Privacy Laws in South Dakota: What You Need to Know

South Dakota may not have a comprehensive consumer data privacy law like California's CCPA or Virginia's VCDPA, but that doesn't mean residents are without protections. From the state's data breach notification requirements to the brand-new Genetic Data Privacy Act signed into law in March 2026, South Dakota has a patchwork of privacy rules that every resident should understand.

South Dakota's Privacy Framework at a Glance

Unlike states such as California, Colorado, Connecticut, and Virginia — which have enacted broad consumer data privacy laws — South Dakota takes a sector-specific approach to privacy regulation. The state relies on a combination of targeted statutes, federal laws, and the state Attorney General's enforcement authority to protect residents' personal information.

While this means South Dakota residents don't have a single, unified privacy law to point to, several important protections are in place.

The South Dakota Genetic Data Privacy Act (2026)

On March 23, 2026, Governor Larry Rhoden signed Senate Bill 49, the South Dakota Genetic Data Privacy Act, which takes effect on July 1, 2026. This is a significant new law that specifically protects the privacy of genetic information collected by direct-to-consumer genetic testing companies.

Key Provisions

• Privacy policy requirements: Companies must publish clear privacy policies detailing how they process, retain, and secure genetic data.
• Collection and disclosure notices: Companies must specifically notify consumers about how their genetic data is collected, used, and disclosed.
• Third-party sharing transparency: If de-identified genetic data is shared with third parties for research, companies must disclose this practice to consumers.
• Enforcement: The South Dakota Attorney General has enforcement authority over violations of the Act.

South Dakota Data Breach Notification Law

Enacted in 2018, South Dakota's data breach notification law (SDCL 22-40-19 through 22-40-26) establishes clear requirements for businesses that experience data breaches affecting South Dakota residents:

• 60-day notification deadline: Businesses must notify affected individuals within 60 days of discovering a data breach involving personal or protected information.
• Attorney General notification: If a breach impacts more than 250 South Dakota residents, businesses must also notify the South Dakota Attorney General.
• Personal information definition: The law covers names combined with Social Security Numbers, driver's license numbers, financial account numbers, and health information.
• Good faith investigation: Businesses must conduct a reasonable and prompt investigation after discovering a potential breach.

The Deceptive Trade Practices and Consumer Protection Act

South Dakota's Deceptive Trade Practices and Consumer Protection Act (SDCL Chapter 37-24) provides an important privacy backstop. Under this law, businesses that make false or misleading claims about their data security or privacy practices can face enforcement action. This means if a company promises to protect your data and fails to do so, the state has the authority to intervene.

Federal Laws That Apply in South Dakota

In the absence of comprehensive state privacy legislation, several federal laws provide baseline protections for South Dakota residents:

• HIPAA: Protects the privacy of health information held by healthcare providers, insurers, and their business associates.
• COPPA: Protects children under 13 from having their personal information collected online without parental consent.
• GLBA: Requires financial institutions to explain their data-sharing practices and protect sensitive customer data.
• FERPA: Protects the privacy of student education records.
• FCRA: Regulates how consumer reporting agencies collect, use, and share your credit information.

Your Privacy Rights as a South Dakota Resident

While South Dakota doesn't provide the broad data access and deletion rights found in states with comprehensive privacy laws, you still have important rights:

Under Federal Law

• Access your credit reports for free annually from each bureau
• Place credit freezes and fraud alerts at no cost
• Opt out of pre-screened credit offers
• Request your medical records from healthcare providers

Under State Law

• Receive timely notification if your data is breached
• File complaints about deceptive business practices with the Attorney General
• Control how your genetic data is used by testing companies (effective July 2026)

How to Protect Your Privacy in South Dakota

Given the limited state-level privacy protections, South Dakota residents need to be especially proactive about their privacy:

• Opt out of data brokers: Manually submit opt-out requests to people-search sites, or use a service like PrivacyOn to automatically remove your information from 100+ data broker sites.
• Monitor your credit: Place freezes and check your credit reports regularly.
• Use strong security practices: Enable two-factor authentication, use a password manager, and be cautious about sharing personal information online.
• Think twice about DNA tests: With the new Genetic Data Privacy Act, you'll have more protections starting July 2026 — but you should still carefully review any testing company's privacy policy before submitting your genetic material.

While South Dakota's privacy landscape may not be as robust as some other states, you don't have to leave your privacy to chance. PrivacyOn provides comprehensive data removal from 100+ broker sites, 24/7 dark web monitoring, and family plans for up to 5 people — giving South Dakota residents the proactive protection that state law alone doesn't yet provide.