Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

South Carolina - Sectoral Privacy Overview
Back

South Carolina - Sectoral Privacy Overview

September 2022

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION

The Constitutional right to privacy is found in Article I, Section 10 of the Constitution of the State of South Carolina, which provides:

'Searches and seizures; invasions of privacy. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures and unreasonable invasions of privacy shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, the person or thing to be seized, and the information to be obtained.'

South Carolina common law also recognises several common law rights of privacy (Swinton Creek Nursery v. Edisto Farm Credit, 334 S.C. 469, 514 S.E.2d 126 (1999)):

  • wrongful appropriation of personality;
  • wrongful publicising of private affairs; and
  • wrongful intrusion into private affairs.

Wrongful Appropriation of Personality

"Wrongful appropriation of personality involves the intentional, unconsented use of the plaintiff's name, likeness, or identity by the defendant for his own benefit. The gist of the action is the violation of the plaintiff's exclusive right at common law to publicize and profit from his name, likeness, and other aspects of personal identity" (Snakenberg v. Hartford Cas. Ins. Co., 299 S.C. 164, 170, 383 S.E.2d 2, 5-6 (Ct. App. 1989)).

Wrongful Publicising of Private Affairs

To prevail on this claim, the plaintiff must show that the defendant intentionally (Snakenberg):

  • publicised the facts;
  • the facts were of the plaintiff's private affairs;
  • the disclosure of the facts would be highly offensive and would likely cause serious mental harm to a reasonable person; and
  • the public had no legitimate interest in the facts.

If the plaintiff is a public figure, consideration of whether the defendant acted with malice may be relevant as well.

Wrongful Intrusion into Private Affairs

To prevail on a claim of wrongful intrusion into private affairs, a plaintiff must show the defendant intentionally intruded into one's private affairs, that one normally expects to be free from exposure. Further, the intrusion must be substantial and unreasonable.  Examples of intentional intrusion into one's private affairs include but are not limited to prying or similar conduct, into matters of the home, family, personal relationships, and communications of the plaintiff (Snakenberg).

2. KEY PRIVACY LAWS

Confidentiality of Public Records

The South Carolina Freedom of Information Act, under §30-4-10 et seq. of Chapter 4 of Title 30 of the South Carolina Code of Laws ('S.C. Code'), establishes broad rights for access to public records held by public bodies in South Carolina.

S.C. Code §30-4-40 identifies several categories of information that a public body may exempt from disclosure. In the privacy/confidentiality realm, these exemptions include:

  • trade secrets;
  • information of a personal nature where public disclosure would constitute an unreasonable invasion of privacy (examples include gross receipts information contained in applications for business licenses, public records which include the name, address, and telephone number or other information of an individual who is handicapped or disabled, and any audio recording of the final statements of a dying victim in a call to 911 emergency services);
  • certain law enforcement records;
  • disclosure of the identity of a confidential source or disclosure of information furnished by a confidential source; and
  • various records and data otherwise deemed proprietary or confidential.

Protection of Personal Information: Financial Identity Fraud and Identity Fraud

The South Carolina Personal Financial Security Act ('the Financial Security Act'), under §16-13-500 et seq. of Article 2 of Chapter 13 of Title 16 of the S.C. Code, makes it unlawful for any person to commit financial identity fraud or identity fraud, with the use of personal identifying information or otherwise, and establishes criminal penalties for violations.

The Financial Security Act defines 'personal identifying information' as including, but not limited to (S.C. Code §16-13-510(D)):

  • social security numbers;
  • driver's license numbers or state identification card numbers issued instead of a driver's license;
  • checking account numbers;
  • savings account numbers;
  • credit card numbers;
  • debit card numbers;
  • personal identification numbers;
  • electronic identification numbers;
  • digital signatures;
  • dates of birth;
  • current or former names, including first and last names, middle and last names, or first, middle, and last names, but only when the names are used in combination with, and linked to, other identifying information provided in this Section;
  • current or former addresses, but only when the addresses are used in combination with, and linked to, other identifying information provided in this Section; or
  • other numbers, passwords, or information which may be used to access a person's financial resources, numbers, or information issued by a governmental or regulatory entity that uniquely will identify an individual or an individual's financial resources.

