North Dakota Biometric Privacy Laws: Collection, Consent & Penalties (2026)

North Dakota takes a fragmented approach to biometric privacy. Unlike states that have enacted comprehensive biometric privacy laws or folded biometric protections into broad consumer privacy statutes, North Dakota addresses biometric data through narrow provisions scattered across its criminal code, breach notification framework, and insurance regulations.
If you are looking for a single law that governs how businesses collect, store, and use fingerprints, facial scans, or iris patterns in North Dakota, it does not exist. What the state does offer are criminal penalties for identity theft involving biometric data and sector-specific security requirements for insurance companies.
For an overview of North Dakota's broader privacy framework, see the parent guide to [North Dakota Data Privacy Laws](/us-laws/data-privacy-laws/north-dakota-data-privacy-laws).
Identity Theft Law: Biometric Data as Protected Information
The most direct biometric protection in North Dakota law comes from the state's identity theft statute. 
In 2019, Governor Doug Burgum signed Senate Bill 2262, which amended N.D.C.C. 12.1-23-11 to expand the definition of personal identifying information. The amendment, effective August 1, 2019, added three new categories to the list of protected data:
- An individual's payment card information
- An individual's biometric data
- Numbers, documents, or information that can be used to access another person's financial records
Under this statute, a person commits a criminal offense by obtaining, attempting to obtain, transferring, recording, or using another individual's personal identifying information, including biometric data, to obtain anything of value without the person's consent.
The penalties are structured by severity:
- Class A misdemeanor for basic unauthorized use of personal identifying information
- Class C felony for more serious offenses or those involving larger amounts
- Class B felony for using a skimmer or scanning device to obtain payment card, credit card, or state identification information without authorization
This law protects against the criminal misuse of biometric data, but it does not regulate routine business collection practices. An employer using fingerprint scanners for timekeeping or a retailer deploying facial recognition technology would not violate this statute as long as the biometric data is not used to commit identity fraud.
Breach Notification Law: Limited Biometric Coverage
North Dakota's breach notification law (N.D.C.C. 51-30-01 through 51-30-07) requires entities that experience a security breach involving personal information to notify affected individuals and, in certain cases, the Attorney General.
The statute defines personal information as an individual's first name or first initial and last name combined with one or more of the following unencrypted data elements:
- Social Security number
- Driver's license number or non-driver photo identification card number
- Financial account numbers, credit card numbers, or debit card numbers (with any required access codes or security codes)
- Date of birth
- Mother's maiden name
- Medical information (health history, condition, treatment, or diagnosis)
- Health insurance policy number or subscriber identification number
- Employer-assigned identification number with associated security credentials
- Digitized or electronic signature
Biometric data is not explicitly listed in this definition. A standalone breach of biometric records, such as a database of fingerprint templates or facial recognition data, would not trigger notification requirements under this law unless the breach also involved one of the enumerated data elements above.
When a breach does trigger the law, these requirements apply:
- Timing: Notice must be provided in the most expedient time possible and without unreasonable delay
- AG notification: The entity must notify the Attorney General when the breach affects more than 250 individuals
- Method: Written notice, electronic notice (compliant with the federal E-SIGN Act), or substitute notice when costs exceed $250,000 or more than 500,000 individuals are affected
- Delayed notice: Law enforcement may request a delay if notification would impede a criminal investigation

Insurance Data Security Act: Biometric Records Covered
The Insurance Data Security Act (N.D.C.C. 26.1-02.2) provides the most explicit biometric data protection in North Dakota law, though it applies only to entities licensed by the North Dakota Insurance Department.
This law, modeled after the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, defines "nonpublic information" to include biometric records. Insurance licensees must:
- Develop and maintain a comprehensive written information security program
- Conduct risk assessments that account for biometric and other sensitive data
- Implement safeguards appropriate to the size, complexity, and nature of the licensee's activities
- Investigate cybersecurity events and notify the Insurance Commissioner when required
The Insurance Department oversees compliance with these requirements and can take enforcement action against licensees that fail to protect nonpublic information, including biometric records.
Consumer Fraud Act: General Enforcement Tool
While North Dakota lacks a biometric-specific enforcement mechanism, the Consumer Fraud Act (N.D.C.C. 51-15) gives the Attorney General broad authority to pursue deceptive or fraudulent business practices. If a company made false representations about its biometric data practices, such as claiming it does not collect facial recognition data when it does, the AG could potentially bring an enforcement action under this statute.
The Consumer Fraud Act also serves as the enforcement backbone for the breach notification law. Under N.D.C.C. 51-30-07, violations of the breach notification requirements are treated as violations of Chapter 51-15, giving the AG access to these remedies:
- Civil penalties of up to $5,000 per offense
- Temporary or permanent injunctions
- Recovery of reasonable attorney fees, expenses, and investigation costs

