Question 1 of 30
1. Question
Consider a cybersecurity incident impacting a South Dakota-based retail company that processes personal information of its customers. An analysis of the incident reveals that the unauthorized acquisition of personal information, specifically names and unencrypted email addresses, affects 300 South Dakota residents. The company has implemented a robust internal investigation to assess the scope and impact of the breach. What is the company’s legal obligation regarding notification to the South Dakota Attorney General under South Dakota Codified Law Chapter 37-25A, the Personal Information Protection Act, given the number of affected residents?
Correct
South Dakota Codified Law Chapter 37-25A, the South Dakota Personal Information Protection Act (SD-PIPA), mandates specific requirements for businesses that own or license the personal information of South Dakota residents. The law requires reasonable security measures to protect this information from unauthorized access, acquisition, destruction, use, modification, or disclosure. When a breach of the security of the system occurs, a notification must be made. The notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the integrity of the system. For residents of South Dakota, the notification must be provided to the consumer without unreasonable delay. If the breach affects more than 250 South Dakota residents, a copy of the notification must also be provided to the Attorney General. The Attorney General’s office is responsible for overseeing compliance with consumer protection laws in South Dakota, including data breach notification requirements. Therefore, in this scenario, the notification must be provided to the Attorney General if the breach affects at least 250 residents.
Question 2 of 30
2. Question
A data analytics firm operating in South Dakota, which processes extensive customer information for its clients, discovers a significant security incident where an unauthorized actor gained access to a database containing the personally identifiable information of South Dakota residents. This compromised data includes names, email addresses, and encrypted but potentially decryptable financial account numbers. The firm’s internal security team has confirmed that the encryption keys were also accessed. Which of the following actions is most consistent with South Dakota’s statutory requirements for data breach notification under SDCL Chapter 21-46?
Correct
South Dakota’s approach to data privacy, particularly as it relates to consumer rights and business obligations, centers on principles found in its consumer protection statutes and evolving interpretations of data handling practices. While South Dakota does not have a comprehensive, standalone data privacy law akin to California’s CCPA/CPRA, it does incorporate privacy considerations within its existing legal framework, primarily through the South Dakota Codified Laws (SDCL) related to consumer protection and unfair or deceptive trade practices. These statutes grant consumers rights and impose duties on businesses regarding how personal information is collected, used, and protected. When a business in South Dakota experiences a data breach involving personal information of its residents, the primary legal obligation is to provide notification to affected individuals and, in certain circumstances, to state agencies. SDCL Section 21-46-1 through 21-46-7 outlines the requirements for data breach notification. The law defines “personal information” broadly to include a name combined with a Social Security number, driver’s license number, or financial account number. It mandates that any person or business that owns or licenses computerized data that includes personal information shall notify any resident of South Dakota whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This notification must be made without unreasonable delay and must include specific content, such as the nature of the breach, the type of information involved, and steps individuals can take to protect themselves. The law also specifies the method of notification, which can be written, electronic, or, if certain conditions are met, substitute notice. The critical aspect is the promptness and clarity of the communication to safeguard consumers from potential harm resulting from the unauthorized disclosure of their sensitive data. 
The absence of a specific private right of action under SDCL 21-46 means enforcement is primarily through the Attorney General’s office.
Question 3 of 30
3. Question
Consider a South Dakota-based online retailer, “Prairie Goods,” that experiences a cybersecurity incident resulting in unauthorized access to its customer database. The compromised data includes names, email addresses, and encrypted payment card information. The incident was discovered on October 1st. What is the most critical legal consideration under South Dakota Codified Law Chapter 37-24 regarding the immediate aftermath of this breach for Prairie Goods?
Correct
The South Dakota Codified Law Chapter 37-24, concerning deceptive trade practices, specifically addresses data security and privacy. While not a comprehensive data privacy law like California’s CCPA or Virginia’s CDPA, it provides a framework for protecting consumers from unfair or deceptive acts or practices, which can include inadequate data security measures leading to breaches. When a data breach occurs, the law requires businesses to notify affected individuals without unreasonable delay. The notification must include specific details about the breach, such as the nature of the personal information compromised and steps individuals can take to protect themselves. South Dakota law does not mandate a specific waiting period before notification, but it emphasizes promptness. The law also defines “personal information” broadly, encompassing information that can be used to identify an individual. The primary enforcement mechanism is through the Attorney General’s office, which can investigate violations and seek remedies, including injunctions and civil penalties. The law does not create a private right of action for individuals to sue directly for data breaches, meaning consumers cannot initiate lawsuits themselves under this statute for privacy violations.
Question 4 of 30
4. Question
Consider a South Dakota-based financial institution that detects a pattern of unusually large and rapid transactions originating from an account belonging to a resident of the state. To investigate potential fraudulent activity and secure the account, the institution temporarily suspends access and retains the account holder’s transaction data, even after the account holder submits a request to delete their personal information under SDCL Chapter 37-31. Which of the following best describes the legal basis for the financial institution’s action?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-31, the “Data Protection and Privacy Act,” outlines specific requirements for businesses that collect and process personal information of South Dakota residents. A key aspect of this law, similar to many other state privacy statutes, is the concept of a “qualified exception” to certain consumer rights. These exceptions are designed to balance consumer privacy with legitimate business needs, particularly in areas like fraud prevention, law enforcement, and public safety. For instance, a business may be exempt from a consumer’s right to deletion if retaining the personal information is reasonably necessary to fulfill a legal obligation, prevent fraudulent or malicious activity, or assist with a lawful investigation. The law emphasizes that such exceptions must be narrowly construed and applied only to the extent necessary to achieve the stated purpose. Therefore, if a business invokes an exception, it must be able to demonstrate a clear and justifiable basis for doing so, aligning with the specific parameters of the qualified exceptions provided within the statute. This requires a careful assessment of the business’s operational context and the nature of the data processing activity in relation to the legal requirements.
