North Dakota Privacy Law: What You Need To Know

During the 2019 legislative session in North Dakota, a bill (HB1485) was introduced by Representative Kasper-Fargo to address the issue of data protection in North Dakota. After analysis, lawmakers concluded that much work was still to be done before finalizing a privacy bill. The question of pushing for federal oversight of consumer privacy over state-led initiatives was a big item on the debate table. 

In light of the decision to further study the issue, HB1485 was completely amended from its original version. Instead of establishing data protection guidelines, the bill established a much-needed legislative study to closely examine the complex issue of consumer data privacy. 

North Dakota Privacy Law

The Original Bill

HB1485 was originally introduced by a group of seven Representatives and five Senators. Although inspired by the California Consumer Privacy Act, the North Dakota consumer privacy protection act proposal closely mimicked the bill that is currently being considered in Washington State.

As introduced, House Bill No. 1485 would have prohibited covered entities from disclosing any part of a record containing an individual’s personal information to any person other than the individual who is the subject of the record, without the individual’s express written consent. To obtain it, the organization would need to mail or email a one-to-two-page summary describing, among other things, how, when, where, and to whom the entity buys, receives, sells, and shares an individual’s personal information. 

The bill also would have permitted an individual to take civil action to recover damages, costs, and fees if a covered entity purchased, received, sold, or shared the individual’s personal information in violation of the law. 

Let’s Study It Before Diving Into It

For all intents and purposes, the bill introducers' carefully crafted text of House Bill No. 1485 was crossed out and rewritten to establish a mandatory Legislative Management study on protections, enforcements, and remedies regarding the disclosure of consumers’ personal data.

The Legislature voted 43–2 to pass the bill commissioning a study of data issues that apply to individuals residing in North Dakota.

The goal of the study was to analyze and review the privacy laws of other states and applicable federal laws. The legislative management was set to report its conclusions, as well as any legislation required to implement its recommendations, to the 67th legislative assembly. 

No Go

After the lengthy mandatory study session, North Dakota’s lawmakers crafted a new bill based on the conclusions that were gleaned and proposed it as the consumer privacy bill HB1330.

It did not make the grade. 

HB1330, introduced at the 67th legislative session as scheduled in the preceding bill HB1485, was turned down when the State House of Representatives Committee on Industry, Business, and Labor voted 12–1 against advancing House Bill 1330.

Unlike bills being considered in Virginia and Washington, HB1330 was a problematic bill from the onset. It was quite simply not comprehensive enough. 

Tom Kading, R-N.D., HB1330’s lead sponsor, made an initial case to move the bill forward, but the ensuing hearing was dominated by opposing testimony from a prominent group of industries and agencies.

In his introduction to the committee hearing, Kading summed up his bill as an attempt to control the proliferation of personal data sales among Big Tech companies by requiring opt-in consent that would apply to 24 categories of personal data. The protected data within the bill covered a wide range of information, including personal details, financial information, health information, and other miscellaneous forms of personally identifiable data. Also included in the bill was a right of action that allows consumers to sue for up to $100,000.

“This bill provides reasonable protection for the small consumer,” Kading said. “Opting in to allow the sharing of personal data is certainly reasonable. … The everyday person can’t follow each and every one of these bills like the lobbyists. Those sitting behind me, who represent Big Tech, diligently track these bills and are looking to protect the interests of Big Tech. They might argue that California regulations or federal regulations are a better solution than North Dakota regulations, but I doubt most of you here would agree.”

The proposed legislation received little support following Kading’s statements, which raised a string of clarification questions from committee members before the opposition teed off on the proposal’s shortcomings. The opposition was quick to point out some glaring issues, including a lack of clarity on definitions.

A dozen or so letters from many industries, written in advance of the hearing, all had the same underlying recommendation for the bill: “DO NOT PASS”.

“While the bill is very simple in its approach, consumer privacy is not a simple concept and the bill raises a number of concerns for our members,” said Internet Association Director of State Government Affairs, Northwest Region, Rose Feliciano, one of nine industry representatives who shared opposing testimony with the committee.

“The definition of protected data only includes a list of vague terms that are considered ‘protected data’ but does not further define words like child or interests,” Feliciano said. “It’s not clear if the child’s information would include an individual that is 13 years or younger as defined by the Children’s Online Privacy Protection Act or if there’s an alternative age in mind. Additionally, the purpose of the bill is to prohibit the sale of personal data, but the bill does not define the term ‘sale.’”

Another point of opposition was that the bill covered every business with no limitation on the size or type of activity the business practices.

What is the Outlook For the North Dakota Data Privacy Law?

There is general agreement among North Dakota lawmakers to pass privacy legislation that gives consumers the right to know how data is used, collected, and shared; to delete personal information; and to opt out of the sharing of personal data that does not have a legitimate purpose.

The crux of the debate regarding the North Dakota privacy act is whether to wait for a robust federal law that protects all Americans equally or to focus on state-initiated legislation. In the meantime, that question remains on the debate table in North Dakota. 

Centraleyes State Privacy Law Tracking

Centraleyes has you covered on the latest updates to state privacy policies. Check out our other articles on pertinent laws like California’s CPRA, Colorado’s CPA, Utah’s UCPA, and Virginia’s VCDPA.
