open-agreements 0.7.7 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/north-carolina.md

@@ -0,0 +1,205 @@
+---
+jurisdiction: "North Carolina"
+slug: north-carolina
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/north-carolina
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/north-carolina · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# North Carolina Consumer Privacy Law[^about]
+
+North Carolina has no comprehensive consumer-privacy statute. The Identity Theft Protection Act governs breach notice, Social Security numbers, data disposal, and security freezes, with express Chapter 75 bridges for specific sections.
+
+
+## At a glance
+
+| Question | North Carolina |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | North Carolina has not enacted a comprehensive consumer-privacy law; the operative statute is the Identity Theft Protection Act, whose breach-notification, Social Security number, disposal, and security-freeze sections expressly bridge violations into § 75-1.1. |
+| **Main law** | Identity Theft Protection Act, N.C. Gen. Stat. §§ 75-60 to 75-66 (Article 2A of Chapter 75) — North Carolina has no comprehensive consumer-privacy law; breach-notification, Social Security number, disposal, and security-freeze sections contain express § 75-1.1 bridges |
+| **Privacy policy required?** | No North Carolina statute mandates a general consumer privacy policy or fixes its contents; a materially misleading statement can support a § 75-1.1 or FTC Act § 5 deception theory if the required elements are met, alongside GLBA, HIPAA, and COPPA where those apply |
+| **Who does it cover?** | Any business that owns, licenses, maintains, or possesses personal information of North Carolina residents — in any form, computerized or paper — with no revenue or consumer-volume threshold |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Yes for specific bridged ITPA sections — an injured consumer can use § 75-16 for mandatory treble damages where the section expressly makes the violation a § 75-1.1 violation; § 75-66 separately allows civil damages under G.S. 1-539.2C |
+| **Who enforces it?** | North Carolina Attorney General (Consumer Protection Division) |
+
+## Which privacy laws apply to your business in North Carolina? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive North Carolina consumer-privacy law. The operative state statute is the Identity Theft Protection Act [^itpa-7560-title], an Article of Chapter 75 that governs breach notification, Social Security numbers, record disposal, and credit-report security freezes rather than data handling generally. Its breach-notice duty reaches any business that owns or licenses personal information of North Carolina residents, or that conducts business in North Carolina and owns or licenses personal information in any form — computerized, paper, or otherwise [^itpa-7565-scope] — with no revenue or consumer-volume threshold.
+
+North Carolina residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of its sale, and businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties. What the state has instead is the Identity Theft Protection Act (ITPA), N.C. Gen. Stat. §§ 75-60 through 75-66, plus a handful of sector-specific statutes: school-technology operators may not target advertising based on school-use information or sell or rent student data [^itpa-115c-student-targeting] [^itpa-115c-student], and health insurers may not refuse coverage, raise group premium rates, or charge higher premiums because of genetic information [^itpa-583215-genetic].
+
+The rest of a North Carolina privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. None of those is a North Carolina statute, but together with the ITPA they are what actually shapes a compliant North Carolina-facing program today.
+
+Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review. A program built to the ITPA and the federal overlay would upgrade rather than restart if North Carolina later adopted an omnibus privacy statute.
+
+## Can a consumer sue your business over a data breach in North Carolina? {#breach-lawsuit-treble-damages}
+
+**Short answer.** Yes, if the consumer was injured and the violated section supplies the bridge. The breach-notification section itself says a violation is a violation of the state's unfair-trade-practices act, and an injured individual may bring a private action [^bridge-7565-per-se]. Once a Chapter 75 violation injures a person, the damages remedy is not discretionary: judgment shall be rendered for treble the amount fixed by the verdict [^bridge-7516-treble]. A prevailing party may also recover a reasonable attorney fee in the court's discretion on a finding of willfulness and an unwarranted refusal to resolve the matter [^bridge-75161-fees].
+
+This three-statute chain is the defining feature of the ITPA sections that expressly use it. Breach notification, Social Security number protection, consumer security freezes, protected-consumer freezes, and record disposal each declare that a violation is a violation of N.C. Gen. Stat. § 75-1.1 [^bridge-7565-per-se] [^bridge-7562-ssn] [^bridge-7563-freeze] [^bridge-75631-protected-freeze] [^bridge-7564-disposal], the section declaring unfair or deceptive acts or practices in or affecting commerce unlawful [^bridge-7511-udap]. Section 75-16 then supplies the private action and its mandatory trebling. The practical consequence: a plaintiff who proves one of those bridged violations does not need to separately establish that the conduct was unfair or deceptive — the statute does that work — and a court that assesses damages has no discretion to decline trebling.
