice" means: (1) E-mail notice if the individual or the commercial entity has e-mail addresses for the affected class of consumers; (2) conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains a web site; and (3) notification to major statewide media.
See K.S.A. 50-7a01(e).
Primary law
D.7 K.S.A. 50-7a02(c): Breach notice may be delayed if a law-enforcement agency determines that notice will impede a criminal investigation.
Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this section shall be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.
See K.S.A. 50-7a02(c).
Primary law
D.8 K.S.A. 50-7a02(d)–(e): A business that follows its own consistent breach-notification procedures, or the breach procedures established by its primary or functional state or federal regulator, is deemed to comply with the notice requirements.
Notwithstanding any other provision in this section, an individual or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the individual or the commercial entity notifies affected consumers in accordance with its policies in the event of a breach of security of the system. (e) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section.
See K.S.A. 50-7a02(d)–(e).
Can a consumer sue your business in Kansas over privacy?
It depends on the statute. The breach-notification law creates no express private remedy — it empowers the Attorney General to bring an action in law or equity, while providing that the section is not exclusive and does not relieve a business from complying with all other applicable law. The KCPA, by contrast, carries a real private right of action: an aggrieved consumer may recover, in an individual action but not in a class action, damages or a civil penalty, whichever is greater.
The KCPA's class-action architecture is the detail that shapes real exposure. Consumers may bring a class action for declaratory or injunctive relief and ancillary remedies — but not damages — against any violating practice. A damages class action is available only in a narrower band: where the act or practice violates the specifically proscribed deceptive, unconscionable, or door-to-door provisions, was declared unlawful by a published final judgment ten days before the transactions at issue, or was prohibited by a prior consent judgment binding the supplier. Because the deceptive-acts and unconscionable-acts sections are within that per-se band, a privacy-policy misrepresentation theory could in principle support a damages class; the exposure is structural rather than established. The KCPA also has two-way fee-shifting: a prevailing consumer can recover reasonable attorney fees where the supplier committed a violation, and a supplier can recover fees where the consumer maintained a groundless action.
Whether a breach-notification failure could itself be repackaged as a private KCPA claim is an open question — the breach statute names only public enforcers, but its non-exclusivity sentence preserves other law. One scope question to keep in view for online services: the KCPA hinges on a consumer transaction, defined as a disposition of property or services for value within Kansas. That makes no-cash, ad-supported services a harder fit than paid services.
Sources for this answer
Primary law
E.1 K.S.A. 50-7a02(g): The breach statute names the Attorney General as enforcer (in law or equity) and creates no express private remedy, while providing that the section is not exclusive of other applicable law.
For violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.
See K.S.A. 50-7a02(g).
Primary law
E.2 K.S.A. 50-634(b): An aggrieved consumer may recover, in an individual action but not a class action, damages or a civil penalty, whichever is greater.
A consumer who is aggrieved by a violation of this act may recover, but not in a class action, damages or a civil penalty as provided in subsection (a) of K.S.A. 50-636 and amendments thereto, whichever is greater.
See K.S.A. 50-634(b).
Primary law
E.3 K.S.A. 50-634(c): Consumers may bring a class action for declaratory judgment, an injunction, and appropriate ancillary relief — but not damages — against an act or practice that violates the KCPA.
Whether a consumer seeks or is entitled to recover damages or has an adequate remedy at law, a consumer may bring a class action for declaratory judgment, an injunction and appropriate ancillary relief, except damages, against an act or practice that violates this act.
See K.S.A. 50-634(c).
Primary law
E.4 K.S.A. 50-634(d): A damages class action is available only for acts or practices specifically proscribed by the deceptive-acts, unconscionable-acts, or door-to-door provisions, declared unlawful by a prior published final judgment, or prohibited by a prior consent judgment.
