Which privacy laws apply to your business in South Carolina?
South Carolina has no comprehensive consumer-privacy law — no state statute gives residents general rights to access, delete, or correct their personal data or to opt out of its sale. Three state laws carry the load instead. The breach-notification statute requires any person conducting business in the State that owns or licenses computerized personal identifying information to notify affected residents of a qualifying breach. The South Carolina Unfair Trade Practices Act (SCUTPA) declares unfair or deceptive acts or practices in trade or commerce unlawful, which supplies the general deception hook for privacy-policy misstatements; private SCUTPA recovery still requires an ascertainable loss and an individual action. And Act No. 96 of 2026 — the State's new design code for minors — requires covered online services to exercise reasonable care in the use of minors' personal data and layers on data-collection limits, parental controls, an annual report, and enforcement provisions.
Because there is no omnibus statute, South Carolina residents have no general state-law rights to access, delete, correct, or port their personal data; businesses face no state notice-at-collection, consent, or data-protection-assessment duties; and the State recognizes no universal opt-out signal. The rest of a South Carolina-facing privacy program rides the federal and sectoral overlay: Section 5 of the FTC Act reaches deceptive or unfair data practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and their business associates, and the Children's Online Privacy Protection Act governs services directed to children under 13. One state sectoral regime deserves its own line: insurance licensees must build and maintain a comprehensive written information security program under the South Carolina Insurance Data Security Act, a regime with its own 72-hour regulator-notice clock covered in the breach section below. This note stays focused on privacy notice, minors' design duties, vendor contracts, breach notification, and enforcement; adjacent identity-theft controls are not cataloged unless they affect those duties.
Sources for this answer
Primary law
A.1 S.C. Code Ann. § 39-1-90(A)
South Carolina's breach-notification statute applies to any person conducting business in the State that owns or licenses computerized data including personal identifying information, and requires disclosure of a qualifying breach to affected residents.
A person conducting business in this State, and owning or licensing computerized data or other data that includes personal identifying information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of this State whose personal identifying information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident.
See S.C. Code Ann. § 39-1-90(A).
Primary law
A.2 S.C. Code Ann. § 39-5-20
SCUTPA declares unfair or deceptive acts or practices in the conduct of any trade or commerce unlawful, supplying the general deception hook for privacy-policy claims.
Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful.
See S.C. Code Ann. § 39-5-20(a).
Primary law
A.3 S.C. Code Ann. § 39-5-140(a)
Private SCUTPA recovery requires an ascertainable loss and an individual action, with treble actual damages for willful or knowing violations and fee-shifting.
Any person who suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of an unfair or deceptive method, act or practice declared unlawful by Section 39-5-20 may bring an action individually, but not in a representative capacity, to recover actual damages. If the court finds that the use or employment of the unfair or deceptive method, act or practice was a willful or knowing violation of Section 39-5-20, the court shall award three times the actual damages sustained and may provide such other relief as it deems necessary or proper. Upon the finding by the court of a violation of this article, the court shall award to the person bringing such action under this section reasonable attorney's fees and costs.
See S.C. Code Ann. § 39-5-140(a).
Primary law
A.4 Act No. 96, 2026 S.C. Acts (H. 3431)
Act No. 96 of 2026 adds Chapter 80 to Title 39, requiring covered online services to exercise reasonable care in the use of minors' personal data and providing data-collection restrictions, parental controls, an annual report, and enforcement.
AN ACT TO AMEND THE SOUTH CAROLINA CODE OF LAWS BY ADDING CHAPTER 80 TO TITLE 39 SO AS TO PROVIDE THAT A COVERED ONLINE SERVICE SHALL EXERCISE REASONABLE CARE IN THE USE OF MINORS' PERSONAL DATA, TO PROVIDE FOR CERTAIN REQUIREMENTS FOR COVERED ONLINE SERVICES, TO RESTRICT THE AMOUNT OF PERSONAL DATA OF A MINOR THAT MAY BE COLLECTED, TO PROVIDE FOR PARENTAL CONTROLS, TO PROVIDE FOR AN ANNUAL REPORT, AND TO PROVIDE FOR ENFORCEMENT.
See Act No. 96, 2026 S.C. Acts (H. 3431) (adding S.C. Code Ann. §§ 39-80-10 to 39-80-80).
Primary law
A.5 S.C. Code Ann. § 38-99-20(A)
The South Carolina Insurance Data Security Act requires every insurance licensee to develop, implement, and maintain a comprehensive written information security program based on its risk assessment.
Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.
See S.C. Code Ann. § 38-99-20(A).
Does South Carolina's new minors' online-safety law apply to your service?