S.C. Code §16-13-510(E) defines 'financial resources' as:

  • existing money and financial wealth contained in a checking account, savings account, line of credit, or otherwise;
  • a pension plan, retirement fund, annuity, or other fund which makes payments monthly or periodically to the recipient; and
  • the establishment of a line of credit or an amount of debt whether by loan, credit card, or otherwise for the purpose of obtaining goods, services, or money.

A person is guilty of financial identity fraud, pursuant to S.C. Code §16-13-510(B), when that person, without authorisation and with intent:

  • appropriates the financial resources of the other individual to the person's own use or the use of a third party;
  • devises a scheme or artifice to defraud; or
  • obtains money, property, or services by means of false or fraudulent pretences, representations, or promises obtains or records identifying information which would assist in accessing the financial records of the other individual or accesses or attempts to access the financial resources of the other individual through the use of identifying information.

A person is guilty of identity fraud when such person uses personal identifying information of another individual for the purpose of obtaining employment or avoiding identification by a law enforcement officer, criminal justice agency, or another governmental agency, including, but not limited to, law enforcement, detention, and correctional agencies or facilities (S.C. Code §16-13-510(C)).

A person found guilty of violating the Financial Security Act is guilty of a felony and must be fined in the discretion of the court or imprisoned for not more than ten years, or both. In addition, the court may order restitution to the victim pursuant to §17-25-322 of Article 3 of Chapter 25 of Title 17 of the S.C. Code.

3. HEALTH DATA

Physicians' Patient Records Act

South Carolina's Physicians' Patient Records Act, under §44-115-10 et seq. of Chapter 115 of Title 44 of the S.C. Code, addresses ownership of physicians' patient records and the release of those records.

The physician is the owner of medical records (including medical bills) in their possession that were made in treating a patient and of records transferred to them concerning prior treatment of the patient (S.C. Code §44-115-20).

Pursuant to S.C. Code §44-115-30, a patient or their legal representative have a right to receive a copy of their medical record, or have the record transferred to another physician, upon request, when accompanied by a written authorisation from the patient or their legal representative to release the record.

Pursuant to S.C. Code §44-115-40, a physician cannot release a patient's medical records unless there is express written consent from the patient, or an individual authorised by the law to act on behalf of the patient. 

Pursuant to S.C. Code §44-115-50, in good faith, a physician is authorised to release a patient's medical records for claims processing to an insurance company representative without liability or disciplinary action.

A physician is not permitted to sell medical records to anyone with the exception that they can sell medical records to another South Carolina licensed physician, osteopath, or hospital or unless the sale is approved by the South Carolina Board of Medical Examiners. Prior to the sale of medical records, the physician must publish public notice of their intention to sell the records in a newspaper of general circulation in the area of their practice at least three times in the 90 days preceding the sale. The notice must advise patients that they may retrieve their records if they prefer that their records not be included in the sale (S.C. Code §44-115-130).

S.C. Code §44-115-150 provides that all other provisions of the law concerning medical records are applicable, including the authority of a court to obtain medical records.

Pursuant to S.C. Code §44-115-60, a physician has the right to withhold a patient's entire medical record or chose to provide a summary or a portion the patient's medical record instead. However, medical records cannot be withheld because of unpaid bill(s) for medical services (S.C. Code §44-115-70).

Prescription Information Privacy

The Prescription Information Privacy Act, under §44-117-10 et seq. of Article 1 of Chapter 117 of Title 44 of the S.C. Code, prohibits the transfer or receipt of prescription drug information without the written consent of the patient or a person authorised by law to act on behalf of the patient.

Privacy of Genetic Information

Pursuant to §38-93-40 of Chapter 93 of Title 38 of the S.C. Code and subject to some exceptions, genetic information is confidential and must not be disclosed to a third party in a manner that allows identification of the individual tested without first obtaining the written informed consent of that individual or a person legally authorised to consent on behalf of the individual.  A health insurer may not require an individual to consent to the disclosure of genetic information to the insurer as a condition for obtaining health insurance coverage.

4. FINANCIAL DATA

South Carolina does not have any specific statutory protections for financial data. However, some financial data may meet the definition of 'personal identifying information', and therefore businesses holding financial data may be subject to the notification requirements of §39-1-90 of Chapter 1 of Title 39 of the S.C. Code ('the Breach Notification Law') as described herein.