No Comprehensive Consumer Privacy Law
As of 2026, North Dakota has not enacted a comprehensive consumer privacy law similar to those passed in states like California, Colorado, or Kentucky. States with comprehensive privacy laws typically classify biometric data as "sensitive data" requiring heightened consent and giving consumers specific rights over their biometric information.
North Dakota's 69th Legislative Assembly (2025) did not introduce any bills establishing a comprehensive consumer data privacy framework or a standalone biometric privacy law. The session's most significant privacy-related legislation was HB 1127, which created new data security and breach notification requirements for financial institutions regulated by the Department of Financial Institutions, effective August 1, 2025.
Without a comprehensive privacy law, North Dakota residents lack several protections available in other states:
- No right to know what biometric data a business has collected about them
- No right to request deletion of biometric data
- No right to opt out of biometric data collection or sale
- No requirement for businesses to obtain consent before collecting biometric data
- No mandated retention or destruction schedules for biometric data
- No private right of action for biometric data misuse
Employer and Workplace Biometric Use
North Dakota does not regulate employer use of biometric data. Companies operating in the state can deploy fingerprint scanners for time and attendance tracking, use facial recognition for building access, or implement other biometric identification systems without obtaining employee consent or providing specific notice under state law.
This stands in contrast to states like Illinois, where employers must provide written notice and obtain informed consent before collecting biometric identifiers, and face significant litigation risk under BIPA's private right of action.
Employers in North Dakota should still be aware that federal laws, including the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), may restrict certain types of biometric data collection in the workplace. Additionally, if a North Dakota employer has workers in states with biometric privacy laws, those states' laws may apply to employees located there.
How North Dakota Compares
North Dakota's biometric privacy protections rank among the weakest in the country:
States with the strongest protections include Illinois, which provides a private right of action and detailed requirements for biometric data handling, and Texas and Washington, which have standalone biometric privacy statutes enforced by state regulators.
States with moderate protections include those that have enacted comprehensive privacy laws classifying biometric data as sensitive, such as Colorado, Connecticut, and Kentucky.
States with limited protections like North Dakota address biometric data only through criminal identity theft statutes, sector-specific regulations, or breach notification laws that may or may not explicitly cover biometric identifiers.
Sources and References
This article references North Dakota statutes, official state government publications, and analysis from legal authorities. For the full text of the statutes referenced, visit the North Dakota Legislative Branch website. For guidance on data breach reporting, visit the North Dakota Attorney General.
This article provides general legal information about North Dakota biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official North Dakota government sources.
- N.D.C.C. 12.1-23-11 - Unauthorized Use of Personal Identifying Information (ndlegis.gov)
- SB 2262 (2019) - Expanding Personal Identifying Information Definition (ndlegis.gov)
- N.D.C.C. 51-30-01 et seq. - Breach Notification Law (ndlegis.gov)
- N.D.C.C. 26.1-02.2 - Insurance Data Security Act (ndlegis.gov)
- N.D.C.C. 51-15 - Consumer Fraud Act (ndlegis.gov)
- North Dakota Attorney General - Data Breach Notices (attorneygeneral.nd.gov)
- North Dakota Insurance Department - Cybersecurity Reporting (insurance.nd.gov)
- HB 1127 (2025) - Financial Data Security Requirements (ndlegis.gov)
- Americans with Disabilities Act (ada.gov)
- EEOC - Genetic Information Nondiscrimination Act (eeoc.gov)