Data Protection & Privacy 2026

Last Updated March 10, 2026

USA – Missouri

Trends and Developments


Authors



Sandberg, Phoenix & von Gontard, P.C. is a full-service law firm with more than 200 attorneys practising across over 35 areas of law, including business litigation, transactional law, regulatory compliance, medical and professional malpractice, products liability, insurance defence, and wealth and estate planning. Serving clients nationwide, the firm is particularly recognised for its strength as trusted local and regional counsel throughout Missouri, Southern Illinois and Kansas. The firm maintains offices in St Louis, Clayton, St Charles and Kansas City, Missouri; Edwardsville and O’Fallon, Illinois; and Gainesville, Florida.

Background

Missouri does not have a comprehensive consumer privacy statute, and its consumers cannot demand that a business disclose, delete or stop selling their personal data as a matter of state statutory right. That does not mean, however, that Missouri is a privacy vacuum.

Missouri currently relies on a patchwork of sector-specific laws for its data privacy and protection regulation. These laws include a broadly worded consumer protection law known as the Missouri Merchandising Practices Act (MMPA) and industry-specific regulations, such as the newly enacted Insurance Data Security Act. In recent years, the Missouri Attorney General’s Office has aggressively pursued data privacy and data security enforcement actions through the MMPA against some of the nation’s largest technology and financial services companies.

The MMPA as Missouri’s Privacy Enforcement Tool

The MMPA, codified at Section 407.020 et seq of the Missouri Revised Statutes, is often described as Missouri’s “mini FTC Act”. It declares unlawful “the act, use or employment by any person of any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise in trade or commerce”.

Missouri courts have interpreted an “unfair practice” under the MMPA to be “unrestricted, all-encompassing and exceedingly broad”. See Ports Petroleum Co, Inc of Ohio v Nixon, 37 S.W.3d 237, 240 (Mo. banc 2001). Critically, the MMPA does not require proof of intent to deceive. Defendants’ conduct, not their intent, determines whether a violation has occurred. This objective standard makes the MMPA a potent tool for addressing privacy violations when a company may not have intended to cause harm but nonetheless engaged in practices that were deceptive or unfair.

The MMPA provides for both public and private enforcement:

  • the Attorney General may seek injunctive relief, restitution, disgorgement of profits, civil penalties, and recovery of investigative and prosecution costs under Section 407.100; and
  • private plaintiffs who purchase or lease merchandise primarily for personal, family or household purposes may bring civil actions to recover actual damages, and courts have discretion to award punitive damages and attorneys’ fees under Section 407.025.

Recent Attorney General MMPA Enforcement Actions

Tax preparation pixel litigation

In July 2023, the Missouri Attorney General sued H&R Block, TaxSlayer and TaxAct (Case No 2322-CC01433), alleging that the companies installed tracking pixels (specifically the Meta Pixel and related tools) on their online tax preparation platforms. The petition alleged that these pixels transmitted sensitive financial information to Meta, Google and other technology companies, including consumers’ names, adjusted gross income, refund amounts, filing status, dependent information, and whether consumers visited pages related to particular types of income, deductions or tax credits. The Attorney General alleged that this data sharing occurred without consumers’ knowledge or consent and in direct contradiction of the companies’ privacy policies, which assured users that their personal information would be safeguarded. The petition asserted claims for misrepresentation, omission, deception and unfair practices under the MMPA.

Both TaxAct and TaxSlayer subsequently settled with the state. TaxAct resolved the matter in November 2023 for USD195,000 and agreed to modify its data-sharing capabilities. TaxSlayer settled on similar terms. Litigation against H&R Block continued in Jackson County as of the last available reporting.

Google location-tracking settlement

Missouri participated in a 40-state coalition that investigated Google for allegedly misleading users about location data collection. The investigation allegedly revealed that Google continued to track users’ locations even when the “Location History” setting was turned off through a separate “Web & App Activity” setting. In November 2022, Google agreed to a historic USD391.5 million multistate settlement requiring greater transparency regarding location data collection.

Blackbaud data breach settlement

In October 2023, the Attorney General participated in a settlement with software company Blackbaud related to a 2020 ransomware breach that exposed the personal, financial and health information of millions of consumers. The Attorney General alleged that Blackbaud committed unfair and deceptive practices under the MMPA by failing to implement reasonable data security measures and delaying notifying affected consumers. The multistate settlement totalled USD49.5 million. 

