South Carolina does not yet have a comprehensive consumer data privacy law on par with California's CCPA or Virginia's VCDPA. However, the state has taken meaningful steps in specific areas — most notably with the Age-Appropriate Code Design Act signed by Governor Henry McMaster in February 2026, which establishes strong protections for children and teens online. Combined with existing data breach notification requirements and sector-specific regulations, South Carolina's privacy landscape offers more protection than many residents realize. Here is a full breakdown of what the law covers, what it does not, and how to protect yourself.
The Age-Appropriate Code Design Act (2026)
The most significant recent development in South Carolina privacy law is the Age-Appropriate Code Design Act, signed into law by Governor McMaster in February 2026. This law focuses specifically on protecting minors in the digital environment and imposes substantial obligations on online services.
Who It Applies To
The law targets online services, platforms, and applications that are "reasonably likely to be accessed" by minors (users under 18). A business falls under the law's scope if it meets any one of the following thresholds:
- Annual gross revenue of $25 million or more
- Processes the personal data of 50,000 or more consumers
- Derives 50% or more of annual revenue from the sale of personal data
Key Protections for Minors
The Age-Appropriate Code Design Act requires covered businesses to:
- Default to high privacy settings for accounts identified as belonging to minors
- Conduct Data Protection Impact Assessments (DPIAs) before launching new features or products that minors are likely to access
- Prohibit profiling minors by default unless there is a compelling reason and appropriate safeguards in place
- Restrict collection of geolocation data from minors unless strictly necessary for the service being provided
- Provide clear, age-appropriate privacy notices that minors can actually understand
- Avoid using dark patterns or manipulative design techniques that encourage minors to weaken their privacy settings
Why This Law Matters
South Carolina's Age-Appropriate Code Design Act follows similar legislation in California and reflects a growing national consensus that children and teenagers need stronger online protections than what federal law (COPPA) currently provides. COPPA only covers children under 13. South Carolina's law extends meaningful protections to all minors under 18, addressing the significant gap for teenagers whose data is heavily collected and monetized by social media platforms, gaming services, and ad-tech companies.
South Carolina Insurance Data Security Act
Effective January 1, 2019, the South Carolina Insurance Data Security Act was one of the first state laws to adopt the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. It applies specifically to insurance companies, agents, and other entities licensed by the South Carolina Department of Insurance.
Under this law, insurance licensees must:
- Develop a comprehensive written information security program
- Conduct regular risk assessments
- Implement security measures based on the size and complexity of the licensee
- Investigate and report cybersecurity events to the Director of Insurance within 72 hours
- Oversee the security practices of third-party service providers handling nonpublic information
While this law is narrow in scope — covering only the insurance industry — it set an important precedent as one of the earliest state-level cybersecurity regulations in the Southeast.
Data Breach Notification Law
South Carolina's data breach notification requirements are codified at S.C. Code Ann. § 39-1-90. This law requires any person or business conducting business in South Carolina to notify residents when their personal identifying information has been — or is reasonably believed to have been — accessed by an unauthorized person.
The law defines "personal identifying information" as a person's first name or initial and last name combined with one or more of the following:
- Social Security number
- Driver's license number or state identification card number
- Financial account number (with access codes or passwords)
Notification must be made in the most expedient time possible and without unreasonable delay. If more than 1,000 residents are affected, the entity must also notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs and major consumer reporting agencies.
Identity Theft Protection Act
The Identity Theft Protection Act (S.C. Code § 37-20-110 et seq.) provides additional safeguards for South Carolina residents. It grants consumers the right to place a security freeze on their credit reports at no charge and establishes penalties for identity theft. The law also restricts businesses from printing more than the last five digits of a credit card number on receipts, reducing exposure of financial data in everyday transactions.
No Comprehensive Consumer Privacy Rights Yet
Despite the protections listed above, South Carolina residents do not currently have broad rights to access, delete, correct, or port their personal data held by most businesses. You cannot opt out of data broker sales or targeted advertising under South Carolina law. Until the state passes a comprehensive consumer privacy statute, these rights remain unavailable — and your personal information continues to be collected, shared, and sold with minimal oversight.
How South Carolina Compares to Neighboring States
South Carolina's lack of a comprehensive privacy law is notable given the progress made by its neighbors. Virginia was among the first states in the nation to pass the VCDPA (effective January 2023). North Carolina has been actively pursuing its own comprehensive legislation. Georgia has introduced multiple privacy bills in recent sessions. South Carolina's Age-Appropriate Code Design Act is a strong step in the area of children's privacy, but it does not fill the broader gap in general consumer data protection.
For residents, this means that while your children may benefit from enhanced online protections, your own personal data — including your name, address, phone number, browsing history, purchase history, and more — can still be freely collected and sold by data brokers and other companies without your explicit consent.
What South Carolina Residents Can Do Now
Waiting for comprehensive legislation is not a strategy. Here are practical steps you can take today to protect your privacy:
- Remove your data from broker sites: People-search sites like Spokeo, BeenVerified, Whitepages, and Radaris likely have detailed profiles about you. Submit opt-out requests to each one individually, or use a removal service to handle it for you.
- Place a credit freeze: Under the Identity Theft Protection Act, you can freeze your credit at all three major bureaus at no cost. This prevents unauthorized accounts from being opened in your name.
- Review your children's online accounts: Take advantage of the protections in the Age-Appropriate Code Design Act by reviewing the privacy settings on your children's accounts and ensuring platforms are complying with the new requirements.
- Audit app permissions: Regularly review which apps have access to your location, contacts, photos, and microphone on your phone, and revoke any that are not necessary.
- Use strong, unique passwords: A password manager can help you maintain unique credentials for every account, dramatically reducing your risk in the event of a breach.
Get Comprehensive Protection Now
PrivacyOn offers South Carolina residents the kind of ongoing data protection that state law does not yet provide. PrivacyOn removes your personal information from over 100 data broker sites, monitors for new exposures around the clock, and includes dark web monitoring to alert you if your credentials appear in a breach. Family plans cover up to 5 people starting at $8.33 per month — giving your entire household real privacy protection today, not years from now.
What to Watch For
South Carolina's legislature is expected to continue considering broader consumer privacy legislation in upcoming sessions. The trends are clear — greater transparency requirements, consumer control over personal data, and restrictions on the processing of sensitive data are coming. The question for South Carolina is not whether a comprehensive privacy law will pass, but when.
In the meantime, the combination of the Age-Appropriate Code Design Act, the Insurance Data Security Act, the data breach notification law, and the Identity Theft Protection Act provides a foundation — but it is not enough. Proactive data management remains the most effective way for South Carolina residents to protect their personal information in an environment where legislation has not yet caught up with the scale of data collection happening every day.