Kansas - Sectorial Privacy Overview
The Kansas Supreme Court has recognised the common law tort claim of invasion of privacy (Dotson v. McLaughlin, 531 P.2d 1 (Kan. 1975)). Kansas generally follows the Second Restatement of Torts' approach regarding privacy claims (see Froelich v. Adair, 516 P.2d 993 (Kan. 1973)). Thus, under Kansas law, common law invasion of privacy claims generally fall into four categories:
- Kansas courts recognise the tort of intrusion upon seclusion, which occurs when a defendant intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another, or their private affairs or concerns, if the intrusion would be highly offensive to a reasonable person (Froelich v. Adair, 516 P.2d 993 (Kan. 1973)).
- Kansas courts recognise the tort of unreasonable appropriation of name or likeness, which occurs when the defendant appropriates to their own use or benefit the name or likeness of another (Froelich v. Adair, 516 P.2d 993 (Kan. 1973)). The interest protected by this tort is in the exclusive use of one's own identity, in so far as that use may be of benefit to oneself or to others (§652 Restatement of Torts (Second)). The rule created is in the nature of a property right.
- Kansas courts recognise the tort of publicity given to private life (see Froelich v. Adair, 516 P.2d 993 (Kan. 1973)), which occurs when the defendant has publicised matters concerning the private life of another, in a way that would be highly offensive to a reasonable person. To constitute an invasion of privacy, the matter publicised must be a true statement of fact and must not be of legitimate concern to the public (§652D Restatement of Torts (Second)). The First Amendment to the Constitution provides certain free-speech protections, so there is an open question as to whether liability can be constitutionally imposed (see Special Note on Relation of §652D to the First Amendment of the Constitution, Restatement of Torts (Second) §652D).
- Finally, Kansas courts recognise the tort of publicly placing another person in a false light, which occurs when a defendant gives to another publicity, placing the plaintiff before the public in a false light of a kind highly offensive to a reasonable person (see Froelich v. Adair, 516 P.2d 993 (Kan. 1973)). The defendant must have had knowledge of or acted in reckless disregard as to the falsity of the publicised matter and the false light in which the other would be placed (§652D Restatement of Torts (Second)). The plaintiff need not be defamed to bring an action for this form of invasion of privacy.
Kansas has several key privacy-related statutes, including:
- Kansas No-Call Act ('the No-Call Act'), under §50-670 of Article 6 of Chapter 50 of the Kansas Statutes ('Kan. Stat.');
- Kansas Commercial Electronic Mail Act, under §50-6,107 of Article 6 of Chapter 50 of the Kan. Stat.;
- Kansas Consumer Protection Act, under §§50-623 to 50-643 of Article 6 of Chapter 50 of the Kan. Stat.; and
- the data breach response requirements ('the Data Breach Requirements Act'), under §50-7a01 et seq. of Article 7a of Chapter 50 of the Kan. Stat.
The No-Call Act regulates the creation and enforcement of a no-call list, and the Kansas Commercial Electronic Mail Act prohibits the transmission of certain forms of 'commercial electronic mail' from either a computer located in Kansas or to a resident the sender knows is a Kansas resident. For a more detailed explanation of the No-Call Act and Commercial Electronic Mail Act, see section 7 below.
The Kansas Consumer Protection Act shields Kansas consumers from deceptive or fraudulent business practices. The Data Breach Requirements Act explains the circumstances in which Kansans whose personal data is compromised must be notified in the event of a breach. For a more detailed explanation of the Kansas Consumer Protection Act and the Data Breach Requirements Act, see section 9 below.
Kansas Health Information Technology Act
The Kansas legislature conformed State law to the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and its privacy and security rules, under Part 164 of Title 45 of the Code of Federal Regulations ('C.F.R.') ('the HIPAA Privacy and Security Rules'), in the Kansas Health Information Technology Act ('the Health Act') under §65-6821 et seq. of Article 68 of Chapter 65 of the Kan. Stat. The Health Act's stated purpose is to harmonise state law with the HIPAA Privacy Rule with respect to individual access to protected health information ('PHI'), proper safeguarding of PHI, and the use and disclosure of PHI for the purpose of facilitating the development and use of health information technology and the sharing of health information electronically.
In order to harmonise state law with HIPAA, the Kansas statute adopts HIPAA's Privacy Rule definitions for many key terms, including 'covered entity', 'disclosure', 'health care', 'health care provider', 'health information', 'individually identifiable health information', and 'protected health information' (Kan. Stat. §65-6822).