Question 5 of 30
5. Question
Consider a scenario where “Dakota Data Solutions,” a company based in Sioux Falls, South Dakota, experiences a cyber incident. An external attacker gains access to their customer database containing names, addresses, and social security numbers of South Dakota residents. While the attacker’s intent is unclear, the security logs indicate that specific customer records were viewed and potentially copied. Dakota Data Solutions promptly isolates the affected systems and begins an investigation to determine the scope and impact of the intrusion. Which of the following events definitively triggers the notification obligations under South Dakota Codified Law Chapter 37-31, concerning the Protection of Personal Information?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-31, concerning the Protection of Personal Information, outlines specific requirements for businesses that own or license personal information of South Dakota residents. When a breach of the security of the system occurs, a “reasonable security safeguard” is defined as measures taken to protect personal information from unauthorized acquisition. The law requires notification to affected individuals and, in certain circumstances, to the Attorney General. The key element here is what constitutes a “breach of the security of the system.” This is defined as unauthorized acquisition of computerized personal information that compromises the security, confidentiality, or integrity of the personal information. The law does not mandate a specific timeline for notification but implies it should be done in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. The question revolves around identifying the trigger for these notification obligations. A confirmed unauthorized acquisition of personal information, where the risk of harm to the individual is present, initiates the legal obligation. The focus is on the acquisition itself and the potential for harm, not merely the possibility of unauthorized access or the existence of a vulnerability. Therefore, the confirmed unauthorized acquisition of computerized personal information that creates a reasonable risk of harm to the individual is the definitive trigger for the notification requirements under SDCL Chapter 37-31.
Question 6 of 30
6. Question
A regional retail chain, headquartered in Sioux Falls, South Dakota, experiences a security incident where an unauthorized third party gains access to its customer database. This database contains names, email addresses, and encrypted credit card numbers of individuals residing in South Dakota. The encryption used for the credit card numbers is known to be robust and has not been compromised. However, the names and email addresses are stored in plain text. The company’s internal security team discovers the breach and confirms that the plain text names and email addresses were accessed. Which of the following accurately describes the notification obligations under South Dakota law for this specific incident?
Correct
South Dakota’s approach to data privacy, particularly concerning data breaches, centers on notification requirements. South Dakota Codified Law §37-30-1 et seq. outlines these obligations. When a breach of certain unencrypted personal information occurs, the entity must notify affected South Dakota residents. The definition of “personal information” is crucial, encompassing a name combined with a social security number, driver’s license number, or other government-issued identification number, or financial account information. The law requires notification without unreasonable delay, and in any event, no later than 60 days after discovery of the breach, unless a longer period is required for law enforcement purposes. The notification must be specific, detailing the nature of the breach, the types of information involved, and steps individuals can take to protect themselves. For businesses, understanding the scope of “personal information” and the timeline for notification is paramount to compliance. The law also allows for substitute notification if the cost of direct notification is prohibitive or if the entity lacks sufficient contact information. The core principle is to inform individuals promptly about potential risks to their data.
Question 7 of 30
7. Question
A digital marketing firm based in Sioux Falls, South Dakota, collects email addresses and browsing history from visitors to its clients’ websites, which are primarily accessed by South Dakota residents. The firm’s privacy policy, displayed on its website, states that this data will be used “solely for improving user experience and targeted advertising.” However, the firm subsequently sells aggregated, anonymized browsing data to a third-party analytics company without further disclosure. A South Dakota resident, who visited one of the firm’s client websites and whose data was sold, later discovers this practice and believes it violates the firm’s stated policy. Under South Dakota law, which legal framework is most directly applicable to address the firm’s actions if the resident alleges harm due to this data transfer?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-24, specifically regarding deceptive trade practices and consumer protection, forms the basis for understanding privacy and data protection within the state. While South Dakota does not have a comprehensive, standalone data privacy law akin to California’s CCPA/CPRA or Virginia’s CDPA, the existing consumer protection statutes can be invoked when data misuse or deceptive practices related to personal information occur. SDCL 37-24-6 prohibits unfair or deceptive acts or practices in the conduct of any trade or commerce. This broad prohibition can encompass situations where a business misrepresents its data collection, usage, or security practices, leading to consumer harm. For instance, if a South Dakota-based company collecting customer data from residents of South Dakota makes false claims about how that data will be protected or shared, and a consumer suffers damages as a result, this could be considered a deceptive trade practice under SDCL 37-24-6. The statute allows for private rights of action, enabling consumers to seek damages, injunctive relief, and attorney fees. The key is to demonstrate that the practice was both deceptive (likely to mislead a reasonable consumer) and caused actual damages. The absence of a specific data privacy statute means that enforcement often relies on interpreting and applying these broader consumer protection principles to data-related issues. Therefore, a company operating in South Dakota must be mindful of its representations regarding data handling to avoid claims of deceptive practices, even without a dedicated privacy law.
Question 8 of 30
8. Question
A cybersecurity incident at a South Dakota-based online retail company, “Prairie Goods,” results in unauthorized access to its customer database. Forensic analysis confirms that the personal information of 500 residents of South Dakota, including names, email addresses, and encrypted payment card numbers, was accessed. The company’s internal investigation, which began immediately after detecting the anomaly, concludes on day 45 after the initial detection. Prairie Goods intends to notify the affected individuals via email. Under South Dakota Codified Law Chapter 37-31, what is the latest permissible date for Prairie Goods to provide notification to affected individuals, assuming the initial detection of the incident occurred on January 1st?
Correct
South Dakota Codified Law § 37-31-7 outlines the requirements for data security breach notifications. Specifically, it mandates that a breach notification must be provided without unreasonable delay and in any event, within sixty days after the discovery of the breach. The law does not specify a minimum number of affected individuals that triggers the notification requirement; rather, it applies to any breach involving personal information. The notification must include a description of the categories of personal information involved, steps the consumer can take to protect themselves, a brief description of what happened, and contact information for the entity. The law does not mandate a specific waiting period before notifying law enforcement, nor does it require the notification to be exclusively in writing to the consumer if other reasonable methods are employed. The concept of “unreasonable delay” is central, with a default statutory period of sixty days from discovery.
