
South Carolina - Sectoral Privacy Overview

September 2023

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION

The Constitutional right to privacy is found in Article I, Section 10 of the Constitution of the State of South Carolina, which provides:

'Searches and seizures; invasions of privacy. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures and unreasonable invasions of privacy shall not be violated, and no warrants shall be issued but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, the person or thing to be seized, and the information to be obtained.'

South Carolina common law also recognizes several rights of privacy (Swinton Creek Nursery v. Edisto Farm Credit, 334 S.C. 469, 514 S.E.2d 126 (1999)):

  • wrongful appropriation of personality;
  • wrongful publicizing of private affairs; and
  • wrongful intrusion into private affairs.

Wrongful Appropriation of Personality

"Wrongful appropriation of personality involves the intentional, unconsented use of the plaintiff's name, likeness, or identity by the defendant for his own benefit. The gist of the action is the violation of the plaintiff's exclusive right at common law to publicize and profit from his name, likeness, and other aspects of personal identity" (Snakenberg v. Hartford Cas. Ins. Co., 299 S.C. 164, 170, 383 S.E.2d 2, 5-6 (Ct. App. 1989)).

Wrongful Publicizing of Private Affairs

To prevail on this claim, the plaintiff must show that:

  • the defendant intentionally publicized the facts;
  • the facts were of the plaintiff's private affairs;
  • the disclosure of the facts would be highly offensive and would likely cause serious mental harm to a reasonable person; and
  • the public had no legitimate interest in the facts.

If the plaintiff is a public figure, consideration of whether the defendant acted with malice may be relevant as well (Snakenberg).

Wrongful Intrusion into Private Affairs

To prevail on a claim of wrongful intrusion into private affairs, a plaintiff must show that the defendant intentionally intruded into private affairs that one normally expects to be free from exposure. Further, the intrusion must be substantial and unreasonable. Examples of intentional intrusion into one's private affairs include, but are not limited to, prying or similar conduct into matters of the home, family, personal relationships, and communications of the plaintiff (Snakenberg).

2. KEY PRIVACY LAWS

Confidentiality of Public Records

The South Carolina Freedom of Information Act, under §30-4-10 et seq. of Chapter 4 of Title 30 of the South Carolina Code of Laws ('S.C. Code'), establishes broad rights for access to public records held by public bodies in South Carolina.

S.C. Code §30-4-40 identifies several categories of information that a public body may exempt from disclosure. In the privacy/confidentiality realm, these exemptions include:

  • trade secrets;
  • information of a personal nature where public disclosure would constitute an unreasonable invasion of privacy (examples include gross receipts information contained in applications for business licenses, public records which include the name, address, and telephone number or other information of an individual who is handicapped or disabled, and any audio recording of the final statements of a dying victim in a call to 911 emergency services);
  • certain law enforcement records;
  • disclosure of the identity of a confidential source or disclosure of information furnished by a confidential source; and
  • various records and data otherwise deemed proprietary or confidential.

Protection of Personal Information: Financial Identity Fraud and Identity Fraud

The South Carolina Personal Financial Security Act ('the Financial Security Act'), under §16-13-500 et seq. of Article 2 of Chapter 13 of Title 16 of the S.C. Code, makes it unlawful for any person to commit financial identity fraud or identity fraud, with the use of personal identifying information or otherwise, and establishes criminal penalties for violations.

The Financial Security Act defines 'personal identifying information' as including, but not limited to (S.C. Code §16-13-510(D)):

  • social security numbers;
  • driver's license numbers or state identification card numbers issued instead of a driver's license;
  • checking account numbers;
  • savings account numbers;
  • credit card numbers;
  • debit card numbers;
  • personal identification numbers;
  • electronic identification numbers;
  • digital signatures;
  • dates of birth;
  • current or former names, including first and last names, middle and last names, or first, middle, and last names, but only when the names are used in combination with, and linked to, other identifying information provided in this Section;
  • current or former addresses, but only when the addresses are used in combination with, and linked to, other identifying information provided in this Section; or
  • other numbers, passwords, or information that may be used to access a person's financial resources, numbers, or information issued by a governmental or regulatory entity that uniquely will identify an individual or an individual's financial resources.

