North Dakota
North Dakota Data Privacy Laws: Breach Notification & Consumer Rights (2026)
North Dakota does not have a comprehensive consumer data privacy law as of May 2026. The state's primary protection is N.D. Cent. Code Chapter 51-30, which requires businesses to notify residents and the Attorney General after a breach of unencrypted personal information. HB 1127 adds data security rules for certain financial corporations.
North Dakota takes a sectoral approach to data privacy rather than enacting a single comprehensive consumer privacy law. The state has not passed legislation equivalent to the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA). Instead, North Dakota residents and businesses navigate several targeted statutes that address specific aspects of data protection.
The most significant of these is N.D. Cent. Code Chapter 51-30, the state's data breach notification law. Additional protections come from Chapter 51-33 on credit security freezes, criminal identity theft statutes, and HB 1127, which targets data security for certain financial corporations. Federal laws including HIPAA, FERPA, the Gramm-Leach-Bliley Act, and the TAKE IT DOWN Act fill remaining gaps.
This guide covers every active North Dakota data privacy statute, what protections each provides, who must comply, and what penalties apply for noncompliance.
North Dakota Data Breach Notification Law (N.D. Cent. Code Chapter 51-30)
North Dakota's data breach notification statute, codified in N.D. Cent. Code Chapter 51-30, has been the state's cornerstone data privacy protection since its enactment in 2005. The law was amended in 2013 by H.B. 1435 and again in 2015 by S.B. 2214 to expand the definitions of protected information and strengthen reporting requirements.
Who Must Comply
Any person or entity that conducts business in North Dakota and owns or licenses computerized data containing personal information must comply with Chapter 51-30. This includes corporations, partnerships, sole proprietors, nonprofit organizations, and government agencies. The law applies regardless of where the entity is headquartered, so long as it holds data belonging to North Dakota residents.
What Is a Breach Under North Dakota Law
Under Section 51-30-01, a "breach of the security system" means the unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.
There is an important exception: good-faith acquisition of personal information by an employee or agent of the entity does not constitute a breach, provided the personal information is not used or subject to further unauthorized disclosure.
Definition of Personal Information
North Dakota defines "personal information" broadly under Section 51-30-01(4). It means an individual's first name or first initial and last name in combination with any of the following data elements:
| Protected Data Element | Description |
|---|---|
| Social Security number | Full SSN in any format |
| Driver's license or state ID number | North Dakota or any other state's license or non-driver ID |
| Financial account numbers | Bank account, credit card, or debit card numbers with any required security code, access code, or password |
| Date of birth | Month, day, and year of birth |
| Mother's maiden name | As commonly used for security verification |
| Medical information | Health or medical records, health insurance information |
| Employer ID numbers | With any required security code, access code, or password |
| Digital signatures | Electronic signature data |
Information that is publicly available from federal, state, or local government records is excluded from the definition of personal information.
Encryption Safe Harbor
If personal information is encrypted or rendered unreadable or unusable through any method or technology, the data does not meet the definition of "personal information" under the statute. A breach involving only properly encrypted data does not trigger notification obligations. This encryption safe harbor gives businesses a strong incentive to encrypt personal information at rest and in transit.
Notification Requirements to Consumers
Under Section 51-30-02, any entity that experiences a breach must disclose the breach to any North Dakota resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The notification must be made "in the most expedient time possible and without unreasonable delay." North Dakota does not set a specific day count for consumer notification. The timeline may account for the legitimate needs of law enforcement and measures necessary to determine the scope of the breach and restore the integrity of the data system.
Unlike some states that require a risk-of-harm analysis before triggering notification, North Dakota has no harm threshold. If unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person, notification is required regardless of the likelihood of actual harm.
Notification to the Attorney General
Any entity that experiences a breach affecting more than 250 individuals must also notify the North Dakota Attorney General by mail or electronic mail, without unreasonable delay. The Attorney General maintains a public data breach notices page where residents can review reported breaches.
Third-Party Notification Obligations
Under Section 51-30-03, any entity that maintains computerized data containing personal information on behalf of another entity must notify the data owner or licensee immediately upon discovering a breach. The data owner or licensee then bears the responsibility for notifying affected consumers and the Attorney General.
Methods of Notification
Section 51-30-05 establishes three permissible methods for providing breach notification:
Written notice. A letter sent to the individual's last known mailing address.