Question 9 of 30
9. Question
Prairie Goods, a South Dakota-based e-commerce platform, prominently displays a privacy statement on its website asserting that customer data is used exclusively for order fulfillment and internal analytics, with an explicit guarantee that “no personal information will be shared with any third-party advertisers.” Subsequently, Prairie Goods enters into an agreement with “Insight Analytics,” a marketing firm, to provide anonymized customer purchase histories and email lists for market research and targeted advertising campaigns. What is the most accurate legal assessment of Prairie Goods’ actions under South Dakota’s consumer protection framework, specifically considering the potential for deceptive practices?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-24, specifically relating to Deceptive Trade Practices and Consumer Protection, includes provisions that govern unfair or deceptive acts or practices in the conduct of any trade or commerce. While not a comprehensive data privacy law like some other states, its broad language can encompass certain data handling practices that mislead consumers. For a business operating in South Dakota that collects personal information from residents, the key consideration under this chapter is whether their data collection and use practices are deceptive or unfair. A business that explicitly states it will not share customer data with third parties, but then proceeds to sell or share that data without further consent or clear disclosure, would be engaging in a deceptive practice. This is because the business is making a representation about its conduct that is false and likely to mislead a reasonable consumer. The intent behind the practice is less critical than the effect it has on the consumer’s understanding and decision-making. For instance, if a South Dakota-based online retailer, “Prairie Goods,” advertises a privacy policy stating, “Your personal information is for internal use only and will never be sold to external marketing firms,” and then subsequently shares email addresses and purchase histories with a third-party analytics company for targeted advertising, this constitutes a violation. The practice is deceptive because the consumer relied on the explicit promise of data restriction. The core of the violation lies in the misrepresentation of data handling practices, which is a prohibited act under SDCL 37-24-6. The law aims to protect consumers from such misleading commercial actions.
Question 10 of 30
10. Question
A digital marketing firm based in Delaware processes online behavioral data for individuals who interact with its clients’ websites. The firm’s client, a national retail chain with physical stores in all 50 states, including South Dakota, has a significant customer base within the Mount Rushmore State. If an individual residing in Sioux Falls, South Dakota, browses the retail chain’s website and their online activity is collected and analyzed by the Delaware firm, which of the following best describes the legal status of this individual under South Dakota privacy law?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-25A, the South Dakota Data Privacy Act, outlines specific requirements for businesses that collect and process personal information of South Dakota residents. A key aspect of this law, similar to other comprehensive state privacy statutes, is the definition of “consumer” and the rights afforded to them. The law defines a consumer as a natural person who is a resident of South Dakota. This definition is crucial because it establishes the scope of the law’s applicability. Businesses must identify whether their data subjects fall within this definition to determine their compliance obligations. The law grants consumers rights such as the right to know what personal information is collected, the right to delete personal information, and the right to opt-out of the sale of personal information. Understanding who qualifies as a consumer under SDCL 37-25A is the foundational step in implementing any data privacy program compliant with South Dakota law. The law’s intent is to protect the privacy of individuals residing within the state, irrespective of where the business processing the data is located. Therefore, the residency of the natural person is the determining factor.
Question 11 of 30
11. Question
A South Dakota-based e-commerce firm, “Prairie Goods,” utilizes a cloud-based customer relationship management (CRM) system managed by a third-party vendor, “CloudSync Solutions,” which stores personal information of Prairie Goods’ South Dakota customers. CloudSync Solutions experiences a security incident where an unauthorized actor gains access to its servers, viewing customer names, email addresses, and purchase histories. CloudSync Solutions promptly secures its systems and investigates, determining that while the data was viewed, there is no evidence of data exfiltration or modification. However, the viewing itself represents an unauthorized acquisition of the data’s confidentiality. Under South Dakota’s Data Privacy and Security Act (SDCL Chapter 37-31), what is the primary obligation of Prairie Goods concerning its South Dakota customers following the discovery of this incident?
Correct
The South Dakota Codified Law Chapter 37-31, specifically the “Data Privacy and Security Act,” outlines requirements for businesses that collect and process personal information of South Dakota residents. A key aspect of this law, and many similar state privacy laws, is the concept of a “data breach.” A data breach is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. The law mandates specific actions when such a breach occurs, including notification to affected individuals and the South Dakota Attorney General. The scenario presented involves a situation where a third-party vendor, handling sensitive personal information for a South Dakota-based company, experiences an unauthorized access event. The critical factor is whether this access constitutes a compromise of the security, confidentiality, or integrity of the personal information. If the unauthorized access leads to the data being acquired or disclosed in a manner that could harm the individual, it is considered a breach under the law. The law requires the company to conduct a prompt investigation to determine the nature and scope of the incident. If the investigation concludes that personal information was indeed acquired or disclosed without authorization, the company must notify affected South Dakota residents and the Attorney General without unreasonable delay, typically within 60 days of discovery, unless a longer period is required for investigation by law enforcement. The determination of whether the vendor’s actions triggered the notification requirement hinges on whether the acquired data was encrypted or otherwise rendered unintelligible, or if the unauthorized access itself, regardless of immediate exfiltration, represents a compromise of the data’s confidentiality or integrity.
Question 12 of 30
12. Question
A regional financial services firm, headquartered in Sioux Falls, South Dakota, experiences a security incident where an unauthorized party gains access to a database containing client account numbers and associated encrypted personal identification numbers (PINs). The encryption used is a widely accepted industry standard, and the firm’s security team confirms that the encryption keys were not compromised during the incident. The firm’s internal review determines that the likelihood of misuse of the compromised data is extremely low due to the robust encryption. Under South Dakota’s Data Protection Act, what is the most accurate assessment of the firm’s notification obligations regarding this specific incident?
