Go to:

Kansas State Privacy Protection Rights

Kansas statewide privacy links:

Sponsored

Introduction to Kansas Privacy Rights

Kansas residents operate within a unique privacy landscape that combines federal protections with select state-specific laws addressing particular privacy concerns. Unlike comprehensive privacy states such as California, Colorado, or Virginia, Kansas has not enacted a sweeping consumer data privacy statute. Instead, the state's privacy framework consists of targeted laws addressing specific sectors and scenarios, including data breach notification, consumer reporting, telecommunications privacy, and limited biometric data protections.

The Kansas Constitution provides foundational privacy protections through Article 15, which mirrors the Fourth Amendment's protection against unreasonable searches and seizures. Kansas courts have occasionally interpreted these protections more broadly than federal courts, particularly in cases involving law enforcement searches and personal privacy expectations. However, when it comes to commercial data collection and modern digital privacy concerns, Kansas residents primarily rely on federal frameworks such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Trade Commission Act.

Compared to leading privacy states, Kansas falls into the middle tier of privacy protections. The state requires breach notification, maintains public records exemptions for certain personal information, and regulates specific data practices in the financial and telecommunications sectors. Kansas has shown legislative interest in expanding privacy protections—multiple bills addressing biometric data and consumer privacy have been introduced in recent sessions—but comprehensive privacy legislation has not yet been enacted. For Kansas residents, understanding privacy protection requires navigating this patchwork of state-specific statutes alongside federal law, while recognizing that many data collection practices remain largely unregulated at the state level.

Kansas's State Privacy Laws

Kansas's privacy framework consists of several sector-specific statutes rather than a unified privacy code. The most significant state privacy law is the Kansas Consumer Protection Act (K.S.A. 50-623 et seq.), which provides the Attorney General authority to pursue unfair or deceptive practices, including certain privacy violations. While not a comprehensive privacy statute, this law has been used to address privacy-invasive business practices and unauthorized disclosure of personal information.

The Kansas Breach of Security Notification Act (K.S.A. 50-7a01 through 50-7a02) requires any person or business that owns or licenses computerized data containing personal information to notify affected Kansas residents following a breach. "Personal information" is defined as a Kansas resident's first name or initial and last name combined with social security number, driver's license number, or financial account information. The law requires notification "in the most expedient time possible and without unreasonable delay," but does not specify a precise deadline. Notification must be made to the Kansas Attorney General's Consumer Protection Division if more than 1,000 Kansas residents are affected. Businesses may delay notification if a law enforcement agency determines notification would impede a criminal investigation.

Kansas law addresses employee privacy through several statutes. K.S.A. 44-119a prohibits employers from requiring employees or applicants to disclose usernames or passwords for personal social media accounts. Employers cannot require employees to add the employer or employment-related contacts to their personal social media, though they may require access to work-related accounts created on behalf of the employer. Additionally, K.S.A. 44-1001 through 44-1005 regulate employer access to employee personnel records, granting employees the right to review their files and dispute inaccurate information.

Financial privacy in Kansas is governed primarily by federal law, particularly the Gramm-Leach-Bliley Act, but Kansas has enacted complementary protections. K.S.A. 40-2,156 requires insurance companies to provide privacy notices and allows consumers to opt out of information sharing with non-affiliated third parties. Kansas financial institutions must also comply with federal privacy notice requirements under 15 U.S.C. § 6803, which mandates annual privacy notices explaining information collection and sharing practices.

The state has enacted limited biometric privacy protections through K.S.A. 50-7a01, which amended the breach notification law to include "biometric data" within the definition of personal information requiring breach notification. However, Kansas does not have a comprehensive biometric privacy statute comparable to Illinois's Biometric Information Privacy Act, meaning there are no specific consent requirements or restrictions on biometric data collection outside the breach context.

Telecommunications privacy receives specific attention under K.S.A. 66-2008, which restricts telephone companies from disclosing customer proprietary network information without customer approval. This statute complements federal telecommunications privacy protections under the Communications Act.

Kansas has also enacted student data privacy protections through K.S.A. 72-6385, which restricts educational technology vendors from selling student data, using it for targeted advertising, or creating student profiles for non-educational purposes. This statute provides Kansas students with protections beyond federal FERPA requirements.