It does if your online service is reasonably likely to be accessed by minors and you are big enough. Act No. 96 of 2026 (H. 3431) — the ratified act captions the new Chapter 80 of Title 39 "Age-Appropriate Code Design," and the Statehouse bill page titles it the "South Carolina Social Media Regulation Act" — applies to a covered online service: an entity that conducts business in South Carolina, provides an online service reasonably likely to be accessed by minors, determines the purposes and means of processing consumers' personal data, and meets one of three thresholds — annual gross revenues over $25 million, the personal data of 50,000 or more consumers, households, or devices bought, received, sold, or shared each year, or at least 50 percent of annual revenue derived from selling or sharing personal data. The definition also includes commonly branded controlled entities and certain joint ventures or partnerships where each business has at least a 40 percent interest. A minor is any consumer under eighteen — not just children under 13. The act took effect immediately upon the Governor's approval on February 5, 2026.
Two coverage features deserve attention. First, the "reasonably likely to be accessed by a minor" test works individual-by-individual for most services but converts wholesale for child-directed ones: where a particular user is known to be a minor the service must treat that individual as a minor, but a service directed to children under COPPA must treat every user as a minor unless it actually knows otherwise. "Known to be a minor" itself sweeps in any age the service has attributed to a user for marketing, advertising, or product-development purposes, so advertising-segment age inferences can create knowledge. Second, the chapter carries exemptions: it does not apply to government entities in the ordinary course of operations, to personal data controlled in compliance with the Gramm-Leach-Bliley Act, HITECH, or the HIPAA privacy regulations, or to clinical-trial data. The act is also under constitutional attack in NetChoice v. Wilson. If the court were to enjoin Chapter 80, enforcement would be suspended while the case proceeds; unless and until that happens, the act remains in force, and covered services should treat its duties as live obligations.
Sources for this answer
Primary law
B.1 S.C. Code Ann. § 39-80-10(4)
A covered online service is an entity conducting business in South Carolina whose online service is reasonably likely to be accessed by minors, that controls the processing of consumers' personal data, and that meets a $25 million revenue, 50,000-record, or 50-percent-of-revenue threshold.
"Covered online service" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that owns, operates, controls, or provides an online service that conducts business in this State, is reasonably likely to be accessed by minors, determines the purposes and means of the processing of consumer's personal data alone, or jointly with its affiliates, subsidiaries, or parent company and either: (i) has annual gross revenues in excess of twenty-five million dollars, adjusted every odd-numbered year to reflect changes in the Consumer Price Index; (ii) annually buys, receives, sells, or shares the personal data of fifty thousand or more consumers, households, or devices alone or in combination with its affiliates, subsidiaries, or parent company; or (iii) derives at least fifty percent of its annual revenue from the sale or sharing of consumers' personal data
See S.C. Code Ann. § 39-80-10(4)(a) (added by Act No. 96, 2026 S.C. Acts).
Primary law
B.3 S.C. Code Ann. § 39-80-10(8)
The act defines a minor as a consumer under eighteen years of age, reaching well beyond COPPA's under-13 population.
"Minor" means a consumer who is less than eighteen years of age.
See S.C. Code Ann. § 39-80-10(8) (added by Act No. 96, 2026 S.C. Acts).
Primary law
B.2 S.C. Code Ann. § 39-80-10(4)(b)
Covered online services include commonly branded controlled entities and joint ventures or partnerships where each business has at least a forty percent interest.
"Covered online services" include: (i) an entity that controls or is controlled by a business that shares a name, service mark, or trademark that would cause a reasonable consumer to understand that two or more entities are commonly owned; and (ii) a joint venture or partnership composed of businesses in which each business has at least a forty percent interest in the joint venture or partnership.
See S.C. Code Ann. § 39-80-10(4)(b) (added by Act No. 96, 2026 S.C. Acts).
Primary law
B.4 Act No. 96, 2026 S.C. Acts, § 4 (time effective)
The act took effect upon the Governor's approval, which occurred on February 5, 2026 — there is no phased compliance schedule.
This act takes effect upon approval by the Governor. Ratified the 3rd day of February, 2026. Approved the 5th day of February, 2026.
See Act No. 96, 2026 S.C. Acts, § 4.
Primary law
B.5 S.C. Code Ann. § 39-80-10(17)(b)
A service must treat a known minor as a minor individually, but a COPPA child-directed service must treat all of its users as minors absent actual knowledge to the contrary.
Where subitem (a)(i) is met, the covered online service must treat the particular individual as a minor. Where subitem (a)(ii) is met, the covered online service must treat all individuals using or visiting the covered online service as minors, except where the covered online service has actual knowledge that the individual is not a minor.
See S.C. Code Ann. § 39-80-10(17)(b) (added by Act No. 96, 2026 S.C. Acts).
