# South Dakota Consumer Privacy Law[^about]

South Dakota has no comprehensive consumer-privacy statute. The operative state laws are the breach-notification act (SDCL §§ 22-40-19 to 22-40-26), a knowledge-gated deceptive-practices chapter, the new Genetic Data Privacy Act effective July 1, 2026, and a social-media data-portability law arriving July 1, 2027 — with the federal overlay carrying the rest.

## Which privacy laws apply to your business in South Dakota? {#which-privacy-laws-apply}

**Short answer.** South Dakota has no comprehensive consumer-privacy law. The state framework is sectoral: a breach-notification statute that reaches any person or business that conducts business in the state and owns or licenses computerized personal or protected information of residents [^q1-breach-scope]; a deceptive-trade-practices chapter that polices only *knowing* misstatements, including misstatements about data practices [^q1-udap-knowing]; and — effective July 1, 2026 — the Genetic Data Privacy Act, which imposes privacy-policy, consent, security, and deletion duties on direct-to-consumer genetic-testing companies [^q1-genetic-duty].

Unlike California or Colorado, South Dakota has not enacted an omnibus privacy statute, so its residents have no general state-law rights to access, delete, or correct their personal data, no right to opt out of sale or targeted advertising, and no recognized universal opt-out signal; businesses face no state notice-at-collection, consent, or data-protection-assessment duties. What fills the gap is a layered framework. The breach act sets the one statewide data-incident duty for every business. The federal overlay carries the rest of the program: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and their business associates, and the Children's Online Privacy Protection Act governs services directed to children under 13.

Two recent enactments narrow the gap at the sectoral level. The Genetic Data Privacy Act (Senate Bill 49, signed March 30, 2026, and codified at S.D. Codified Laws §§ 37-24-59 to 37-24-64) takes effect July 1, 2026 and is covered in its own section below. A second 2026 law, Senate Bill 111, gives users of the very largest social-media platforms a data-portability right beginning July 1, 2027 — a service with more than one hundred million active monthly users must hand a requesting user a portable copy of the user's personal data [^q1-social-copy]. This note is written to stay durable: if South Dakota later enacts a comprehensive law, a program built to the breach act and the federal overlay upgrades rather than restarts.

## What must your privacy policy contain in South Dakota? {#privacy-policy-contents}

**Short answer.** No South Dakota statute requires a general commercial privacy policy or fixes what one must say. The only South Dakota privacy-policy publication mandate addressed here arrives July 1, 2026: a direct-to-consumer genetic-testing company must make available, in plain language, both a privacy policy with basic, essential information about its collection, disclosure, and use of genetic data and a prominent, publicly available privacy notice covering its access, consent, data collection, deletion, disclosure, maintenance, retention, security, and transfer practices [^q2-genetic-policy]. For everyone else, the governing rule is truthfulness: under Section 5 of the FTC Act, a policy that misstates how you actually collect, use, share, or secure data is a deceptive practice [^q2-ftc5-deceptive].

In practice, the drafting question in South Dakota is less *what must be included* and more *does the policy match actual practice*. Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution, a COPPA notice if your service is directed to children under 13, and — for a HIPAA covered entity — a notice of the uses and disclosures of protected health information and of the individual's rights and the entity's duties [^q2-hipaa-notice]. For other businesses, follow best practice: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer, then honor what you wrote.

The state-law backstop is narrower here than in most states. A privacy-policy misstatement violates S.D. Codified Laws § 37-24-6 only if it is made *knowingly* — the statute has no unfairness prong and does not reach innocent or negligent drafting errors [^q2-udap-knowing]. That makes the FTC, not the state deceptive-practices chapter, the practical check on policy accuracy for most companies, though the attorney general can and does use § 37-24-6 where the knowledge element is provable.

## Do you need consent to collect or share genetic data in South Dakota? {#genetic-data-consent}

**Short answer.** Yes — beginning July 1, 2026 [^q3-effective]. South Dakota's Genetic Data Privacy Act requires a direct-to-consumer genetic-testing company to obtain the consumer's express consent to collect, disclose, or use genetic data: an initial consent describing the uses of the data, who has access to test results, and how the data may be shared, plus a separate consent — naming the recipient — for each transfer or disclosure to any person other than the company's vendors and service providers [^q3-consents]. Express consent means an affirmative written response, which may be presented and captured electronically [^q3-coverage].

The consent architecture is tiered, and each tier is separate: consent for each use of the genetic data or biological sample beyond the primary purpose of the testing service, consent to retain the biological sample after the initial testing is complete, informed consent under the federal human-research rules for research transfers, and a separate consent before genetic-data-based marketing [^q3-consents]. The act's coverage is broader than the label suggests — a covered company is one that *offers* genetic-testing products or services directly to consumers, or one that merely *analyzes, collects, or uses* genetic data collected via a direct-to-consumer product and supplied by the consumer, and genetic data means any non-de-identified data, regardless of format, concerning a consumer's genetic characteristics [^q3-coverage].

The act also creates operational duties beyond consent. The company must maintain a security program [^q3-security-program], give the consumer a process to access genetic data, delete the account and data, and request destruction of the biological sample, and offer revocation mechanisms without any unnecessary steps — at least one of them in the primary medium the company uses to communicate with the consumer [^q3-rights]. A revocation must be honored within thirty days, and a sample-storage revocation requires destruction of the sample within thirty days [^q3-revocation]. Enforcement belongs to the attorney general, who may seek a civil penalty of up to five thousand dollars per violation [^q3-penalty]; the act contains no private right of action and no cure period.

The exemptions matter as much as the duties. The act does not apply to HIPAA protected health information held by covered entities or business associates, to samples or data generated for medical screening, diagnosis, or treatment, to higher-education institutions and entities they own, to law-enforcement forensic labs during criminal investigations, to entities using genetic data only in federally compliant research, or to licensed hospitals and their owned or affiliated labs and facilities [^q3-exemptions]. The practical target is the consumer ancestry-and-wellness testing market and the downstream businesses that consume its data.

## What must your contracts with vendors and service providers say? {#vendor-contracts}

**Short answer.** South Dakota has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The one sectoral exception is the Genetic Data Privacy Act: from July 1, 2026, a service provider under contract with a direct-to-consumer genetic-testing company is subject by statute to the same confidentiality obligations as the company itself, for all biological samples, genetic data, and consumer-identity information in its possession [^q4-service-provider].

For genetic-testing companies, the vendor line is also a consent line: transfers to the company's own vendors and service providers ride the initial consent, while every transfer to anyone else requires a separate, recipient-named express consent [^q4-transfer-consent]. That makes it worth papering data recipients as service providers under contract wherever the relationship genuinely fits, and flowing the statutory confidentiality duty into the contract text explicitly.

Outside the genetic act, vendor data terms are supplied by the federal regimes that apply to your business: the GLBA Safeguards Rule requires financial institutions to oversee service providers and to bind them by contract to implement and maintain appropriate safeguards [^q4-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before sharing protected health information [^q4-hipaa-baa]. For insurance companies, treat insurer-specific information-security rules and NAIC Model #668 adoption status as a separate diligence item; this article does not use those rules as the source of a South Dakota vendor-contract mandate. Where no regime is in scope, carry the standard protections forward as best practice: processing limited to instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement.

## When must you notify people of a data breach in South Dakota? {#breach-notification}

**Short answer.** Within sixty days. After discovering or being notified of a breach of system security, an information holder must disclose the breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person, not later than sixty days from discovery, unless law enforcement needs a delay [^q5-notice-duty]. If the breach exceeds two hundred fifty residents, the information holder must also disclose it to the attorney general [^q5-ag-threshold], and any breach requiring resident notice triggers notice to the nationwide consumer reporting agencies without unreasonable delay [^q5-cra-notice].

The trigger is the unauthorized acquisition of unencrypted computerized data — or encrypted data together with the encryption key — that materially compromises personal or protected information [^q5-trigger]. South Dakota uses a distinctive two-tier data definition. *Personal information* is name-keyed: a name plus a Social Security number, government-issued ID number, financial-account access combination, health information, or an employer ID with an access credential. *Protected information* needs no name at all — a username or email address combined with a password or security-question answer, or a financial-account number with its access code, is enough on its own [^q5-protected-info]. A credential-stuffing incident can therefore be reportable in South Dakota even where a name-keyed statute would not reach it.

Notice may be written or electronic, with substitute notice (email plus website posting plus statewide media) available where the cost would exceed two hundred fifty thousand dollars, the affected class exceeds five hundred thousand persons, or contact information is insufficient [^q5-methods]. An information holder may also follow its own notification procedure if that procedure is part of an information-security policy and is otherwise consistent with the statute's timing requirements [^q5-own-policy]. An information holder regulated by federal law — HIPAA and GLBA are expressly named — that follows its federal regulator's breach procedures is deemed compliant if it notifies affected residents under that federal regime [^q5-federal]. There are no statutory content requirements for the notice itself, and there is no private right of action anywhere in the breach act — enforcement is taken up in the next section.

> [!NOTE]
> **Practice note.**
>
> South Dakota's risk-of-harm exemption is not a silent off-ramp. An information holder may skip resident notice only after an appropriate investigation *and notice to the attorney general*, and it must keep its written no-harm determination for at least three years [^q5-harm-offramp]. Treat the harm analysis as something you file with the state, not an internal memo — and remember the over-250-resident attorney-general disclosure applies to any breach under the statute.
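As an added example (not the article's or its publisher's code), the following Python helper applies the breach definitions, thresholds and deadlines quoted in this section to a constructed incident record, so an incident-response team can see which South Dakota notices a given set of acquired data elements triggers. The element names, the `Incident` fields and the output keys are this example's own assumptions; the rules themselves come from the statute text on the page.

```python
"""Triage an incident against South Dakota's breach-notification act
(SDCL 22-40-19 to 22-40-26) as summarised above.  Added example, not the
article's code.  Element names, Incident fields and the triage() output
format are assumptions of this example; thresholds and deadlines are the
statute's.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Elements that count only when paired with a name ("personal information").
NAME_KEYED = {
    "ssn",                          # Social Security number
    "government_id",                # government-issued ID number
    "financial_account_access",     # account number plus its access combination
    "health_information",
    "employer_id_with_credential",  # employer ID together with an access credential
}

# Identifier/secret pairs that are reportable with no name at all ("protected information").
PROTECTED_PAIRS = [
    ({"username", "email"}, {"password", "security_question_answer", "online_account_access_info"}),
    ({"account_number", "card_number"}, {"security_code", "access_code", "password"}),
]


@dataclass
class Incident:
    discovered: date                      # date of discovery or of notification to the holder
    elements: set                         # data elements acquired, e.g. {"email", "password"}
    sd_residents: int                     # South Dakota residents affected
    encrypted: bool = False               # was the acquired data encrypted?
    key_acquired: bool = False            # was the encryption key acquired too?
    notice_cost_usd: int = 0              # estimated cost of individual notice
    total_affected: int = 0               # size of the whole affected class
    has_contact_info: bool = True
    no_harm_determination: bool = False   # written finding after an appropriate investigation


def is_personal_information(elements: set) -> bool:
    """Name plus at least one name-keyed element (the name-keyed tier)."""
    return "name" in elements and bool(elements & NAME_KEYED)


def is_protected_information(elements: set) -> bool:
    """Identifier/secret pair; no name required (SDCL 22-40-19(5))."""
    return any(elements & ids and elements & secrets for ids, secrets in PROTECTED_PAIRS)


def is_breach_of_system_security(inc: Incident) -> bool:
    """Unauthorized acquisition of unencrypted data, or of encrypted data
    together with its key, compromising personal or protected information."""
    if inc.encrypted and not inc.key_acquired:
        return False
    return is_personal_information(inc.elements) or is_protected_information(inc.elements)


def triage(inc: Incident) -> dict:
    """Return which statutory notices the incident triggers and by when."""
    if not is_breach_of_system_security(inc):
        return {"breach": False}
    # Resident notice is owed unless the documented no-harm path is used, and
    # that path itself requires notice to the attorney general.
    resident_notice = not inc.no_harm_determination
    return {
        "breach": True,
        "resident_notice": resident_notice,
        "resident_deadline": inc.discovered + timedelta(days=60),
        # AG disclosure: breach exceeds 250 residents, or the no-harm off-ramp is used.
        "attorney_general_notice": inc.sd_residents > 250 or inc.no_harm_determination,
        # Consumer reporting agencies are told whenever resident notice is required.
        "cra_notice": resident_notice,
        "substitute_notice_allowed": (
            inc.notice_cost_usd > 250_000
            or inc.total_affected > 500_000
            or not inc.has_contact_info
        ),
        # Written no-harm determination kept at least three years (365-day years assumed).
        "retain_determination_until": (
            inc.discovered + timedelta(days=3 * 365) if inc.no_harm_determination else None
        ),
    }


# Constructed sample incidents (not real events).
CREDENTIAL_STUFFING = Incident(date(2026, 5, 1), {"email", "password"}, sd_residents=300)
ENCRYPTED_NO_KEY = Incident(date(2026, 5, 1), {"name", "ssn"}, sd_residents=300, encrypted=True)
NAME_SSN_SMALL = Incident(date(2026, 5, 1), {"name", "ssn"}, sd_residents=100)
NO_HARM = Incident(date(2026, 5, 1), {"name", "ssn"}, sd_residents=100, no_harm_determination=True)

if __name__ == "__main__":
    for label, inc in [("credential stuffing", CREDENTIAL_STUFFING), ("encrypted, no key", ENCRYPTED_NO_KEY)]:
        print(label, triage(inc))
```

Note that an email-plus-password exposure with no names attached is still reportable, which is the point the paragraph above makes about credential-stuffing incidents.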

## Can a consumer sue your business in South Dakota over privacy? {#consumer-lawsuit}

**Short answer.** Rarely. Neither the breach-notification statute nor the Genetic Data Privacy Act creates a private right of action. Breach enforcement belongs to the attorney general, who may prosecute each failure to disclose as a deceptive act and seek a civil penalty of up to ten thousand dollars per day per violation, plus attorney's fees [^q6-breach-enforcement]; genetic-act enforcement is an attorney-general civil penalty of up to five thousand dollars per violation [^q6-genetic-penalty]. The only general consumer path is S.D. Codified Laws § 37-24-31, which permits a civil action for actual damages by a person adversely affected by an act declared unlawful under § 37-24-6 [^q6-pra] — and § 37-24-6 reaches only *knowing* deceptive acts [^q6-udap-knowing].

That combination makes South Dakota one of the least hospitable states for private privacy litigation. The deceptive-practices private action carries no statutory damages, no fee-shifting, and no injunctive relief for private plaintiffs — recovery is limited to actual damages — and because liability runs through § 37-24-6, the plaintiff must prove the defendant acted knowingly. A negligent breach-notification failure or an innocent privacy-policy misstatement therefore sits outside the statute. The practical enforcer of South Dakota privacy law is the attorney general's Consumer Protection division, which holds the investigative and penalty toolkit under chapter 37-24 and is the named enforcement channel for both the breach act and the genetic-privacy sections.

## Will social-media users get a right to take their data with them in South Dakota? {#social-media-data-portability}

**Short answer.** Yes — for the very largest platforms, beginning July 1, 2027 [^q7-effective]. A second 2026 enactment, Senate Bill 111, requires a social-media service with more than one hundred million active monthly users (and whose primary focus is not charity or religion) to give a requesting user a copy of the user's personal data in a format that is portable, readily usable, and transmittable to another service without impediment [^q7-data-copy].

The law, codified at S.D. Codified Laws §§ 53-12-51 to 53-12-55, goes beyond a one-time download. Covered platforms must implement a transparent, third-party-accessible interoperability interface that lets users expose a common set of personal data to other services and lets permissioned third parties access the user's content [^q7-interop], and must offer social-graph exports in a machine-readable, license-fee-free format — as a single export or as continuous exports running at least every twenty-four hours [^q7-graph-export]. Personal data obtained through the interface must be secured in accordance with the company's own privacy notice and security practices [^q7-security]. One structural gap stands out: the codified sections impose duties but contain no enforcement provision — no civil penalty, no private right of action, and no express grant of authority to the attorney general appears in §§ 53-12-51 to 53-12-55 — so how the mandate will be enforced remains an open question ahead of the effective date. Given the hundred-million-user gate, the law is a monitoring item for platform counsel and a non-event for nearly every other South Dakota business.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not South Dakota. This article synthesizes South Dakota primary law and is not legal advice from a South Dakota-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^q1-breach-scope]: **S.D. Codified Laws § 22-40-19** — "(3) ‘Information holder,’ any person or business that conducts business in this state, and that owns or licenses computerized personal or protected information of residents of this state;" *S.D. Codified Laws § 22-40-19(3).* <https://sdlegislature.gov/Statutes/22-40-19>

[^q1-udap-knowing]: **S.D. Codified Laws § 37-24-6** — "It is a deceptive act or practice for any person to: (1) Knowingly act, use, or employ any deceptive act or practice, fraud, false pretense, false promises, or misrepresentation or to conceal, suppress, or omit any material fact in connection with the sale or advertisement of any merchandise or the solicitation of contributions for charitable purposes, regardless of whether any person has in fact been misled, deceived, or damaged thereby;" *S.D. Codified Laws § 37-24-6(1).* <https://sdlegislature.gov/Statutes/37-24-6>

[^q1-genetic-duty]: **S.D. Codified Laws § 37-24-60** — "To safeguard the confidentiality, integrity, privacy, and security of a consumer's genetic data, a direct-to-consumer genetic testing company shall: (1) Make available to the consumer in plain language: (a) A privacy policy that includes basic, essential information about the company's collection, disclosure, and use of genetic data; and (b) A prominent, publicly available privacy notice that includes information about the company's access, consent, data collection, deletion, disclosure, maintenance, retention, security, and transfer practices; and how the company uses genetic data;" *S.D. Codified Laws § 37-24-60(1).* <https://sdlegislature.gov/Statutes/37-24-60>

[^q1-social-copy]: **S.D. Codified Laws § 53-12-51** — "If a user requests a copy of the user's personal data being held by a social media service with more than one hundred million active monthly users and whose primary focus is not charity or religion, the social media service must provide the personal data in a format that: (1) Is portable to the extent technically feasible; (2) Is readily usable to the extent practicable; and (3) Allows the user to transmit the data to another social media service, without impediment." *S.D. Codified Laws § 53-12-51 (effective July 1, 2027).* <https://sdlegislature.gov/Statutes/53-12-51>

[^q2-genetic-policy]: **S.D. Codified Laws § 37-24-60(1)** — "(1) Make available to the consumer in plain language: (a) A privacy policy that includes basic, essential information about the company's collection, disclosure, and use of genetic data; and (b) A prominent, publicly available privacy notice that includes information about the company's access, consent, data collection, deletion, disclosure, maintenance, retention, security, and transfer practices; and how the company uses genetic data;" *S.D. Codified Laws § 37-24-60(1).* <https://sdlegislature.gov/Statutes/37-24-60>

[^q2-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q2-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^q2-udap-knowing]: **S.D. Codified Laws § 37-24-6** — "It is a deceptive act or practice for any person to: (1) Knowingly act, use, or employ any deceptive act or practice, fraud, false pretense, false promises, or misrepresentation or to conceal, suppress, or omit any material fact in connection with the sale or advertisement of any merchandise or the solicitation of contributions for charitable purposes, regardless of whether any person has in fact been misled, deceived, or damaged thereby;" *S.D. Codified Laws § 37-24-6(1).* <https://sdlegislature.gov/Statutes/37-24-6>

[^q3-effective]: **S.D. Codified Laws § 37-24-59 (effective date)** — "Effective July 1, 2026" *S.D. Codified Laws §§ 37-24-59 to 37-24-64 (SL 2026, ch. 164; effective July 1, 2026).* <https://sdlegislature.gov/Statutes/37-24-59>

[^q3-consents]: **S.D. Codified Laws § 37-24-60(3)** — "(3) Obtain the consumer's express consent to collect, disclose, or use the consumer's genetic data, including: (a) Initial express consent that describes the uses of genetic data collected through a genetic testing product or service and specifies who has access to the test results and how the genetic data may be shared; (b) Separate express consent, which must include the name of the person receiving the information, for each transfer or disclosure of the consumer's genetic data or biological sample to any person other than the company's vendors and service providers; (c) Separate express consent for each use of the consumer's genetic data or the biological sample beyond the primary purpose of the genetic testing product or service; (d) Separate express consent to retain any biological sample provided by the consumer following completion of the initial testing service requested by the consumer; (e) Informed consent, in compliance with federal policy for the protection of human research subjects under 45 C.F.R. part 46 (November 25, 2025), to transfer or disclose the consumer's genetic data to a third-party for research purposes, or for research conducted under the control of the company for publication or generalizable knowledge purposes; and (f) Separate express consent for marketing by the direct-to-consumer genetic testing company, to another consumer, based on the consumer's genetic data, or by a third party, to another consumer, based on the consumer having ordered or purchased a genetic testing product or service;" *S.D. Codified Laws § 37-24-60(3).* <https://sdlegislature.gov/Statutes/37-24-60>

[^q3-coverage]: **S.D. Codified Laws § 37-24-59** — "(4) ‘Direct-to-consumer genetic testing company,’ an entity that: (a) Offers genetic testing products or services directly to consumers; or (b) Analyzes, collects, or uses genetic data collected via a direct-to-consumer genetic testing product or service that is provided to the company by the consumer; (5) ‘Express consent,’ an affirmative written response, which may be presented and captured electronically; (6) ‘Genetic data,’ data other than de-identified data, regardless of format, which concerns a consumer's genetic characteristics; and" *S.D. Codified Laws § 37-24-59(4)-(6).* <https://sdlegislature.gov/Statutes/37-24-59>

[^q3-security-program]: **S.D. Codified Laws § 37-24-60(4)** — "(4) Develop, implement, and maintain a security program to protect the consumer's genetic data against unauthorized access, disclosure, or use;" *S.D. Codified Laws § 37-24-60(4).* <https://sdlegislature.gov/Statutes/37-24-60>

[^q3-rights]: **S.D. Codified Laws § 37-24-60(5)-(6)** — "(5) Provide a process for the consumer to: (a) Access the consumer's genetic data; (b) Delete the consumer's account and genetic data; and (c) Request and obtain the destruction of the consumer's biological sample; and (6) Provide mechanisms, without any unnecessary steps, for the consumer to revoke any consent of the consumer. At least one mechanism must utilize the primary medium through which the company communicates to the consumer." *S.D. Codified Laws § 37-24-60(5)-(6).* <https://sdlegislature.gov/Statutes/37-24-60>

[^q3-revocation]: **S.D. Codified Laws § 37-24-61** — "If a consumer revokes consent pursuant to § 37-24-60, the company must honor the consumer's revocation of consent within thirty days. If a consumer revokes consent to store the consumer's biological sample, the company must destroy the consumer's biological sample within thirty days of receiving the consumer's revocation of consent." *S.D. Codified Laws § 37-24-61.* <https://sdlegislature.gov/Statutes/37-24-61>

[^q3-penalty]: **S.D. Codified Laws § 37-24-63** — "The attorney general, upon petition to the court, may impose a civil penalty against a person for violating § 37-24-60, 37-24-61, or 37-24-62. The amount of the civil penalty may not exceed five thousand dollars per violation." *S.D. Codified Laws § 37-24-63.* <https://sdlegislature.gov/Statutes/37-24-63>

[^q3-exemptions]: **S.D. Codified Laws § 37-24-64** — "The provisions of §§ 37-24-60 to 37-24-63, inclusive, do not apply to: (1) Protected health information collected by a covered entity or business associate, as those terms are defined in 45 C.F.R. § 160.103 (November 25, 2025); (2) A biological sample that is obtained or genetic data that is generated for the purpose of a consumer's medical screening, diagnosis, or treatment; (3) A public or private institution of higher education; (4) An entity owned or operated by a public or private institution of higher education; (5) A forensic laboratory that is operated by, associated with, or under contract with, a law enforcement agency, when performing forensic analysis or related services as part of a criminal investigation; (6) An entity that analyzes, collects, or uses genetic data or biological samples only in the context of research, as defined in 24 C.F.R. § 164.501 (November 25, 2025), in a manner that complies with the federal policy of the protection of human research subjects under 45 C.F.R. part 46 (November 25, 2025); the Guideline for Good Clinical Practice issued by the International Council for Harmonisation (January 6, 2025); or the United States Food and Drug Administration policy for the protection of human subjects under 21 C.F.R. part 50 (December 4, 2025) and 21 C.F.R. part 56 (December 4, 2025); or (7) A hospital licensed under chapter 34-12, including any laboratory or health care facility owned, operated by, or affiliated with the hospital." *S.D. Codified Laws § 37-24-64.* <https://sdlegislature.gov/Statutes/37-24-64>

[^q4-service-provider]: **S.D. Codified Laws § 37-24-62** — "A service provider under contract with a direct-to-consumer genetic testing company is subject to the same confidentiality obligations as the direct-to-consumer genetic testing company, as set forth in § 37-24-60, with respect to all biological samples, genetic data, and information regarding the identity of any consumer that is in the service provider's possession." *S.D. Codified Laws § 37-24-62.* <https://sdlegislature.gov/Statutes/37-24-62>

[^q4-transfer-consent]: **S.D. Codified Laws § 37-24-60(3)(b)** — "(b) Separate express consent, which must include the name of the person receiving the information, for each transfer or disclosure of the consumer's genetic data or biological sample to any person other than the company's vendors and service providers;" *S.D. Codified Laws § 37-24-60(3)(b).* <https://sdlegislature.gov/Statutes/37-24-60>

[^q4-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^q4-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>

[^q5-notice-duty]: **S.D. Codified Laws § 22-40-20** — "Following the discovery by or notification to an information holder of a breach of system security an information holder shall disclose in accordance with § 22-40-22 the breach of system security to any resident of this state whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. A disclosure under this section shall be made not later than sixty days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement as provided under § 22-40-21." *S.D. Codified Laws § 22-40-20.* <https://sdlegislature.gov/Statutes/22-40-20>

[^q5-ag-threshold]: **S.D. Codified Laws § 22-40-20 (attorney-general notice)** — "Any information holder that experiences a breach of system security under this section shall disclose to the attorney general by mail or electronic mail any breach of system security that exceeds two hundred fifty residents of this state." *S.D. Codified Laws § 22-40-20.* <https://sdlegislature.gov/Statutes/22-40-20>

[^q5-cra-notice]: **S.D. Codified Laws § 22-40-24** — "If an information holder discovers circumstances that require notification pursuant to § 22-40-20 the information holder shall also notify, without unreasonable delay, all consumer reporting agencies, as defined under 15 U.S.C. § 1681a in effect as of January 1, 2018, and any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis, of the timing, distribution, and content of the notice." *S.D. Codified Laws § 22-40-24.* <https://sdlegislature.gov/Statutes/22-40-24>

[^q5-trigger]: **S.D. Codified Laws § 22-40-19(1)** — "(1) ‘Breach of system security,’ the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder." *S.D. Codified Laws § 22-40-19(1).* <https://sdlegislature.gov/Statutes/22-40-19>

[^q5-protected-info]: **S.D. Codified Laws § 22-40-19(5)** — "(5) ‘Protected information,’ includes: (a) A user name or email address, in combination with a password, security question answer, or other information that permits access to an online account; and (b) Account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person's financial account;" *S.D. Codified Laws § 22-40-19(5).* <https://sdlegislature.gov/Statutes/22-40-19>

[^q5-methods]: **S.D. Codified Laws § 22-40-22** — "A disclosure under § 22-40-20 may be provided by: (1) Written notice; (2) Electronic notice, if the electronic notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 in effect as of January 1, 2018, or if the information holder's primary method of communication with the resident of this state has been by electronic means; or (3) Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of persons to be notified exceeds five hundred thousand persons, or that the information holder does not have sufficient contact information and the notice consists of each of the following: (a) Email notice, if the information holder has an email address for the subject persons; (b) Conspicuous posting of the notice on the information holder's website, if the information holder maintains a website page; and (c) Notification to statewide media." *S.D. Codified Laws § 22-40-22(3).* <https://sdlegislature.gov/Statutes/22-40-22>

[^q5-own-policy]: **S.D. Codified Laws § 22-40-23** — "Notwithstanding § 22-40-22, if an information holder maintains its own notification procedure as part of an information security policy for the treatment of personal or protected information and the policy is otherwise consistent with the timing requirements of this section, the information holder is in compliance with the notification requirements of § 22-40-22 if the information holder notifies each person in accordance with the information holder's policies in the event of a breach of system security." *S.D. Codified Laws § 22-40-23.* <https://sdlegislature.gov/Statutes/22-40-23>

[^q5-federal]: **S.D. Codified Laws § 22-40-26** — "Notwithstanding any other provisions in §§ 22-40-19 to 22-40-26, inclusive, any information holder that is regulated by federal law or regulation, including the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, as amended) or the Gramm Leach Bliley Act (15 U.S.C. § 6801 et seq., as amended) and that maintains procedures for a breach of system security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional federal regulator is deemed to be in compliance with this chapter if the information holder notifies affected South Dakota residents in accordance with the provisions of the applicable federal law or regulation." *S.D. Codified Laws § 22-40-26.* <https://sdlegislature.gov/Statutes/22-40-26>

[^q5-harm-offramp]: **S.D. Codified Laws § 22-40-20 (risk-of-harm exemption)** — "An information holder is not required to make a disclosure under this section if, following an appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person. The information holder shall document the determination under this section in writing and maintain the documentation for not less than three years." *S.D. Codified Laws § 22-40-20.* <https://sdlegislature.gov/Statutes/22-40-20>

[^q6-breach-enforcement]: **S.D. Codified Laws § 22-40-25** — "The attorney general may prosecute each failure to disclose under the provisions of §§ 22-40-19 to 22-40-26, inclusive, as a deceptive act or practice under § 37-24-6. In addition to any remedy provided under chapter 37-24, the attorney general may bring an action to recover on behalf of the state a civil penalty of not more than ten thousand dollars per day per violation. The attorney general may recover attorney's fees and any costs associated with any action brought under this section." *S.D. Codified Laws § 22-40-25.* <https://sdlegislature.gov/Statutes/22-40-25>

[^q6-genetic-penalty]: **S.D. Codified Laws § 37-24-63** — "The attorney general, upon petition to the court, may impose a civil penalty against a person for violating § 37-24-60, 37-24-61, or 37-24-62. The amount of the civil penalty may not exceed five thousand dollars per violation." *S.D. Codified Laws § 37-24-63.* <https://sdlegislature.gov/Statutes/37-24-63>

[^q6-pra]: **S.D. Codified Laws § 37-24-31** — "Any person who claims to have been adversely affected by any act or a practice declared to be unlawful by § 37-24-6 shall be permitted to bring a civil action for the recovery of actual damages suffered as a result of such act or practice." *S.D. Codified Laws § 37-24-31.* <https://sdlegislature.gov/Statutes/37-24-31>

[^q6-udap-knowing]: **S.D. Codified Laws § 37-24-6** — "It is a deceptive act or practice for any person to: (1) Knowingly act, use, or employ any deceptive act or practice, fraud, false pretense, false promises, or misrepresentation or to conceal, suppress, or omit any material fact in connection with the sale or advertisement of any merchandise or the solicitation of contributions for charitable purposes, regardless of whether any person has in fact been misled, deceived, or damaged thereby;" *S.D. Codified Laws § 37-24-6(1).* <https://sdlegislature.gov/Statutes/37-24-6>

[^q7-effective]: **S.D. Codified Laws § 53-12-51 (effective date)** — "Effective July 1, 2027" *S.D. Codified Laws §§ 53-12-51 to 53-12-55 (SL 2026, ch. 197; effective July 1, 2027).* <https://sdlegislature.gov/Statutes/53-12-51>

[^q7-data-copy]: **S.D. Codified Laws § 53-12-51** — "If a user requests a copy of the user's personal data being held by a social media service with more than one hundred million active monthly users and whose primary focus is not charity or religion, the social media service must provide the personal data in a format that: (1) Is portable to the extent technically feasible; (2) Is readily usable to the extent practicable; and (3) Allows the user to transmit the data to another social media service, without impediment." *S.D. Codified Laws § 53-12-51 (effective July 1, 2027).* <https://sdlegislature.gov/Statutes/53-12-51>

[^q7-interop]: **S.D. Codified Laws § 53-12-52** — "A social media company operating a social media service with more than one hundred million active monthly users and whose primary focus is not charity or religion shall implement a transparent, third-party-accessible interoperability interface subject to § 53-12-51 to allow the social media service's users to choose to: (1) Expose a common set of the user's personal data to other social media services; and (2) Enable third parties to access content created by the user and to be notified when new or updated content is available, with the user's permission." *S.D. Codified Laws § 53-12-52 (effective July 1, 2027).* <https://sdlegislature.gov/Statutes/53-12-52>

[^q7-graph-export]: **S.D. Codified Laws § 53-12-53** — "(2) A social media service shall make the export available in a machine readable format; (3) A social media service shall make the export using a publicly available technical standard that is free from: (a) Licensing fees; and (b) Patent restrictions that any social media service can freely use; (4) The social media service shall allow a user to choose between a single export or continuous, ongoing exports, which must occur at least every twenty-four hours;" *S.D. Codified Laws § 53-12-53(4) (effective July 1, 2027).* <https://sdlegislature.gov/Statutes/53-12-53>

[^q7-security]: **S.D. Codified Laws § 53-12-54** — "A social media company operating a social media service with more than one hundred million active monthly users and whose primary focus is not charity or religion shall secure all personal data obtained through an interoperability interface and safeguard the privacy and security of a user's personal data obtained from other social media services through the interoperability interface, in accordance with the social media company's privacy notice and administrative, technical, and physical data security practices." *S.D. Codified Laws § 53-12-54 (effective July 1, 2027).* <https://sdlegislature.gov/Statutes/53-12-54>