Freedom of Information / Open Records in Kansas

Kansas's open records framework operates under the Kansas Open Records Act (KORA), codified at K.S.A. 45-215 through 45-223. This statute establishes a presumption that public records are open to the public unless specifically exempted by law. KORA defines "public record" broadly to include any recorded information maintained by or for a public agency, regardless of format, that documents governmental activity.

Under K.S.A. 45-218(a), any person may submit a request to inspect public records, and the public agency must comply "as soon as possible" but not later than three business days after receipt of the request. If the agency cannot meet this deadline, it must provide a detailed written explanation of why additional time is needed and when the records will be available. The agency may take additional time if the request is broad, requires redaction, or involves voluminous records, but must demonstrate that it is making reasonable efforts to comply promptly.

KORA contains numerous exemptions protecting personal privacy and sensitive information. K.S.A. 45-221(a) lists specific categories of exempt records, including:

Criminal investigation records are temporarily closed under K.S.A. 45-221(a)(10) while investigations are ongoing, but must be opened once the investigation concludes or prosecution is completed, subject to specific exceptions.

Kansas agencies may charge reasonable fees for copying records. K.S.A. 45-219 permits agencies to charge actual costs for staff time exceeding one hour when fulfilling requests requiring redaction or document retrieval. Standard copying fees typically range from $0.25 to $0.50 per page, though agencies must publish their fee schedules. Fees cannot be charged merely to inspect records.

If an agency denies a records request, the requester may file a written appeal with the agency head within 30 days. If the denial is upheld, the requester may petition the district court for an order compelling disclosure under K.S.A. 45-222. Courts may award attorney fees and costs to prevailing requesters. The Kansas Attorney General's office also provides an informal mediation process for KORA disputes, though participation is voluntary.

HIPAA and Health Privacy

The Health Insurance Portability and Accountability Act (HIPAA) establishes the baseline for medical privacy protection in Kansas, applying to covered entities including healthcare providers, health plans, and healthcare clearinghouses. HIPAA's Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) restricts how covered entities use and disclose protected health information (PHI) without patient authorization.

Kansas has enacted supplementary health privacy protections that exceed federal HIPAA requirements in certain contexts. The Kansas Mental Health Records Act (K.S.A. 65-5601 through 65-5605) provides enhanced protections for mental health treatment records. These records cannot be disclosed without patient consent except in limited circumstances, including court orders, emergency treatment situations, or when necessary to protect the patient or others from harm. Mental health records receive greater protection than general medical records, with stricter consent requirements and disclosure limitations.

Kansas law also protects HIV/AIDS-related information under K.S.A. 65-6002, which prohibits disclosure of HIV test results without written consent except in specific circumstances such as reporting to public health authorities or notification of exposed healthcare workers. Unauthorized disclosure can result in criminal penalties.

Under KORA, medical treatment records maintained by public healthcare facilities are explicitly exempt from disclosure under K.S.A. 45-221(a)(2), providing an additional layer of protection for patients receiving care at public hospitals or clinics.

Kansas residents can protect their medical records by understanding their rights under HIPAA, including the right to access their own medical records (typically within 30 days of request), request amendments to inaccurate information, receive an accounting of disclosures, and file complaints with the U.S. Department of Health and Human Services Office for Civil Rights if they believe their privacy rights have been violated. Kansas residents should request copies of their medical records periodically, review them for accuracy, and understand that healthcare providers must provide a Notice of Privacy Practices explaining how PHI may be used and disclosed.

Consumer Data Privacy Rights

Kansas residents do not currently benefit from a comprehensive state consumer data privacy law comparable to California's Consumer Privacy Act or Virginia's Consumer Data Protection Act. This means most commercial data collection, processing, and sharing activities are governed by federal law and industry self-regulation rather than Kansas-specific requirements.

The primary federal framework protecting Kansas consumers is the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., which governs consumer reporting agencies and the use of consumer reports for credit, employment, insurance, and similar purposes. Under FCRA, Kansas residents have the right to:

Kansas law supplements FCRA through the Kansas Consumer Credit Code (K.S.A. 16a-1-101 et seq.), which regulates credit transactions and provides additional consumer protections. K.S.A. 50-719 through 50-724 regulate consumer reporting agencies operating in Kansas, requiring registration with the Kansas Attorney General and compliance with specific accuracy and disclosure requirements.

