Privacy Guide · May 2, 2026 · 10 min read

Privacy Laws in Missouri: What You Need to Know in 2026

By Sarah Chen

Head of Privacy Research

Missouri does not have a comprehensive consumer data privacy law like California's CCPA or Illinois's BIPA, but that does not mean residents are unprotected. The state has a patchwork of targeted statutes covering data breach notification, identity theft, Social Security number protection, credit security freezes, and — as of January 2026 — a new Insurance Data Security Act. Here is what Missouri residents need to know about their privacy rights and what steps they can take to protect themselves.

Missouri's Privacy Law Landscape: No Comprehensive Law Yet

As of mid-2026, Missouri remains one of the states that has not enacted a comprehensive consumer data privacy law. States like California, Virginia, Colorado, Connecticut, and more than a dozen others have passed broad legislation giving residents rights to access, delete, and control the sale of their personal data. Missouri has not followed suit.

The Missouri legislature has seen bills introduced in recent sessions. One notable proposal would have required online services to compensate consumers for the sale of their personal information, paying 60 percent of the revenue back to the consumer. However, no comprehensive privacy bill has passed into law.

What Missouri does have is a collection of narrower statutes that address specific privacy threats. Understanding these laws is essential for residents who want to know their rights.

Missouri Lacks a Comprehensive Privacy Law

Unlike states such as California, Virginia, and Colorado, Missouri does not give residents broad rights to access, delete, or opt out of the sale of their personal data. This means data brokers and companies can collect and sell your information with fewer restrictions. Taking proactive steps to protect your data is especially important for Missouri residents.

Data Breach Notification Law (RSMo Section 407.1500)

Missouri's primary data privacy statute is its Data Breach Notification Law, codified at RSMo Section 407.1500. This law requires any person or business that owns or licenses personal information of Missouri residents to notify affected individuals when a security breach occurs.

Key Requirements

  • Notification timeline: Businesses must notify affected individuals without unreasonable delay and no later than 45 days after determining that a breach occurred involving personal information.
  • Personal information defined: The law covers combinations of a resident's name with Social Security numbers, driver's license numbers, financial account numbers, and other sensitive identifiers.
  • Notification methods: Businesses may notify residents by telephone, written notice, or electronic notice.
  • Attorney General notification: If more than 1,000 Missouri residents are affected, the business must also notify the Missouri Attorney General's office with details about the timing, distribution, and content of the consumer notice.
  • Documentation requirement: If a business determines that a breach does not pose a reasonable risk of identity theft or fraud, it may forgo notification, but the determination must be documented in writing and maintained for five years.

This law is enforced by the Missouri Attorney General. While it does not include a private right of action for individuals, the AG can pursue enforcement actions against businesses that fail to comply.

Identity Theft Protections (RSMo Section 570.223)

Missouri treats identity theft as a serious criminal offense. Under RSMo Section 570.223, it is illegal to knowingly and with intent to deceive or defraud obtain, possess, transfer, or use another person's means of identification without lawful authority.

Penalties

  • Base offense: Identity theft is a class B misdemeanor unless it results in actual theft or fraud.
  • Up to $750 in damages: A class A misdemeanor punishable by up to a $1,000 fine and one year in jail.
  • $750 to $5,000: A class D felony.
  • $5,000 to $50,000: A class B felony.
  • Over $50,000: A class A felony.
  • Repeat offenders: A person previously convicted of identity theft who commits a subsequent offense involving $750 or less is guilty of a class E felony.

Courts may also order restitution, including payment for attorney fees incurred by the victim in clearing their credit history, credit rating, and any debts or liens arising from the identity theft.

Social Security Number Protection (RSMo Section 407.1355)

Missouri has a specific statute restricting how businesses and organizations may use Social Security numbers. Under RSMo Section 407.1355, businesses are prohibited from:

  • Publicly posting or displaying a person's Social Security number
  • Requiring a person to transmit their SSN over the internet unless the connection is secure or encrypted
  • Requiring a person to use their SSN to access a website without a password or authentication device
  • Using a person's SSN as part of an employee identification number

These restrictions provide a baseline of protection against one of the most commonly exploited pieces of personal data.

Credit Security Freeze (RSMo Section 407.1382)

Missouri residents have the right to place a security freeze on their credit reports, preventing new accounts from being opened in their name without their explicit authorization. This is one of the most effective tools for preventing identity theft.

How It Works

  • Consumers may request a freeze by mail, internet, telephone, fax, or other electronic means offered by the credit reporting agency.
  • The agency must honor the request within five business days.
  • While a freeze is in place, the agency cannot change official information (name, date of birth, SSN, or address) without sending written confirmation within 30 days.
  • Fees may apply: up to $5 for the first freeze and up to $10 for subsequent requests, though no fee is charged if accompanied by an identity theft incident report.

Free Credit Freezes Under Federal Law

While Missouri's state law allows small fees for credit freezes, federal law (the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018) requires all three major credit bureaus to offer free credit freezes and thaws to all Americans. Missouri residents should take advantage of this federal protection regardless of state fee allowances.

