Which privacy laws apply to your business in Mississippi?
Mississippi has no comprehensive consumer-privacy law. The generally applicable state privacy framework is two-part: the breach-notification statute, which applies to any person conducting business in Mississippi that owns, licenses, or maintains personal information of Mississippi residents in the ordinary course of business, and the consumer-protection prohibition on unfair methods of competition and unfair or deceptive trade practices in or affecting commerce.
That means Mississippi residents do not have general state-law rights to access, delete, correct, or port their personal data; businesses do not have Mississippi-specific duties to honor sale opt-outs, targeted-advertising opt-outs, or universal opt-out signals; and there is no general Mississippi controller, processor, data-protection-assessment, or privacy-notice statute. The breach law governs incident response. The deceptive-practices law governs what a business tells consumers.
The rest of a Mississippi-facing privacy program comes from the federal and sectoral overlay: FTC Act § 5 for deceptive or unfair practices, GLBA for financial institutions, HIPAA for covered health entities and business associates, COPPA for child-directed services, and other states' comprehensive privacy laws when a Mississippi business reaches their residents and thresholds.
Sources for this answer
Primary law
A.1 Miss. Code Ann. § 75-24-29: Mississippi's breach-notification statute applies to any person conducting business in Mississippi that owns, licenses, or maintains personal information of a Mississippi resident in the ordinary course of business.
This section applies to any person who conducts business in this state and who, in the ordinary course of the person’s business functions, owns, licenses or maintains personal information of any resident of this state.
See Miss. Code Ann. § 75-24-29(1).
Primary law
A.2 Miss. Code Ann. § 75-24-5: Mississippi prohibits unfair methods of competition affecting commerce and unfair or deceptive trade practices in or affecting commerce.
Unfair methods of competition affecting commerce and unfair or deceptive trade practices in or affecting commerce are prohibited.
See Miss. Code Ann. § 75-24-5(1).
What must your Mississippi privacy policy contain?
No Mississippi statute generally requires a consumer privacy policy or fixes its contents. The binding state-law rule is truthfulness: unfair or deceptive trade practices in or affecting commerce are prohibited. A privacy policy that misstates how the business collects, uses, shares, secures, or retains data is therefore a deceptive-practices risk under Mississippi law and independently under FTC Act § 5.
Where a sectoral regime applies, that regime supplies the notice contents. A GLBA financial institution may not disclose nonpublic personal information to nonaffiliated third parties unless it has provided the consumer a compliant privacy notice. A HIPAA covered entity must give individuals notice of protected-health-information uses and disclosures, rights, and legal duties. COPPA bars covered operators from collecting children's personal information in violation of the FTC's notice and parental-consent regulations.
For everyone else, the practical Mississippi drafting rule is: say what you do, and do what you say. A multistate policy should still describe data categories, purposes, third-party disclosures, retention, security, consumer choices, and contact methods because other states may require those elements. But Mississippi itself does not create a standalone policy checklist.
Do not describe Mississippi as an opt-out or consumer-rights state. The Mississippi sources captured here support breach notice and deceptive-practices exposure, not general access, deletion, correction, or sale opt-out rights.
Sources for this answer
Primary law
B.1 Miss. Code Ann. § 75-24-5: Mississippi prohibits unfair methods of competition affecting commerce and unfair or deceptive trade practices in or affecting commerce.
Unfair methods of competition affecting commerce and unfair or deceptive trade practices in or affecting commerce are prohibited.
See Miss. Code Ann. § 75-24-5(1).
Primary law
B.2 FTC Act § 5: Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Primary law
B.3 GLBA privacy notice: A GLBA financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided the consumer a compliant privacy notice.
a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.
See 15 U.S.C. § 6802(a).
Primary law
B.4 HIPAA Notice of Privacy Practices: A HIPAA covered entity must give individuals a notice describing uses and disclosures of protected health information, individual rights, and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520(a)(1).
Primary law
B.5 COPPA: COPPA prohibits covered operators from collecting children's personal information in violation of the FTC's notice and parental-consent regulations.
It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).
See 15 U.S.C. § 6502(a)(1).
What must your contracts with vendors say?
Mississippi has no general data-processing-agreement statute. It does not prescribe controller-to-processor instructions, deletion clauses, audit rights, or subprocessor flow-downs. The Mississippi-specific vendor rule is breach-response flow-up: a person conducting business in Mississippi that maintains computerized personal information it does not own or license must notify the owner or licensee as soon as practicable after discovery of a breach, if the personal information was or is reasonably believed to have been acquired by an unauthorized person for fraudulent purposes.