For data broker removal, Kansas residents must approach each data broker individually, as Kansas law does not require data brokers to provide a unified opt-out mechanism. Major people-search sites that Kansas residents should address include:

Each site has different opt-out procedures, typically requiring submission of personal information to verify identity before removal. Complete removal from data broker databases requires persistent effort, as information may reappear from other sources.

Kansas residents also benefit from federal sector-specific privacy laws including the Telephone Consumer Protection Act (TCPA), which restricts telemarketing calls and requires businesses to honor Do Not Call requests; the CAN-SPAM Act, governing commercial email; and the Children's Online Privacy Protection Act (COPPA), protecting children under 13.

The Kansas Attorney General's Consumer Protection Division investigates privacy violations under the Kansas Consumer Protection Act and can be reached at 120 SW 10th Avenue, 2nd Floor, Topeka, KS 66612-1597, or by calling (785) 296-3751. Consumers can file complaints online at www.ag.ks.gov.

Employment Background Checks & Privacy

Employment background checks in Kansas are governed by federal law, primarily the Fair Credit Reporting Act (FCRA), alongside Kansas-specific statutes addressing criminal records and employee privacy. Understanding these regulations is essential for Kansas job seekers concerned about background screening.

Under FCRA, employers who use third-party consumer reporting agencies for background checks must:

Kansas does not have a statewide ban-the-box law restricting when employers may inquire about criminal history. Employers in Kansas may ask about criminal convictions on initial applications, though they must comply with federal Equal Employment Opportunity Commission (EEOC) guidance requiring individualized assessment of criminal history relevance to the position. However, some Kansas municipalities, including Wichita, have considered local ban-the-box ordinances affecting government hiring.

Kansas criminal records are maintained by the Kansas Bureau of Investigation (KBI). Under K.S.A. 22-4707 through 22-4710, certain criminal records may be expunged, effectively sealing them from public view and employment background checks. Kansas allows expungement of:

Serious violent crimes, sex offenses, and certain other felonies are generally not eligible for expungement. Once expunged, Kansas law provides that the conviction is deemed never to have occurred, and individuals may legally answer "no" when asked about criminal history on employment applications, with limited exceptions for positions requiring disclosure by law.

Under K.S.A. 22-4710, conviction records typically remain on Kansas criminal history reports indefinitely unless expunged. However, the EEOC guidance followed by many employers suggests criminal convictions should not automatically disqualify applicants, particularly when offenses are old or unrelated to job responsibilities.

Kansas residents who discover inaccurate information on employment background checks should immediately dispute the errors with both the consumer reporting agency that produced the report and the information furnisher (typically the court or law enforcement agency). Under FCRA, reporting agencies must investigate disputes within 30 days and correct or delete inaccurate information. Applicants should also notify the employer of the inaccuracy and request reconsideration.

The Kansas Bureau of Investigation provides criminal history record checks through its website (www.accesskansas.org) for a fee of $20. Individuals can request their own records to review accuracy before employers obtain them, allowing time to correct errors or pursue expungement if eligible.

Protecting Yourself in Kansas

Kansas residents concerned about privacy should take proactive steps to limit public exposure of personal information and protect themselves from identity theft and privacy violations. Here is a comprehensive, step-by-step approach:

Step 1: Remove Information from People-Search Sites

Begin by searching for your name on major people-search websites including Spokeo, WhitePages, BeenVerified, Intelius, MyLife, PeopleFinder, Radaris, and TruthFinder. Each site has an opt-out process, typically found in the privacy policy or help section. You will generally need to locate your listing, copy the URL, and submit an opt-out request with identity verification. This process must be repeated for each site and may need to be done periodically as information reappears from public record aggregation.

Step 2: Freeze Your Credit

Kansas residents can freeze their credit reports with all three major credit bureaus at no cost under federal law (15 U.S.C. § 1681c-2). Contact:

A credit freeze prevents new creditors from accessing your credit report, blocking most identity thieves from opening accounts in your name. You can temporarily lift the freeze when applying for legitimate credit. Kansas residents should also consider freezing reports with secondary consumer reporting agencies like ChexSystems (banking), LexisNexis (insurance), and Innovis.