The Health Act requires that covered entities provide individuals and their personal representatives with access to the individual's PHI maintained, collected, used, or disseminated by or for the covered entity in compliance with the federal requirements found in 45 C.F.R. §164.524 (Kan. Stat. §65-6824(a)). Covered entities must also implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI in a manner consistent with federal law obligations under 45 C.F.R. §164.530(c) (Kan. Stat. §65-6824(b)).
Kan. Stat. §65-6825 governs the use and disclosure of PHI. Covered entities may disclose PHI to a health information organisation without an authorisation, if the covered entity is a party to a current participation agreement with an approved health information organisation at the time the disclosure is made; the covered entity discloses the individual's PHI to that approved health information organisation in a manner consistent with the established procedures of the approved health information organisation; and the covered entity gives appropriate notice to the individual whose information is to be disclosed or the individual's personal representative (Kan. Stat. §65-6825(b)). Covered entities may also disclose PHI without authorisation to state agencies for public health purposes as required by law (Kan. Stat. §65-6829).
The Health Act also establishes an advisory council on health information technology. The council advises the Kansas Secretary of Health and Environment and is composed of 23 voting members. The council members are designated by statute and serve alternating four-year terms, and the council is required to meet at least four times per year (Kan. Stat. §65-6835).
The Health Act generally requires that health care records be furnished to a patient, a patient's authorised representative, or any other person or entity legally authorised to obtain or reproduce such health care records within 30 days of receipt of an authorisation signed by a patient or the patient's representative (Kan. Stat. §65-6836). Health care providers may withhold copies of patient records under certain limited circumstances, including when the health care provider reasonably believes that providing copies of the records will cause substantial harm to the patient or another person (Kan. Stat. §65-6836(b)). Health care providers may also require payment of certain charges before furnishing the patient's health care records. Health care providers, patients, authorised representatives, or any other entity authorised by law to obtain health care records may bring an action to enforce this Section, but the entity bringing the action must first attempt to confer in good faith (Kan. Stat. §65-6836(c)).
Kansas regulates and protects financial data and data security through its Data Breach Requirements Act. Kansas's breach notification law protects 'personal information', which is defined as a consumer's first and last name or first initial and last name plus one or more of the following data elements (Kan. Stat. §50-7a01(g) and §50-6,139b(a)(3)):
- social security number;
- driver's license number or state identification card number; or
- financial account number or credit card number alone or in combination with any required security code, access code, or password that would permit access to a consumer's financial account.
As discussed in more detail in section 9 below, Kansas law requires reasonable investigation and notification in the event of a security breach.
Employee Surveillance and Monitoring
A federal district court in Kansas held that an employer that monitored its employees' personal phone calls without providing notice could be found liable for the Kansas common law tort of intrusion on seclusion, when the employees had a reasonable expectation of privacy in the content of their calls (Ali v. Douglas Cable Communications, 929 F. Supp. 1362 (D. Kan. 1996) (denying employees' motion for summary judgment)).
Social Security Numbers
Kansas law places significant restrictions on the use of social security numbers. Generally, businesses may not 'solicit, require or use for commercial purposes an individual's social security number unless such number is necessary for such person's normal course of business and there is a specific use for such number for which no other identifying number may be used' (§75-3520(b)(1) of Article 35 of Chapter 75 of the Kan. Stat.). Employers may, however, collect, use, or release social security numbers for internal verification or administrative purposes (Kan. Stat. §75-3520(b)(3)(B)). Similarly, while most records filed with the state securities commissioner of the Kansas Insurance Department are public, records containing social security numbers are not to be disclosed (§17-12a,607(b)(5) of Article 12a of Chapter 17 of the Kan. Stat.).
Kansas Acts Against Discrimination
Kansas prohibits employers from discriminating against an employee based on race, religion, colour, sex, disability, national origin or ancestry, and genetic test results. To protect employee privacy, employers cannot require, either directly or indirectly, that an employee take a genetic test (§44-1009(a)(9) of Article 10 of Chapter 44 of the Kan. Stat.). Kansas employers should also take care to follow federal anti-discrimination laws. For example, the Americans with Disabilities Act of 1990 ('ADA') requires individuals with disabilities to disclose private health information to employers in certain instances in order to obtain protection under the ADA. Federal law sets out specific privacy standards that regulate when employers may seek information contained in medical examinations and make medical inquiries of employees and job applicants; employers should take care to comply with these standards.