Correct
South Dakota Codified Law Chapter 37-32, the “Data Protection Act,” governs data breach notification requirements for businesses that own or license the personal information of South Dakota residents. The law mandates that a breach of the security of the system, where unauthorized acquisition of computerized data that compromises the security, confidentiality, integrity, or availability of personal information occurs, must trigger notification. The law defines “personal information” broadly to include a first name or first initial and last name in combination with any one or more of the following data elements: social security number, driver’s license number, state identification card number, or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account. The law specifies that notification must be made without unreasonable delay and no later than 60 days after discovery of the breach. However, if the breach is discovered and the entity determines that misuse of the information is not likely to occur, the notification may be delayed for a reasonable period. The law also outlines exceptions, such as when the information is encrypted, and the key is not also acquired. The primary objective is to inform affected individuals so they can take steps to protect themselves from potential harm. The Attorney General’s office is the enforcement authority for this chapter.
Question 13 of 30
13. Question
A Delaware-based company specializing in artisanal cheeses markets its products nationwide, including to residents of South Dakota. Its e-commerce platform records user browsing behavior and purchase histories. The company’s annual revenue stands at $15 million, and it processes the personal data of approximately 150,000 South Dakota residents annually, encompassing their browsing patterns and purchase histories, for purposes of targeted advertising and product development. Does this company, under South Dakota privacy law, qualify as a “business” subject to the state’s data protection regulations?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-30, the South Dakota data privacy law, specifically addresses the obligations of businesses that collect and process personal information of South Dakota residents. A key aspect of this law, similar to other state privacy frameworks, is the definition of “business” and the thresholds that trigger its applicability. The law defines a business as any entity that conducts business in South Dakota, produces or directs its activities toward South Dakota residents, and satisfies certain revenue and data processing thresholds. For the purposes of this law, a business is considered to be conducting business in South Dakota if it targets South Dakota residents for the sale of goods or services. The revenue threshold is met if the business annually buys, sells, or shares for commercial purposes the personal information of at least 100,000 South Dakota consumers, or annually derives 50% or more of its annual revenue from buying, selling, or sharing personal information of South Dakota consumers. The scenario presented involves a company based in Delaware that markets artisanal cheeses nationwide, including to residents of South Dakota, and its online platform tracks user browsing behavior and purchase history. The company’s annual revenue is $15 million, and it processes the personal data of approximately 150,000 South Dakota residents annually, including their browsing patterns and purchase histories, for targeted advertising and product development. The crucial element here is the processing of personal data of at least 100,000 South Dakota consumers, which the company clearly exceeds. Furthermore, the company’s marketing efforts are directed towards South Dakota residents, fulfilling the “conducts business in South Dakota” criterion. Therefore, the company is subject to the provisions of SDCL Chapter 37-30.
Question 14 of 30
14. Question
Consider a South Dakota-based online retailer, “Prairie Goods,” that collects customer data, including browsing history and purchase patterns. Prairie Goods enters into an agreement with a marketing analytics firm, “Dakota Insights,” located in Nebraska. Under this agreement, Prairie Goods shares its customer data with Dakota Insights. In return, Dakota Insights provides Prairie Goods with detailed market trend reports and consumer behavior analyses, which are valuable for Prairie Goods’ business strategy. From the perspective of South Dakota privacy law, what is the most accurate classification of this transaction between Prairie Goods and Dakota Insights?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-30, the “South Dakota Data Privacy Act,” outlines specific rights for consumers regarding their personal information and obligations for businesses that collect and process this data. A key aspect of this law, similar to other comprehensive state privacy frameworks, is the definition of “sale” of personal information. For the purposes of SDCL 37-30, the term “sale” is broadly interpreted. It encompasses not only the exchange of personal information for monetary consideration but also the exchange for other valuable consideration, whether or not monetary. This means that if a business shares personal information with another entity in return for services, data, or any other benefit that holds value, it can be considered a “sale” under the law. The act requires businesses to provide consumers with the right to opt out of the sale of their personal information. Therefore, understanding what constitutes a “sale” is crucial for compliance. The scenario presented involves a South Dakota resident’s data being shared with a marketing analytics firm in exchange for market trend reports. These reports represent valuable consideration, even if no money changes hands directly for the data itself. Consequently, this transaction falls under the definition of a “sale” as per SDCL 37-30, triggering the business’s obligations to provide opt-out rights to the consumer.
Question 15 of 30
15. Question
A healthcare provider operating exclusively within South Dakota collects anonymized demographic and general health trend data from its patients. This provider enters into an agreement with a pharmaceutical research firm located in Delaware. The agreement stipulates that the provider will share this anonymized data with the firm. In return, the firm will provide the provider with detailed, proprietary market analysis reports on emerging health trends and grant the provider early access to findings from its ongoing clinical trials, which the firm states will inform the provider’s strategic planning. Under the South Dakota Data Privacy Act (SDCL Chapter 37-26), what is the most accurate classification of this exchange of data?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-26, the South Dakota Data Privacy Act, outlines specific requirements for businesses that collect and process personal information of South Dakota residents. A key aspect of this law, similar to other comprehensive state privacy statutes, is the definition of “sale” of personal information. Under SDCL 37-26-1(20), “sale” is broadly defined to include the exchange of personal information for monetary consideration, but also extends to exchanges for other valuable consideration. This includes sharing data with third parties for targeted advertising purposes, even if no direct monetary payment is made, if the sharing provides a benefit to the business that can be quantified or is otherwise of value. The intent behind this broad definition is to capture a wide range of data monetization practices that could impact consumer privacy. Therefore, if a South Dakota-based healthcare provider shares anonymized patient demographic data with a pharmaceutical research firm in exchange for early access to clinical trial results and specialized market analysis reports, this exchange would likely constitute a “sale” under SDCL 37-26-1(20) because the research firm’s reports and early access represent valuable consideration, even in the absence of direct monetary payment. This broad interpretation ensures that consumers are informed and have control over how their data is used for commercial gain, regardless of the specific form of compensation. The law aims to provide consumers with rights such as access, correction, deletion, and opt-out of the sale of their personal information, reinforcing the principle of data minimization and user control.