Primary law
B.6 S.C. Code Ann. § 39-80-20(D)
The chapter exempts government entities, personal data controlled in compliance with GLBA, HITECH, or the HIPAA privacy regulations, and clinical-trial data.
The provisions contained in this chapter do not apply to: (1) a federal, state, tribal, or local government entity in the ordinary course of its operations; (2) personal data that is controlled by a covered online service that is: (a) required to comply with: (i) Title V of the federal Gramm-Leach-Bliley Act; (ii) the federal Health Information Technology for Economic and Clinical Health Act; or (iii) regulations promulgated pursuant to Section 264(C) of the Health Insurance Portability and Accountability Act of 1996; (b) in compliance with the information security requirements of the statutes or regulations identified in subitem (a); (3) information including, but not limited to, personal data collected as part of a clinical trial subject to the federal policy for the protection of human subjects pursuant to human subject protection requirements of the U.S. Food and Drug Administration;
See S.C. Code Ann. § 39-80-20(D) (added by Act No. 96, 2026 S.C. Acts).
What does South Carolina's minors' design code require your service to do?
The core obligation is a duty of reasonable care: a covered online service must exercise reasonable care in its use of a minor's personal data and in the design and operation of the service to prevent enumerated harms to minors, from compulsive usage and severe psychological harm to identity theft and financial or physical injury. That design duty reaches covered design features such as infinite scroll, autoplay, gamification, engagement counts, push alerts, in-game purchases, and appearance-altering filters. Around that duty the act layers hard data rules: a service may collect, use, or share only the minimum amount of a minor's personal data necessary for the parts of the service the minor knowingly engages with, and age-verification data must be deleted after use; targeted advertising to minors is flatly banned, with no consent path; and the protections in that section must be set at the highest level by default.
The act is as much a product-design mandate as a data statute. Every user — not just known minors — must get easily accessible tools to disable covered design features that are not necessary to the service and to limit time spent on it. Users must be offered an opt-out from personalized recommendation systems, and that opt-out must be the default setting for any individual the service knows to be a minor. Parents must get accessible tools — on by default for known minors — to manage the minor's settings, restrict purchases, view time spent, and set time-of-day limits, with notice to the minor when those tools are active. Precise-geolocation collection defaults off, notification-curfew tools must cover overnight and school hours, and parental monitoring requires obvious notice to the minor. The same staged duties also include retention minimization for minors' personal data, limits on profiling known minors, harm-reporting mechanisms for parents, minors, and schools, and a ban on ads for products prohibited for minors.
Two dates matter here, and they are commonly confused. The act has no phased compliance schedule — every substantive duty above went live at signing on February 5, 2026. July 1 is a separate, recurring deadline: each year, on or before July 1, a covered online service must issue a public report prepared by an independent third-party auditor describing its design features, its use of personal data, and its minor-facing business practices, and submit it to the Attorney General for posting. So July 1, 2026 is only the first audit-report deadline, not the act's compliance date — a covered service that waited for July to begin complying would already be months late. The pending NetChoice v. Wilson challenge, discussed in the coverage section above, is the one development that could pause these duties; absent an injunction they remain enforceable now.
Sources for this answer
Primary law
C.1 S.C. Code Ann. § 39-80-20(A)
A covered online service owes a duty of reasonable care in the use of minors' personal data and the design and operation of the service to prevent seven enumerated categories of harm to minors.
A covered online service shall exercise reasonable care in the use of a minor's personal data and the design and operation of the covered online service including, but not limited to, covered design features, to prevent the following harm to minors: (1) compulsive usage of the covered online service; (2) severe psychological harm including, but not limited to, anxiety, depression, self-harm or suicidal ideations; (3) severe emotional distress; (4) highly offensive intrusions on the minor's reasonable privacy expectations; (5) identity theft; (6) discrimination against the minor on the basis of race, ethnicity, sex, disability, or national origin; and (7) material financial or physical injury.
See S.C. Code Ann. § 39-80-20(A) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.3 S.C. Code Ann. § 39-80-40(A)
Covered online services must minimize collection, use, and sharing of minors' personal data to what a minor knowingly engaged with, and must delete age-verification data after use.
Covered online services shall only collect, use, or share the minimum amount of a minor's personal data necessary to provide the specific elements of the covered online service with which a minor has knowingly engaged. Such personal data may not be used for reasons other than those for which it was collected. Minors' personal data collected for age verification or estimation cannot be used for other purposes and must be deleted after use.
See S.C. Code Ann. § 39-80-40(A) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.2 S.C. Code Ann. § 39-80-10(3)
Covered design features include features that encourage or increase a minor's frequency, time spent, or activity, including infinite scroll, autoplay, gamification, engagement counts, push alerts, in-game purchases, and appearance-altering filters.