Private employees may be denied unemployment benefits if the employee tests positive for alcohol or drugs, refuses to submit to an alcohol or drug test, or tampers with the test. However, employee privacy is protected under §44-706 of Article 7 of Chapter 44 of the Kan. Stat., which sets out testing requirements. Employers must treat medical information of employees and job applicants as confidential, with the exception of information regarding the illegal use of drugs, and employers must keep these records in a separate file (§21-34-10 of Article 34 of Agency 21 of the Kansas Administrative Regulations).
Public employers are authorised by statute to drug test employees in safety-sensitive roles once the individual is given a conditional offer of employment (§75-4362(a) of Article 43 of Chapter 75 of the Kan. Stat.). Moreover, Kan. Stat. §75-4362(g) defines safety-sensitive positions. Public employees generally may not be terminated solely due to positive results of a drug test unless the employee previously had a valid positive test result, has undergone a drug evaluation, and successfully completes any education or treatment program recommended as a result of the evaluation (Kan. Stat. §75-4362(d)). Test results must remain confidential, but the results may be used in hearings before the state civil service board regarding disciplinary action taken against the employee (Kan. Stat. §75-4362(e)).
Federal law regarding children's data is codified in the Children's Online Privacy Protection Act of 1998 ('COPPA'). The Federal Trade Commission ('FTC') regulates the Children's Online Privacy Protection Rule of 1999 ('COPPA Rule'), which regulates the conduct of websites or online service operators directed to children under 13 years of age and websites or online services that have actual knowledge they are collecting personal information online from children under 13 years of age.
The Kansas Consumer Protection Act
Kansas law prohibits certain deceptive acts and practices in connection with consumer transactions (Kan. Stat. §50-626). Deceptive acts and practices include certain false or misleading representations to consumers, wilful exaggeration, falsehood, innuendo, or ambiguity regarding material facts, and wilful concealment of material facts, among other practices. See Kan. Stat. §50-626(b)(1) to (14) for a list of deceptive acts and practices (note that this list is not comprehensive and that additional conduct may constitute deceptive acts and practices under the statute). Since the list is not comprehensive, certain deceptive online practices may constitute a violation of the Kansas Consumer Protection Act.
Unsolicited commercial communications are governed by two Kansas statutes: the Kansas Commercial Electronic Mail Act and the No-Call Act. Violations of the Kansas Commercial Electronic Mail Act and the No-Call Act constitute unconscionable acts or practices under the Kansas Consumer Protection Act.
The Kansas Commercial Electronic Mail Act
The Kansas Commercial Electronic Mail Act prohibits the transmission of certain forms of 'commercial electronic mail' from either a computer located in Kansas or to a resident the sender knows is a Kansas resident (Kan. Stat. §50-6,107(c)). The Kansas Commercial Electronic Mail Act prohibits using a third party's internet domain without permission from that third party and prohibits misrepresenting or obscuring any information identifying the point of origin of the transmission path of a commercial electronic mail message. The Kansas Commercial Electronic Mail Act also prohibits commercial electronic mail messages from containing false or misleading information in the subject line.
Commercial electronic mail messages must also contain instructions, in text as large as the majority of the text in the transmission, for the recipient to notify the sender not to send any subsequent communications (Kan. Stat. §50-6,107(c)(1)). Messages must include a valid sender-operated return email address to which the recipient may reply to notify the sender not to send any further messages. The message must also include the legal name of the person or entity initiating the transmission, and the sender's physical address for the receipt of US mail or a toll-free telephone number that the recipient may call to notify the sender not to send any subsequent communications. Messages containing advertising material for viewing, use, consumption, sale, lease, or rental only by persons over 18 years of age have additional requirements and must include 'ADV:ADL' in the first eight characters of the subject line (Kan. Stat. §50-6,107(c)(1)).
The Commercial Electronic Mail Act also prohibits transmission of commercial electronic mail messages from a computer in Kansas or to an email address the sender knows is held by a Kansas resident, after the recipient of the transmission has notified the sender not to send any subsequent communications (Kan. Stat. §50-6,107(c)(2)). If the recipient has notified the sender not to send any subsequent communications, the sender may not give, transfer, sell or otherwise share the recipient's email address with any third party, unless it is to direct the third party to place the email address on a do not contact list (Kan. Stat. §50-6,107(c)(3)).
The Commercial Electronic Mail Act prohibits assisting in the transmission of a commercial electronic mail message when the person providing the assistance knows that the initiator of the commercial electronic mail message is engaged, or intends to engage, in any act or practice that violates the Kansas Consumer Protection Act (Kan. Stat. §50-6,107(c)(4)).