Question 16 of 30
16. Question
A data analytics firm, “Prairie Insights LLC,” operates primarily out of Sioux Falls, South Dakota. In the past fiscal year, the firm reported an annual revenue of $45 million. Prairie Insights LLC processed the personal information of approximately 90,000 South Dakota residents. The firm does not engage in the sale of personal information. Based on the South Dakota Consumer Privacy Act (SDCPA), what is the most accurate determination regarding Prairie Insights LLC’s obligation to comply with the SDCPA’s provisions?
Correct
South Dakota Codified Law § 37-29-1 defines a “consumer” as an individual who is a resident of South Dakota. The law, often referred to as the South Dakota Consumer Privacy Act (SDCPA), grants specific rights to these consumers regarding their personal information collected by businesses. A “business” under the SDCPA is defined as a legal entity that collects consumers’ personal information, does business in South Dakota, and satisfies certain thresholds related to annual revenue, the number of consumers whose personal information it buys, sells, or shares, or the amount of revenue derived from selling personal information. The threshold for annual revenue is $50 million or more. The threshold for the number of consumers whose personal information is bought, sold, or shared is 100,000 or more. The threshold for revenue derived from selling personal information is 50% or more of the entity’s annual revenue. For an entity to be subject to the SDCPA, it must meet at least one of these thresholds. In this scenario, the entity has an annual revenue of $45 million, which is below the $50 million threshold. It also processes the personal information of 90,000 consumers, which is below the 100,000 threshold. Furthermore, it does not sell personal information. Therefore, the entity does not meet any of the applicability thresholds and is not considered a “business” subject to the SDCPA. The SDCPA’s scope is designed to capture larger entities that engage significantly with consumer data within the state.
Question 17 of 30
17. Question
A boutique marketing firm based in Sioux Falls, South Dakota, specializes in collecting consumer demographic data for targeted advertising campaigns. They gather names, email addresses, purchase histories, and general location data for a significant number of individuals. While they have basic password protection on their servers and conduct occasional data backups, they do not employ advanced encryption for data at rest, nor do they have a formal incident response plan in place. A recent internal audit revealed potential vulnerabilities in their network perimeter. Considering the requirements of South Dakota privacy and data protection law, which of the following best describes the firm’s likely compliance status regarding the security of the personal information they hold?
Correct
South Dakota Codified Law § 37-31-6 outlines the requirements for reasonable security measures for personal information. This statute mandates that businesses collecting personal information must implement and maintain reasonable security measures to protect that information from unauthorized access, acquisition, destruction, use, modification, or disclosure. The law does not specify a single, universally mandated set of security protocols, but rather requires a flexible, risk-based approach. The determination of what constitutes “reasonable” is context-dependent, taking into account the nature and volume of the information collected, the cost of implementing security measures, and the potential harm to individuals if the information is compromised. For example, a small local bakery collecting only customer names and email addresses for a newsletter would likely have different reasonable security requirements than a large online retailer handling credit card numbers and social security information. The focus is on the proportionality of the security measures to the sensitivity and quantity of the data.
Question 18 of 30
18. Question
A cloud-based software company, headquartered in California, offers a subscription service for project management tools. This service is accessible globally via the internet. The company’s user base includes individuals and businesses from all fifty United States, including South Dakota. While the company does not have a physical presence in South Dakota, its servers, located in Texas, store user data. A data breach occurs, exposing the usernames, email addresses, and encrypted passwords of 5,000 South Dakota residents who are users of the service. What is the primary legal basis under South Dakota law for the company’s obligation to respond to this breach?
Correct
South Dakota Codified Law Chapter 37-30, the South Dakota Personal Information Protection Act, outlines specific requirements for businesses that collect and maintain personal information of South Dakota residents. The law is triggered when a business, regardless of its physical location, collects and maintains personal information of South Dakota residents. The definition of “personal information” under this law is broad, encompassing a first and last name or a unique identifying number, symbol, or characteristic, combined with any one or more of the following data points: Social Security number, driver’s license number, state identification card number, passport number, checking account number, savings account number, credit card number, debit card number, or any other financial account number. The law mandates that businesses implement and maintain reasonable security measures to protect personal information from unauthorized acquisition. It also requires businesses to provide notification to affected individuals in the event of a data breach. The scope of the law extends to entities that own or license personal information of South Dakota residents, even if they do not directly collect it. The core principle is the protection of sensitive personal data for residents of South Dakota.
Question 19 of 30
19. Question
A digital marketing firm based in Sioux Falls, South Dakota, operates a website that tracks visitor IP addresses and records user navigation paths on the site. This data is aggregated and used to personalize advertising content shown to users across different platforms. If this collected information, when combined with other reasonably accessible data, can be used to identify a specific individual or household, what legal classification does this data primarily fall under according to South Dakota’s data privacy regulations?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-24, specifically the South Dakota Data Privacy Act, outlines consumer rights regarding personal information. A key aspect of this law is the definition of “personal information” and the obligations placed upon businesses that collect, process, and disclose such data. SDCL 37-24-23(1) defines personal information broadly, encompassing data that can be used to identify, relate to, describe, be capable of being associated with, or is reasonably capable of being associated, directly or indirectly, with a particular consumer or household. This includes, but is not limited to, information such as names, addresses, email addresses, social security numbers, financial account numbers, biometric data, and internet browsing history. The scenario describes a business that collects website visitor IP addresses and browsing patterns. IP addresses, when capable of being linked to an individual, fall under the broad definition of personal information in South Dakota. Similarly, browsing patterns, when associated with an identifiable individual or household, also constitute personal information. Therefore, a business collecting and processing this data is subject to the provisions of the South Dakota Data Privacy Act. The Act mandates that businesses provide consumers with notice about their data collection practices, offer mechanisms for consumers to exercise their rights (such as access, correction, and deletion of personal information), and implement reasonable security measures to protect this data. The core principle is transparency and consumer control over their personal data. The question probes the understanding of what constitutes personal information under South Dakota law and the implications for businesses handling such data.