"Covered design feature" means any feature or component of a covered online service that will encourage or increase a minor's frequency, time spent, or activity on a covered online service including, but not limited to: (a) infinite scroll or any design feature that automatically loads and displays content other than what the user prompted, requested, or searched for; (b) auto-playing videos or any design feature in which videos automatically begin playing when a user navigates to or scrolls through a set of videos; (c) gamification or any design feature that emulates gameplay including, but not limited to, streaks, badges, or rewards, that motivate or cause more frequent or more extensive use of a covered online service; (d) quantification of engagement including, but not limited to, providing a visible count of how many likes, comments, clicks, views, or reactions any user-generated item has received; (e) notifications and push alerts; (f) in-game purchases or any design feature in which digital items or tokens are purchased with virtual currency or other forms of payment, including where the purchased digital item can be shared with another user; or (g) appearance-altering filters.
See S.C. Code Ann. § 39-80-10(3) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.4 S.C. Code Ann. § 39-80-40(C)
The act flatly prohibits covered online services from facilitating targeted advertising to minors, with no consent exception.
Covered online services may not facilitate targeted advertising to minors.
See S.C. Code Ann. § 39-80-40(C) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.5 S.C. Code Ann. § 39-80-40(G)
Settings for the section's data protections must default to the highest level of protection.
Settings for the protections required under this section must be set at the highest level of protection by default.
See S.C. Code Ann. § 39-80-40(G) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.6 S.C. Code Ann. § 39-80-30(A)
A covered online service must give users and visitors easy-to-use tools to disable non-essential design features and to limit time spent on the service.
A covered online service must provide a user or visitor to the service with easily accessible and easy-to-use tools to: (1) disable design features including, but not limited to, all covered design features, that are not necessary to provide the covered online service by allowing users to opt out of the use of all such design features or any combination of such design features; (2) limit the amount of time the user spends on the covered online service;
See S.C. Code Ann. § 39-80-30(A) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.7 S.C. Code Ann. § 39-80-30(B)
Users must be offered an opt-out from personalized recommendation systems, and the opt-out must be the default setting for known minors.
A covered online service must provide to a user the option to opt out of personalized recommendation systems, except for optimizations based on the user's expressed preferences. A covered online service must establish this option as a default setting for any individual the covered online service knows to be a minor.
See S.C. Code Ann. § 39-80-30(B) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.8 S.C. Code Ann. § 39-80-50
Covered online services must give parents easy-to-use protective tools that are on by default for known minors, including account-setting management, purchase restrictions, time-spent viewing, usage limits, time-of-day restrictions, and notice to the minor.
Covered online services must provide parents with accessible and easy-to-use tools to help parents protect and support minors using the covered online services and these shall be on by default for any individual the covered online service knows to be a minor. (B) The parental tools provided by the covered online services shall provide to the parents the ability to: (1) manage the minor's account settings and change and control the minor's privacy and account settings; and (2) restrict a minor's purchases and other financial transactions. (C) Among the parental tools provided by covered online services shall be one to enable parents to view the total time spent on a covered online service by a user the covered online service knows is a minor and allow the parent to place limits on the minor's use of the covered online service. The parental tools provided by covered online services must also offer parents the ability to restrict a minor's use of the covered online service during times of day specified by the parents, including during school hours and at night. (D) Covered online services must notify a minor when any of the tools described in this section are in effect and what settings have been applied.
See S.C. Code Ann. § 39-80-50 (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.9 S.C. Code Ann. § 39-80-40(B)-(H)
Act 96 includes retention minimization, geolocation-default, notification-curfew, profiling-limit, highest-default, and parental-monitoring-notice duties for minors.
A covered online service shall only retain a minor's personal data as long as necessary to provide the specific elements of an online service with which a minor has knowingly engaged. (C) Covered online services may not facilitate targeted advertising to minors. (D) Precise geolocation information of minors cannot be collected by default unless necessary to the provision of the covered online service. An obvious notice to the minor must be provided when precise geolocation information is being collected or used. (E) A covered online service must provide users with accessible and easy-to-use tools to prevent notifications and push alerts to an individual during specified times. To comply with this requirement, a covered online service must offer the user the option to prevent notifications and push alerts to an individual the covered online service knows is a minor between the hours of ten p.m. and six a.m. seven days a week year round and between the months of August and May between the hours of eight a.m. and three p.m. Monday through Friday in the minor's local time zone. (F) A covered online service shall not profile an individual the covered online service knows is a minor, unless profiling is necessary to providing the covered online service with which a minor has knowingly requested and is limited to only the aspects of the covered online service with which a minor is actively and knowingly engaged. (G) Settings for the protections required under this section must be set at the highest level of protection by default. (H) If a covered online service allows parental monitoring or is required to provide parental monitoring by law, then it must provide obvious notice to the minor when they are being monitored.