S.C. Code §16-13-510(E) defines 'financial resources' as:

  • existing money and financial wealth contained in a checking account, savings account, line of credit, or otherwise;
  • a pension plan, retirement fund, annuity, or other fund that makes payments monthly or periodically to the recipient; and
  • the establishment of a line of credit or an amount of debt whether by loan, credit card, or otherwise for the purpose of obtaining goods, services, or money.

A person is guilty of financial identity fraud, pursuant to S.C. Code §16-13-510(B), when that person, without authorization and with intent to:

  • appropriate the financial resources of the other individual to the person's own use or the use of a third party;
  • devise a scheme or artifice to defraud; or
  • obtain money, property, or services by means of false or fraudulent pretenses, representations, or promises,

obtains or records identifying information which would assist in accessing the financial records of the other individual, or accesses or attempts to access the financial resources of the other individual through the use of identifying information.

A person is guilty of identity fraud when such a person uses the personal identifying information of another individual for the purpose of obtaining employment or avoiding identification by a law enforcement officer, criminal justice agency, or another governmental agency, including, but not limited to, law enforcement, detention, and correctional agencies or facilities (S.C. Code §16-13-510(C)).

A person found guilty of violating the Financial Security Act is guilty of a felony and must be fined at the discretion of the court or imprisoned for not more than ten years, or both. In addition, the court may order restitution to the victim pursuant to §17-25-322 of Article 3 of Chapter 25 of Title 17 of the S.C. Code.

3. HEALTH DATA

Physicians' Patient Records Act

South Carolina's Physicians' Patient Records Act, under §44-115-10 et seq. of Chapter 115 of Title 44 of the S.C. Code, addresses ownership of physicians' patient records and the release of those records.

The physician is the owner of medical records (including medical bills) in their possession that were made in treating a patient and of records transferred to them concerning prior treatment of the patient (S.C. Code §44-115-20).

Pursuant to S.C. Code §44-115-30, a patient or their legal representative has a right to receive a copy of their medical record, or have the record transferred to another physician, upon request, when accompanied by written authorization from the patient or their legal representative to release the record.

Pursuant to S.C. Code §44-115-40, a physician cannot release a patient's medical records unless there is express written consent from the patient, or an individual authorized by the law to act on behalf of the patient. 

Pursuant to S.C. Code §44-115-50, in good faith, a physician is authorized to release a patient's medical records for claims processing to an insurance company representative without liability or disciplinary action.

A physician is not permitted to sell medical records to anyone other than another South Carolina licensed physician, osteopath, or hospital, unless the sale is approved by the South Carolina Board of Medical Examiners. Prior to the sale of medical records, the physician must publish a public notice of their intention to sell the records in a newspaper of general circulation in the area of their practice at least three times in the 90 days preceding the sale. The notice must advise patients that they may retrieve their records if they prefer that their records not be included in the sale (S.C. Code §44-115-130).

S.C. Code §44-115-150 provides that all other provisions of the law concerning medical records are applicable, including the authority of a court to obtain medical records.

Pursuant to S.C. Code §44-115-60, a physician has the right to withhold a patient's entire medical record or choose to provide a summary or a portion of the patient's medical record instead. However, medical records cannot be withheld because of unpaid bill(s) for medical services (S.C. Code §44-115-70).

Prescription Information Privacy

The Prescription Information Privacy Act, under §44-117-10 et seq. of Article 1 of Chapter 117 of Title 44 of the S.C. Code, prohibits the transfer or receipt of prescription drug information without the written consent of the patient or a person authorized by law to act on behalf of the patient.

Privacy of Genetic Information

Pursuant to §38-93-40 of Chapter 93 of Title 38 of the S.C. Code and subject to some exceptions, genetic information is confidential and must not be disclosed to a third party in a manner that allows identification of the individual tested without first obtaining the written informed consent of that individual or a person legally authorized to consent on behalf of the individual.  A health insurer may not require an individual to consent to the disclosure of genetic information to the insurer as a condition for obtaining health insurance coverage.