Step 3: Opt Out of Prescreened Credit Offers

Reduce junk mail and limit exposure by opting out of prescreened credit and insurance offers at www.optoutprescreen.com or by calling 1-888-567-8688. This removes your name from lists that credit bureaus sell to creditors for marketing purposes.

Step 4: Register with Do Not Call Lists

Register your phone numbers with the National Do Not Call Registry at www.donotcall.gov or 1-888-382-1222 to reduce telemarketing calls. Kansas residents can also register with the Kansas No Call List, administered by the Kansas Attorney General, though the federal registry is generally more comprehensive.

Step 5: Request Kansas Public Records Review

Submit Kansas Open Records Act requests to county and state agencies that maintain your records to review what information is publicly available. Focus on:

While most public records cannot be removed simply because they are accurate and legally public, reviewing them helps you understand your exposure and identify any errors requiring correction.

Step 6: Pursue Expungement if Eligible

If you have eligible criminal records, pursue expungement through the Kansas district court where the conviction occurred. The process involves filing a petition, paying filing fees (which may be waived for indigent petitioners), and potentially attending a hearing. The Kansas Judicial Branch website (www.kscourts.org) provides expungement information and forms. Successfully expunged records are removed from public view and employment background checks.

Step 7: Contact Key Kansas Privacy Agencies

Establish relationships with agencies that can assist with privacy protection:

Step 8: Monitor and Maintain Privacy Protections

Privacy protection requires ongoing vigilance. Review credit reports annually, monitor financial accounts regularly, update opt-out requests periodically, and stay informed about Kansas privacy legislation that may provide additional tools for protecting personal information.

Kansas Data Breach Notification

Kansas's data breach notification law, codified at K.S.A. 50-7a01 through 50-7a02, establishes requirements for businesses and individuals that experience security breaches involving Kansas residents' personal information. Understanding these requirements helps Kansas residents know what to expect when breaches occur and hold entities accountable for compliance.

The statute defines a "security breach" as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. "Personal information" includes a Kansas resident's first name or initial and last name combined with any of the following unencrypted elements:

Any person or business that owns or licenses computerized data containing personal information must notify affected Kansas residents following a breach. Notification must occur "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the computerized data system."

Unlike some states with specific deadlines (such as 30, 45, or 60 days), Kansas law does not establish a precise timeframe, creating flexibility but also ambiguity. In practice, most businesses notify within 30-60 days of discovering a breach, though complex breaches may take longer to investigate.

If a breach affects more than 1,000 Kansas residents, the entity must also notify the Kansas Attorney General's Consumer Protection Division. This notification allows the Attorney General to monitor significant breaches and take enforcement action if necessary.

Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. The law enforcement agency must provide written notice of the delay, and notification must occur after the agency determines it will no longer compromise the investigation.

Notification must include:

The statute provides exceptions to notification requirements. No notification is required if, after appropriate investigation and consultation with relevant law enforcement, the entity reasonably determines that the breach will not likely result in harm to affected individuals. However, this determination must be documented.

Kansas law does not specify civil penalties for breach notification violations, but the Kansas Attorney General can pursue enforcement under the Kansas Consumer Protection Act (K.S.A. 50-623 et seq.) for unfair or deceptive practices. Affected individuals may also have private causes of action for damages resulting from failure to implement reasonable security measures or provide timely notification, though Kansas has not enacted a specific private right of action for breach notification violations.

Children's Privacy (Kansas)

Children's privacy in Kansas is protected through a combination of federal law and Kansas-specific statutes addressing educational technology and school records. The primary federal framework is the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., which applies nationwide, including to Kansas-based operators and operators serving Kansas children.

COPPA requires operators of websites or online services directed to children under 13, or operators with actual knowledge they are collecting information from children under 13, to:

The Federal Trade Commission enforces COPPA, and Kansas parents who believe a website or service has violated COPPA can file complaints at www.ftc.gov.

Kansas has enacted specific protections for student data privacy through K.S.A. 72-6385, the Student Data Privacy Act. This statute restricts how educational technology vendors and service providers may use student data. Key provisions include:

This statute applies to "school service providers," defined as entities that contract with Kansas schools to provide digital educational services. It provides Kansas students with privacy protections beyond federal FERPA requirements by restricting commercial uses of educational data.