See S.C. Code Ann. § 39-80-40(B)-(H) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.10 S.C. Code Ann. § 39-80-60(A)-(B)
Covered online services must create harm-reporting mechanisms for parents, minors, and schools and may not facilitate ads to known minors for products prohibited for minors.
Covered online services shall establish mechanisms for parents, minors, and schools to report harm to minors on covered online services, especially those harms that pose an imminent threat to a minor. (B) Covered online services are prohibited from facilitating ads directed to minors for products prohibited for minors including, but not limited to, narcotic drugs, tobacco products, gambling, and alcohol to users the covered online services know are minors.
See S.C. Code Ann. § 39-80-60(A)-(B) (added by Act No. 96, 2026 S.C. Acts).
Primary law
C.11 Act No. 96, 2026 S.C. Acts, § 4 (time effective)
The act took effect upon the Governor's approval, which occurred on February 5, 2026 — there is no phased compliance schedule.
This act takes effect upon approval by the Governor. Ratified the 3rd day of February, 2026. Approved the 5th day of February, 2026.
See Act No. 96, 2026 S.C. Acts, § 4.
Primary law
C.12 S.C. Code Ann. § 39-80-70(A)
Each year by July 1 a covered online service must issue a public report by an independent third-party auditor on its minor-facing design features, data use, and business practices and submit it to the Attorney General.
Annually, on or before July first, the covered online service must issue a public report prepared by an independent third-party auditor that contains a detailed description of the covered online service as it pertains to minors, including its covered design features, its use of personal data, and its business practices as they pertain to minors. The public report must be submitted to the Attorney General who shall post it in a prominent place on his internet website.
See S.C. Code Ann. § 39-80-70(A) (added by Act No. 96, 2026 S.C. Acts).
What must your South Carolina privacy policy contain?
For a general-audience business, no South Carolina statute requires a consumer privacy policy or fixes its contents. The governing rule is that whatever you publish must be true: Section 5 of the FTC Act makes deceptive acts or practices in commerce unlawful, and SCUTPA imports that body of law directly — South Carolina courts construing the state act are to be guided by FTC and federal-court interpretations of FTC Act § 5. Together, those provisions supply the deception hook for a privacy-policy misstatement, while private SCUTPA recovery still requires an ascertainable loss and an individual action. Covered online services under Act No. 96 do have affirmative disclosure duties: they must post comprehensive, easy-to-understand information in a prominent location describing their design safety for minors, privacy protections for minors, and parental tools, and a service using personalized recommendation systems must explain in its terms and conditions how those systems serve content to minors and how minors and parents can opt out.
In practice the drafting question in South Carolina is less what must be included and more whether the policy matches actual practice. Build the contents from the overlay that applies to you: the GLBA privacy-notice rules if you are a financial institution, the HIPAA notice of privacy practices — which entitles individuals to adequate notice of the uses and disclosures of their protected health information and of their rights and the entity's duties — and a COPPA notice if your service is directed to children under 13. For everyone else, best practice remains the practical baseline: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer, and then honor every word. The SCUTPA angle gives that discipline real stakes in South Carolina, but it is not a freestanding privacy statute; a private plaintiff still must show the statutory loss and bring the claim individually. Act 96's minor-facing disclosures should be drafted as standing public pages — the statute wants them prominent and easy to understand, not buried in a policy appendix.
Sources for this answer
Primary law
D.1 FTC Act § 5
Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, supplying the federal deception baseline for data-practice claims.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Primary law
D.2 S.C. Code Ann. § 39-5-20(b)
SCUTPA is construed under FTC and federal-court interpretations of FTC Act § 5, supplying the state-law deception hook for privacy-policy claims.
It is the intent of the legislature that in construing paragraph (a) of this section the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to Section 5(a) (1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.
See S.C. Code Ann. § 39-5-20(b).
Primary law
D.3 S.C. Code Ann. § 39-5-140(a)
Private SCUTPA recovery requires an ascertainable loss and an individual action, with treble actual damages for willful or knowing violations and fee-shifting.
Any person who suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of an unfair or deceptive method, act or practice declared unlawful by Section 39-5-20 may bring an action individually, but not in a representative capacity, to recover actual damages. If the court finds that the use or employment of the unfair or deceptive method, act or practice was a willful or knowing violation of Section 39-5-20, the court shall award three times the actual damages sustained and may provide such other relief as it deems necessary or proper. Upon the finding by the court of a violation of this article, the court shall award to the person bringing such action under this section reasonable attorney's fees and costs.