Electronic notice. Email or other electronic communication, provided the notice complies with the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. Section 7001).
Substitute notice. An entity may use substitute notice if it demonstrates that the cost of providing direct notice would exceed $250,000, the affected class exceeds 500,000 individuals, or the entity does not have sufficient contact information. Substitute notice requires all three of the following: email notice (if the entity has email addresses), conspicuous posting on the entity's website, and notification to major statewide media.
Delayed Notice for Law Enforcement
Section 51-30-04 allows notification to be delayed if a law enforcement agency determines that it would impede a criminal investigation. The entity must provide notification as soon as the law enforcement agency advises that the notification will no longer compromise the investigation.
Alternate Compliance
Section 51-30-06 provides that an entity is deemed in compliance with Chapter 51-30 if it maintains its own notification procedures as part of an information security policy, provided those procedures are consistent with the timing requirements of the statute. Entities that comply with breach notification requirements under federal law (such as HIPAA or GLBA) are also considered compliant.
Enforcement and Penalties
The North Dakota Attorney General enforces Chapter 51-30 under the authority provided in Chapter 51-15. Under Section 51-30-07, a violation of Chapter 51-30 is treated as a violation of Chapter 51-15.
| Enforcement Tool | Details |
|---|---|
| Civil penalties | Up to $5,000 per violation |
| Injunctive relief | Temporary or permanent injunction |
| Attorney fees and costs | Recoverable by the state |
| Investigation powers | Full Chapter 51-15 investigative authority |
There is no private right of action under Chapter 51-30. Individual consumers cannot file lawsuits against businesses for breach notification failures. Enforcement authority belongs exclusively to the Attorney General.
HB 1127: Financial Corporation Data Security (Effective August 1, 2025)
In 2025, North Dakota significantly expanded its data protection framework by enacting House Bill 1127, signed by Governor Kelly Armstrong on April 11, 2025. The law creates Chapter 13-01.2 of the North Dakota Century Code and imposes comprehensive data security requirements on certain financial corporations. Analysts have described HB 1127 as closely mirroring the FTC's Gramm-Leach-Bliley Act Safeguards Rule, extending equivalent protections to non-bank financial entities that were previously subject only to Chapter 51-30.
Who Is Covered by HB 1127
HB 1127 applies to financial corporations regulated by the North Dakota Department of Financial Institutions that are not otherwise regulated as banks or credit unions. Covered entities include:
- Trust companies
- Mortgage lenders
- Cryptocurrency kiosk operators
- Collection agencies
- Debt settlement providers
- Money brokers
- Money transmitters
- Payday lenders
Banks, credit unions, and entities already regulated under other frameworks are expressly excluded.
Required Information Security Program
Every covered financial corporation must develop and maintain a comprehensive, written information security program tailored to the organization's size, complexity, and the sensitivity of the customer information it handles. The program must include:
- Designation of one or more employees responsible for overseeing the program
- Risk assessment identifying reasonably foreseeable threats
- Evaluation of existing policies and procedures
- Implementation of appropriate controls to manage identified threats
- Annual penetration testing and regular testing of security measures
- Multifactor authentication for systems containing customer information
- Employee security awareness training
- Periodic review of data retention policies
Data Disposal Requirements
HB 1127 requires covered entities to securely dispose of all customer information within two years of the information being used in connection with a product or service, unless the information is necessary for ongoing business operations, required to be retained by law, or disposal is not reasonably feasible.
Breach Notification Under HB 1127
Financial corporations covered by HB 1127 must notify the Department of Financial Institutions as soon as possible and no later than 45 days after discovering a breach involving the information of at least 500 consumers. A breach is considered "discovered" on the first day the institution becomes aware of the event. Knowledge held by any employee, officer, or agent is attributed to the institution.
Penalties Under HB 1127
| Penalty Type | Amount |
|---|---|
| Per-violation fine | Up to $100,000 |
| Continuing violation | $1,000 per day after service of an order |
| Cease-and-desist orders | Issued by the Department of Financial Institutions |
| License consequences | Suspension or revocation |
| Personnel actions | Removal of responsible executives or employees |
These penalties are substantially more severe than those under Chapter 51-30 and reflect the heightened data security expectations for financial institutions.
Insurance Data Security (N.D. Cent. Code Chapter 26.1-02.2)
North Dakota regulates data security in the insurance industry through Chapter 26.1-02.2. This chapter was updated by Senate Bill 2088 during the 69th Legislative Assembly, with updated requirements effective August 1, 2025.