+
+Two limits keep the bridge from being a strict-liability lottery. First, injury is an element: § 75-65 says no private action may be brought unless the individual is injured as a result of the violation, so a breach with no resulting harm does not by itself support a suit [^bridge-7565-per-se]. Second, causes of action under the Article may not be assigned, which cuts against claim aggregation by third parties [^bridge-7565-assignment]. Neither limit changes the headline for businesses: a notification failure after a breach converts directly into treble-damages exposure to every injured resident.
+
+## What must your North Carolina privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No North Carolina statute requires a general consumer privacy policy or fixes what it must say. The binding rule is that whatever you publish has to be true: a materially misleading policy statement can support a deception claim under § 75-1.1 [^policy-7511-udap] and under Section 5 of the FTC Act [^policy-ftc5-deceptive], if the required elements are met. In North Carolina that truthfulness rule has unusual teeth for injured consumers, because damages assessed in a private Chapter 75 action are trebled [^policy-7516-treble].
+
+The drafting question in North Carolina is therefore less *what must be included* and more *does the policy match actual practice*. Where a sectoral regime applies, that regime supplies the contents: a financial institution may not share nonpublic personal information with nonaffiliated third parties without first giving the consumer a GLBA privacy notice [^policy-glba-notice]; a HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^policy-hipaa-notice]; and an operator of a child-directed service must post notice of what it collects from children, how it uses it, and its disclosure practices [^policy-coppa-notice].
+
+For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it. Because trebling under § 75-16 is automatic once damages are assessed, an inaccurate privacy policy is structurally more dangerous in North Carolina than in states where multiplied damages are left to the court's discretion: every material promise in the policy can become part of a deception theory for an injured reader if the statement is misleading and damages requirements are met.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** North Carolina has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The state does impose a disposal duty: covered businesses must take reasonable measures against unauthorized access to or use of personal information in connection with or after disposal [^vendor-7564-duty]. For paper and electronic media, those measures must include monitored policies for shredding, burning, pulverizing, destroying, or erasing records so the information cannot practicably be read or reconstructed [^vendor-7564-measures].
+
+The vendor contract the state addresses directly is an implementation option for that disposal duty: a business may, after due diligence, enter into a written contract with — and monitor compliance by — a record-destruction vendor to destroy personal information consistently with the disposal statute [^vendor-7564-contract]. The disposal statute is worth taking seriously because it has its own express § 75-1.1 bridge, with one employee-specific softening: damages caused by nonmanagerial employees are not trebled unless the business was negligent in training, supervising, or monitoring them [^vendor-7564-treble]. Due diligence on a destruction vendor should ordinarily include reviewing an independent audit, checking references or third-party certification, or evaluating the vendor's information-security policies — the statute lists those routes itself.
+
+Data-hosting and service-provider relationships are touched only on the breach side: a business that maintains or possesses records containing personal information it does not own or license must notify the owner or licensee immediately following discovery of a security breach [^vendor-7565-maintainer]. That allocation — the vendor tells you, you tell your customers — is a reason to put breach-notice timing, cooperation, and cost terms into every vendor agreement even though no North Carolina statute requires them. Where a federal regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers and bind them by contract to maintain safeguards [^vendor-glba-safeguards], and HIPAA requires a business-associate agreement with required use limits, safeguards, breach reporting, and subcontractor flow-down terms [^vendor-hipaa-baa]. Outside those verticals, carrying the same protections forward — processing limited to instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion at the end of the engagement — is best practice rather than state-law compulsion.
+
+## What rights do North Carolina consumers have over their personal data? {#consumer-rights}
+
+**Short answer.** Not the comprehensive-statute set. North Carolina law gives consumers no general rights to access, delete, correct, or port their personal data, no right to opt out of its sale or of targeted advertising, and no requirement that businesses honor universal opt-out signals such as Global Privacy Control. The rights that do exist are narrower and identity-theft-shaped: any consumer may place a security freeze on their credit report [^rights-7563-freeze], a business may not sell or intentionally disclose a Social Security number to a third party without written consent where it has reason to believe the recipient lacks a legitimate purpose [^rights-7562-ssn], and a person who has objected to disclosure can sue anyone who knowingly publishes their personal information anyway [^rights-7566-publication].
+
+The security freeze is the most operationally complete right. A freeze prohibits a consumer reporting agency from releasing the consumer's credit report or any information in it without the consumer's express authorization [^rights-7563-effect], and electronic placement, lifting, and removal must be free [^rights-7563-free]. A parallel mechanism protects children under 16 and incapacitated adults [^rights-7561-protected-definition]: a consumer reporting agency must place a protected-consumer security freeze within 30 days of a qualifying request by the protected consumer's representative [^rights-75631-protected].
+
+The publication right under § 75-66 is narrow but carries its own civil action: any person whose property or person is injured by a violation may sue for civil damages [^rights-7566-remedy]. Its definition of *personal information* is broader than the breach statute's, sweeping in biometric data, fingerprints, and passwords. Beyond those, North Carolina consumers rely on sector-specific protections — student data, genetic information in insurance, and the federal regimes — rather than on a general data-rights statute. Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review.