Likewise, it is a violation of the Commercial Electronic Mail Act to knowingly sell, give, or otherwise distribute or possess with the intent to sell, give, or distribute software that (Kan. Stat. §50-6,107(c)(5)):
- is primarily designed or produced for the purpose of facilitating or enabling the falsification of electronic mail transmission information or other routing information;
- has only limited commercially significant purpose or use other than to facilitate or enable the falsification of electronic mail transmission information or other routing information; or
- is marketed by that person or another acting in concert with that person with that person's knowledge for use in facilitating or enabling the falsification of electronic mail transmission information or other routing information.
Violations of this Section are unconscionable acts and practices under the Kansas Consumer Protection Act and are subject to civil penalties of not less than $500 nor more than $10,000 for each such violation (Kan. Stat. §50-6,107(g) and (j)).
The No-Call Act
The No-Call Act requires that all telephone solicitors who make unsolicited consumer telephone calls:
- identify themselves;
- identify the business on whose behalf such person is soliciting;
- identify the purpose of the call immediately upon making contact by telephone with the person who is the object of the telephone solicitation;
- promptly discontinue the solicitation if the person being solicited gives a negative response at any time during the consumer telephone call;
- hang up the phone, or in the case of an automatic dialing-announcing device operator, disconnect the automatic dialing-announcing device from the telephone line within 25 seconds of the termination of the call by the person being called; and
- a live operator or an automated dialing-announcing device shall answer the line within five seconds of the beginning of the call.
The No-Call Act prohibits telephone solicitors from withholding the display of their telephone number from a caller identification service when that number is being used for telemarketing purposes (Kan. Stat. §50-670(c)). Additionally, telephone solicitors are prohibited from transmitting any written information by facsimile machine or computer to a consumer after the consumer requests orally or in writing that such transmissions cease (Kan. Stat. §50-670(d)).
Violations of the No-Call Act constitute unconscionable acts or practices under the Kansas Consumer Protection Act (Kan. Stat. §50-670(h)).
Currently, Kansas law does not require privacy policies. Privacy policies are written statements that explain how websites collect, use, disclose, or secure the personally identifiable information of website users. Privacy policies are often supplemented and operate in conjunction with a website's Terms of Service.
Data Security and Breach Notification Obligations
The primary Kansas law governing data security and breach notification obligations is the Data Breach Requirements Act. Kansas's breach notification law protects 'personal information' (see section 4 above for a definition). However, personal information does not include 'publicly available information that is lawfully made available to the general public from federal, state or local government records' (Kan. Stat. §50-7a01(g)).
Kansas's data breach notification obligations apply to any 'person that conducts business in [Kansas], or a government, governmental subdivision or agency that owns or licenses computerised data that includes personal information' (Kan. Stat. §50-7a02(a)).
If, after a prompt and reasonable investigation, the owner or licensor of personal information determines that the data has been accessed and acquired and is reasonably likely to be 'misused', the breached entity must give 'notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay', consistent with law enforcement needs (Kan. Stat. §50-7a02(a)). The notice must be given to all affected Kansas residents. An individual or commercial entity that maintains data that includes personal information that the individual or entity does not own or license must notify the owner or licensee of the information following a data breach if the personal information is reasonably believed to have been accessed and acquired by an unauthorised person (Kan. Stat. §50-7a02(b)).
Enforcement of Kansas's Breach Notification Law
Except for violations by insurance companies, the Kansas Attorney General ('AG') is also empowered, though not exclusively, to bring actions for breach notification violations under the Data Breach Requirements Act. For breach notification violations by an insurance company, enforcement authority is vested solely in the Kansas Insurance Commissioner of the Kansas Insurance Department (Kan. Stat. §50-7a02(h)).
For violations of Kansas's Data Breach Requirements Act, the AG may bring an action in law or in equity 'and for other relief that may be appropriate' (Kan. Stat. §50-7a02(g)). This remedy is 'not-exclusive' and may allow for private causes of action to address violations (see In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1169 (D. Minn. 2014)). At least one court has noted that the Data Breach Requirements Act is ambiguous as to whether a private cause of action exists for breach notification violations (see In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1169 (D. Minn. 2014) (denying a motion to dismiss)).
