Go to:

North Dakota State Privacy Protection Rights

North Dakota statewide privacy links:

Sponsored

Introduction to North Dakota Privacy Rights

North Dakota maintains a moderate approach to privacy protection, balancing individual rights with public transparency and business interests. Unlike comprehensive privacy states such as California or Virginia, North Dakota has not enacted a broad consumer data privacy law. Instead, the state relies on a patchwork of sector-specific statutes, federal regulations, and common law principles to protect resident privacy.

The privacy landscape in North Dakota is shaped primarily by targeted statutes addressing specific concerns: data breach notification requirements under North Dakota Century Code Chapter 51-30, employment privacy protections, financial data security, and limitations on government surveillance. The state's approach reflects its smaller population and traditionally conservative legislative philosophy, which tends to favor existing frameworks over sweeping new regulations.

Compared to states with comprehensive privacy laws, North Dakota offers fewer statutory consumer rights regarding data collection, use, and sale. However, the state provides robust protections in certain areas, particularly regarding government records access and criminal justice information. North Dakota residents benefit from strong open records laws that provide transparency into government operations while simultaneously protecting genuinely private information from disclosure.

The state's Constitution provides limited explicit privacy protections, but Article I, Section 12 guarantees that "the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated." This provision, along with statutory protections and evolving case law, forms the foundation of privacy rights for North Dakota's approximately 780,000 residents. Understanding these protections is essential for anyone seeking to safeguard personal information, access public records, or navigate privacy issues in employment, healthcare, or consumer transactions.

North Dakota's State Privacy Laws

North Dakota's privacy framework consists of several targeted statutes rather than a single comprehensive law. The most significant consumer-facing privacy statute is the North Dakota Data Breach Notification Law, codified in North Dakota Century Code Section 51-30-02. This law requires any person or business conducting business in North Dakota that owns or licenses computerized data including personal information to disclose any breach of security to affected residents.

Under N.D.C.C. § 51-30-02, "personal information" means an individual's first name or first initial and last name combined with one or more of the following: Social Security number, driver's license number, state identification card number, financial account number, credit or debit card number, or security code/access code/password that would permit access to a financial account. The law requires notification without unreasonable delay, though it does not specify an exact timeline in days.

Financial Privacy: North Dakota has enacted specific protections for financial information under N.D.C.C. Chapter 6-08.6, which governs the confidentiality of financial institution records. This statute complements federal laws like the Gramm-Leach-Bliley Act and provides that financial records maintained by financial institutions are confidential. Financial institutions may only disclose customer information with customer authorization, pursuant to legal process, or as otherwise permitted by law. North Dakota also restricts the disclosure of Social Security numbers under N.D.C.C. § 44-04-18.15, prohibiting government entities from publicly posting or displaying Social Security numbers.

Employee Privacy Rights: North Dakota provides several workplace privacy protections. Under N.D.C.C. § 14-02.4-08, employers cannot require employees or applicants to disclose usernames or passwords for personal social media accounts, request access to personal social media accounts, or compel employees to add anyone to their contact lists. This protection, enacted in 2015, places North Dakota among states recognizing that social media privacy extends into the employment context.

The state also protects employee personnel records under N.D.C.C. § 44-04-18.27, exempting personnel records from public disclosure with certain exceptions. Employees have the right to review their own personnel files under common law principles, though North Dakota has not enacted a comprehensive personnel file access statute like some states.

Genetic Privacy: North Dakota Century Code Section 23-12.4-01 through 23-12.4-05 establishes protections for genetic information. Under this law, genetic testing may only be performed with informed written consent, and results are confidential. The statute prohibits discrimination based on genetic information in employment and insurance contexts, supplementing federal protections under the Genetic Information Nondiscrimination Act (GINA).

Library Records: Under N.D.C.C. § 40-38-12, library patron records, including circulation records and registration information, are confidential and may not be disclosed except pursuant to court order, with patron consent, or to recover overdue materials. This protection ensures that North Dakotans' reading habits and research interests remain private.

Video Rental Privacy: Although streaming has largely replaced video rental, N.D.C.C. § 47-21.1-04 continues to protect video service customer records, requiring written consent before disclosure of personally identifiable information regarding video materials rented or purchased.

