Kansas has been relatively slow to engage with data privacy legislation compared to neighboring states like Nebraska (which enacted its Data Privacy Act in 2024) and Iowa (which enacted its ICDPA in 2023). However, the enactment of laws in both neighboring states has accelerated Kansas legislative attention to the issue. Senate Bill 283 and House Bill 2237, introduced in the 2023–2024 sessions, represent Kansas' most substantive privacy proposals to date. Both bills are modeled on the Virginia CDPA framework and have received initial committee hearings. Kansas legislators have cited both the consumer protection rationale and the need for businesses operating in multiple states to have consistent requirements as reasons to move forward. The Kansas Chamber of Commerce has been involved in negotiations over bill language, and early indications suggest that — as in other Republican-led states that have passed privacy laws (Texas, Montana, Nebraska) — a relatively business-friendly Virginia-model law is the most likely outcome if Kansas acts.
Kansas legislators begin studying privacy legislation from other states but no formal comprehensive bills are introduced in this period.
SB 283 and HB 2237 introduced — Kansas' first comprehensive data privacy proposals. Both receive initial committee hearings but do not advance to votes.
Nebraska and Iowa enact privacy laws. Kansas legislators note that Kansas businesses operating in those states now have compliance obligations — strengthening the case for a Kansas law to create consistency.
Privacy advocates and business groups in Kansas are in discussions ahead of the 2025 session. A bill modeled on the Virginia/Nebraska framework is expected to be introduced with broader support.
Kansas' proposed privacy legislation closely follows the Virginia CDPA model, which has become the standard template for Republican-controlled state legislatures. The bill would provide standard consumer rights — access, correction, deletion, portability, opt-out of sale and targeted advertising — and require explicit consent for sensitive data. It would apply to businesses processing data of 100,000 or more Kansas consumers, or 25,000+ consumers if data sales exceed 25% of revenue. Enforcement would rest with the Kansas Attorney General with a 30-day cure period. There is no private right of action in the current proposed language.
If enacted as currently drafted, Kansas residents would receive the following privacy rights:
Confirm whether a business processes your personal data and request a copy of it.
Request correction of inaccurate personal data a business holds about you.
Request deletion of personal data that has been collected about you.
Receive your data in a portable, machine-readable format.
Prevent businesses from selling your personal data to third parties.
Stop businesses from using your data for cross-context behavioral advertising.
Opt out of automated decision-making in significant life decisions.
Businesses cannot penalize you for exercising your privacy rights.
The rights listed above are proposed, not enacted. They reflect the bill's current draft language and may change significantly before passage — or the bill may not pass at all. Until Kansas enacts a comprehensive privacy law, residents have limited state-level data privacy rights. Check our Active Laws page to see which states have enacted protections.
Kansas has lagged primarily due to legislative bandwidth rather than strong ideological opposition. The Kansas legislature has been focused on other priorities, and unlike states where a high-profile data breach or scandal prompted urgent action, Kansas has not had a triggering event that created public pressure for rapid passage. Additionally, the Kansas Chamber of Commerce — influential in the Republican-controlled legislature — has sought specific language adjustments before endorsing a bill. As neighboring states have enacted laws (creating compliance complexity for businesses operating across state lines), the practical case for a Kansas law has strengthened, and advocates expect this to accelerate the timeline.
| Feature | Kansas (Proposed) | Virginia (Active) | California (Active) |
|---|---|---|---|
| Comprehensive privacy rights | Proposed | ✅ Yes | ✅ Yes |
| Right to delete | Proposed | ✅ Yes | ✅ Yes |
| Opt out of sale of data | Proposed | ✅ Yes | ✅ Yes |
| Sensitive data protections | Proposed | ✅ Yes | ✅ Yes |
| Enforcement agency | TBD | VA Attorney General | CA Privacy Protection Agency |
| Private right of action | TBD | No | Yes (breach only) |
| Currently enforceable | ❌ No | ✅ Yes | ✅ Yes |
Even though Kansas does not yet have a comprehensive privacy law, you are not without options:
Privacy laws pass because constituents demand them. If you believe Kansas residents deserve strong data privacy rights, contact your state legislature. Find your representatives at OpenStates.org — it takes only a few minutes to send a message that matters.
Use our Opt-Out Guide to see what rights you have today and get direct opt-out links for major companies.
Privacy legislation moves quickly. Subscribe to our newsletter and we'll alert you the moment Kansas passes a new privacy bill, a vote is scheduled, or a major amendment changes the bill's scope. You'll also receive our monthly digest of all U.S. privacy law changes — free, always.