Polsinelli PC
What law(s) specifically govern personal data / information?
Kansas No-Call Act (§50-670 of Article 6 of Chapter 50 of the Kansas Statutes)
Kansas Commercial Electronic Mail Act (§50-6,107 of Article 6 of Chapter 50 of the Kansas Statutes)
Kansas Consumer Protection Act (§§50-623 to 50-643 of Article 6 of Chapter 50 of the Kansas Statutes)
§50-7a01 et seq. of Article 7a of Chapter 50 of the Kansas Statutes (Data Breach Response Requirements)
§72-6214 of Article 62 of Chapter 72 of the Kansas Statutes (Right of Privacy Policies for Students)
Kansas Student Data Privacy Act (72-6313 et seq. of Article 63 of Chapter 72 of the Kansas Statutes)
§72-6318 of Article 63 of Chapter 72 of the Kansas Statutes (Student Data Breach Response Requirements)
Kansas Health Information Technology Act (§65-6821 et seq. of Article 68 of Chapter 65 of the Kansas Statutes)
§75-3520(b)(1) of Article 35 of Chapter 75 of the Kansas Statutes (Social Security Number Requirements)
§75-3520(b)(1) of Article 35 of Chapter 75 of the Kansas Statutes (Employer Discrimination Requirements)
§44-706 of Article 7 of Chapter 44 of the Kansas Statutes (Employee Drug Testing Requirements)
What are the key data protection principles in this jurisdiction?
The Kansas No-Call Act protects consumers from unsolicited telemarketing calls and establishes a no-call list on which consumers can register their phone number to indicate that they do not want to receive telemarketing calls. The Kansas Commercial Electronic Mail Act prohibits the transmission of certain forms of commercial electronic mail either from a computer located in Kansas or to a recipient the sender knows is a Kansas resident.
The Kansas Consumer Protection Act protects consumers from misleading, deceptive, and unconscionable business practices. Deceptive acts and practices include certain false or misleading representations to consumers, willful exaggeration, falsehood, or ambiguity regarding material facts, and willful concealment of material facts.
The Data Breach Response Requirements set forth the circumstances whereby companies must notify Kansas residents of a breach of their personal data. The Student Data Breach Response Requirements impose similar notification obligations related to breaches of student data.
The Kansas Student Data Privacy Act sets forth the requirements for education agencies. School districts must give annual written notice to parents/guardians that student data may be shared. Student data may be disclosed to third parties when there is a data sharing agreement in place that outlines the purpose, scope, and timeline for using the data. School districts are prohibited from collecting biometric data or from using any device to assess a student’s psychological or emotional state unless the student, or if a minor, the parent or guardian, consents in writing. The Act also prohibits tests, questionnaires, surveys, and exams containing any questions about the student’s personal beliefs or practices on issues such as sex, family life, morality, and religion, or any questions about the student’s parents’ or guardian’s beliefs and practices on such issues, unless the parent or guardian is notified in writing and provides written permission.
The Student Privacy Policy Requirements mandate that school boards adopt a policy, in accordance with the Student Data Privacy Act and federal law, to protect the right of privacy of any student regarding personally identifiable records, files, and data directly related to the student. The procedures shall provide a means by which the student may inspect their records at any time, and shall restrict the accessibility and availability of any personally identifiable records of any student unless access is made upon the written consent of such student or the student’s parent.
The Kansas Health Information Technology Act conforms to HIPAA’s Privacy Rule with respect to individual access to protected health information (PHI), proper safeguarding of PHI, and the use and disclosure of PHI for the purpose of facilitating the development and use of health information technology and the sharing of health information electronically. The Health Information Technology Act requires covered entities to provide individuals and their personal representatives with access to the individual's PHI maintained, collected, used, or disseminated by or for the covered entity in compliance with federal requirements, and covered entities are also required to implement appropriate security safeguards to protect the privacy of PHI in a manner consistent with federal law.
Under the Social Security Number Requirements, businesses are prohibited from soliciting, requiring, or using for commercial purposes an individual’s Social Security number unless the number is necessary for such person’s normal course of business and there is a specific use for such number for which no other identifying number may be used. Employers are permitted to use, collect, or release Social Security numbers for internal verification and administrative purposes.
The Employer Discrimination Requirements prohibit employers from discriminating against an employee based on race, religion, color, sex, disability, national origin or ancestry, and genetic test results. Employers cannot require, either directly or indirectly, that an employee take a genetic test.
Employees of private companies may be denied unemployment benefits if they test positive for alcohol or drugs, refuse to submit to an alcohol or drug test, or tamper with the tests. Employee privacy is protected under §44-706 of Article 7 of Chapter 44 of the Kan. Stat., which sets out drug testing requirements. Employers must treat the medical information of employees and job applicants as confidential, with the exception of information regarding the illegal use of drugs, and employers must keep these records in a separate file.
What is the supervisory authority / regulator in charge of data protection?
Kansas Attorney General.
Is there a requirement to register with a supervisory authority / regulator?
No.
Is there a requirement to notify the supervisory authority / regulator?
No.
Is it possible to register with / notify the supervisory authority / regulator online?
Not applicable.
What are the key data subject rights under the data protection laws of this jurisdiction?
Kansas does not currently have a comprehensive data protection law in effect, so Kansas data subjects do not have any additional rights beyond those afforded to them in the laws described above.
Is there a requirement to appoint a data protection officer (or equivalent)?
No.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
No.
Does this jurisdiction have any specific data breach notification requirements?
Data Breach Response Requirements
- When an entity becomes aware of a data breach, they are required to give notice as soon as possible without unreasonable delay to Kansas residents.
- Notification is not required if, after a good-faith, reasonable, and prompt investigation, the entity determines that the personal information has not been and is not reasonably likely to be misused.
- If more than 1,000 consumers must be notified at one time, the entity must also inform all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.
- If the entity can demonstrate that the cost of providing notice would exceed USD $100,000, that the affected class exceeds 5,000 individuals, or that it lacks sufficient contact information to provide notice, substitute notice may be used. Substitute notice may include email, a conspicuous posting on the entity’s website, or notification to major statewide media outlets.
Student Data Breach Response Requirements
- In the event of a security breach or unauthorised disclosure of student data or personally identifiable information of any student, the party responsible for the breach must immediately notify each affected student, if an adult, or the parent or legal guardian of the student, if a minor.
- The party responsible for the breach must investigate the causes and consequences of the breach or unauthorised disclosure.
What restrictions apply to the international transfer of personal data / information?
None.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. If businesses are doing business in the state and collecting or otherwise using personal data of Kansas residents, they will be subject to the above laws relating to the use of that data.
What rules specifically deal with marketing?
See the key principles of the Kansas No-Call Act and Kansas Commercial Electronic Mail Act above.
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
See question 13 above.
What rules specifically deal with cookies?
None.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Violations of the Kansas No-Call Act, Consumer Protection Act, and Commercial Electronic Mail Act are subject to civil penalties of between USD $500-$1,000 for each violation.
Violations of the Social Security Number Requirements are subject to civil penalties of USD $1,000 for each violation.
The Kansas Attorney General may bring an action in court for violations of the Student Data Privacy Act that may result in injunctive relief.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Businesses that collect personal data of Kansas residents (even without being located there) should understand the legal requirements under Kansas law to ensure compliance.
What upcoming data protection developments should multinational organisations be aware of?
None at this time.