Freedom of Information / Open Records in North Dakota

North Dakota's public records law is formally known as the Open Records Statute, codified primarily in North Dakota Century Code Chapter 44-04. This law establishes a strong presumption of openness for government records, reflecting North Dakota's constitutional commitment to transparent government. Section 44-04-18 specifically addresses public access to records.

Under N.D.C.C. § 44-04-18, all records of a public entity are presumed to be open to the public unless specifically exempted by law. "Record" is defined broadly to include books, papers, maps, photographs, cards, tapes, recordings, or other documentary materials regardless of physical form or characteristics. This definition encompasses electronic records, emails, text messages, and digital databases maintained by government entities.

Who Can Request Records: Any person may request public records. North Dakota does not require requesters to be residents, identify themselves, or state a reason for the request. Requests may be made orally or in writing, though written requests are advisable for documentation purposes.

Response Timeline: While the Open Records Statute does not specify an exact timeline for responses, N.D.C.C. § 44-04-18(3) requires that the public entity respond to requests "in a timely manner." North Dakota Attorney General opinions have interpreted this to mean agencies should respond within a reasonable time based on the complexity and volume of the request, typically within a few business days for simple requests. If records cannot be provided immediately, the agency must notify the requester of the delay and provide an estimated timeline.

Exemptions: North Dakota law includes numerous specific exemptions protecting genuinely private or sensitive information. Key exemptions under N.D.C.C. § 44-04-18.1 include:

Fee Schedule: Under N.D.C.C. § 44-04-18(3), public entities may charge reasonable fees for copying records. Fees must be limited to actual costs of locating, making, and providing copies. Many agencies charge $0.25 per page for standard photocopies. Electronic records provided via email typically incur minimal or no costs. Agencies may require prepayment if fees are expected to exceed $50.

Appeals Process: If a request is denied, the requester may seek review through several mechanisms. The requester should first appeal to the agency head or governing body. If still unsatisfied, the requester may request an opinion from the North Dakota Attorney General's office, which provides advisory opinions on open records matters. Finally, requesters may file suit in district court seeking a writ of mandamus to compel disclosure. Under N.D.C.C. § 44-04-18(11), if the court finds the agency wrongfully withheld records, the requester may recover attorney's fees and costs.

HIPAA and Health Privacy

The Health Insurance Portability and Accountability Act (HIPAA) establishes nationwide standards for health information privacy, and these protections apply fully to covered entities operating in North Dakota, including hospitals, clinics, health insurance companies, and healthcare clearinghouses. HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule create baseline protections that North Dakota providers must follow.

North Dakota has enacted additional state-level health privacy protections that, in some cases, exceed HIPAA requirements. Under N.D.C.C. § 23-01-10, communications between physicians and patients are privileged and confidential. This physician-patient privilege can only be waived by the patient and extends beyond HIPAA's covered entities to include all licensed physicians practicing in North Dakota.

Mental health records receive particularly strong protection under North Dakota law. N.D.C.C. § 25-03.1-42 establishes strict confidentiality for records of individuals receiving mental health services. These records cannot be disclosed without written consent except in limited circumstances: when necessary for treatment, when required by court order, when necessary to protect the patient or others from harm, or when required by law for commitment proceedings.

North Dakota law also addresses HIV/AIDS confidentiality under N.D.C.C. § 23-07.4-03, which prohibits disclosure of HIV test results without written consent except to the tested individual, healthcare providers involved in care, the state health officer for epidemiological purposes, or pursuant to court order. This protection supplements HIPAA's requirements and provides explicit statutory protection for particularly sensitive health information.

Accessing Your Medical Records: Under both HIPAA and North Dakota law, patients have the right to access and obtain copies of their medical records. Healthcare providers must respond to requests within 30 days under HIPAA, though most North Dakota providers respond more quickly. Providers may charge reasonable fees for copying records, typically limited to actual copying costs. North Dakota residents who believe their health information has been improperly disclosed can file complaints with the U.S. Department of Health and Human Services Office for Civil Rights or pursue private legal action for violations of state confidentiality statutes.

Consumer Data Privacy Rights

Unlike California, Virginia, Colorado, and other states with comprehensive consumer privacy laws, North Dakota has not enacted broad legislation granting residents rights to access, delete, or control their personal data held by businesses. North Dakota consumers therefore rely primarily on federal consumer protection laws and sector-specific state statutes.

The Fair Credit Reporting Act (FCRA) provides North Dakota residents with important rights regarding credit information. Under FCRA, North Dakotans can request free annual credit reports from each of the three major credit bureaus (Equifax, Experian, and TransUnion) through AnnualCreditReport.com. Consumers have the right to dispute inaccurate information, and credit reporting agencies must investigate disputes within 30 days. Negative information generally must be removed after seven years, with bankruptcy information removed after ten years.

North Dakota law supplements FCRA protections through N.D.C.C. § 51-30-02, which requires businesses to notify consumers of data breaches involving their personal information. While this provides notification rights, it does not grant consumers the ability to control how businesses collect or use their data prospectively.

Removing Information from Data Brokers: Data broker websites like Spokeo, Whitepages, BeenVerified, and PeopleFinder aggregate public records and other information about North Dakota residents. While North Dakota law does not require these companies to honor opt-out requests, many data brokers provide voluntary opt-out mechanisms:

The process must typically be repeated for each data broker site, as there is no centralized opt-out registry. New listings may appear as data brokers refresh their databases from public records sources, requiring periodic monitoring.

Telemarketing and Do Not Call: North Dakota residents can register phone numbers on the National Do Not Call Registry at DoNotCall.gov or by calling 1-888-382-1222. North Dakota enforces federal telemarketing rules and maintains limited state-level telemarketing restrictions under N.D.C.C. Chapter 51-28, which requires telemarketers to register with the North Dakota Attorney General's office and prohibits certain deceptive practices.

Identity Theft Protections: Under N.D.C.C. § 12.1-23-11, identity theft is a criminal offense in North Dakota. Victims can place fraud alerts on credit reports, file police reports, and access protections under the federal Identity Theft and Assumption Deterrence Act. The North Dakota Attorney General's Consumer Protection Division provides resources for identity theft victims at ag.nd.gov.

Employment Background Checks & Privacy

North Dakota employers conducting background checks on applicants and employees must comply with both federal law (primarily the Fair Credit Reporting Act) and state-specific requirements. Understanding these rules is essential for job seekers concerned about privacy and accuracy of background information.

Under the Fair Credit Reporting Act (FCRA), employers who use third-party consumer reporting agencies to conduct background checks must provide written notice to applicants, obtain written authorization, and provide adverse action notices if they take negative employment action based on the report. These requirements apply to all North Dakota employers using consumer reporting agencies.

What Employers Can Access: North Dakota employers can access criminal conviction records through the North Dakota Bureau of Criminal Investigation. The BCI maintains criminal history records and provides access to authorized entities. Criminal convictions remain on records indefinitely in North Dakota, as the state does not automatically expunge convictions after a set period.

Employers may consider felony and misdemeanor convictions when making hiring decisions, but the consideration must be job-related. Under Equal Employment Opportunity Commission (EEOC) guidance, employers should conduct individualized assessments considering the nature of the crime, time elapsed, and nature of the job.

Ban-the-Box: North Dakota has not enacted a statewide ban-the-box law prohibiting employers from inquiring about criminal history on initial applications. Private employers may ask about criminal history at any point in the hiring process. However, state government agencies follow policies that generally delay criminal history inquiries until later in the hiring process for certain positions.

Credit Reports: North Dakota has not enacted specific restrictions on employer use of credit reports beyond FCRA requirements. Employers may obtain and consider credit reports with proper authorization and compliance with FCRA notice requirements.

Social Media: As noted earlier, N.D.C.C. § 14-02.4-08 prohibits employers from requiring applicants or employees to disclose social media passwords or add supervisors to personal social media contacts. Employers may still view publicly available social media content and may maintain policies regarding employee use of social media.

Disputing Inaccurate Records: If a criminal background check contains errors, individuals should contact the North Dakota Bureau of Criminal Investigation to request correction. The BCI can be reached at:

North Dakota Bureau of Criminal Investigation
PO Box 1054
Bismarck, ND 58502-1054
Phone: (701) 328-5500

For errors in consumer reports prepared by background screening companies, individuals should dispute directly with the consumer reporting agency under FCRA procedures, which require investigation within 30 days.

Protecting Yourself in North Dakota

North Dakota residents can take concrete steps to protect personal privacy and control information available about them. This practical guide provides actionable strategies specific to North Dakota's legal framework.

Step 1: Freeze Your Credit

Credit freezes prevent identity thieves from opening new accounts in your name. Under federal law effective September 2018, credit freezes are free. Contact each credit bureau:

You'll receive a PIN or password to lift the freeze when you need to apply for credit. Consider also freezing reports at Innovis (1-800-540-2505) and the National Consumer Telecom & Utilities Exchange (1-866-349-5355).

Step 2: Opt Out of People-Search Sites

Systematically remove your information from major data broker sites. Create a spreadsheet to track opt-out requests:

Major sites to address include Spokeo, Whitepages, Intelius, PeopleFinder, BeenVerified, MyLife, TruthFinder, and Instant Checkmate. This process is time-consuming but significantly reduces your digital footprint.

Step 3: Request Record Sealing or Expungement

North Dakota provides limited opportunities for sealing or expunging criminal records. Under N.D.C.C. § 12-60.1-01, individuals may petition for sealing of records for certain offenses:

To petition for record sealing, file a petition in the district court where the conviction occurred. The court will consider factors including rehabilitation, time elapsed, and public safety. Approval is not guaranteed and requires demonstration of good cause.

For arrests that did not result in conviction, you may petition for return of fingerprints and destruction of arrest records under N.D.C.C. § 12-60-16.3.

Step 4: Monitor Your Open Records Footprint

Public records maintained by North Dakota government agencies may contain your information. Submit open records requests to county recorders, court clerks, and other agencies to understand what information is publicly available. While most records cannot be removed, knowing what exists helps you manage your privacy.

Step 5: Register with Do Not Call Lists

Register all phone numbers at DoNotCall.gov to reduce telemarketing calls. The registration is permanent and free.

Step 6: Use Privacy-Protective Practices

Key Contacts:

North Dakota Attorney General Consumer Protection Division
1720 Burlington Drive, Suite C
Bismarck, ND 58504-7736
Phone: 1-800-472-2600
Website: ag.nd.gov/ConsumerProtection

North Dakota Department of Health
600 E. Boulevard Ave.
Bismarck, ND 58505
Phone: (701) 328-2372

North Dakota Data Breach Notification

North Dakota's data breach notification law, codified in N.D.C.C. § 51-30-02 through § 51-30-07, establishes requirements for businesses and government entities that experience security breaches involving personal information of North Dakota residents.

Who Must Notify: Any person or business that conducts business in North Dakota and owns or licenses computerized data that includes personal information must provide notification of breaches. This applies to both North Dakota-based entities and out-of-state businesses with North Dakota customers. Third-party data processors that experience breaches must notify the data owner, who then has notification obligations to affected individuals.

What Triggers Notification: Notification is required when there is unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. "Personal information" means an individual's first name or initial and last name combined with Social Security number, driver's license number, state ID number, financial account number, or credit/debit card number with any required security code.

Importantly, notification is not required if the business determines through reasonable investigation that the breach has not caused and is not reasonably likely to cause harm to affected individuals. This harm-threshold determination must be documented.

Notification Timeline: Under N.D.C.C. § 51-30-02, notification must be made "without unreasonable delay." The statute does not specify an exact number of days, giving businesses some flexibility to investigate the breach and determine its scope. However, "unreasonable delay" has been interpreted to mean notification should generally occur within a few weeks absent exceptional circumstances requiring extended investigation. Notification may be delayed if law enforcement determines it would impede a criminal investigation, but only for the period specified by law enforcement.

Method of Notification: Notification must be provided by one of the following methods:

If the cost of notification exceeds $250,000, the number of affected individuals exceeds 500,000, or the business does not have sufficient contact information, substitute notice is permitted. Substitute notice consists of email notice if email addresses are available, conspicuous posting on the business's website, and notification to major statewide media.

Notification to Attorney General: If a breach affects more than 250 North Dakota residents, the business must also notify the North Dakota Attorney General's office. This notification should be made to the Consumer Protection Division.

Content Requirements: Notifications must include a description of the incident, the type of information compromised, steps the business is taking to investigate and prevent future breaches, contact information for credit reporting agencies, and advice that individuals can obtain information about identity theft protection from the Attorney General's office and the Federal Trade Commission.

Penalties: Violations of the data breach notification law are subject to enforcement by the North Dakota Attorney General under the state's consumer protection laws. Civil penalties may be imposed for knowing violations. Additionally, affected individuals may have private causes of action for damages resulting from negligent failure to secure data, though North Dakota courts have not extensively addressed this issue.

Children's Privacy (North Dakota)

Children's privacy in North Dakota is protected through a combination of federal laws and state-specific provisions addressing educational records and online data collection.

The federal Children's Online Privacy Protection Act (COPPA) applies nationwide, including in North Dakota, and requires websites and online services directed to children under 13 to obtain verifiable parental consent before collecting personal information. COPPA also requires privacy policies, limits on data collection, and reasonable security measures. The Federal Trade Commission enforces COPPA, and violations can result in substantial penalties. North Dakota-based websites and apps directed to children must comply with COPPA requirements.

Educational records of North Dakota students are protected by the federal Family Educational Rights and Privacy Act (FERPA), which applies to all schools receiving federal funding. FERPA grants parents rights to access their children's educational records, request corrections, and control disclosure of personally identifiable information. When students turn 18 or attend postsecondary institutions, these rights transfer to the student.

North Dakota law supplements FERPA protections through N.D.C.C. § 15.1-23, which addresses student records and confidentiality. Educational agencies must maintain confidentiality of student records and may only disclose information as permitted by FERPA and state law. Directory information (name, address, dates of attendance, degrees received) may be disclosed unless parents opt out.

Under N.D.C.C. § 15.1-19-17, schools must have policies regarding student privacy in the context of surveys, evaluations, and instructional materials. Parents have the right to inspect instructional materials and opt their children out of certain surveys or assessments that collect sensitive personal information.

North Dakota law also protects children in the child welfare system. Records related to child abuse and neglect investigations maintained by the Department of Human Services are confidential under N.D.C.C. § 50-25.1-05.1 and generally not subject to public disclosure, protecting children's privacy during vulnerable times.

Practical Steps for Parents: North Dakota parents can protect children's privacy by reviewing school privacy policies, opting out of directory information disclosure if desired, monitoring children's online activities, and teaching children not to share personal information online. Parents should also periodically search for their children's names online to identify any concerning information that should be addressed.

Frequently Asked Questions

Can I remove my information from North Dakota public records?

Generally, no. North Dakota's Open Records Statute creates a presumption of public access to government records. If your information appears in legitimate public records (court documents, property records, business licenses), it typically cannot be removed. However, you may be able to seal certain criminal records under N.D.C.C. § 12-60.1-01 if you meet eligibility requirements, such as completing sentence requirements and waiting periods. For records containing errors, you can request corrections from the maintaining agency. While you cannot remove information from official public records, you can work to remove or suppress information from third-party websites that aggregate public records data by using their opt-out procedures.

How do I access my criminal background check in North Dakota?

To obtain your own criminal history record, contact the North Dakota Bureau of Criminal Investigation. You can request a record check by submitting a completed application form, fingerprints, and the required fee (currently $20 for a state check). Mail requests to ND BCI, PO Box 1054, Bismarck, ND 58502-1054, or visit in person at 3600 East Boulevard Ave, Bismarck. You can also request your FBI criminal history record through approved channelers. Allow 2-3 weeks for processing. Having your official criminal history record helps you verify accuracy and understand what employers see during background checks.

Does North Dakota have a comprehensive consumer privacy law like California's CCPA?

No. North Dakota has not enacted comprehensive consumer privacy legislation comparable to California's Consumer Privacy Act, Virginia's Consumer Data Protection Act, or similar laws in other states. North Dakota residents do not have statutory rights to request deletion of their data from businesses, opt out of data sales, or access information about data collection practices. Instead, North Dakotans rely on federal laws (like FCRA for credit information and HIPAA for health data) and sector-specific state statutes. Privacy advocates have periodically proposed comprehensive privacy legislation in the North Dakota legislature, but as of 2024, no such law has been enacted.

What should I do if I receive a data breach notification from a company?

If you receive a breach notification, take immediate action: (1) Review the notification carefully to understand what information was compromised; (2) If Social Security numbers were involved, place a fraud alert or credit freeze with the three major credit bureaus; (3) Monitor your credit reports closely for several months; (4) Change passwords for any affected accounts and enable two-factor authentication; (5) Watch for suspicious emails or calls from scammers attempting to exploit the breach; (6) Keep the notification letter for your records; (7) If you experience identity theft as a result, file a report with local police and the FTC at IdentityTheft.gov; (8) Consider placing a free credit freeze, which provides stronger protection than fraud alerts. Many companies offer free credit monitoring for affected individuals—take advantage if offered.

Can my employer in North Dakota ask for my social media passwords?

No. North Dakota Century Code Section 14-02.4-08 explicitly prohibits employers from requiring employees or applicants to disclose usernames, passwords, or other authentication information for accessing personal social media accounts. Employers also cannot require you to add supervisors or colleagues to your personal social media contacts, access your personal social media in the employer's presence, or compel you to reproduce content from personal social media. However, this law does not prevent employers from viewing your publicly available social media content or enforcing policies about professional conduct on social media. Employers may still maintain social media policies regarding company-related communications and may request access to employer-provided devices or accounts.

How long do I have to respond to a public records request if I'm a government employee?

North Dakota's Open Records Statute requires government entities to respond "in a timely manner" under N.D.C.C. § 44-04-18(3), but does not specify an exact number of business days. Attorney General opinions and best practices suggest that simple requests should be acknowledged within 1-3 business days, with records provided shortly thereafter if readily available. For complex requests requiring review of multiple records or legal analysis, agencies should notify requesters of the delay and provide an estimated completion timeline. Unreasonable delays may result in the requester seeking a court order compelling production. Government employees handling records requests should consult their agency's legal counsel and establish written procedures for timely responses. If denial is warranted, the denial should be in writing with specific citation to applicable exemptions.

Can I seal or expunge my criminal record in North Dakota?

North Dakota provides limited sealing opportunities under N.D.C.C. § 12-60.1-01, but does not offer true expungement that destroys records. You may petition to seal records for certain misdemeanor convictions after three years from completion of sentence (including probation) if you have no subsequent convictions. Class C felony convictions may be sealed five years after completion of sentence if you have no subsequent felonies. More serious felonies generally cannot be sealed. The petition must be filed in the district court where the conviction occurred, and the court will consider factors including your rehabilitation, employment status, and public safety. Approval is discretionary, not automatic. If your case was dismissed or you were acquitted, you can petition for destruction of arrest records under N.D.C.C. § 12-60-16.3. Juvenile records may be sealed under separate provisions in N.D.C.C. § 27-20.3-02. Consult with an attorney to evaluate eligibility for your specific situation.

Are my medical records protected if I see a therapist or mental health provider in North Dakota?

Yes, mental health records receive strong protection in North Dakota. Under N.D.C.C. § 25-03.1-42, records of individuals receiving mental health treatment are confidential and cannot be disclosed without your written consent except in limited circumstances: when necessary for your treatment, pursuant to court order, when necessary to protect you or others from imminent harm, or as required for involuntary commitment proceedings. These protections supplement federal HIPAA requirements and apply to all mental health providers in North Dakota. Your mental health provider must give you a Notice of Privacy Practices explaining how your information may be used and disclosed. You have the right to access your records, request amendments, and file complaints if you believe your privacy has been violated. Mental health records are also exempt from disclosure under North Dakota's Open Records law, ensuring they remain private even if maintained by government facilities.

Last reviewed: Apr 8, 2026 Updated: Apr 8, 2026