4. FINANCIAL DATA

South Carolina does not have any specific statutory protections for financial data. However, some financial data may meet the definition of 'personal identifying information', and therefore businesses holding financial data may be subject to the notification requirements of §39-1-90 of Chapter 1 of Title 39 of the S.C. Code ('the Breach Notification Law') as described herein.

The breach notification requirements of the Breach Notification Law do not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provisions of the Gramm-Leach-Bliley Act of 1999 ('GLBA'). Moreover, any financial institution in compliance with the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ('the Interagency Guidance') is considered to be in compliance with the statute.

5. EMPLOYMENT DATA

South Carolina law does not have any specific statutory protections for employment data. However, employment data may meet the definition of 'personal identifying information', and therefore employers may be subject to the notification requirements of the Breach Notification Law as described herein.

6. ONLINE PRIVACY

South Carolina does not have any statutory provisions addressing online privacy or behavioral advertising.

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Telephone Communications

The South Carolina Telephone Privacy Protection Act ('the Telephone Privacy Act'), under §37-21-10 et seq. of Chapter 21 of Title 37 of the S.C. Code, puts limitations on those telephone solicitations made to South Carolina residents, requires certain disclosures at the outset of any such solicitation, and provides for remedies and penalties for violations of the Telephone Privacy Act.

Application and Exemptions

The Telephone Privacy Act applies to any person who makes a call or text to a residence in South Carolina or to a wireless telephone with a South Carolina area code, that is a 'telephone solicitation', made for the purpose of offering or advertising a property, good, or service for sale, lease, license, or investment, including offering or advertising an extension of credit, or prize promotion.

A 'telephone solicitation' does not include:

  • a political campaign-related call made, or a text or media message sent, in compliance with the federal Telephone Consumer Protection Act of 1991;
  • calls or texts made with the consumer's prior express invitation or permission;
  • calls or texts to a consumer with whom the caller has an established business relationship; and
  • calls or texts to a consumer with whom the caller has a personal relationship.

Restrictions and Limitation

Absent prior written consent, a telephone solicitation cannot be initiated other than between 8:00 am and 9:00 pm local time at the consumer's location.

At the outset of the call, the telephone solicitor must identify themselves, identify the person on whose behalf the call is being made, and provide the following information:

  • telephone number and address at which the telephone solicitor can be contacted;
  • the purpose of the solicitation;
  • that no purchase or payment is necessary to take part in a prize promotion if one is offered;
  • the option to be added to the solicitor's 'do not call' list and, if the consumer requests to be put on that list, confirmation that the consumer will be put on that list; and
  • certain cost information and terms and conditions of any goods and services that are the subject of the solicitation.

In the event the consumer expresses a desire not to hear the offer, the solicitor must end the call immediately. Subject to certain exceptions, all calls must display accurate caller identification information, and when live telephone solicitors are unavailable to speak with the consumer within two seconds of a completed greeting, the telephone solicitor must play a pre-recorded message and provide certain opt-out information.

Telephone solicitations may not be directed to a consumer when a consumer has expressed a desire not to be contacted or if that consumer's number is on the National Do Not Call Registry.

Remedies and Penalties

A person who is aggrieved by a violation of the Telephone Privacy Act is entitled to seek to enjoin the violation and to recover actual losses in addition to damages in the amount of $1,000 for each violation. If the court finds a willful violation, the court may, in its discretion, increase the amount of the award to an amount not exceeding $5,000 for each violation. The person initiating the action for a violation of Chapter 21 may be awarded reasonable attorneys' fees and court costs.

The administrator of the South Carolina Department of Consumer Affairs ('SCDCA'), upon finding a violation of the Telephone Privacy Act, may issue an administrative order requiring the person to cease and desist, to return property or money received in violation of Chapter 21, and imposing penalties of up to $5,000 for each violation. The SCDCA may bring a civil action seeking similar relief, including injunctive relief. Any money received in the enforcement of the Telephone Privacy Act will be retained by the SCDCA for the administration of Title 37.