Meta youth safety litigation

Missouri joined 33 states in October 2023 in suing Meta, alleging that Facebook and Instagram employed manipulative design features targeting young users. Among other things, the complaint alleged that Meta violated the Children’s Online Privacy Protection Act (COPPA) by collecting data from users under 13 years of age without parental consent. The Missouri Attorney General alleged misrepresentation, deception, concealment and unfair practices under the MMPA.

Other Attorney General MMPA enforcement

Beyond filing MMPA enforcement lawsuits, the Missouri Attorney General has a powerful investigative tool at its disposal: the civil investigative demand (CID). Under Section 407.040 of the Missouri Revised Statutes, when it appears to the Attorney General that a person has engaged in or is engaging in any method, act, use, practice or solicitation declared unlawful under the MMPA – or when the Attorney General believes an investigation is in the public interest – the Attorney General may issue a CID requiring a person to appear and testify or to produce relevant documentary material or physical evidence. A CID functions similarly to an administrative subpoena and is a pre-litigation investigative mechanism.

The Attorney General’s CID power is not unlimited. Both the statute and constitutional principles constrain the scope of any demand, and a business that receives a CID is not without recourse. A business may petition the court to set aside or limit a CID, and such challenges can raise both statutory and constitutional arguments.

The Missouri Attorney General has also promulgated privacy-related regulations under the MMPA. Most recently, the Attorney General instituted an age verification regulation for websites containing sexually explicit material. The rule, 15 CSR 60-18.010 et seq, applies to any website, application or self-contained sexual content segment where a “substantial portion” – defined as 33% or more – of publicly available content is “pornographic for minors”. It mandates that covered entities verify users’ ages through one of several methods:

  • digital identification, defined as information stored on a digital network that serves as proof of the identity of an individual;
  • government-issued photo identification;
  • a commercially reasonable method that relies on public or private transactional data to verify the age of the individual, such as records from mortgage, education and employment entities; or
  • an equally effective alternative method approved by the Attorney General.

As implemented in other states, approved age verification methods may include facial analysis technology, where the user submits selfies from which an AI algorithm estimates whether the individual is over the age of 18.

The rule expressly prohibits covered entities from retaining personally identifying information after the verification process is complete, reflecting an awareness of the data privacy risks inherent in identity verification at scale. Some platforms have elected to geo-block Missouri users rather than comply with the new rule.

The Injury Hurdle: Why Private MMPA Claims Are So Difficult

While the Attorney General has wide latitude in bringing MMPA enforcement actions, private plaintiffs face a far more constrained path, particularly with respect to the statute’s damages requirements. Section 407.025 and associated case law require private plaintiffs to establish three elements:

  • that the plaintiff acted as a reasonable consumer in light of all circumstances;
  • that the unlawful method, act or practice would cause a reasonable person to enter into the transaction that resulted in damages; and
  • that there are individual damages with “sufficiently definitive and objective evidence to allow the loss to be calculated with a reasonable degree of certainty”.

The first hurdle may result in dismissal early on at the pleading stage. Whether an alleged practice is likely to mislead a reasonable consumer is distinct from the heightened pleading standard for fraud claims, but it imposes a meaningful threshold that privacy plaintiffs must clear before reaching discovery or damages questions.

This last requirement – the “ascertainable loss” standard – is the central obstacle for privacy plaintiffs. Missouri courts have strictly applied this standard to require concrete, quantifiable evidence of monetary loss.

The implications for privacy cases are significant. Traditional privacy harms – such as lost time, anxiety, reputational risk, or the abstract diminution in the value of personal data – are inherently difficult to reduce to a dollar figure. A plaintiff whose browsing data was secretly shared with an advertising platform may feel genuinely violated, but that may not easily translate to provable loss under the MMPA. 

Missouri courts have recognised the “benefit-of-the-bargain” rule as a viable damages theory in MMPA cases. Under this approach, damages are measured as the difference between the actual value of the property and its value as represented. In theory, a plaintiff could argue that a service promising data confidentiality was worth less than what was paid because the provider was secretly sharing data with third parties. However, this theory remains untested.

Taken together, the reasonable consumer and ascertainable loss requirements create formidable obstacles for establishing privacy harm under the MMPA. No Missouri court has yet sustained a private MMPA claim arising from unauthorised data sharing, data breach or similar conduct.