The breach notification requirements of the Breach Notification Law do not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provisions of the Gramm-Leach-Bliley Act of 1999 ('GLBA'). Moreover, any financial institution in compliance with the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ('the Interagency Guidance') is considered to be in compliance with the statute.

5. EMPLOYMENT DATA

South Carolina law does not have any specific statutory protections for employment data. However, employment data may meet the definition of 'personal identifying information', and therefore employers may be subject to the notification requirements of the Breach Notification Law as described herein.

6. ONLINE PRIVACY

South Carolina does not have any such statutory provisions addressing online privacy or behavioural advertising.

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Telephone Communications

The South Carolina Telephone Privacy Protection Act ('the Telephone Privacy Act'), under §37-21-10 et seq. of Chapter 21 of Title 37 of the S.C. Code, puts limitations on those telephone solicitations made to South Carolina residents, requires certain disclosures at the outset of any such solicitation, and provides for remedies and penalties for violations of the Telephone Privacy Act.

Application and Exemptions

The Telephone Privacy Act applies to any person who makes a call or text to a residence in South Carolina or to a wireless telephone with a South Carolina area code, that is a 'telephone solicitation', made for the purpose of offering or advertising a property, good, or service for sale, lease, license, or investment, including offering or advertising an extension of credit, or prize promotion.

A 'telephone solicitation' does not include:

  • a political campaign-related call made, or a text or media message sent, in compliance with the federal Telephone Consumer Protection Act of 1991;
  • calls or texts made with the consumer's prior express invitation or permission;
  • calls or texts to a consumer with whom the caller has an established business relationship; and
  • calls or texts to a consumer with whom the caller has a personal relationship.

Restrictions and Limitation

Absent prior written consent, a telephone solicitation cannot be initiated other than between 8:00 am and 9:00 pm local time at the consumer's location.

At the outset of the call, the telephone solicitor must identify themselves, identify the person on whose behalf the call is being made, and provide the following information:

  • telephone number and address at which the telephone solicitor can be contacted;
  • the purpose of the solicitation;
  • that no purchase or payment is necessary to take part in a prize promotion if one is offered;
  • the option to be added to the solicitor's 'do not call' list if the consumer requests to be put on that list, and confirmation that the consumer will be put on that list; and
  • certain cost information and terms and conditions of any goods and services that are the subject of the solicitation.

In the event the consumer expresses a desire not to hear the offer, the solicitor must end the call immediately. Subject to certain exceptions, all calls must display accurate caller identification information, and when live telephone solicitors are unavailable to speak with the consumer within two seconds of a completed greeting, the telephone solicitor must play a pre-recorded message and provide certain opt-out information.

Telephone solicitations may not be directed to a consumer when a consumer has expressed a desire not to be contacted or if that consumer's number is on the National Do Not Call Registry.

Remedies and Penalties

A person who is aggrieved by a violation of the Telephone Privacy Act is entitled to seek to enjoin the violation and to recover actual losses in addition to damages in the amount of $1,000 for each violation. If the court finds a willful violation, the court may, in its discretion, increase the amount of the award to an amount not exceeding $5,000 for each violation. The person initiating the action for a violation of Chapter 21 may be awarded reasonable attorneys' fees and court costs.

The administrator of the South Carolina Department of Consumer Affairs ('SCDCA'), upon finding a violation of the Telephone Privacy Act, may issue an administrative order requiring the person to cease and desist, to return property or money received in violation of Chapter 21 and imposing penalties of up to $5,000 for each violation. The SCDCS may bring a civil action seeking similar relief, including injunctive relief. Any money received in the enforcement of the Telephone Privacy Act will be retained by the SCDCA for the administration of Title 37.

The South Carolina Attorney General ('AG') may investigate and enforce violations of the Telephone Privacy Act, by bringing an action to enjoin a violation of Chapter 21 by any person and to recover damages for an aggrieved person or persons in the amount of $5,000 for each violation. If the court finds a willful violation, the court, in its discretion, also may award a civil penalty of not more than $5,000 for each violation. In an action brought by the AG, the AG may recover reasonable expenses incurred by the State or local governmental agency or department in investigating and preparing the case, and attorneys' fees.