Insurance Data Security Act (Effective January 1, 2026)

The most significant recent development in Missouri's privacy landscape is the Insurance Data Security Act, signed into law as House Bill 974 and effective January 1, 2026. This law establishes data security standards specifically for insurance companies, insurance producers, and other licensed entities operating in Missouri.

Key Provisions

  • Security program requirement: Licensees must implement a comprehensive information security program to protect nonpublic consumer information.
  • Incident notification: Licensees must notify the Insurance Director within four business days when a cybersecurity event involving nonpublic information meets a reporting threshold.
  • Threshold for notification: Notification is required when a cybersecurity event involves 250 or more Missouri consumers' nonpublic information and has a reasonable likelihood of materially harming a Missouri resident or the licensee's normal business operations.
  • Investigation requirements: Licensees must promptly investigate cybersecurity events and assess the nature and scope of the incident.

While this law applies specifically to the insurance industry, it represents a meaningful step toward stronger data security standards in Missouri.

Missouri Merchandising Practices Act (MMPA)

Though not a privacy law per se, the Missouri Merchandising Practices Act (MMPA) under RSMo Chapter 407 provides a consumer protection framework that can be applied to deceptive data practices. The MMPA prohibits deception, fraud, false promises, misrepresentation, unfair practices, and omissions of material fact in consumer transactions.

This means that if a company makes misleading claims in its privacy policy or engages in deceptive data collection practices, Missouri residents and the Attorney General may be able to pursue action under the MMPA. The statute has been used to address privacy-related misconduct even without a dedicated comprehensive privacy law.

How Missouri Compares to Other States

Missouri's privacy protections lag behind the leaders but are roughly typical for states without comprehensive legislation. Here is how it stacks up:

  • California (CCPA/CPRA): Gives residents the right to know what data is collected, request deletion, opt out of sales, and correct inaccurate data. Missouri offers none of these broad rights.
  • Illinois (BIPA): Provides the strongest biometric data protections in the country, with a private right of action. Missouri has no biometric privacy law.
  • Texas (TDPSA): Enacted a comprehensive consumer data privacy law effective July 2024. Missouri has not followed suit.
  • Iowa and Indiana: Both have passed comprehensive privacy laws that took or will take effect between 2025 and 2026. Missouri has not.
  • Tennessee: Passed the Tennessee Information Protection Act effective July 2025. Missouri remains without equivalent legislation.

Missouri's 45-day breach notification window is reasonable compared to other states, but the absence of comprehensive consumer rights leaves residents with fewer tools to control how their data is collected, used, and sold.

What Missouri Residents Can Do to Protect Their Privacy

Because Missouri's laws provide limited proactive privacy rights, residents need to take matters into their own hands. Here are the most effective steps:

  1. Place a credit freeze. Contact all three major credit bureaus (Equifax, Experian, TransUnion) to freeze your credit. This is free under federal law and is the single best defense against identity theft.
  2. Monitor for data breaches. Use breach notification services and monitor your credit reports. Missouri businesses are required to notify you within 45 days of a breach, but the sooner you act, the better.
  3. Opt out of data brokers. Hundreds of people-search sites publish your name, home address, phone number, email, and family connections. Opting out one site at a time is tedious and temporary, since brokers re-scrape public records regularly.
  4. Use a data removal service. PrivacyOn automates the opt-out process across more than 100 data broker sites, continuously monitors for re-listings, and includes dark web monitoring. For Missouri residents who lack the broad legal protections that states like California or Illinois provide, proactive data removal is one of the most effective ways to reduce your digital exposure.
  5. Review your privacy settings. Audit the privacy settings on your social media accounts, apps, and online services. Limit what you share publicly.
  6. File complaints with the Attorney General. If you believe a business has violated Missouri's existing privacy statutes or engaged in deceptive data practices, file a complaint with the Missouri Attorney General's office at ago.mo.gov.

Removing Your Personal Information From Data Brokers

Without a comprehensive privacy law, Missouri residents cannot compel most companies to delete their personal data on request. Data brokers like Spokeo, BeenVerified, TruePeopleSearch, Whitepages, and Radaris collect public records and make your information freely available to anyone who searches your name. This information can be used for unwanted contact, stalking, scams, and identity theft.

Opting out of each site individually is a time-consuming process, and your information typically reappears within weeks as brokers re-scrape their sources. PrivacyOn handles this entire process for Missouri residents by submitting removal requests to more than 100 data broker sites, tracking every removal, and continuously re-filing when your data resurfaces. Combined with 24/7 monitoring and dark web scanning, it provides the kind of ongoing protection that Missouri's current laws do not.

The Bottom Line

Missouri's privacy laws provide a basic safety net through breach notification, identity theft penalties, SSN protections, and credit freeze rights. The 2026 Insurance Data Security Act is a welcome addition for policyholders. But without a comprehensive consumer data privacy law, Missouri residents lack the rights to access, delete, or control the sale of their personal information that residents of other states enjoy. Until the legislature acts, the best strategy for Missouri residents is to combine the protections that do exist with proactive steps like credit freezes, data broker opt-outs, and continuous monitoring through services like PrivacyOn.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