Question 20 of 30
20. Question
Prairie Analytics, a company headquartered in Sioux Falls, South Dakota, specializes in analyzing consumer behavior patterns. They have amassed a significant database containing personal information, including detailed purchasing histories and demographic data, of residents across South Dakota. Prairie Analytics is contemplating an agreement to share a curated subset of this data with “MarketReach Solutions,” a marketing analytics firm based in a jurisdiction with considerably weaker data privacy regulations. What is the primary legal obligation of Prairie Analytics under South Dakota’s data protection framework concerning this proposed data transfer?
Correct
The scenario describes a situation where a South Dakota-based company, “Prairie Analytics,” collects sensitive personal data, including health information, from residents of South Dakota. They intend to share this data with a third-party marketing firm located in a state with less stringent data protection laws. South Dakota Codified Law Chapter 37-25A, the South Dakota Data Privacy Act, governs the collection, processing, and sharing of personal information. While the Act does not explicitly create a private right of action for data breaches or unauthorized disclosures, it mandates certain security measures and notification requirements in the event of a breach. The core principle tested here is the extraterritorial reach and the obligations of South Dakota businesses when handling resident data, even if processing occurs elsewhere. The Act’s provisions apply to businesses that conduct business in South Dakota and collect and process personal information of South Dakota residents. The critical aspect is that Prairie Analytics is a South Dakota-based company, and the data pertains to South Dakota residents. Therefore, regardless of where the third-party firm is located, the South Dakota law’s principles regarding data handling and security obligations would apply to Prairie Analytics’ actions concerning its South Dakota customers’ data. The Act emphasizes reasonable security measures and, in the event of a breach, requires notification to affected individuals and potentially the Attorney General. The prompt does not specify a breach; it concerns the *intent* to share data. The Act does not prohibit sharing data with third parties outright, but it does require that such sharing be conducted in a manner consistent with the Act’s principles, including maintaining reasonable security. The question asks about the legal obligation *before* any potential breach or improper use by the third party. 
The Act’s focus is on the South Dakota entity’s responsibility for the data of South Dakota residents. The most accurate statement regarding Prairie Analytics’ obligations under South Dakota law, given the information provided, is that they must ensure their data sharing practices comply with the Act’s requirements for protecting the personal information of South Dakota residents, which includes having appropriate contractual safeguards and ensuring the third party adheres to comparable data protection standards to mitigate risks of misuse or unauthorized access, even if the Act doesn’t mandate specific contractual clauses for third-party sharing. The Act’s general provisions on data protection and security implicitly extend to how data is handled when shared.
Question 21 of 30
21. Question
A regional financial institution, headquartered in Sioux Falls, South Dakota, discovers a cybersecurity incident on October 15th, 2023, where unauthorized access to its customer database occurred. The institution’s internal IT security team confirms that the breach potentially exposed the social security numbers and financial account details of approximately 5,000 South Dakota residents. After a thorough investigation to determine the scope and nature of the compromised data, the institution concludes its assessment on November 20th, 2023. According to South Dakota Codified Law Chapter 37-24, what is the absolute latest date by which the financial institution must provide notification to the affected South Dakota residents?
Correct
South Dakota Codified Law Chapter 37-24, the “Data Breach Notification Act,” outlines specific requirements for businesses that experience a data breach involving personal information of South Dakota residents. The law mandates that notification must be made without unreasonable delay and in any event no later than forty-five days after the discovery of the breach. This timeframe is crucial for allowing affected individuals to take necessary steps to protect themselves from potential harm, such as identity theft or financial fraud. The law defines “personal information” broadly to include names, social security numbers, driver’s license numbers, financial account numbers, and other data that, if compromised, could lead to identity theft or financial loss. Businesses are required to provide specific details in the notification, including a description of the breach, the types of personal information involved, and steps individuals can take to protect themselves. The law also specifies acceptable methods of notification, such as written communication, electronic communication, or, if those methods are insufficient, substitute notification. The forty-five-day period is a hard deadline, and failure to comply can result in enforcement actions by the South Dakota Attorney General. The core principle is to ensure timely and meaningful notification to South Dakota residents whose personal information has been compromised, thereby empowering them to mitigate potential risks.
Question 22 of 30
22. Question
A technology firm, headquartered in San Francisco, California, offers cloud-based data analytics services to businesses across the United States. This firm experiences a significant cybersecurity incident where a database containing customer information is accessed without authorization. Among its client base are several South Dakota-based businesses whose employees’ personal data, including names and professional email addresses, was stored within the compromised database. The firm, adhering to California’s data protection regulations, plans to issue a general notification to all affected individuals, regardless of their state of residence. Considering South Dakota’s specific statutory requirements for data breach notification, what is the primary legal imperative for the firm concerning its South Dakota-resident customers?
Correct
The scenario describes a situation where a South Dakota resident’s personal information was compromised due to a data breach at a company operating primarily in California but serving customers nationwide, including South Dakota. The key legal consideration here is the applicability of South Dakota’s data breach notification law, SDCL Chapter 37-30. This chapter mandates that any person or entity that conducts business in South Dakota and owns or licenses computerized personal information of South Dakota residents must notify affected residents in the event of a security breach. The law defines “personal information” broadly to include names, social security numbers, driver’s license numbers, and financial account information. The breach involved names and email addresses, which fall under this definition. The notification requirement is triggered when there is an unauthorized acquisition of computerized personal information that creates a risk of identity theft or other harm. The law specifies the content of the notification, which must include a description of the incident, the type of information involved, and steps individuals can take to protect themselves. While the company may have other obligations under California law or federal laws like HIPAA if applicable, the question specifically asks about the South Dakota legal framework. The notification must be made without unreasonable delay, not to exceed 60 days, unless a law enforcement investigation requires a delay. In this case, the company’s responsibility to notify South Dakota residents stems from its business operations within the state and the compromise of their personal data, irrespective of the company’s primary location of operation.