The South Carolina Attorney General ('AG') may investigate and enforce violations of the Telephone Privacy Act, by bringing an action to enjoin a violation of Chapter 21 by any person and to recover damages for an aggrieved person or persons in the amount of $5,000 for each violation. If the court finds a willful violation, the court, in its discretion, also may award a civil penalty of not more than $5,000 for each violation. In an action brought by the AG, the AG may recover reasonable expenses incurred by the State or local governmental agency or department in investigating and preparing the case, and attorneys' fees.

Commercial Solicitation Using Personal Information Obtained from a State Agency or Local Government

The South Carolina Family Privacy Protection Act ('the Family Protection Act'), under §30-2-10 et seq. of Article 1 of Chapter 2 of Title 30 of the S.C. Code, prevents any person from knowingly obtaining or using personal information 'obtained from a state agency, local government, or other political subdivision' of South Carolina for commercial solicitation.  

Definitions

'Personal Information' is defined as information that identifies or describes an individual including, but not limited to, an individual's photograph or digitized image, social security number, date of birth, driver's identification number, name, home address, home telephone number, medical or disability information, education level, financial status, bank account numbers, account or identification number issued by or used, or both, by any federal or state governmental agency or private financial institution, employment history, height, weight, race, other physical details, signature, biometric identifiers, and any credit records or reports.

'Commercial solicitation' is defined as contact by telephone, mail, or electronic mail for the purpose of selling or marketing a consumer product or service.

'Commercial solicitation' does not include contact for the purpose of:

  • offering membership in a credit union;
  • notification of continuing education opportunities;
  • selling or marketing banking, insurance, securities, or commodities services provided by an institution or entity defined in or required to comply with the GLBA; or
  • contacting persons for political purposes using the information on file with state or local voter registration offices.

Violations and Penalties

A person knowingly violating this statutory provision is guilty of a misdemeanor and if convicted must be fined an amount no more than $500 or imprisoned for a term not to exceed one year or both.

8. PRIVACY POLICIES

There are no state statutes regarding privacy policies for private entities.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

Insurance Data Security

The South Carolina Insurance Data Security Act ('the Insurance Data Security Act'), under §38-99-10 et seq. of Chapter 99 of Title 38 of the S.C. Code, establishes standards for data security, requires those licensees regulated by the South Carolina Department of Insurance ('SCDOI') to develop, implement, and maintain a written information security program, and establishes an investigation and notification framework following a cybersecurity event.

Application and Exemptions

A 'licensee' subject to the Insurance Data Security Act is a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of South Carolina but does not include a purchasing group or a risk retention group chartered and licensed in a state other than South Carolina or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Certain licensees are exempt, including:

Definitions

'Information system' means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial or process controls systems, telephone switching, and private branch exchange systems, and environmental control systems.

'Nonpublic information' means information that is not publicly available information and is:

  • business-related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
  • any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
    • social security number;
    • driver's license number or nondriver identification card number;
    • account number, credit or debit card number;
    • security code, access code, or password that would permit access to a consumer's financial account; or
    • biometric records;
  • any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
    • the past, present, or future physical, mental or behavioral health or condition of a consumer or a member of the consumer's family;
    • the provision of health care to a consumer; or
    • payment for the provision of health care to a consumer.

Obligations of Licensees

Each licensee must develop, implement, and maintain a comprehensive written information security program, based on a risk assessment performed by the licensee that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee's information system.

Each licensee must designate someone to be responsible for its information security program, identify internal and external threats to nonpublic information (including those associated with third-party service providers), consider appropriate controls for managing those threats, and implement an information security program using appropriate security measures.

Each licensee must establish a written incident response plan. In the event of a cybersecurity event, each licensee must report, no later than 72 hours after determining that such an event has occurred, certain information to the Director of the SCDOI.

Each licensee must use due diligence in selecting third-party service providers, and require any such third-party service provider to implement appropriate security controls.