Commercial Solicitation Using Personal Information Obtained from a State Agency or Local Government

The South Carolina Family Privacy Protection Act ('the Family Protection Act'), under §30-2-10 et seq. of Article 1 of Chapter 2 of Title 30 of the S.C. Code, prevents any person from knowingly obtaining or using personal information 'obtained from a state agency, local government, or other political subdivision' of South Carolina for commercial solicitation.  

Definitions

'Personal Information' is defined as information that identifies or describes an individual including, but not limited to, an individual's photograph or digitised image, social security number, date of birth, driver's identification number, name, home address, home telephone number, medical or disability information, education level, financial status, bank account numbers, account or identification number issued by or used, or both, by any federal or state governmental agency or private financial institution, employment history, height, weight, race, other physical details, signature, biometric identifiers, and any credit records or reports.

'Commercial solicitation' is defined as contact by telephone, mail, or electronic mail for the purpose of selling or marketing a consumer product or service.

'Commercial solicitation' does not include contact for the purpose of:

  • offering membership in a credit union;
  • notification of continuing education opportunities;
  • selling or marketing banking, insurance, securities, or commodities services provided by an institution or entity defined in or required to comply with the GLBA; or
  • contacting persons for political purposes using information on file with state or local voter registration offices.

Violations and Penalties

A person knowingly violating this statutory provision is guilty of a misdemeanour and if convicted must be fined an amount no more than $500 or imprisoned for a term not to exceed one year or both.

8. PRIVACY POLICIES

There are no state statutes regarding privacy policies for private entities.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

Insurance Data Security

The South Carolina Insurance Data Security Act ('the Insurance Data Security Act'), under §38-99-10 et seq. of Chapter 99 of Title 38 of the S.C. Code, establishes standards for data security, requires those licensees regulated by the South Carolina Department of Insurance ('SCDOI') to develop, implement, and maintain a written information security program, and establishes an investigation and notification framework following a cybersecurity event.

Application and Exemptions

A 'licensee' subject to the Insurance Data Security Act is a person licensed, authorised to operate, or registered, or required to be licensed, authorised, or registered pursuant to the insurance laws of South Carolina but does not include a purchasing group or a risk retention group chartered and licensed in a state other than South Carolina or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Certain licensees are exempt, including:

Definitions

'Information system' means a discrete set of electronic information resources organised for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialised system such as industrial or process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

'Nonpublic information' means information that is not publicly available information and is:

  • business-related information of a licensee the tampering with which, or unauthorised disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
  • any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
    • social security number;
    • driver's license number or nondriver identification card number;
    • account number, credit or debit card number;
    • security code, access code, or password that would permit access to a consumer's financial account; or
    • biometric records;
  • any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
    • the past, present, or future physical, mental or behavioural health or condition of a consumer or a member of the consumer's family;
    • the provision of health care to a consumer; or
    • payment for the provision of health care to a consumer.

Obligations of Licensees

Each licensee must develop, implement, and maintain a comprehensive written information security program, based on a risk assessment performed by the licensee that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee's information system.

Each licensee must designate someone to be responsible for its information security program, identify internal and external threats to nonpublic information (including those associated with third-party service providers), consider appropriate controls for managing those threats, and implement an information security program using appropriate security measures.

Each licensee must establish a written incident response plan. In the event of a cybersecurity event, each licensee must report, no later than 72 hours after determining that such an event has occurred, certain information to the Director of the SCDOI.

Each licensee must use due diligence in selecting third-party service providers, and require any such third-party service provider to implement appropriate security controls.

At least annually, each licensee must assess the effectiveness of the security measures and safeguards it implements, and regularly test and monitor systems and procedures.

Annually, each licensee must submit a written statement, by 15 February, to the Director of the SCDOI, certifying the licensee's compliance with the Insurance Data Security Act.

Violations and Enforcement

The Director of the SCDOI has authority to investigate any licensee to determine compliance with and violations of the Insurance Data Security Act, and may take necessary and appropriate action to enforce the law.

A licensee who violated the Insurance Data Security Act is subject to those penalties set out in S.C. Code §38-2-10. These include fines in various amounts, based in part on whether or not the violation is willful; license revocation or suspension; and the right to enforce civil and criminal proceedings.