Write that flow-up duty into vendor contracts. The statute gives the duty but leaves the operational details open, so the contract should specify the notice channel, what counts as discovery, required incident facts, forensic cooperation, timing for updates, responsibility for resident notice, and cost allocation. Because Mississippi's resident notice is due without unreasonable delay, a vendor's slow notice can consume the owner's response window.
Federal regimes add fuller terms where they apply. The GLBA Safeguards Rule requires financial institutions to oversee service providers, including by requiring safeguards by contract and reassessing providers over time. HIPAA requires a written business-associate agreement establishing permitted uses and disclosures before protected health information is shared. Outside those regimes, carry the standard multistate protections anyway: processing limited to documented instructions, confidentiality, reasonable security, breach notice back to your business on a fixed clock, cooperation, and return or deletion at the end of the engagement.
Sources for this answer
Primary law
C.1 Miss. Code Ann. § 75-24-29: A Mississippi vendor maintaining computerized personal information it does not own or license must notify the owner or licensee as soon as practicable after discovering a breach involving unauthorized acquisition or reasonably believed acquisition for fraudulent purposes.
Any person who conducts business in this state that maintains computerized data which includes personal information that the person does not own or license shall notify the owner or licensee of the information of any breach of the security of the data as soon as practicable following its discovery
See Miss. Code Ann. § 75-24-29(4).
Primary law
C.2 GLBA Safeguards Rule: The GLBA Safeguards Rule requires a financial institution to oversee its service providers — selecting capable providers, requiring safeguards by contract, and periodically assessing them.
Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
See 16 C.F.R. § 314.4(f).
Primary law
C.3 HIPAA Business Associate Contracts: HIPAA requires a written business-associate contract that establishes the permitted and required uses and disclosures of protected health information by the business associate.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate.
See 45 C.F.R. § 164.504(e)(2).
When must you notify people of a data breach in Mississippi?
Mississippi requires notice to all affected individuals without unreasonable delay after a covered breach, subject to completing an investigation, identifying affected individuals, restoring system integrity, and any law-enforcement or national-security delay. There is no fixed day-count deadline in the captured statute. Individual notice is not required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to affected individuals.
The trigger is acquisition-based and narrower than access-only statutes. A breach of security means unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to that personal information has not been secured by encryption or another method or technology rendering it unreadable or unusable. An affected individual is a Mississippi resident whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach.
Mississippi's personal-information definition is the traditional identity-theft trio: first name or first initial and last name plus Social Security number, driver's license/state ID/tribal ID number, or financial-account/payment-card number with a required security code, access code, or password that would permit access to the financial account. Publicly available information from government records or widely distributed media is excluded.
Notice may be given in writing, by telephone, or electronically if electronic communication is the primary communication method with affected individuals or the notice is E-SIGN-consistent. Substitute notice is available if notice cost would exceed $5,000, the affected class exceeds 5,000 individuals, or sufficient contact information is unavailable, and it requires email where available, conspicuous website posting where the person maintains a website, and notice to major statewide media including newspapers, radio, and television.
There is no general Attorney General breach-notice threshold in § 75-24-29. Instead, failure to comply is itself an unfair trade practice enforced by the Attorney General, and the section expressly says it does not create a private right of action.
Sources for this answer
Primary law
D.1 Miss. Code Ann. § 75-24-29: A person conducting business in Mississippi must disclose a covered breach to all affected individuals without unreasonable delay, subject to investigation, identification of affected individuals, system-restoration measures, and statutory delay provisions.
A person who conducts business in this state shall disclose any breach of security to all affected individuals. The disclosure shall be made without unreasonable delay, subject to the provisions of subsections (4) and (5) of this section and the completion of an investigation by the person to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the data system.
See Miss. Code Ann. § 75-24-29(3).
Primary law
D.2 Miss. Code Ann. § 75-24-29: Mississippi individual notice is not required if, after appropriate investigation, the person reasonably determines that the breach will not likely result in harm to affected individuals.
Notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals.
See Miss. Code Ann. § 75-24-29(3).
Primary law
D.3 Miss. Code Ann. § 75-24-29: A Mississippi breach of security is unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access has not been secured by encryption or another method rendering it unreadable or unusable.