See S.C. Code Ann. § 39-5-140(a).
Primary law
D.4 S.C. Code Ann. § 39-80-60(E)
Covered online services must prominently publish clear, easy-to-understand information describing their minors' design safety, privacy protections, and parental tools.
Covered online services are required to provide comprehensive, clear, conspicuous, and easy-to-understand information in a prominent location describing the design safety for minors, the privacy protections for minors, and the parental tools that the covered online service has adopted pursuant to this chapter.
See S.C. Code Ann. § 39-80-60(E) (added by Act No. 96, 2026 S.C. Acts).
Primary law
D.5 S.C. Code Ann. § 39-80-60(D)
A covered online service using personalized recommendation systems must describe in its terms and conditions how the systems serve information to minors and how minors or parents can opt out or control them.
Each covered online service that utilizes personalized recommendation systems is required to describe in its terms and conditions, in a clear, conspicuous, and easy-to-understand manner, how the systems are used to provide information to minors and information regarding how minors or their parents can opt out of or control the systems.
See S.C. Code Ann. § 39-80-60(D) (added by Act No. 96, 2026 S.C. Acts).
Primary law
D.6 HIPAA Notice of Privacy Practices
A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520.
What must your contracts with vendors say?
South Carolina imposes no general data-processing-agreement requirement — no state statute prescribes controller-processor terms, audit rights, or deletion clauses for ordinary commercial vendor contracts. The contracting duties that do exist are sectoral. The GLBA Safeguards Rule requires financial institutions to bind service providers by contract to implement and maintain appropriate safeguards; HIPAA requires a written business-associate contract with mandatory data-protection terms before protected health information changes hands; and South Carolina insurance licensees must exercise due diligence in selecting third-party service providers and require them to implement administrative, technical, and physical safeguards for nonpublic information.
The breach statute supplies the one vendor duty of general application: a business that maintains computerized personal identifying information it does not own must notify the data's owner or licensee immediately following discovery of a breach. That "immediately" standard is faster than the expedient-time clock that governs notice to residents, so vendor agreements on both sides of the table should pass it through expressly. Outside the regulated verticals, carry the familiar protections forward as contract best practice even though no South Carolina statute compels them: processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business on the statute's immediacy standard, cooperation with your own notice duties, and return or deletion of data at the end of the engagement. Covered online services under Act 96 have an added reason to paper their adtech and analytics relationships carefully — the covered-service definition counts data bought, received, sold, or shared together with affiliates, and the targeted-advertising ban turns on what the service facilitates, which can include what its vendors do.
Sources for this answer
Primary law
E.1 GLBA Safeguards Rule
The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.
Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
See 16 C.F.R. § 314.4(f)(2).
Primary law
E.2 HIPAA Business Associate Contracts
HIPAA requires a written business-associate contract that establishes the permitted uses and disclosures of protected health information and binds the business associate to safeguard it.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;
See 45 C.F.R. § 164.504(e)(2).
Primary law
E.3 S.C. Code Ann. § 38-99-20(F)
An insurance licensee must exercise due diligence in selecting third-party service providers and require them to implement appropriate administrative, technical, and physical safeguards for nonpublic information.
A licensee shall: (1) exercise due diligence in selecting its third-party service provider; and (2) require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.
See S.C. Code Ann. § 38-99-20(F).
Primary law
E.4 S.C. Code Ann. § 39-1-90(B)
A business maintaining computerized personal identifying information it does not own must notify the data owner or licensee of a breach immediately following discovery.
A person conducting business in this State and maintaining computerized data or other data that includes personal identifying information that the person does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.
See S.C. Code Ann. § 39-1-90(B).
When must you notify people of a data breach in South Carolina?
When the breach creates real risk. A person conducting business in South Carolina that owns or licenses computerized personal identifying information must notify any resident whose unencrypted, unredacted personal identifying information was — or is reasonably believed to have been — acquired by an unauthorized person, when illegal use of the information has occurred, is reasonably likely to occur, or creates a material risk of harm to the resident; the disclosure must be made in the most expedient time possible and without unreasonable delay. If notice goes to more than 1,000 persons at one time, the business must also notify the Consumer Protection Division of the Department of Consumer Affairs and the nationwide consumer reporting agencies of the timing, distribution, and content of the notice. Insurance licensees face a separate, faster clock: notice to the Director of Insurance no later than 72 hours after determining a cybersecurity event occurred, when South Carolina is the licensee's home state or the event involves at least 250 South Carolina consumers and meets a regulatory-notice or material-harm condition.