In Kuhns v Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017), the Eighth Circuit affirmed the dismissal of MMPA claims brought by customers alleging that a brokerage firm failed to implement adequate data security measures and failed to discover and promptly notify customers of a data breach. The court noted that the MMPA requires the alleged unlawful act to occur in relation to a sale of merchandise and that it result in identifiable financial harm connected to the merchandising practice. The claims did not meet these requirements because the defendant did not sell data security services, but rather implemented security measures inducing customers to transfer their personal information in order to obtain its brokerage services. The decision underscores that businesses facing data breach litigation in Missouri may have viable defences under the MMPA’s merchandise and loss requirements, but it also highlights the importance of ensuring that representations about data security practices are accurate and not misleading.

As matters currently stand, the Missouri Attorney General – who faces none of the damages, pleading or standing constraints that burden private litigants – has been the primary enforcer of the MMPA in the data privacy space.

Missouri’s Wiretapping Law and the Online Tracking Frontier

Missouri is a one-party consent state as regards its wiretapping and electronic surveillance laws, Section 542.400 et seq of the Missouri Revised Statutes. This stands in contrast to “two-party” or “all-party” consent jurisdictions such as California and Florida, where all participants must consent for a recording to be lawful. The one-party consent framework means that, in most circumstances, businesses recording customer service calls or other communications face a less onerous legal standard in Missouri than they would in an all-party consent jurisdiction.

However, Missouri’s one-party consent rule comes with an important caveat. Under Missouri’s wiretapping statute, it is lawful for one party to a communication to intercept that communication only where the interception is not carried out “for the purpose of committing any criminal or tortious act”. This “tortious purpose” exception is a distinctive feature of Missouri’s wiretapping statute and has emerged as a significant source of litigation risk in the online tracking context.

A growing number of plaintiffs across the country have brought wiretapping claims against companies that deploy online tracking technologies such as the Meta Pixel on their websites. The theory is straightforward: when a company embeds a tracking pixel that intercepts and transmits the contents of a user’s communications to a third party such as Facebook, the company has “intercepted” a “wire communication” within the meaning of the wiretapping statute.

This theory has gained traction in Missouri. In Jane Doe v SSM Health Care Corporation, No 2222-CC10014-01 (Mo. Cir. Ct. City of St Louis, filed 25 September 2024), the plaintiff alleged that SSM Health embedded Meta Pixel and Facebook’s Conversions API on its hospital websites and patient portal, which caused patients’ sensitive medical information – including search queries about medical conditions, doctor appointments and patient portal interactions – to be secretly transmitted to Facebook along with personally identifying information such as Facebook user IDs and IP addresses. The plaintiff asserted, among other claims, that SSM Health violated Missouri’s wiretapping statute by intercepting patients’ wire communications for the purpose of committing criminal and tortious acts, including invasion of privacy, breach of the fiduciary duty of confidentiality, and conversion of patients’ personal health information. While the parties settled in November 2025, the case notably survived a motion to dismiss, signalling that Missouri courts are willing to entertain wiretapping claims premised on deployment of online tracking technologies.

The implications are significant. Unlike the MMPA’s private right of action, which requires proof of ascertainable monetary loss, the Missouri wiretapping statute provides for statutory damages (liquidated damages computed at the rate of USD100 per day of violation or USD10,000, whichever is greater), punitive damages (for wilful or intentional violations) and attorneys’ fees. The question remains open as to whether Missouri’s wiretapping statute extends to data practices such as pixel tracking, session replay technology, or the covert sharing of browsing data with third parties.

Other Privacy-Related Statutes

Although Missouri lacks a comprehensive privacy law, it has enacted several narrower statutes that touch on data protection, including the following under the Missouri Revised Statutes:

  • Section 407.1355 prohibits the public posting or display of Social Security numbers, requires secure transmission of Social Security numbers over the internet, and bars employers from requiring employees to use their Social Security numbers as employee identification numbers;
  • Section 407.433 restricts the disclosure of credit and debit card account numbers on sales receipts, prohibiting the display of more than the last five digits; and
  • Section 362.422 mirrors federal Gramm-Leach-Bliley Act requirements to prohibit financial institutions from disclosing non-public personal information to non-affiliated third parties and requiring privacy notices to customers.

These provisions, while limited in scope, reflect a legislative awareness of specific data protection risks and should be accounted for in any Missouri-focused compliance programme.

Biometric Privacy

Missouri has not enacted a general biometric privacy statute. There is no Missouri law analogous to the Illinois Biometric Information Privacy Act, which has generated a wave of class action litigation in that state. Missouri businesses that collect fingerprints, facial geometry or other biometric identifiers are not subject to a standalone state law governing biometric data collection, consent, retention or destruction.