Who Must Comply
All individuals and entities licensed by the North Dakota Insurance Department must comply, including insurance companies, producers and agencies, third-party administrators, managing general agents, and other licensed organizations.
Key Requirements
Licensed insurers must conduct a self-assessment and implement a written Information Security Program commensurate with the licensee's size, complexity, and the nature of its activities. Minimum elements include designating employees to oversee the program, identifying reasonably foreseeable threats, assessing the likelihood and impact of those threats, reviewing the sufficiency of existing policies, and implementing appropriate controls.
Cybersecurity Event Reporting
Licensees must promptly investigate potential cybersecurity events and notify the Insurance Commissioner within three business days if certain thresholds are met. The consumer notification standards from Chapter 51-30 are incorporated by reference.
Licensees subject to HIPAA may be exempt from certain program requirements, but they are not exempt from the notification obligations to the Insurance Commissioner.
Credit Security Freeze Rights (N.D. Cent. Code Chapter 51-33)
North Dakota law gives consumers the right to place a security freeze on their credit file under Chapter 51-33. A security freeze prohibits a consumer reporting agency from releasing any information in the consumer's credit file without express authorization.
How Credit Freezes Work in North Dakota
A credit security freeze prevents creditors from accessing your credit report, which effectively stops anyone from opening new credit accounts in your name without your knowledge. When you place a freeze, the consumer reporting agency must provide you with a personal identification number (PIN) or password within five business days. You use this PIN to temporarily lift or permanently remove the freeze when needed.
Cost and Timeline
Under both North Dakota law and the federal Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018, credit freezes are free for all consumers. There is no charge to place, temporarily lift, or remove a security freeze.
Enforcement
Chapter 51-33 provides both private enforcement (consumers can sue directly) and enforcement by the Attorney General. This is one of the few North Dakota data privacy statutes that grants individuals a private right of action.
Identity Theft Protections in North Dakota
Criminal Identity Theft Statute
Identity theft is a criminal offense under N.D. Cent. Code Chapter 12.1-23 (Theft and Related Offenses). The statute addresses both identity theft that causes economic loss and identity theft for other purposes.
| Offense Level | Conditions | Maximum Penalty |
|---|---|---|
| Class A misdemeanor | First offense, no economic loss | Up to 360 days in jail, $3,000 fine |
| Class C felony | Economic loss of any amount (first offense) | Up to 5 years in prison, $10,000 fine |
| Class B felony | Economic loss exceeding $1,000 | Up to 10 years in prison, $20,000 fine |
| Class C felony | Second or subsequent offense (any amount) | Up to 5 years in prison, $10,000 fine |
A person can be charged with identity theft regardless of whether the victim suffers actual economic or monetary loss. Simply using another person's identifying information without authorization is sufficient for prosecution.
Reporting Identity Theft
The North Dakota Attorney General's Consumer Protection Division recommends that identity theft victims take immediate steps including:
- File a police report with your local law enforcement agency
- Contact the three major credit bureaus (Equifax, Experian, TransUnion) to place fraud alerts
- Consider placing a credit security freeze under Chapter 51-33
- File a complaint with the FTC at IdentityTheft.gov
- Contact the Attorney General's Consumer Protection Division at (701) 328-3404
AG Enforcement Actions
Google Location Tracking Settlement (November 2022)
In November 2022, Attorney General Drew Wrigley joined a 40-state coalition that reached a $391.5 million multistate settlement with Google over deceptive location-tracking practices. North Dakota received $4.1 million from the settlement.
The investigation found that Google continued tracking users' location data even after they had explicitly disabled location settings, beginning in 2018. As part of the settlement, Google agreed to provide enhanced transparency when users adjust location settings, make key tracking details easily accessible, and offer detailed explanations about data collection types and usage. This remains the largest multistate Attorney General privacy settlement in U.S. history.
Federal Laws That Protect North Dakota Residents
Because North Dakota has not enacted a comprehensive consumer privacy law, federal statutes play a critical role in protecting residents' personal information.
TAKE IT DOWN Act (Pub. L. 119-12, Signed May 19, 2025)
The TAKE IT DOWN Act is the first federal law specifically targeting nonconsensual intimate imagery (NCII) and deepfake sexual content. President Trump signed it on May 19, 2025. Platform compliance obligations became enforceable by the FTC on May 19, 2026.
Under Section 3 of the Act, covered platforms must provide a process for people to request the removal of intimate photos or videos shared without their consent. When a covered platform receives a valid request, it must remove the content and any known identical copies within 48 hours. The FTC treats violations as unfair or deceptive trade practices under the FTC Act, with civil penalties up to $53,088 per violation.
In advance of the May 2026 enforcement deadline, FTC Chairman Andrew Ferguson sent formal warning letters to more than a dozen major platforms, including Meta, Apple, Microsoft, TikTok, Reddit, Snapchat, and X. North Dakota residents who are victims of NCII can submit removal requests directly through covered platforms under this federal framework.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects health information held by covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically). Under HIPAA's Privacy Rule, North Dakota residents have the right to access their medical records and request corrections. The North Dakota Department of Health and Human Services oversees state-level compliance.
North Dakota law allows health care providers to charge up to $20 for the first 25 pages of medical records and $0.75 per page thereafter. However, HIPAA's "reasonable, cost-based fee" standard may override this state fee schedule when it provides greater protection to the consumer.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects student education records at institutions receiving federal funding. The North Dakota Department of Public Instruction enforces FERPA compliance across public K-12 schools. Students and parents have the right to inspect education records within 45 days of a request and to request amendments to inaccurate records.
The North Dakota Statewide Longitudinal Data System (SLDS) follows strict state and federal privacy standards, including FERPA, when managing education data across state systems.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive consumer data. The FTC's Safeguards Rule, updated in 2023, requires covered financial institutions to implement comprehensive security programs. North Dakota's HB 1127 was specifically modeled after the GLBA Safeguards Rule to extend similar protections to non-bank financial corporations.
Children's Online Privacy Protection Act (COPPA)
COPPA requires website operators and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information. This federal law applies to all businesses operating in North Dakota that collect data from children online.
FTC Act Section 5
The Federal Trade Commission Act Section 5 prohibits unfair or deceptive acts or practices in commerce. The FTC regularly uses Section 5 authority to pursue data security failures and deceptive privacy policies. The Google location-tracking settlement, announced in November 2022 and involving 40 state attorneys general including North Dakota, arose from conduct that also implicated FTC Act standards.
American Privacy Rights Act (APRA)
Congress introduced the American Privacy Rights Act in April 2024 as a potential federal comprehensive privacy law. The bill passed the House Energy and Commerce Committee but stalled over disputes about preemption of state laws, a private right of action, and automated decision-making provisions. The 118th Congress adjourned in January 2025 without passing APRA. The bill was not reintroduced in the 119th Congress (2025-2026) as of May 2026. North Dakota residents have no federal comprehensive privacy rights as a result.
Proposed State Privacy Legislation
North Dakota has attempted but not yet enacted comprehensive consumer privacy legislation. During the 2025 legislative session (69th Legislative Assembly), a proposed bill would have prohibited the sale of a user's protected data without consent and authorized a private right of action with minimum damages. The bill did not advance through the legislative process.
A previous attempt, HB 1330, also proposed comprehensive data protection requirements but failed to pass. As of May 2026, North Dakota remains without a comprehensive consumer data privacy law.
Businesses operating in North Dakota should monitor the 70th Legislative Assembly (2027) and subsequent sessions, as national momentum toward comprehensive state privacy laws continues to grow. Twenty-two states had enacted comprehensive consumer privacy laws as of May 2026.
How North Dakota Compares to Other States
North Dakota's sectoral approach differs significantly from states with comprehensive privacy laws. Here is how the state compares on key provisions.
| Feature | North Dakota | California (CCPA/CPRA) | Virginia (VCDPA) | Iowa (ICDPA) |
|---|---|---|---|---|
| Comprehensive privacy law | No | Yes | Yes | Yes |
| Breach notification law | Yes (Ch. 51-30) | Yes (Civ. Code 1798.82) | Yes (Code 18.2-186.6) | Yes (Ch. 715C) |
| AG notification threshold | 250+ individuals | 500+ residents | 1,000+ residents | 500+ residents |
| Specific notification deadline | No set deadline | 72 hours (certain entities) | 60 days | No set deadline |
| Consumer right to access data | No | Yes | Yes | Yes |
| Consumer right to delete data | No | Yes | Yes | Yes |
| Consumer right to opt out of sales | No | Yes | Yes | Yes |
| Private right of action (breach) | No | Yes (limited) | No | No |
| Credit freeze law | Yes (Ch. 51-33) | Yes | Yes | Yes |
| Financial data security law | Yes (HB 1127) | Yes (CCPA applies) | No specific law | No specific law |
Tips for Businesses Operating in North Dakota
Businesses that collect or process personal information of North Dakota residents should take the following compliance steps.
Implement encryption. Encrypting personal information at rest and in transit provides a safe harbor under Chapter 51-30. If a breach occurs but all affected data was properly encrypted, notification obligations are not triggered.
Develop a breach response plan. Have written procedures in place for detecting breaches, assessing scope, notifying affected individuals, and reporting to the Attorney General when more than 250 individuals are affected.
Review third-party contracts. If you share personal information with service providers, ensure contracts require immediate notification to you upon discovery of any breach.
Know your sector-specific obligations. Financial corporations covered by HB 1127 must maintain written information security programs, dispose of customer data within two years, and report breaches to the Department of Financial Institutions within 45 days. Insurance licensees must comply with Chapter 26.1-02.2 cybersecurity requirements.
Assess TAKE IT DOWN Act obligations. Platforms that host user-generated content or deal in intimate imagery must have a functioning removal process in place. Violations are treated as FTC Act violations with per-violation civil penalties.
Monitor legislative developments. North Dakota may enact comprehensive privacy legislation in the 2027 session. Businesses should stay informed about proposed bills and begin preparing for broader compliance obligations.
More North Dakota Laws
North Dakota's data privacy laws are part of a broader set of legal protections. Explore other North Dakota legal topics:
- State Data Privacy Laws Overview
- North Dakota Recording Laws
- North Dakota AI Meeting Recording Laws
- North Dakota Alimony Laws
- North Dakota At-Will Employment Laws
- North Dakota Car Accident Laws
- North Dakota Car Seat Laws
- North Dakota Child Custody Laws
- North Dakota Child Support Laws
- North Dakota Common Law Marriage Laws
- North Dakota Deepfake Laws
- North Dakota Divorce Laws
- North Dakota Dog Bite Laws
- North Dakota Emancipation Laws
- North Dakota Expungement Laws
- North Dakota Hit and Run Laws
- North Dakota Landlord-Tenant Laws
- North Dakota Lemon Laws
Sources and References
- N.D. Cent. Code Chapter 51-30: Notice of Security Breach for Personal Information(ndlegis.gov).gov
- N.D. Cent. Code Chapter 51-33: Consumer Credit Report Security Freezes(ndlegis.gov).gov
- N.D. Cent. Code Chapter 12.1-23: Theft and Related Offenses(ndlegis.gov).gov
- N.D. Cent. Code Chapter 26.1-02.2: Insurance Data Security(ndlegis.gov).gov
- N.D. Cent. Code Chapter 51-15: Consumer Fraud(ndlegis.gov).gov
- North Dakota HB 1127: Financial Corporation Data Security (69th Legislative Assembly)(ndlegis.gov).gov
- N.D. Cent. Code Chapter 13-01.2: Financial Institution Data Security Program(ndlegis.gov).gov
- North Dakota Attorney General: Data Breach Notices(attorneygeneral.nd.gov).gov
- North Dakota Attorney General: Wrigley Announces Google Settlement Over Location Tracking Practices(attorneygeneral.nd.gov).gov
- North Dakota Attorney General: Identity Theft Resources(attorneygeneral.nd.gov).gov
- North Dakota Attorney General: Credit Security Freeze(attorneygeneral.nd.gov).gov
- North Dakota Insurance Department: Cybersecurity Reporting(insurance.nd.gov).gov
- North Dakota Department of Financial Institutions: Consumer Protection(nd.gov).gov
- North Dakota Department of Public Instruction: FERPA(nd.gov).gov
- North Dakota Health and Human Services: HIPAA Privacy(hhs.nd.gov).gov
- North Dakota Statewide Longitudinal Data System: Privacy(slds.nd.gov).gov
- FTC: Take It Down Act Enforcement Starts Now (May 2026)(ftc.gov).gov
- FTC: Complying With the Take It Down Act(ftc.gov).gov
- FTC: Gramm-Leach-Bliley Act(ftc.gov).gov
- HHS: HIPAA for Individuals(hhs.gov).gov
- Federal E-SIGN Act (15 U.S.C. Section 7001)(govinfo.gov).gov