“Breach of security” means unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable
See Miss. Code Ann. § 75-24-29(2)(a).
Primary law
D.4 Miss. Code Ann. § 75-24-29: An affected individual is a Mississippi resident whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach.
“Affected individual” means any individual who is a resident of this state whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security.
See Miss. Code Ann. § 75-24-29(2)(b)(iv).
Primary law
D.5 Miss. Code Ann. § 75-24-29: Mississippi personal information is name plus Social Security number, driver's license/state ID/tribal ID number, or financial-account/payment-card number with a required security code, access code, or password permitting account access.
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements:
See Miss. Code Ann. § 75-24-29(2)(b).
Primary law
D.6 Miss. Code Ann. § 75-24-29: Mississippi permits written, telephone, electronic, or substitute notice; substitute notice is available when cost exceeds $5,000, the affected class exceeds 5,000 individuals, or contact information is insufficient, and requires email, website posting, and major statewide media.
substitute notice, provided the person demonstrates that the cost of providing notice in accordance with paragraph (a), (b) or (c) of this subsection would exceed Five Thousand Dollars ($5,000.00), that the affected class of subject persons to be notified exceeds five thousand (5,000) individuals or the person does not have sufficient contact information.
See Miss. Code Ann. § 75-24-29(6).
Primary law
D.7 Miss. Code Ann. § 75-24-29: Failure to comply with Mississippi's breach-notification section is an unfair trade practice enforced by the Attorney General, and the section creates no private right of action.
Failure to comply with the requirements of this section shall constitute an unfair trade practice and shall be enforced by the Attorney General; however, nothing in this section may be construed to create a private right of action.
See Miss. Code Ann. § 75-24-29(8).
Can a consumer sue your business in Mississippi over privacy?
Not under the breach-notification section itself: § 75-24-29 expressly says it does not create a private right of action. The available private route is narrower: an individual who purchases or leases goods or services primarily for personal, family, or household purposes and suffers an ascertainable loss from a practice prohibited by § 75-24-5 may bring an action or assert the loss as a setoff or counterclaim.
That consumer-protection remedy is not a general privacy class-action statute. A private plaintiff must first make a reasonable attempt to resolve the claim through an informal dispute-settlement program approved by the Attorney General. And Mississippi bars class actions under the chapter: every private action must be maintained in the name and for the sole use and benefit of the individual person.
For privacy disputes, the practical distinction is this: a missed breach-notice duty belongs to the Attorney General under § 75-24-29, while a consumer-facing privacy misrepresentation may fit § 75-24-5 and § 75-24-15 only if the plaintiff can satisfy the statute's purchase-or-lease, personal/family/household-purpose, ascertainable-loss, and procedural requirements.
Sources for this answer
Primary law
E.1 Miss. Code Ann. § 75-24-29: Mississippi's breach-notification section is enforced by the Attorney General and expressly creates no private right of action.
Failure to comply with the requirements of this section shall constitute an unfair trade practice and shall be enforced by the Attorney General; however, nothing in this section may be construed to create a private right of action.
See Miss. Code Ann. § 75-24-29(8).
Primary law
E.2 Miss. Code Ann. § 75-24-15: An individual purchaser or lessee of goods or services for personal, family, or household purposes who suffers ascertainable loss from a practice prohibited by § 75-24-5 may bring an individual action or assert the loss as a setoff or counterclaim.
any person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by the seller, lessor, manufacturer or producer of a method, act or practice prohibited by Section 75-24-5 may bring an action at law
See Miss. Code Ann. § 75-24-15(1).
Primary law
E.3 Miss. Code Ann. § 75-24-15: Before bringing a private action under the chapter, the plaintiff must have made a reasonable attempt to resolve the claim through an Attorney-General-approved informal dispute settlement program.
In any private action brought under this chapter, the plaintiff must have first made a reasonable attempt to resolve any claim through an informal dispute settlement program approved by the Attorney General.
See Miss. Code Ann. § 75-24-15(2).
Primary law
E.4 Miss. Code Ann. § 75-24-15: Mississippi does not permit class actions under the chapter; every private action must be maintained for the sole use and benefit of the individual person.
Nothing in this chapter shall be construed to permit any class action or suit, but every private action must be maintained in the name of and for the sole use and benefit of the individual person.
See Miss. Code Ann. § 75-24-15(4).