SF0065 • 2025

Data privacy-government entities.

AN ACT relating to the administration of the government; requiring government entities to adopt policies for the collection, access, security and use of personal data as specified; requiring specific personal data policies; providing definitions; specifying applicability; and providing for effective dates.

Education Privacy Technology
Did Not Pass

The latest official action shows that this bill did not move forward in that session.

Sponsor: BlockChain/Technology
Last action: 2025-02-28
Official status: inactive
Effective date: 3/1/2025

Plain English Breakdown

The bill did not pass and was not considered by the House Committee of the Whole on February 28, 2025.

Data Privacy Rules for Government

This act requires government entities in Wyoming to create policies for collecting, accessing, securing, and using personal data.

What This Bill Does

  • Requires government entities to make rules about collecting, accessing, storing, and using personal information.
  • Limits how government entities can share personal data with other groups or businesses.
  • Allows residents to ask for copies of their personal data from government entities.

Who It Names or Affects

  • Government entities in Wyoming
  • Residents of Wyoming who have personal information stored by government entities

Terms To Know

Deidentified data: Data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person.

Personal digital identity: A unique identifier for an individual in the digital world as defined by Wyoming law.

Limits and Unknowns

  • The bill did not pass and was not considered by the House Committee of the Whole on February 28, 2025.
  • Some parts of the act will only take effect after certain dates: July 1, 2027 for counties, cities, or towns; July 1, 2028 for other political subdivisions.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

SF0065HS001

Standing Committee • House Minerals, Business and Economic Development

Filed

Plain English: The amendment adds public institutions of higher education to the list of entities required to adopt policies for handling personal data.

  • Adds public institutions of higher education to the list of government entities that must follow specific personal data policies.
  • The exact details of how these new requirements will be implemented and enforced are not specified in this amendment text.

SF0065SW001

Committee of the Whole • Senator Rothfuss

Adopted

Plain English: The amendment adds a new provision to exempt government entities that comply with certain health and education data protection laws from additional requirements under the bill.

  • Adds an exemption for government entities that are already compliant with HIPAA (Health Insurance Portability and Accountability Act) or FERPA (Family Education Rights and Privacy Act).
  • Specifies that compliance with these existing laws is sufficient to meet the data collection and retention requirements of the bill.
  • The amendment does not specify how compliance with HIPAA or FERPA will be verified.
  • It's unclear if this exemption applies only to specific types of personal data or all data covered by the bill.

SF0065SS001

Standing Committee • Senate Minerals, Business and Economic Development

Adopted

Plain English: The amendment adds rules for government entities to transfer personal data to non-government contractors, requiring the protection of this data and its destruction once it's no longer needed.

  • Government entities can now transfer personal data to non-government contractors who help provide government services.
  • Contracts with these contractors must include requirements to protect personal data.
  • Contractors must return or destroy personal data after it is no longer necessary for the service.
  • Contractors are not allowed to keep, sell, transfer, process, or use personal data in any way except as needed for their contracted services.
  • The exact details of how contractors will protect and handle personal data are not specified beyond what is necessary for the service.

Bill History

  1. 2025-02-28 House

    H COW:H Did not consider for COW

  2. 2025-02-26 House

    H Placed on General File

  3. 2025-02-26 House

    H09 - Minerals:Recommend Amend and Do Pass 7-1-1-0-0

  4. 2025-02-13 House

    H Introduced and Referred to H09 - Minerals

  5. 2025-02-04 House

    H Received for Introduction

  6. 2025-02-03 Senate

    S 3rd Reading:Passed 31-0-0-0-0

  7. 2025-01-31 Senate

    S 3rd Reading:Laid Back

  8. 2025-01-30 Senate

    S 2nd Reading:Passed

  9. 2025-01-29 Senate

    S COW:Passed

  10. 2025-01-24 Senate

    S Placed on General File

  11. 2025-01-24 Senate

    S09 - Minerals:Recommend Amend and Do Pass 5-0-0-0-0

  12. 2025-01-14 Senate

    S Introduced and Referred to S09 - Minerals

  13. 2025-01-02 Senate

    S Received for Introduction

  14. 2024-12-28 LSO

    Bill Number Assigned

Current Bill Text

2025
STATE OF WYOMING
25LSO-0088
ENGROSSED
3.0

SENATE FILE NO. SF0065

Data privacy-government entities.

Sponsored by: Select Committee on Blockchain, Financial Technology and Digital Innovation Technology

A BILL

for

AN ACT relating to the administration of the government; requiring government entities to adopt policies for the collection, access, security and use of personal data as specified; requiring specific personal data policies; providing definitions; specifying applicability; and providing for effective dates.

Be It Enacted by the Legislature of the State of Wyoming:

Section 1. W.S. 9‑21‑201 and 9‑21‑202 are created to read:

ARTICLE 2
DATA PRIVACY‑GOVERNMENT ENTITIES

9‑21‑201. Definitions.

