Can I ensure that my company is compliant with expanding privacy protections in South Dakota? What are the requirements?
To ensure that your company is compliant with expanding privacy protections in South Dakota, it must meet the requirements of SDAR 20:06:45 summarized below.
Annual Privacy Notice
Under SDAR 20:06:45:05, a licensee must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. This notice must be provided at least once in any period of 12 consecutive months during which that relationship exists.
Revised Privacy Notices
Under SDAR 20:06:45:08, a licensee may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under § 20:06:45:04, unless the licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices.
Information Security Program
Each licensee must implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information under SDAR 20:06:45:20. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
Relationship to State Laws
Under SDAR 20:06:45:31, nothing in SDAR 20:06:45 preempts or supersedes existing state law related to medical records or to health or insurance information privacy.
Information to Be Included in Privacy Notices
Under SDAR 20:06:45:06, the initial, annual, and revised privacy notices that a licensee provides shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
- The categories of nonpublic personal financial information that the licensee collects;
- The categories of nonpublic personal financial information that the licensee discloses;
- The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under §§ 20:06:45:14 and 20:06:45:15;
- The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under §§ 20:06:45:14 and 20:06:45:15;
- If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under § 20:06:45:13 (and no other exception in §§ 20:06:45:14 and 20:06:45:15 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
- An explanation of the consumer’s right under subdivision 20:06:45:10(1) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
- Any disclosures that the licensee makes under § 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
- The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
- Any disclosure that the licensee makes under subdivision 20:06:45:06(2).
Therefore, to ensure compliance with expanding privacy protections in South Dakota, your company must provide annual and revised privacy notices, implement an information security program, comply with existing state laws related to medical records or to health or insurance information privacy, and include in its privacy notices the specific information outlined in SDAR 20:06:45:06.
Source(s):
- [1.1] Revised privacy notices.
- [1.2] Information to be included in privacy notices.
- [1.3] Annual privacy notice to customers required.
- [1.4] Relationship to state laws.
- [1.6] Information security program.
Jurisdiction
South Dakota