The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, protects student education records at schools receiving federal funding. FERPA gives parents of students under 18 (and students 18 or older) the right to inspect and review education records, request corrections, and control disclosure of personally identifiable information. Kansas schools must comply with FERPA, and parents can file complaints with the U.S. Department of Education's Family Policy Compliance Office.

Kansas parents concerned about their children's privacy should review school technology policies, understand what platforms and services schools use, exercise FERPA rights to review education records, and teach children about online privacy practices. The Kansas State Department of Education (www.ksde.org) provides resources on student data privacy and FERPA compliance.

Frequently Asked Questions

1. Does Kansas have a comprehensive consumer data privacy law like California's CCPA?

No. Kansas has not enacted a comprehensive consumer data privacy law. Kansas residents' rights regarding commercial data collection are governed primarily by federal laws such as FCRA and sector-specific state statutes addressing breach notification, financial privacy, and telecommunications. Multiple bills proposing broader privacy protections have been introduced in the Kansas Legislature but have not been enacted as of 2024.

2. How long does a Kansas agency have to respond to an open records request?

Under the Kansas Open Records Act (K.S.A. 45-218), public agencies must respond to records requests "as soon as possible" but not later than three business days after receipt. If the agency cannot comply within three business days, it must provide a detailed written explanation of why additional time is needed and when records will be available. Agencies may take longer for complex or voluminous requests but must demonstrate reasonable efforts to comply promptly.

3. Can I have my criminal record expunged in Kansas?

Yes, under certain circumstances. K.S.A. 22-4707 through 22-4710 allow expungement of some misdemeanor and felony convictions after completion of sentence and a waiting period (typically three years for misdemeanors, five years for felonies). Serious violent crimes, sex offenses, and some other felonies are not eligible. Arrest records that did not result in conviction and successfully completed diversion agreements may also be expunged. You must petition the district court where the conviction occurred.

4. What must Kansas employers do before conducting a background check?

If using a third-party consumer reporting agency, Kansas employers must comply with the Fair Credit Reporting Act (FCRA). This requires providing a standalone written disclosure that a background check will be conducted, obtaining written consent from the applicant, and providing pre-adverse action notice (including a copy of the report and summary of rights) if they intend to take adverse employment action based on the report. Kansas does not have a statewide ban-the-box law, so employers may ask about criminal history on initial applications.

5. How quickly must businesses notify Kansas residents of a data breach?

Kansas law (K.S.A. 50-7a01) requires notification "in the most expedient time possible and without unreasonable delay," but does not specify a precise deadline. Notification may be delayed if law enforcement determines it would impede a criminal investigation. In practice, most businesses notify within 30-60 days of discovering a breach. If more than 1,000 Kansas residents are affected, the business must also notify the Kansas Attorney General.

6. Can Kansas employers require access to my personal social media accounts?

No. K.S.A. 44-119a prohibits Kansas employers from requiring employees or applicants to disclose usernames or passwords for personal social media accounts. Employers also cannot require employees to add the employer or employment-related contacts to personal social media accounts. However, employers may require access to work-related accounts created on behalf of the employer for business purposes.

7. Are my medical records protected in Kansas beyond federal HIPAA requirements?

Yes, in certain contexts. Kansas provides enhanced protections for mental health treatment records under K.S.A. 65-5601 through 65-5605, which impose stricter consent and disclosure requirements than HIPAA. Kansas also specifically protects HIV/AIDS test results under K.S.A. 65-6002. Additionally, medical treatment records maintained by public healthcare facilities are exempt from disclosure under the Kansas Open Records Act (K.S.A. 45-221(a)(2)).

8. How do I remove my information from people-search websites in Kansas?

Kansas does not have a law requiring data brokers to provide a unified opt-out mechanism, so you must contact each people-search site individually. Major sites like Spokeo, WhitePages, BeenVerified, Intelius, MyLife, and PeopleFinder each have opt-out processes, typically accessible through their privacy policies or help sections. You will generally need to locate your listing, verify your identity, and submit an opt-out request. This process must be repeated periodically as information may reappear from public record aggregation. Kansas residents concerned about persistent data broker issues can file complaints with the Kansas Attorney General's Consumer Protection Division.

Last reviewed: Apr 8, 2026 Updated: Apr 8, 2026