+
+## When must you notify people of a data breach in North Carolina? {#breach-notification}
+
+**Short answer.** Without unreasonable delay, once you discover or are notified of a security breach. The notification may be paced only by the legitimate needs of law enforcement and by measures necessary to determine contact information, determine the scope of the breach, and restore the integrity, security, and confidentiality of the data system [^breach-7565-timing]. A *security breach* is an incident of unauthorized access to and acquisition of unencrypted and unredacted records containing personal information where illegal use has occurred, is reasonably likely to occur, or creates a material risk of harm to a consumer; encrypted records count if the confidential process or key is also acquired [^breach-7561-definition]. Every consumer-noticed breach also triggers a report to the Attorney General's Consumer Protection Division — there is no headcount floor [^breach-7565-ag].
+
+This is where North Carolina imposes its hardest operational duties, and the statutory text quoted here reflects the section as amended in 2025 by S.L. 2025-25, § 29. *Personal information* means a person's first name or initial and last name combined with identifying information as defined in the State's identity-theft law [^breach-7561-personal-info]; for breach purposes, the statute excludes electronic identification numbers, email names or addresses, internet account numbers, internet identification names, a parent's legal surname before marriage, and passwords unless that information would permit access to a person's financial account or resources [^breach-7565-exclusions]. Encryption and redaction are built into the trigger [^breach-7561-encryption] [^breach-7561-redaction], and the harm element (illegal use occurred, is reasonably likely, or material risk of harm) gives the statute a risk threshold many state breach laws lack.
+
+The notice itself has fixed contents: a general description of the incident, the type of personal information involved, the business's protective acts, a contact number, advice to remain vigilant, and the contact details for the consumer reporting agencies, the FTC, and the North Carolina Attorney General's Office [^breach-7565-contents]. Written, electronic, and direct telephonic notice are all permitted, with substitute notice available above a 500,000-person or 250,000-dollar threshold or where contact information, consent, or affected-person identification is lacking [^breach-7565-substitute]. When notice goes to more than 1,000 persons at one time, the business must also notify the nationwide consumer reporting agencies of the timing, distribution, and content of the notice [^breach-7565-cra].
+
+The Attorney General report is not a formality: the statutory report must describe the nature of the breach, the number of affected consumers, investigation and prevention steps, and the timing, distribution, and content of the consumer notice [^breach-7565-ag]. Assume a North Carolina breach notice may draw regulatory attention, and remember from the private-lawsuit discussion above that a notification failure is per se a § 75-1.1 violation carrying treble-damages exposure to injured residents [^breach-7565-per-se].
+
+## How is privacy law enforced in North Carolina? {#ag-enforcement}
+
+**Short answer.** For injured consumers, enforcement turns on the specific ITPA sections that expressly bridge into § 75-1.1 and on Chapter 75's civil action. The breach-notification section says a violation is a § 75-1.1 violation and allows a private action only for an injured individual [^enforce-7565-per-se]; § 75-16 then gives an injured person a right of action and requires trebling when damages are assessed [^enforce-7516-treble]. There is no cure period, no right-to-fix window, and no contracting around the Article: any waiver of its provisions is contrary to public policy and is void and unenforceable [^enforce-7565-waiver].
+
+The absence of a cure period is a structural point, not an oversight — North Carolina has no comprehensive privacy act of the kind that typically grants one, so enforcement follows the state's existing unfair-and-deceptive-practices framework for bridged claims [^enforce-7511-udap]. The Attorney General's Consumer Protection Division is the operative privacy regulator for breach reporting because every consumer-noticed breach report must be sent there, with the nature of the breach, affected-consumer count, investigation steps, prevention steps, and notice details [^enforce-7565-ag-report].
+
+Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review. The durable planning assumption is the current one: injured-consumer treble-damages suits where a section expressly bridges to § 75-1.1, Attorney General breach-report intake under § 75-65(e1), and sector regulators (the FTC, federal banking agencies, HHS) layered on top for businesses inside the federal regimes. For the student-privacy statute the Attorney General is also the named enforcer — it may bring a civil action for injunctive and other equitable relief, and that section creates no private right of action [^enforce-115c-ag].