At least annually, each licensee must assess the effectiveness of the security measures and safeguards it implements, and regularly test and monitor systems and procedures.

Annually, each licensee must submit a written statement, by 15 February, to the Director of the SCDOI, certifying the licensee's compliance with the Insurance Data Security Act.

Violations and Enforcement

The Director of the SCDOI has the authority to investigate any licensee to determine compliance with and violations of the Insurance Data Security Act, and may take necessary and appropriate action to enforce the law.

A licensee who violates the Insurance Data Security Act is subject to those penalties set out in S.C. Code §38-2-10. These include fines in various amounts, based in part on whether or not the violation is willful; license revocation or suspension; and the right to enforce civil and criminal proceedings.

Computer Crime Act

The South Carolina Computer Crime Act, under §16-16-10 et seq. of Chapter 16 of Title 16 of the S.C. Code, makes it a crime for a person willfully, knowingly, maliciously, and without authorization to access a computer, computer system, or computer network (S.C. Code §16-16-20):

  • for the purpose of a scheme to defraud, obtaining anything by false pretenses, or committing any other crime;
  • to modify or damage the computer or data contained on the computer; or
  • to introduce a computer contaminant into the computer, computer system, or network.   

In addition to criminal penalties and any other civil remedies available, the computer owner may bring a civil action against a person convicted under the Computer Crime Act for compensatory damages, restitution, and attorney's fees.

Disposal

Disposal Requirements for Business Records Containing Personal Information

Pursuant to §37-20-190 of Chapter 20 of Title 37 of the S.C. Code, a business must dispose of any business record that contains personal identifying information of a consumer by shredding, erasing, or using other means to make it unreadable or undecipherable.

This law does not apply to a bank or financial institution in compliance with the security and privacy provisions of the GLBA, or a health insurer subject to and in compliance with the HIPAA Privacy and Security Rules, under Part 164 of Title 45 of the Code of Federal Regulations.

Disposal Requirements for Personal Information held by Public Bodies

Pursuant to §30-2-310(C) of Article 3 of Chapter 2 of Title 30 of the S.C. Code, a public body must dispose of any record that contains personal identifying information of a consumer by shredding, erasing, or using other means to make it unreadable or undecipherable.

Breach Notification for Private Organizations

S.C. Code §39-1-90(D)(1) requires any person doing business in South Carolina to notify residents of security breaches, specifies the circumstances under which notice is to be provided and the mechanisms for such notice, and provides legal remedies and potential penalties for failure to provide the required notices.

The statute applies to every individual or organization doing business in South Carolina ('business') that holds 'personal identifying information'. The statute exempts two types of organizations from its coverage:

  • a bank or financial institution that is subject to and in compliance with the privacy and security provisions of the federal GLBA; and
  • any financial institution in compliance with the federal Interagency Guidance.

Definition of Personal Identifying Information

'Personal identifying information' means the first name or first initial and last name in combination with one or more of the following of a South Carolina resident, when unencrypted and unredacted:

  • social security number;
  • driver's license number or state identification card number;
  • financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or
  • other numbers or information that may be used to access a person's financial accounts or numbers, or information issued by a governmental or regulatory entity that uniquely will identify an individual.

The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local governmental records lawfully made available to the general public.

Requirement to Notify Following a Security Breach

A business must notify the owner or licensee of personal identifying information following the discovery that personal identifying information that has not been encrypted or redacted has been or is reasonably likely to have been acquired by an unauthorized person, when the illegal use of the information has occurred, is reasonably likely to occur, or the use of the information creates a material risk of harm to the owner of the information.

Notice to Affected Individuals and Timing

A business must notify the owner or licensee of the personal identifying information 'in the most expedient time possible and without unreasonable delay' following the discovery of the breach. The statute does not set a specific timeframe.

The business may delay the notification if law enforcement determines that notification impedes a criminal investigation.

