The following law(s) specifically govern personal data / information:
Except for data breach notification statutes and specific laws pertaining to personal health information, Missouri has no state law like California Consumer Privacy Act that covers personal data.
There is no explicit data privacy provision in the Missouri Constitution.
Tort Law. The tort of invasion of privacy has been identified and described in the Restatement (Second) of Torts § 652 (1977) (“Restatement”) and includes: 1) intrusion upon seclusion; 2) public disclosure of private facts; 3) appropriation of name or likeness; and 4) publicly placing a person in false light. Other torts and causes of action related to privacy may include defamation, assault and battery, trespass, breach of confidentiality, intentional infliction of emotional distress, negligence, and right of publicity.
Mo. Rev. Stat. § 570.223 Identity Theft
Mo. Rev. Stat. § 407.1500 Data Breach Notification
Mo Rev Stat § 407.1355 Social Security Numbers
Mo. Rev. St. §§542.400 - 542.422 Wiretapping Act
Mo. Rev Stat § 191.227 Medical Record Disclosures
Mo. Rev Stat §§ 407.430-407.436 Credit User Protection Law
Mo. Rev Stat § 569.095 Tampering with Computer Data
Mo. Rev Stat § 161.096 Statewide Longitudinal Data System, Regulation on Student Data Accessibility
The key data protection principles in this jurisdiction are:
No general principles.
The supervisory authority / regulator in charge of data protection is:
No central data privacy supervisory authority or regulator except for Missouri Attorney General.
Is there a requirement to register with a supervisory authority / regulator?
No registration required.
Is there a requirement to notify the supervisory authority / regulator?
No notification required.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
No key rights except for notice in event of data breach.
Is there a requirement to appoint a data protection officer (or equivalent)?
No statutory requirement for a data protection officer.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Not currently but some proposed legislation has included such requirement similar to the EU General Data Protection Regulation.
Does this jurisdiction have any specific data breach notification requirements?
Mo. Rev. St. §§ 407.1500
Data Breach Notification. Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.
Definition of Personal Information. For Missouri residents, an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable: (a) social security number; (b) driver's license number or other unique identification number created or collected by a government body; (c) financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; (d) unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (e) medical information; or (f) health insurance information.
Definition of Breach. Unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
Content of Notice. The notice shall at minimum include a description of the following: (a) the incident in general terms; (b) the type of personal information that was obtained as a result of the breach of security; (c) a telephone number that the affected consumer may call for further information and assistance, if one exists; (d) contact information for consumer reporting agencies; (e) advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
Timing. The notification requirement is triggered upon discovery or notification of a breach of the security of the system. Notification must be without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity, security and confidentiality of the data system. In the event of a breach affecting over 1000 people, the attorney general’s office and consumer reporting agencies (CRA) must be notified without unreasonable delay and must be informed of the timing, distribution, and content of the notices sent to Missouri residents.
Penalty. The Missouri Attorney General may enforce this law by seeking actual damages for a wilful and knowing violation and/or a civil penalty not to exceed $150,000 per breach.
Exemptions. An exemption from this notification statute may apply to an entity that is otherwise covered by a federal law such as the GLBA or HIPAA. As noted above, encrypted information is exempt so long as the breach doesn’t contain information or access code to decrypt the information but the Missouri statute does not define encryption.
The following restrictions apply to the international transfer of personal data / information:
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The following rules specifically deal with marketing:
None that are specific to marketing.
Do different rules apply to business-to-business and business-to-consumer marketing?
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
MO Rev Stat § 407.1123 Unsolicited electronic mail without either return email address or toll-free number prohibited.
Federal laws such as CAN-SPAM and TCPA apply.
The following rules specifically deal with cookies:
No specific state laws.
The consequences of non compliance with data protections laws (including marketing laws) are:
No state regulator except for Missouri Attorney General who may impose fines under data breach notification statutes discussed above.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Multinational organisations should be aware of the following upcoming data protection developments: