North Dakota: An Overview of Data Protection & Data Privacy Law

Data is growing rapidly. Due to this global growth, data protection has become a serious concern. To regulate the responsible collection, processing, and sharing of users’ data, regulatory authorities around the world have introduced strict data protection laws. However, not every country or even every state in the US has a comprehensive data protection regulation yet.

North Dakota, like some other US states, has yet to pass comprehensive laws such as the California Privacy Rights Act (CPRA) or the Virginia Consumer Data Protection Act (VCDPA) in Virginia. The state of North Dakota recognizes the need and significance of a data protection regulation and it also attempted to introduce one such regulation. However, the bill fell short in its initial stages, and thus, it never passed. This blog aims to provide readers with a quick overview of the North Dakota data privacy bill HB 1330 and what businesses must do in the absence of a comprehensive privacy law.

North Dakota HB 1330

The bill defined a covered entity as an entity operating in a limited liability company, corporate, partnership, or any legal context, collecting, processing, and selling users’ protected data. Protected data, on the other hand, was defined as any data that included users’ location, interests, screen name, website address, professional history, browsing history, purchase history, and residence details, amongst others.

The bill prohibited covered entities against the sale of protected data unless the covered entity obtains a user’s consent. The bill was proposed to implement an opt-in model where the covered entity was required to let users opt-in for the sale of each type of their protected data.

Covered entities that violate any of the law's provisions could be fined no less than $10,000 and must pay reasonable attorney’s fees. In the event of a wilful violation, the violator could be fined no less than $100,000.

Current State of Data Protection Laws in North Dakota

North Dakota does not yet have a comprehensive privacy law, but it recognizes the need for regulation. Businesses, on the other hand, have not been without regulation since multiple federal laws apply in the state of North Dakota that demand compliance for user privacy rights and data protection.

For instance, the HIPAA regulation governs the country's healthcare sectors, providing detailed data protection provisions for protected health information (PHI). Hence, entities that collect, process, share, and sell PHI must demonstrate compliance to avoid legal consequences. Moreover, compliance with industry standards and regional regulatory requirements also demonstrates a business’s credibility, which ultimately builds trust.