Question 23 of 30
23. Question
Consider a South Dakota-based data broker, “Dakota Data Solutions,” which compiles extensive profiles of individuals residing in the state. Dakota Data Solutions enters into an agreement with a national marketing analytics firm, “Prairie Insights Inc.” Under this agreement, Dakota Data Solutions provides Prairie Insights Inc. with anonymized but re-identifiable consumer data collected from South Dakota residents, including purchase histories and online browsing habits. In return, Prairie Insights Inc. grants Dakota Data Solutions access to its proprietary algorithms and a curated list of potential customers in neighboring states for Dakota Data Solutions’ own direct marketing campaigns. Which of the following best describes Dakota Data Solutions’ obligation under the South Dakota Data Privacy Act regarding the sharing of consumer data with Prairie Insights Inc.?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-30, the “Data Privacy Act,” grants consumers specific rights regarding their personal information collected by businesses. Among these rights is the right to opt-out of the sale of personal information. The law defines “sale” broadly, encompassing the exchange of personal information for monetary or other valuable consideration. This includes situations where a business shares data with a third party for targeted advertising purposes, even if no direct payment is made, if the sharing provides a benefit to the business. The law requires businesses to provide clear notice and a mechanism for consumers to opt-out of such sales. Understanding the scope of “sale” is crucial for businesses to ensure compliance and for consumers to exercise their privacy rights effectively. The scenario describes a data broker in South Dakota that collects consumer data and shares it with marketing firms in exchange for access to those firms’ customer lists for its own marketing efforts. This reciprocal exchange of data, even if not a direct monetary transaction, constitutes a “sale” under SDCL 37-30-3(15) because it involves the exchange of personal information for other valuable consideration, which in this case is the access to valuable customer lists that aids the data broker’s business operations. Therefore, the data broker must provide consumers with an opt-out mechanism for this practice.
Question 24 of 30
24. Question
A digital marketing firm based in Sioux Falls, operating under South Dakota law, experiences a security incident where a database containing customer information is accessed without authorization. This database includes names, email addresses, and purchasing history for individuals who have engaged with the firm’s services. According to South Dakota Codified Law Chapter 37-24, regarding data security, what is the minimum number of South Dakota residents whose compromised computerized personal information would obligate the firm to implement and maintain reasonable security measures to protect the confidentiality and integrity of that information?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-24, specifically Section 37-24-34, addresses the requirements for data security. This section mandates that any person conducting business in South Dakota that owns or licenses computerized personal information shall implement and maintain reasonable security measures to protect the confidentiality and integrity of the personal information. The law does not specify a particular percentage or numerical threshold for the number of affected individuals that triggers these obligations; rather, it focuses on the nature of the data and the business’s responsibility to protect it. Therefore, any breach involving computerized personal information necessitates adherence to these security provisions. The question asks about the minimum number of South Dakota residents whose compromised computerized personal information would require a business to adhere to the data security provisions outlined in SDCL Chapter 37-24. Since the law applies to any business that owns or licenses computerized personal information and experiences a breach, the threshold is not based on a specific number of individuals. The obligation is triggered by the compromise of such data, regardless of how many South Dakota residents are affected. Thus, even a single South Dakota resident’s compromised data necessitates compliance with the reasonable security measures.
Question 25 of 30
25. Question
A digital marketing firm based in Illinois is expanding its services to include personalized advertising campaigns for businesses operating within South Dakota. The firm collects online behavioral data from individuals who visit the websites of its South Dakota-based clients. Considering the territorial scope and definitions within the South Dakota Consumer Privacy Act, which of the following individuals would be considered a “consumer” for the purposes of the SDCPA, thereby triggering the Act’s obligations for the firm?
Correct
South Dakota Codified Law § 37-30-3.1(3) defines “consumer” as an individual who is a resident of South Dakota. This definition is crucial for determining the applicability of the South Dakota Consumer Privacy Act (SDCPA). The SDCPA grants specific rights to consumers regarding their personal information. Therefore, understanding who qualifies as a South Dakota resident is the foundational step in applying the law’s provisions. The Act does not rely on the physical presence of an individual within South Dakota at the time of data collection, but rather on their established residency. This distinction is important for businesses that operate online and may collect data from individuals across various states. The focus is on the individual’s domicile or primary place of abode.
Question 26 of 30
26. Question
Consider a South Dakota-based e-commerce platform that collects customer names, email addresses, and purchase histories. A data analytics firm, contracted by the platform to optimize marketing campaigns, inadvertently exposes this customer data through an unsecured cloud storage bucket. A consumer residing in South Dakota, whose data was compromised, wishes to pursue legal action against both the e-commerce platform and the analytics firm for the mishandling of their personal information. Under current South Dakota privacy and data protection statutes, which of the following best describes the consumer’s most likely avenue for redress, assuming no specific contractual agreement grants broader rights?
Correct
South Dakota’s approach to data privacy, particularly concerning the rights of consumers and the obligations of businesses, is often compared to broader federal frameworks and other state-specific laws. While South Dakota does not have a comprehensive data privacy law akin to the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA), it does have specific provisions that address certain aspects of data handling and consumer rights, particularly within the context of data breaches and the collection of personal information by certain entities. For instance, South Dakota Codified Law (SDCL) Chapter 9-29, which pertains to municipal powers, and SDCL Chapter 37-20, concerning trade secrets, touch upon data protection indirectly. However, a direct private right of action for general data privacy violations, similar to what exists in some other states for specific types of data or breaches, is not a prominent feature of South Dakota law. The emphasis tends to be on breach notification and, in some contexts, on the protection of sensitive commercial information. Therefore, when considering a scenario where a consumer believes their personal data has been mishandled, the available legal avenues in South Dakota would likely depend on the specific nature of the data, the context of its collection, and whether a breach or other specific statutory violation has occurred, rather than a broad, enumerated right to sue for any privacy infringement.