(a) As used in this article:

(i) "Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person or personal digital identity or a device linked to a natural person or personal digital identity, if the government entity that possesses the data takes reasonable measures to ensure the data cannot be associated with a natural person or personal digital identity;

(ii) "Government entity" means the state and all its political subdivisions, agencies, instrumentalities and institutions and any local government entity. "Government entity" shall not include the judicial branch of government or any law enforcement agency in Wyoming;

(iii) "Identified or identifiable natural person" means a natural person who can be readily identified, directly or indirectly, by reference to an identifier such as a name, an identification number, specific geolocation data or an online identifier;

(iv) "Law enforcement agency" means a county, municipal, college or university police force, Wyoming highway patrol, the division of criminal investigation, the department of corrections or any state or local agency or political subdivision or part of an agency or political subdivision to the extent that the primary purpose of the agency or political subdivision, or part thereof, is the prevention or investigation of crime or the enforcement of penal, traffic, regulatory or criminal laws. "Law enforcement agency" shall not include the office of any city, county or district attorney or other division of the attorney general;

(v) "Personal data" means information that is linked or reasonably linkable to an identified or identifiable natural person or personal digital identity and does not include deidentified data;

(vi) "Personal digital identity" means as defined in W.S. 8‑1‑102(a)(xviii).

9‑21‑202. Limitations on personal data by government entities; conflict of laws.

(a) No government entity shall purchase, sell, trade or transfer personal data without the express written consent of the natural person except as otherwise expressly provided by law and except that:

(i) A government entity may transfer personal data to another government entity provided that the other government entity complies with this article;

(ii) A government entity may transfer personal data to nongovernment entity contracted by the government entity to provide or assist with government services provided by the government entity. Any contract for services with a nongovernment entity shall include requirements for the protection of personal data consistent with this article. Any personal data transferred pursuant to this paragraph shall be returned or destroyed by the nongovernment entity once the personal data is no longer necessary for the provision of the government service. No nongovernment entity shall maintain, sell, transfer, process or otherwise use the personal data in any manner except as necessary to provide the contracted service;

(iii) A government entity may petition the elected governing person or body with direct authority over the government entity for an exception to this subsection on a case by case basis. The elected governing person or body, in the elected governing person's or body's discretion, may publicly approve in writing an exception to this subsection not to exceed a term of two (2) years per petition; and

(iv) Nothing in this subsection shall be construed to prohibit the transfer of personal data in a manner that is otherwise compliant with the Health Insurance Portability and Accountability Act or the Family Education Rights and Privacy Act.

(b) Any Wyoming resident may request a copy of their personal data from any government entity maintaining it. The government entity may charge a fee for production of the requested personal data consistent with fees authorized to be charged under the Wyoming Public Records Act, W.S. 16‑4‑201 through 16‑4‑205.

(c) A Wyoming resident who objects to the accuracy, completeness, pertinence, timeliness, relevance, retention, dissemination or denial of access to the resident's own personal data that is maintained by a government entity may, individually or through a duly authorized representative, file an objection with the government entity that maintains the data. The government entity maintaining the personal data shall, within sixty (60) days of the receipt of an objection:

(i) Investigate the validity of the objection;

(ii) If the objection is found to be meritorious after investigation, alter the contents of, or the methods for holding, or the dissemination or use of the personal data, or delete or grant access to it;

(iii) If the objection is found to lack merit after investigation, provide the resident the opportunity to have a statement reflecting the resident's views maintained and disseminated with the personal data in question;

(iv) Notify the resident in writing of any decision regarding the resident's objection.

(d) To the extent that a provision of this article conflicts with another provision of state or federal law, the other provision shall control.

Section 2. W.S. 9‑21‑203 is created to read:

9‑21‑203. Personal data collection and retention by government entities.

(a) In addition to the policies required under W.S. 9‑21‑101, if applicable, each government entity that collects or retains personal data shall adopt, enforce and maintain a policy regarding the collection, access, retention, security and use of personal data consistent with all applicable federal and state laws, including this article.

(b) No government entity shall collect or maintain more personal data than is reasonably necessary for the performance of the government entity's lawful functions. All personal data collected and maintained by government entities shall be necessary for a specific pre‑defined purpose.

(c) No government entity shall maintain personal data for longer than three (3) years without an express written policy identifying the extended retention period and providing a reasonable justification for the extended retention period. Statutory retention requirements provided for in W.S. 9‑2‑405 through 9‑2‑413 constitute a reasonable justification.

(d) A government entity to which the Health Insurance Portability and Accountability Act or the Family Education Rights and Privacy Act applies that is compliant with a written data collection and retention policy that meets the requirements of the Health Insurance Portability and Accountability Act or the Family Education Rights and Privacy Act shall be deemed compliant with this section.

Section 3.

Not later than January 1, 2026, the state chief information officer in consultation with the state archivist shall develop sample policies for use by state agencies, counties, cities, towns and other political subdivisions consistent with the requirements of this act.

Section 4. W.S. 9‑2‑203 as created by section 2 of this act shall be effective as to counties, cities or towns on July 1, 2027 and as to each political subdivision of the state other than state agencies, counties, cities or towns on July 1, 2028. All state agencies, counties, cities, towns and other political subdivisions shall adopt any necessary policies and procedures to meet the requirements of this act.

Section 5.

(a) Section 2 of this act is effective July 1, 2026.

(b) Sections 1, 3, 4 and 5 of this act are effective immediately upon completion of all acts necessary for a bill to become law as provided by Article 4, Section 8 of the Wyoming Constitution.

(END)