Breach Notification Obligations relating to Student Data
§72-6318 of Article 63 of Chapter 72 of the Kan. Stat. imposes similar notification obligations relating to student data. In the event of a security breach or unauthorised disclosure of student data or personally identifiable information of any student, whether by a school district, the department, the state board of education, state agency, or other entity or third party given access to student data or personally identifiable information of any student, the school district, department, state board of education, state agency, or other entity or third party shall immediately notify each affected student, if an adult, or the parent or legal guardian of the student, if a minor, of the breach or unauthorised disclosure and investigate the causes and consequences of the breach or unauthorised disclosure (Kan. Stat. §72-6318).
Responsibilities of Kansas Agency Department Heads
§75-7240 of Article 72 of Chapter 75 of the Kan. Stat. imposes additional data security and breach notification obligations on Kansas executive branch agency heads.
Under Kansas law, Kansas executive branch agency heads are solely responsible for security of all data and information technology resources under their agency's purview, irrespective of the location of the data or resources. Locations of data may include (Kan. Stat. §75-7240(a)):
- agency sites;
- agency real property;
- infrastructure in state data centers;
- third-party locations; and
- in transit between locations.
Kansas executive branch agency heads are also required to ensure that an agency-wide information security program is in place and must designate an information security officer, reporting directly to executive leadership, to administer the agency's information security program. Agencies must participate in state-wide cybersecurity program initiatives and services sponsored by the state chief information security officer ('CISO') and implement policies and standards to ensure that all the agency's data and information technology resources are maintained in compliance with applicable state and federal laws and rules and regulations (Kan. Stat. §75-7240).
Kansas law additionally requires that Kansas executive branch agency heads implement appropriate cost-effective safeguards to reduce, eliminate or recover from identified threats to data and information technology resources and include all appropriate cybersecurity requirements in the agency's request for proposal specifications for procuring data and information technology systems and services (Kan. Stat. §75-7240).
The agency heads must submit a cybersecurity assessment report to the CISO by 16 October of each even-numbered year and must ensure that the agency conducts annual internal assessments of its security program (Kan. Stat. §75-7240).
Agency heads are required to participate in an annual agency leadership training that includes information about cyber attacks and data breaches and reporting obligations (Kan. Stat. §75-7240).
In the event of a breach or suspected breach of system security or an unauthorised exposure of that information, agencies must comply with the notification requirements set out in the Data Breach Requirements Act and applicable federal laws and rules and regulations. Additionally, agency heads must notify the CISO within 48 hours after discovery of a breach, suspected breach, or unauthorised exposure. If the breach, suspected breach, or unauthorised exposure involves election data, the agency head must also notify the Secretary of State.
The Kansas Consumer Protection Act
The Kansas Consumer Protection Act imposes data retention and related obligations on holders of 'personal information' (Kan. Stat. §50-6,139b). The Kansas Consumer Protection Act's data security obligations apply to all 'holders' of personal information. A holder is 'a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person' (Kan. Stat. §50-6,139b(a)(1)).
The Kansas Consumer Protection Act imposes two requirements on holders of personal information (Kan. Stat. §50-6,139b(b)).
First, the Kansas Consumer Protection Act requires holders to implement and maintain reasonable procedures and practices appropriate to the nature of the information, and to exercise reasonable care to protect the personal information from unauthorised access, use, modification, or disclosure. If federal or state law or regulation governs the procedures and practices of the holder, and the holder complies with the relevant federal or state law or regulations, then the holder is deemed to be in compliance with the Kansas Consumer Protection Act's obligations. Conversely, if the holder of personal information fails to comply with the relevant federal or state law or regulations, that failure is prima facie evidence of a violation of its obligations under the Kansas Consumer Protection Act.
Second, unless otherwise required by federal law or regulation, the Kansas Consumer Protection Act requires that holders take reasonable steps to destroy or arrange for the destruction of any records within such holder's custody or control containing any person's personal information when such holder no longer intends to maintain or possess such records. The holder must destroy the records by shredding, erasing, or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.
Enforcement of the Kansas Consumer Protection Act
The Kansas AG has exclusive authority to bring an action for violation of data security obligations set forth in the Kansas Consumer Protection Act. Each record that is 'not destroyed' in compliance with Kansas's data retention law is 'a separate unconscionable act' under Kansas's Consumer Protection Act and subject to civil penalties under that Section (Kan. Stat. §50-6,139b(d)).
Voter Registration Records
Kansas law includes protections for certain information contained in voter registration records to protect privacy. No voter registration record shall be made available for public inspection or copying unless the individual's social security number, driver's license number, nondriver's identification card number or any part thereof, has been removed or otherwise been rendered unreadable (§25-2320(b) of Article 23 of Chapter 25 of the Kan. Stat.).