Form of Notice

Notice may be provided in writing, via electronic means if the primary method of communications is by electronic means or is consistent with the provisions of the federal Electronic Signatures in Global and National Commerce Act of 2000 ('E-Sign Act') and the South Carolina Uniform Electronic Transactions Act, under §26-6-10 et seq. of Chapter 6 of Title 26 of the S.C. Code, or telephone.

Substitute notice may be allowed in the event that the cost of notice exceeds certain thresholds or the agency has insufficient contact information:

  • email notice;
  • conspicuous posting of notice on the agency's website; or
  • notification to major statewide media.

Additional Notice Requirement

If a business notifies more than 1,000 persons at one time, then the business must also notify, without unreasonable delay, the South Carolina Consumer Services Division of the SCDCA, and all the major credit bureaus, of the timing, distribution, and content of the notice.

Legal Remedies and Penalties

A South Carolina resident injured by a violation of this statute may institute a civil action to recover damages in the case of a willful and knowing violation, institute a civil action that is limited to actual damages resulting from a negligent violation of the statute, seek an injunction to enforce compliance, and if successful recover attorney's fees and court costs.

The SCDCA is authorized to assess an administrative fine of up to $1,000 for each resident whose information was accessible as a result of a breach, in the event that a business knowingly and willingly violates the statute.

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

Information held by State Agencies

State Agency Privacy Policies

The Family Protection Act requires all state agencies, boards, commissions, institutions, departments, and other state entities, by whatever name known, to create privacy policies to ensure that the collection of personal information is limited to that required by the state agency and necessary to fulfill a legitimate public purpose.

S.C. Code §30-2-40(A) requires every state agency with a website to clearly display its privacy policy and contact information for the person at the state agency responsible for the privacy policy.

Breach Notification for State Agencies

§1-11-490 of Article 1 of Chapter 11 of Title 1 of the S.C. Code requires state agencies to notify residents of security breaches, specifies the circumstances under which notice is to be provided and the mechanisms for such notice, and provides legal remedies and potential penalties for failure to provide the required notices.

'Personal information' is defined as (consistent with S.C. Code §16-13-510(D)):

  • social security numbers;
  • driver's license numbers or state identification card numbers issued instead of a driver's license;
  • checking account numbers;
  • savings account numbers;
  • credit card numbers;
  • debit card numbers;
  • personal identification numbers;
  • electronic identification numbers;
  • digital signatures;
  • dates of birth;
  • current or former names, including first and last names, middle and last names, or first, middle, and last names, but only when the names are used in combination with, and linked to, other identifying information provided in this Section;
  • current or former addresses, but only when the addresses are used in combination with, and linked to, other identifying information provided in this Section; or
  • other numbers, passwords, or information that may be used to access a person's financial resources, numbers, or information issued by a governmental or regulatory entity that uniquely will identify an individual or an individual's financial resources.

A state agency must notify the owner or licensee of personal information following the discovery that personal information that has not been encrypted or redacted has been or is reasonably likely to have been acquired by an unauthorized person, when the illegal use of the information has occurred, is reasonably likely to occur, or the use of the information creates a material risk of harm to the owner of the information.

Notice may be provided in writing, by electronic means if the primary method of communication is electronic or if such notice is consistent with the provisions of the federal E-Sign Act and the South Carolina Uniform Electronic Transactions Act, or by telephone.

Substitute notice may be allowed in the event that the cost of notice exceeds certain thresholds or the agency has insufficient contact information:

  • email notice;
  • conspicuous posting of notice on the agency's website; or
  • notification to major statewide media.

If the agency notifies more than 1,000 persons at one time, then the agency must also notify, without unreasonable delay, the SCDCA, and all the major credit bureaus, of the timing, distribution, and content of the notice.

A South Carolina resident injured by a violation of this statute may institute a civil action to recover damages, seek an injunction to enforce compliance, and, if successful, recover attorney's fees and court costs.

The SCDCA is authorized to assess an administrative fine of up to $1,000 for each resident whose information was accessible as a result of a breach, in the event that an agency knowingly and willingly violates the statute.