Computer Crime Act

The South Carolina Computer Crime Act, under §16-16-10 et seq. of Chapter 16 of Title 16 of the S.C. Code, makes it a crime for a person to wilfully, knowingly, maliciously, and without authorisation to access a computer, computer system, or computer network (S.C. Code §16-16-20):

  • for the purpose of a scheme to defraud, obtaining anything by false pretenses, or committing any other crime;
  • to modify or damage the computer or data contained on the computer; or
  • to introduce a computer contaminant into the computer, computer system, or network.   

In addition to criminal penalties and any other civil remedies available, the computer owner may bring a civil action against a person convicted under the Computer Crime Act for compensatory damages, restitution, and attorney's fees.

Disposal

Disposal Requirements for Business Records Containing Personal Information

Pursuant to §37-20-190 of Chapter 20 of Title 37 of the S.C. Code, a business must dispose of any business record that contains personal identifying information of a consumer by shredding, erasing, or using other means to make it unreadable or decipherable.

This law does not apply to a bank or financial institution in compliance with the security and privacy provisions of the GLBA, or a health insurer subject to and in compliance with the HIPAA Privacy and Security Rules, under Part 164 of Title 45 of the Code of Federal Regulations.

Disposal Requirements for Personal Information held by Public Bodies

Pursuant to §30-2-310(C) of Article 3 of Chapter 2 of Title 30 of the S.C. Code, a public body must dispose of any record that contains personal identifying information of a consumer by shredding, erasing or using other means to make it unreadable or decipherable.

Breach Notification for Private Organisations

S.C. Code §39-1-90(D)(1) requires any person doing business in South Carolina to notify residents of security breaches, specifies the circumstances under which notice is to be provided and the mechanisms for such notice, and provides legal remedies and potential penalties for failure to provide the required notices.

The statute applies to every individual or organisation doing business in South Carolina ('business') that holds 'personal identifying information'. The statute exempts two types of organisations from its coverage:

  • a bank or financial institution that is subject to and in compliance with the privacy and security provisions of the federal GLBA. 
  • any financial institution in compliance with the federal Interagency Guidance. 

Definition of Personal Identifying Information

'Personal identifying information' means the first name or first initial and last name in combination with one or more of the following of a South Carolina resident, when unencrypted and unredacted:

  • social security number;
  • driver's license number or state identification card number;
  • financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or
  • other numbers or information which may be used to access a person's financial accounts or numbers, or information issued by a governmental or regulatory entity that uniquely will identify an individual.

The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local governmental records lawfully made available to the general public.

Requirement to Notify Following a Security Breach

A business must notify the owner or licensee of personal identifying information following the discovery that personal identifying information that has not been encrypted or redacted has been or is reasonably likely to have been acquired by an unauthorised person, when the illegal use of the information has occurred, is reasonably likely to occur, or the use of the information creates a material risk of harm to the owner of the information.

Notice to Affected Individuals and Timing

A business must notify the owner or licensee of the personal identifying information 'in the most expedient time possible and without unreasonable delay' following discovery of the breach. The statute does not specify a specific timeframe.

The business may delay the notification if law enforcement determines that notification impedes a criminal investigation.

Form of Notice

Notice may be provided in writing, via electronic means if the primary method of communications is by electronic means or is consistent with the provisions of the federal Electronic Signatures in Global and National Commerce Act of 2000 ('E-Sign Act') and the South Carolina Uniform Electronic Transactions Act, under §26-6-10 et seq. of Chapter 6 of Title 26 of the S.C. Code, or telephone.

Substitute notice may be allowed in the event that the cost of notice exceeds certain thresholds or the agency has insufficient contact information:

  • email notice;
  • conspicuous posting of notice on the agency's website; or
  • notification to major statewide media.

Additional Notice Requirement

If a business notifies more than 1,000 persons at one time, then the business must also notify, without unreasonable delay, the South Carolina Consumer Services Division of the SCDCA, and all the major credit bureaus, of the timing, distribution, and content of the notice.

Legal Remedies and Penalties

A South Carolina resident injured by a violation of this statute may institute a civil action to recover damages in the case of a willful and knowing violation, institute a civil action that is limited to actual damages resulting from a negligent violation of the statute, seek an injunction to enforce compliance, and if successful recover attorney's fees and court costs.