A consumer who suffers loss as a result of a violation of this act may bring a class action for the damages caused by an act or practice: (1) Violating any of the acts or practices specifically proscribed in K.S.A. 50-626, 50-627 and 50-640, and amendments thereto, or (2) declared to violate K.S.A. 50-626 or 50-627, and amendments thereto, by a final judgment of any district court or the supreme court of this state that was either officially reported or made available for public dissemination under subsection (a)(3) of K.S.A. 50-630 and amendments thereto by the attorney general 10 days before the consumer transactions on which the action is based, or (3) with respect to a supplier who agreed to it, was prohibited specifically by the terms of a consent judgment which became final before the consumer transactions on which the action is based.
See K.S.A. 50-634(d).
Primary law
E.5 K.S.A. 50-624 (consumer transaction): A KCPA consumer transaction is a disposition of property or services for value within Kansas, expressly excluding insurance contracts regulated under state law.
"Consumer transaction" means a sale, lease, assignment or other disposition for value of property or services within this state, except insurance contracts regulated under state law, to a consumer; or a solicitation by a supplier with respect to any of these dispositions.
See K.S.A. 50-624(c).
Who enforces Kansas privacy law, and what are the penalties?
The Kansas Attorney General, with one carve-out: for breach-notification violations by an insurance company licensed in Kansas, the insurance commissioner has the sole enforcement authority. Under the KCPA, any violation exposes the business to a civil penalty of up to $10,000 per violation, recoverable by the aggrieved consumer, the Attorney General, or a county or district attorney — and a continuing practice not tied to a specific transaction counts as a separate violation each day it exists.
The penalty mechanics reward early correction. A supplier that willfully violates a court order issued under the KCPA forfeits up to $20,000 per violation on top of other penalties, and the per-day accrual rule means a non-compliant practice left running — an inaccurate privacy policy, an undisclosed data practice — compounds rather than sits still. The KCPA has no pre-suit cure period: there is no statutory notice-and-cure mechanism a business can invoke before the Attorney General or a consumer files. The breach statute, for its part, sets no civil-penalty schedule at all — the Attorney General proceeds in law or equity for whatever relief is appropriate, which in practice means injunctions, consent terms, and equitable monetary relief shaped case by case.
Enforcement posture follows the statutes rather than a standalone privacy agency. County and district attorneys share KCPA enforcement, with recovered penalties flowing to the county where the proceedings were brought. For licensed insurers, the commissioner's exclusive breach-enforcement lane is the Kansas-specific privacy enforcement rule to build into incident-response routing.
Sources for this answer
Primary law
F.1 K.S.A. 50-7a02(g)–(h): Breach-statute enforcement belongs to the Attorney General, except that the insurance commissioner has sole authority over violations by insurance companies licensed in Kansas.
For violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law. (h) For violations of this section by an insurance company licensed to do business in this state, the insurance commissioner shall have the sole authority to enforce the provisions of this section.
See K.S.A. 50-7a02(g)–(h).
Primary law
F.2 K.S.A. 50-636(a): Any KCPA violation renders the violator liable for a civil penalty of up to $10,000 per violation, recoverable in an individual action including one brought by the Attorney General or a county or district attorney.
The commission of any act or practice declared to be a violation of this act shall render the violator liable to the aggrieved consumer, or the state or a county as provided in subsection (c), for the payment of a civil penalty, recoverable in an individual action, including an action brought by the attorney general or county attorney or district attorney, in a sum set by the court of not more than $10,000 for each violation.
See K.S.A. 50-636(a).
Primary law
F.4 K.S.A. 50-636(b): A supplier that willfully violates a court order issued under the KCPA forfeits a civil penalty of up to $20,000 per violation, in addition to other penalties.
Any supplier who willfully violates the terms of any court order issued pursuant to this act shall forfeit and pay a civil penalty of not more than $20,000 per violation, in addition to other penalties that may be imposed by the court, as the court shall deem necessary and proper.
See K.S.A. 50-636(b).
Primary law
F.3 K.S.A. 50-636(d): A continuing violation not tied to a specific identifiable consumer transaction is deemed a separate violation for each day the act or practice exists.
Any act or practice declared to be a violation of this act not identified to be in connection with a specific identifiable consumer transaction but which is continuing in nature shall be deemed a separate violation each day such act or practice exists.
See K.S.A. 50-636(d).