That said, Missouri does regulate biometric data in at least one narrow context. Section 313.817(5), enacted as part of the state’s Licensed Gaming Activities framework, prohibits excursion gambling boats (known locally as riverboat casinos) from requiring patrons to provide fingerprints, retinal scans, biometric forms of identification, or patron-tracking cards as a condition of entry.

Businesses operating in Missouri should not assume that the absence of a general biometric privacy law eliminates risk entirely. The MMPA’s broad prohibition against unfair and deceptive practices could apply to biometric data collection that is misleading or inadequately disclosed.

Healthcare Data Privacy

Healthcare data privacy is an area of evolving complexity in Missouri. Missouri has enacted a patchwork of state statutes protecting the confidentiality of specific categories of medical information. These include laws governing the confidentiality of HIV records (Section 191.656), genetic information (Section 375.1309), mental health records (Section 630.140), cancer registry data (Section 192.655) and newborn hearing screening results (Section 191.928). Abortion reports submitted to the Department of Health and Senior Services are also subject to confidentiality requirements under Section 188.070. These laws intersect with Missouri’s unsettled legal landscape for reproductive and gender transition services, which present significant questions about the handling and reporting of sensitive health data for businesses in the healthcare sector, particularly when complying with the Attorney General’s investigations into such services.

The Insurance Data Security Act – New Compliance Requirements

One of the most significant recent developments in Missouri’s data privacy landscape is the Insurance Data Security Act, which took effect on 1 January 2026. This law establishes comprehensive data security standards for insurers, insurance producers and other licensed entities operating in the state. Missouri’s enactment aligns the state with the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, which has now been adopted by more than 30 states.

The Act imposes substantial new compliance obligations on covered entities, with limited exemptions for certain licensees already subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act. At its core, the law requires each licensee to develop and maintain a written information security programme tailored to the organisation’s size, complexity, use of third-party service providers, and the sensitivity of the non-public information it handles. The law imposes a four-business-day notification requirement for cybersecurity incidents that meet a certain threshold (such as when an event involves 250 or more Missouri consumers’ non-public information), which is notably more compressed than the general breach notification standard in Section 407.1500. For insurers and producers that had not previously been subject to a sector-specific data security mandate at the state level, the Act represents a meaningful shift in the compliance landscape.

Legislative Updates

The Missouri legislature has declined to advance any recent bills proposing to enact a comprehensive consumer privacy act. However, the Missouri legislature is currently considering Senate Bill No 1359, which proposes a Biometric Information Privacy Act (BIPA). Unlike Illinois’ BIPA, which is consent-centric and enforced through a private right of action, Missouri’s BIPA would limit liability by creating a safe harbour for businesses using biometric identifiers, so long as those businesses meet certain compliance standards for consumer notice, retention policies and data security.

The Missouri legislature is also reviewing a proposed Artificial Intelligence Transparency and Accountability Act (SB 1324), which would require labelling of AI-generated content and consent for using a real person’s likeness. SB 1324 would authorise enforcement by the Attorney General and by private plaintiffs.

The state house is reviewing House Bill No 3393, which would prohibit social media platforms from allowing persons under 16 years of age to create or maintain accounts separate from a parent or guardian, while minors aged 16 or 17 could hold accounts only with verified parental consent. The bill would also target “addictive or manipulative platform design” by prohibiting features such as infinite-scroll mechanisms and auto-playing content without time-limit controls. The bill would also create a private right of action for parents or legal guardians of harmed minors.

Conclusion

Missouri’s privacy enforcement landscape is defined by the creative and aggressive application of the MMPA rather than by a purpose-built privacy statute. The Attorney General’s office has demonstrated a willingness to reach data collection, use and sharing practices through the MMPA’s broad prohibition on unfair and deceptive conduct. While the courts have yet to fully test those theories, the enforcement record alone carries compliance weight. Companies operating in or serving Missouri consumers would be well advised to audit their data practices with the pixel litigation in mind, scrutinise privacy disclosures for accuracy against actual data use, and account for the sector-specific obligations layered beneath the MMPA – particularly where health data, financial information or minors are involved.

The absence of a comprehensive privacy law in Missouri should not be mistaken for the absence of meaningful privacy risk. To the contrary, the current patchwork of statutes and regulations heightens operational risk and requires diligent, ongoing compliance review.

Sandberg Phoenix & von Gontard, P.C.

701 Market Street
Suite 600
St. Louis
Missouri 63101
USA

+1 314 231 3332

+1 314 241 7604

sbrody@sandbergphoenix.com www.sandbergphoenix.com