The SCDCA is authorised to assess an administrative fine of up to $1,000 for each resident whose information was accessible as a result of a breach, in the event that a business knowingly and willingly violates the statute.

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

Information held by State Agencies

State Agency Privacy Policies

The Family Protection Act requires all state agencies, boards, commissions, institutions, departments, and other state entities, by whatever name known, to create privacy policies to ensure that the collection of personal information is limited to that required by the state agency and necessary to fulfil a legitimate public purpose.

S.C. Code §30-2-40(A) requires every state agency with a website to clearly display its privacy policy and contact information for the person at the state agency responsible for the privacy policy.

Breach Notification for State Agencies

§1-11-490 of Article 1 of Chapter 11 of Title 1 of the S.C. Code requires state agencies to notify residents of security breaches, specifies the circumstances under which notice is to be provided and the mechanisms for such notice, and provides legal remedies and potential penalties for failure to provide the required notices.

'Personal information' is defined as (consistent with S.C. Code §16-13-510(D)):

  • social security numbers;
  • driver's license numbers or state identification card numbers issued instead of a driver's license;
  • checking account numbers;
  • savings account numbers;
  • credit card numbers;
  • debit card numbers;
  • personal identification numbers;
  • electronic identification numbers;
  • digital signatures;
  • dates of birth;
  • current or former names, including first and last names, middle and last names, or first, middle, and last names, but only when the names are used in combination with, and linked to, other identifying information provided in this Section;
  • current or former addresses, but only when the addresses are used in combination with, and linked to, other identifying information provided in this Section; or
  • other numbers, passwords, or information which may be used to access a person's financial resources, numbers, or information issued by a governmental or regulatory entity that uniquely will identify an individual or an individual's financial resources.

A state agency must notify the owner or licensee of personal information following the discovery that personal information that has not been encrypted or redacted has been or is reasonably likely to have been acquired by an unauthorised person, when the illegal use of the information has occurred, is reasonably likely to occur, or the use of the information creates a material risk of harm to the owner of the information.

Notice may be provided in writing, via electronic means if the primary method of communications is by electronic means or is consistent with the provisions of the federal E-Sign Act and the South Carolina Uniform Electronic Transactions Act, or telephone.

Substitute notice may be allowed in the event that the cost of notice exceeds certain thresholds or the agency has insufficient contact information:

  • email notice;
  • conspicuous posting of notice on the agency's website; or
  • notification to major statewide media

If the agency notifies more than 1,000 persons at one time, then the agency must also notify, without unreasonable delay, the SCDCA, and all the major credit bureaus, of the timing, distribution, and content of the notice.

A South Carolina resident injured by a violation of this statute may institute a civil action to recover damages, seek an injunction to enforce compliance, and if successful recover attorney's fees and court costs.

The SCDCA is authorised to assess an administrative fine of up to $1,000 for each resident whose information was accessible as a result of a breach, in the event that an agency knowingly and willingly violates the statute.

Proposed/Pending Legislation or Regulation

These bills have merely been introduced, and there is no indication that they will be passed or enacted.

South Carolina Biometric Data Privacy Act

House Bill ('HB') 3063 for the South Carolina Biometric Data Privacy Act would provide certain requirements for a business that collects a consumer's biometric information, to allow the consumer to request that a business delete the collected biometric information and to prohibit the sale of biometric information, to establish certain standards of care for a business that collects biometric information, to establish a procedure for a consumer to opt out of the sale of biometric information, to prohibit a business from discriminating against a consumer who opts out of the sale of their biometric information, and to provide a penalty.

South Carolina Data Privacy Act

HB 3016 for the South Carolina Data Privacy Act would provide that a search warrant must be issued before certain electronic data may be seized by a law enforcement agency, to require the law enforcement agency to notify the owner of the electronic device, data, or information specified in the search warrant, to prohibit a law enforcement agency from collecting certain information from a third-party without a search warrant, and to prohibit the use of information obtained in violation of this Act.

South Carolina Cellular Data Privacy Protection Act

HB 3014 for the South Carolina Cellular Data Privacy Protection Act ('the Cellular Data Act') would prohibit a mobile telecommunications provider from selling a customer's personal data to a third party, to impose a penalty, and to authorise the AG to investigate and enforce alleged violations of the Cellular Data Act.