Question 27 of 30
27. Question
A financial services firm operating in South Dakota, which handles sensitive customer financial data, experiences a security incident on March 10th. The firm’s internal security team confirms on March 15th that an unauthorized party gained access to a database containing unencrypted customer checking account numbers and associated personal identification numbers (PINs). The firm has a robust data minimization policy and only stores essential data for its operations. Considering the South Dakota Codified Law Chapter 37-24 regarding data breach notification, what is the absolute latest date by which the firm must provide notification to affected South Dakota residents, assuming no law enforcement investigation necessitates an extended delay?
Correct
South Dakota Codified Law Chapter 37-24, specifically the data breach notification provisions, outlines the responsibilities of entities that own or license computerized data that includes personal information. When a breach of the security of the system occurs, and the unauthorized acquisition of computerized data that includes personal information is reasonably believed to have occurred, the entity must provide notification. The law specifies that notification must be made without unreasonable delay, but no later than 60 days after the discovery of the breach, unless a longer period is required for specific law enforcement investigations. The definition of personal information under South Dakota law includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, or is encrypted and the key to the encryption is also acquired: social security number, driver’s license number, or identification card number issued by the state, account number, credit or debit card number, or in the case of an account, any required security code, access password, or personal identification number that would permit access to an individual’s financial account. The law also details what constitutes reasonable security measures, which can include encryption and data minimization. In the scenario provided, the entity discovered the breach on March 15th. The notification must be sent no later than 60 days after this discovery. Therefore, the latest date for notification is May 14th. The core concept being tested is the statutory timeline for data breach notification under South Dakota law.
Question 28 of 30
28. Question
Prairie Data Solutions, a South Dakota-based technology firm, collects detailed customer preference data from users of its online platform. This data includes browsing history, purchase patterns, and demographic information. Prairie Data Solutions then enters into an agreement with “Insight Analytics,” a marketing research company, to provide aggregated, anonymized customer preference data in exchange for a substantial quarterly payment. The agreement specifies that Insight Analytics will use this data to identify emerging market trends. Prairie Data Solutions processes the personal information of over 150,000 South Dakota residents annually and derives approximately 40% of its annual revenue from such data-sharing arrangements. Under South Dakota privacy law, what is the most accurate classification of Prairie Data Solutions’ transaction with Insight Analytics?
Correct
South Dakota Codified Law § 37-24-1 defines a “consumer” as an individual who is a resident of South Dakota. The law also defines “personal information” broadly to include information that identifies or can be reasonably linked to a specific consumer or household. The critical aspect of South Dakota’s privacy law, as established in Chapter 37-24, is its focus on the sale of personal information. The law specifically addresses situations where a business sells personal information of consumers. A “sale” is defined under SDCL § 37-24-1(6) as an exchange of personal information for monetary or other valuable consideration. This definition is crucial because it delineates the trigger for certain obligations. For instance, if a business collects personal information from a South Dakota resident and then shares or provides access to that information to a third party in exchange for payment or other valuable consideration, this constitutes a sale. The law requires businesses that meet certain thresholds, such as processing or storing the personal information of at least 100,000 consumers or deriving 50% or more of their annual revenue from selling personal information, to provide consumers with the right to opt-out of the sale of their personal information. Therefore, understanding the precise definition of “sale” and “consumer” is paramount to determining the applicability of South Dakota’s data protection provisions. The scenario describes a company collecting data and then sharing it with a marketing analytics firm for a fee, which directly aligns with the statutory definition of a sale of personal information.
Question 29 of 30
29. Question
Consider a South Dakota-based online retailer, “Prairie Goods,” that experiences a cyberattack. An unauthorized party gains access to its customer database, which contains unencrypted names, addresses, and payment card information for approximately 5,000 South Dakota residents. The breach is confirmed on a Tuesday morning, and Prairie Goods’ IT department estimates it will take at least 72 hours to fully assess the extent of the compromise and ensure the system is secure. Under South Dakota Codified Law Chapter 37-34, what is the primary directive regarding the notification of affected residents?
Correct
The South Dakota Codified Law (SDCL) Chapter 37-34, specifically pertaining to data privacy and security, outlines requirements for businesses that own or license computerized personal information. When a breach of the security of the system occurs, and the acquisition of unencrypted data is reasonably believed to have occurred, the entity must notify affected South Dakota residents. The notification must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary for the entity to determine the scope of the breach and restore the integrity of the system. The law does not prescribe a specific number of days for notification, but rather emphasizes expediency and reasonableness in the context of the breach’s impact and the entity’s response capabilities. The notification should include specific details about the breach, the type of information compromised, and steps individuals can take to protect themselves. The core principle is to inform individuals promptly to mitigate potential harm, balancing the need for timely disclosure with the operational realities of investigating and securing systems after a breach. This aligns with the broader trend in data privacy legislation that prioritizes consumer protection through transparency and timely communication.
Question 30 of 30
30. Question
A cybersecurity firm operating in South Dakota is analyzing data logs from a client’s website. They discover records containing unique device identifiers, IP addresses, and browsing history, but no direct personal identifiers like names or email addresses. According to South Dakota Codified Law Chapter 37-31, what is the most accurate classification of this data if it can be reasonably linked, through correlation with other available datasets, to a specific individual or household?
Correct
South Dakota Codified Law Chapter 37-31, the South Dakota Data Privacy and Security Act, provides specific rights and obligations concerning the processing of personal information. A critical aspect of this law, similar to other comprehensive privacy frameworks, is the definition of what constitutes “personal information” and the scope of its protection. The law defines personal information broadly to include information that can be used to identify, relate to, describe, be reasonably capable of being associated with, or be directly or indirectly linked with a particular consumer or household. This encompasses data such as names, addresses, email addresses, online identifiers, device identifiers, IP addresses, and even information that, when combined with other information, could reasonably identify an individual. The law’s intent is to protect individuals from unauthorized access, use, disclosure, alteration, or destruction of their personal data. Understanding this broad definition is crucial for businesses to accurately assess which data they collect and process falls under the purview of the South Dakota statute and to implement appropriate safeguards and respond to consumer requests accordingly. The specific wording of the definition emphasizes the potential for identification, either directly or indirectly, highlighting the comprehensive nature of the protection afforded.