The statute defines a reportable breach as unauthorized access to and acquisition of computerized data, not rendered unusable by encryption or redaction, that compromises the security, confidentiality, or integrity of personal identifying information, where illegal use has occurred, is reasonably likely, or creates a material risk of harm — so South Carolina is a risk-of-harm state with no fixed day-count deadline for resident notice. Personal identifying information is a resident's first name or initial and last name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, financial-account or card number with its access code, or — a catch-all broader than most states — other numbers or information usable to access financial accounts or government-issued numbers that uniquely identify an individual. Encryption and redaction function as practical safe harbors under the breach trigger and definition. Notice may be written, electronic, telephonic, or substitute notice in large or low-information cases, and a business following its own consistent notification procedures is deemed compliant if it meets the statute's timing requirements. Banks and financial institutions subject to and compliant with GLBA privacy and security provisions are outside the section, and financial institutions compliant with the federal interagency response-program guidance are considered compliant. The stick is double-edged: a knowing and wilful violation draws an administrative fine of $1,000 for each resident whose information was accessible, set by the Department of Consumer Affairs — and, as the next section explains, the statute also lets injured residents sue directly.
Sources for this answer
Primary law
F.1 S.C. Code Ann. § 39-1-90(A)
Resident notice is required when unencrypted, unredacted personal identifying information was or is reasonably believed acquired by an unauthorized person and illegal use has occurred, is reasonably likely, or creates a material risk of harm — in the most expedient time possible and without unreasonable delay.
A person conducting business in this State, and owning or licensing computerized data or other data that includes personal identifying information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of this State whose personal identifying information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (C), or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
See S.C. Code Ann. § 39-1-90(A).
Primary law
F.4 S.C. Code Ann. § 39-1-90(D)(1)
A breach of the security of the system is the unauthorized access to and acquisition of unprotected computerized data compromising personal identifying information, qualified by illegal use or material risk of harm.
"Breach of the security of the system" means unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.
See S.C. Code Ann. § 39-1-90(D)(1).
Primary law
F.5 S.C. Code Ann. § 39-1-90(D)(3)
Personal identifying information is name plus an unencrypted Social Security, driver's license or state ID, or financial-account number, or other numbers or information usable to access financial accounts or uniquely identify an individual.
"Personal identifying information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted: (a) social security number; (b) driver's license number or state identification card number issued instead of a driver's license; (c) financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or (d) other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
See S.C. Code Ann. § 39-1-90(D)(3).
Primary law
F.2 S.C. Code Ann. § 39-1-90(K)
Notice to more than 1,000 persons at one time triggers notice to the Consumer Protection Division of the Department of Consumer Affairs and the nationwide consumer reporting agencies.
If a business provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice.
See S.C. Code Ann. § 39-1-90(K).
Primary law
F.6 S.C. Code Ann. § 39-1-90(E)-(F)
The breach statute allows written, electronic, telephonic, or substitute notice and treats a business's own consistent notification procedures as compliant if they satisfy the timing requirements.
The notice required by this section may be provided by: (1) written notice; (2) electronic notice, if the person's primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures in Section 7001 of Title 15 U.S.C. and Chapter 6, Title 11 of the 1976 Code; (3) telephonic notice; or (4) substitute notice, if the person demonstrates that the cost of providing notice exceeds two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand or the person has insufficient contact information. Substitute notice consists of: (a) e-mail notice when the person has an e-mail address for the subject persons; (b) conspicuous posting of the notice on the web site page of the person, if the person maintains one; or (c) notification to major statewide media. (F) Notwithstanding subsection (E), a person that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information and is otherwise consistent with the timing requirements of this section is considered to be in compliance with the notification requirements of this section if the person notifies subject persons in accordance with its policies in the event of a breach of security of the system.
See S.C. Code Ann. § 39-1-90(E)-(F).
Primary law
F.7 S.C. Code Ann. § 39-1-90(I)-(J)
The breach statute excludes GLBA-compliant banks and financial institutions and treats financial institutions compliant with the federal interagency response-program guidance as compliant with the section.
This section does not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act. (J) A financial institution that is subject to and in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, as amended, is considered to be in compliance with this section.
See S.C. Code Ann. § 39-1-90(I)-(J).
Primary law
F.8 S.C. Code Ann. § 39-1-90(H)
A knowing and wilful violation of the breach statute draws an administrative fine of $1,000 per resident whose information was accessible, decided by the Department of Consumer Affairs.
A person who knowingly and wilfully violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.
See S.C. Code Ann. § 39-1-90(H).
Primary law
F.3 S.C. Code Ann. § 38-99-40(A)
An insurance licensee must notify the Director of Insurance within 72 hours of determining a cybersecurity event occurred when South Carolina is its home state or at least 250 South Carolina consumers are involved and a regulatory-notice or material-harm condition is met.