South Carolina Court Decisions/Pending Decisions

In Planned Parenthood S. Atl. v. State, January 5, 2023, the South Carolina Supreme Court held "that the decision to terminate a pregnancy rests upon the utmost personal and private considerations imaginable, and implicates a woman's right to privacy. While this right is not absolute, and must be balanced against the State's interest in protecting unborn life, this Act, which severely limits – and in many instances completely forecloses – abortion, is an unreasonable restriction upon a woman's right to privacy and is therefore unconstitutional."

In the unpublished Opinion No. 2022-UP-409 in Gilchrist v. Carolinas, November 16, 2022, the Court of Appeals of South Carolina held that the Public Service Commission of South Carolina did not err and that Duke Energy Carolinas did not violate the plaintiffs' constitutional right to privacy. The plaintiffs had appealed an order of the Public Service Commission of South Carolina, arguing that it had erred in dismissing their complaint that Duke Energy violated their right to privacy by installing a smart meter on their property without their consent, and that Duke Energy's collection of power usage data via the smart meter constituted a taking of private property.

Proposed/Pending Legislation or Regulation

These bills have merely been introduced, and there is no indication that they will be passed or enacted.

Amendment to S.C. Code §16-17-470

Senate Bill ('SB') 141 was introduced in the South Carolina Senate to amend the S.C. Code by amending §16-17-470 relating to eavesdropping, peeping, and voyeurism, revising existing terms and defining other necessary terms, and increasing the penalty when the victim is a minor. Invasion of privacy is a key component.

Amendment to S.C. Code §16-25-130

SB 147 was introduced into the South Carolina Senate (and South Carolina House of Representatives) to amend the S.C. Code by amending §16-25-130 to establish an address confidentiality program under which a victim of domestic violence, dating violence, human trafficking, stalking, harassment, or sexual offense may use a designated address rather than their residential address to conceal their place of residence from assailants or probable assailants. The bill also requires non-profit victim assistance organizations that serve victims of domestic violence, etc. to protect the confidentiality and privacy of their clients, and prohibits employees, volunteers, etc. of these organizations from testifying in actions or proceedings about communications made by a client or records kept during the course of the organization providing services.

Law Enforcement Personal Information Privacy Protection Act

SB 252 was introduced in the South Carolina Senate and signed into law on May 19, 2023, with an effective date of July 1, 2024. The Law Enforcement Personal Information Privacy Protection Act would provide law enforcement officers the option of making personal contact information held by state or local governments confidential and not subject to disclosure. Additionally, it would give former and active members of the judiciary the same option to make personal contact information held by state or local governments confidential and not subject to disclosure, subject to limited exceptions, including the Driver's Privacy Protection Act of 1994 and the Fair Credit Reporting Act of 1970.

Addition to S.C. Code §16-3-760

House Bill ('HB') 3058 was introduced in the South Carolina House to amend the S.C. Code by adding §16-3-760 to define necessary terms, create the offense of cyber harassment, provide penalties, and delineate exceptions. It defines 'private image' and provides that disclosure of such an image is an offense, etc.

Amendment to S.C. Code §59-65-470

HB 3289 was introduced in the South Carolina House to amend the S.C. Code by amending §59-65-470 to have the state Department of Education create, publish, and provide to all public schools in the state a list of alternative education programs that can award a high school degree or equivalency credit. The contact information of the students will be provided to those institutions unless the student has opted out from disclosure under the Family Educational Rights and Privacy Act.

Addition to S.C. Code Title 44 Chapter 83

HB 3479 authorizes the use of electronic monitoring devices by residents of long-term care facilities in certain circumstances, authorizes the Department of Health and Environmental Control to fine facilities that discriminate against residents who use these devices, and establishes criminal penalties for tampering with the devices.

Addition to S.C. Code §59-150-145

HB 3872 was introduced in the South Carolina House to amend the S.C. Code by adding §59-150-145 to exempt certain personally identifiable information concerning lottery claims from nonconsensual disclosure or release under the Freedom of Information Act ('FOIA'). The bill additionally provides that the lottery commission may disclose certain information concerning lottery claims without consent.
