Can I use third-party email marketing tools that collect personal information in South Carolina? What are the requirements?

Requirements for Using Third-Party Email Marketing Tools in South Carolina

If you are using third-party email marketing tools that collect personal information in South Carolina, you must comply with the South Carolina Insurance Data Security Act ^[1.1], the South Carolina Consumer Protection Code ^[3.1], and the Collection of and maintenance and disposition of records containing social security numbers by public agencies ^[2.1].

Under the South Carolina Insurance Data Security Act, licensees must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system ^[1.1]. If you are collecting personal information through third-party email marketing tools, you must ensure that the information is protected and that you have appropriate safeguards in place to prevent unauthorized access or disclosure of the information.

Additionally, under the South Carolina Consumer Protection Code, a person may not, with the intent to defraud, harass, cause harm or wrongfully obtain anything of value, including, but not limited to, financial resources or personal identifying information, make, place, or initiate a call or text message or engage in conduct that results in the display of misleading, false or inaccurate caller identification information on the receiving party’s telephone or otherwise circumvent caller identification technology that allows the receiving party to identify from what phone number, location, or organization the call or text message has originated from or misrepresent the origin and nature of the call or text message ^[3.1]. This means that you must ensure that any personal information collected through third-party email marketing tools is accurate and not misleading.

Furthermore, under the Collection of and maintenance and disposition of records containing social security numbers by public agencies, a public body may not collect a social security number or any portion of it containing six digits or more from an individual unless authorized by law to do so or unless the collection of the social security number is otherwise imperative for the performance of that body’s duties and responsibilities as prescribed by law ^[2.1]. Social security numbers collected by a public body must be relevant to the purpose for which collected and must not be collected until and unless the need for social security numbers has been clearly documented. If you are collecting social security numbers through third-party email marketing tools, you must ensure that the collection is authorized by law or imperative for the performance of your duties and responsibilities as prescribed by law.

In summary, if you are using third-party email marketing tools that collect personal information in South Carolina, you must ensure that you have appropriate safeguards in place to protect the information, that the information is accurate and not misleading, and that the collection of social security numbers is authorized by law or imperative for the performance of your duties and responsibilities as prescribed by law.

Source(s):

• [1.1] Notification requirements following cybersecurity event.
• [2.1] Collection of and maintenance and disposition of records containing social security numbers by public agencies.
• [3.1] Accuracy of caller identification information required; exceptions.

Jurisdiction

South Carolina

• Privacy