A licensee shall notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred when either of the following criteria are met: (1) South Carolina is the licensee's state of domicile in the case of an insurer, or the licensee's home state in the case of a producer; or (2) the licensee reasonably believes that the nonpublic information involved is of no less than two hundred and fifty consumers residing in this State, and the cybersecurity event: (a) impacts the licensee of which notice is required to be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to state or federal law; or (b) has a reasonable likelihood of materially harming a consumer residing in this State or a material part of the normal operations of the licensee.
See S.C. Code Ann. § 38-99-40(A).
Can a consumer sue your business in South Carolina over privacy?
Yes — more readily than in most states without a comprehensive privacy law, because the breach statute itself carries a private right of action. A resident injured by a violation of § 39-1-90 may institute a civil action to recover damages for a wilful and knowing violation, a civil action limited to actual damages for a negligent violation, an injunction to enforce compliance, and attorney's fees and court costs if successful. SCUTPA adds a second private path: any person who suffers an ascertainable loss from a deceptive practice may sue individually — though not in a representative capacity — and the court must award treble damages for a willful or knowing violation, plus attorney's fees and costs on any violation.
The minors' design code runs through the Attorney General: the AG shall enforce Chapter 80, a covered online service is liable for treble the financial damages incurred as a result of a violation, and officers and employees can be held personally liable for wilful and wanton violations. The act contains no cure period and no express private right of action — but its dark-pattern prohibition is expressly routed into SCUTPA: using dark patterns constitutes an unlawful trade practice under § 39-5-20, exposing the service to SCUTPA's provisions, penalties, and damages, which on the statute's face connects dark-pattern violations to the individual SCUTPA damages action. The practical exposure map for a South Carolina-facing business: mishandle a breach and you face resident suits under § 39-1-90(G) on top of Department of Consumer Affairs fines; misstate your privacy policy and SCUTPA supplies a deception theory if the plaintiff satisfies the statute's loss and individual-action requirements; violate the minors' design code and you face AG enforcement with treble financial damages and personal officer exposure. SCUTPA's individually-but-not-in-a-representative-capacity wording supports the SCUTPA class-action point only; the breach statute's private action contains no express representative-capacity wording in the quoted text.
Sources for this answer
Primary law
G.1 S.C. Code Ann. § 39-1-90(G)
The breach statute gives an injured resident a private right of action — damages for a wilful and knowing violation, actual damages for a negligent violation, an injunction, and attorney's fees and costs if successful.
A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may: (1) institute a civil action to recover damages in case of a wilful and knowing violation; (2) institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section; (3) seek an injunction to enforce compliance; and (4) recover attorney's fees and court costs, if successful.
See S.C. Code Ann. § 39-1-90(G).
Primary law
G.2 S.C. Code Ann. § 39-5-140(a)
SCUTPA gives any person suffering an ascertainable loss an individual-only private action, with mandatory treble damages for willful or knowing violations and mandatory attorney's fees and costs.
Any person who suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of an unfair or deceptive method, act or practice declared unlawful by Section 39-5-20 may bring an action individually, but not in a representative capacity, to recover actual damages. If the court finds that the use or employment of the unfair or deceptive method, act or practice was a willful or knowing violation of Section 39-5-20, the court shall award three times the actual damages sustained and may provide such other relief as it deems necessary or proper. Upon the finding by the court of a violation of this article, the court shall award to the person bringing such action under this section reasonable attorney's fees and costs.
See S.C. Code Ann. § 39-5-140(a).
Primary law
G.3 S.C. Code Ann. § 39-80-80
The Attorney General enforces the minors' design code; a violating service is liable for treble the financial damages incurred, and officers and employees may be personally liable for wilful and wanton violations.
The Attorney General shall enforce the provisions contained in this chapter. (B) A covered online service shall be liable for treble the financial damages incurred as a result of a violation of this chapter. (C) The officers and employees of a covered online service may be held personally liable for wilful and wanton violations of this chapter.
See S.C. Code Ann. § 39-80-80 (added by Act No. 96, 2026 S.C. Acts).
Primary law
G.4 S.C. Code Ann. § 39-80-60(C)
The minors' design code bans dark patterns and makes their use an unlawful trade practice under SCUTPA § 39-5-20, importing SCUTPA's penalties and damages.
Covered online services are prohibited from using dark patterns. (1) Use of dark patterns by a covered online service shall constitute an unlawful trade practice under Section 39-5-20 of the South Carolina Unfair Trade Practices Act. (2) A covered online service that violates the provisions of this section are subject to the provisions, penalties, and damages of the South Carolina Unfair Trade Practices Act.
See S.C. Code Ann. § 39-80-60(C) (added by Act No. 96, 2026 S.C. Acts).