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not North Carolina. This article synthesizes North Carolina primary law and is not legal advice from a North Carolina-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^itpa-7560-title]: **N.C. Gen. Stat. § 75-60** — "This Article shall be known and may be cited as the ‘Identity Theft Protection Act’." *N.C. Gen. Stat. § 75-60.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-60.html>
+
+[^itpa-7565-scope]: **N.C. Gen. Stat. § 75-65** — "Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach." *N.C. Gen. Stat. § 75-65(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^itpa-115c-student-targeting]: **N.C. Gen. Stat. § 115C-401.2** — "Engage in targeted advertising on the operator's site, service, or application, or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes." *N.C. Gen. Stat. § 115C-401.2(b)(1).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_115C/GS_115C-401.2.html>
+
+[^itpa-115c-student]: **N.C. Gen. Stat. § 115C-401.2** — "Sell or rent a student's information, including covered information." *N.C. Gen. Stat. § 115C-401.2(b)(3).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_115C/GS_115C-401.2.html>
+
+[^itpa-583215-genetic]: **N.C. Gen. Stat. § 58-3-215** — "No insurer shall: (1) Raise the premium or contribution rates paid by a group for a group health benefit plan on the basis of genetic information obtained about an individual member of the group. (2) Refuse to issue or deliver a health benefit plan because of genetic information obtained about any person to be insured by the health benefit plan. (3) Charge a higher premium rate or charge for a health benefit plan because of genetic information obtained about any person to be insured by the health benefit plan." *N.C. Gen. Stat. § 58-3-215(c).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_58/GS_58-3-215.html>
+
+[^bridge-7565-per-se]: **N.C. Gen. Stat. § 75-65** — "A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation." *N.C. Gen. Stat. § 75-65(i).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^bridge-7516-treble]: **N.C. Gen. Stat. § 75-16** — "If any person shall be injured or the business of any person, firm or corporation shall be broken up, destroyed or injured by reason of any act or thing done by any other person, firm or corporation in violation of the provisions of this Chapter, such person, firm or corporation so injured shall have a right of action on account of such injury done, and if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict." *N.C. Gen. Stat. § 75-16.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-16.html>
+
+[^bridge-75161-fees]: **N.C. Gen. Stat. § 75-16.1** — "In any suit instituted by a person who alleges that the defendant violated G.S. 75-1.1, the presiding judge may, in his discretion, allow a reasonable attorney fee to the duly licensed attorney representing the prevailing party, such attorney fee to be taxed as a part of the court costs and payable by the losing party, upon a finding by the presiding judge that: (1) The party charged with the violation has willfully engaged in the act or practice, and there was an unwarranted refusal by such party to fully resolve the matter which constitutes the basis of such suit" *N.C. Gen. Stat. § 75-16.1.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-16.1.html>
+
+[^bridge-7562-ssn]: **N.C. Gen. Stat. § 75-62** — "A violation of this section is a violation of G.S. 75-1.1." *N.C. Gen. Stat. § 75-62(d).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-62.html>
+
+[^bridge-7563-freeze]: **N.C. Gen. Stat. § 75-63** — "A violation of this section is a violation of G.S. 75-1.1." *N.C. Gen. Stat. § 75-63(g).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.html>
+
+[^bridge-75631-protected-freeze]: **N.C. Gen. Stat. § 75-63.1** — "A violation of this section is a violation of G.S. 75-1.1." *N.C. Gen. Stat. § 75-63.1(g).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.1.html>
+
+[^bridge-7564-disposal]: **N.C. Gen. Stat. § 75-64** — "A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees." *N.C. Gen. Stat. § 75-64(f).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>
+
+[^bridge-7511-udap]: **N.C. Gen. Stat. § 75-1.1** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful." *N.C. Gen. Stat. § 75-1.1(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-1.1.html>
+
+[^bridge-7565-assignment]: **N.C. Gen. Stat. § 75-65** — "Causes of action arising under this Article may not be assigned." *N.C. Gen. Stat. § 75-65(j).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^policy-7511-udap]: **N.C. Gen. Stat. § 75-1.1** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful." *N.C. Gen. Stat. § 75-1.1(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-1.1.html>
+
+[^policy-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^policy-7516-treble]: **N.C. Gen. Stat. § 75-16** — "if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict" *N.C. Gen. Stat. § 75-16.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-16.html>
+
+[^policy-glba-notice]: **GLBA § 502** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
+
+[^policy-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^policy-coppa-notice]: **COPPA** — "to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information" *15 U.S.C. § 6502(b)(1)(A)(i).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=to%20provide%20notice%20on%20the,disclosure%20practices%20for%20such%20information>
+
+[^vendor-7564-duty]: **N.C. Gen. Stat. § 75-64** — "Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal." *N.C. Gen. Stat. § 75-64(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>
+
+[^vendor-7564-measures]: **N.C. Gen. Stat. § 75-64** — "The reasonable measures must include: (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed. (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed." *N.C. Gen. Stat. § 75-64(b)(1)-(2).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>
+
+[^vendor-7564-contract]: **N.C. Gen. Stat. § 75-64** — "A business may, after due diligence, enter into a written contract with, and monitor compliance by, another party engaged in the business of record destruction to destroy personal information in a manner consistent with this section." *N.C. Gen. Stat. § 75-64(c).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>
+
+[^vendor-7564-treble]: **N.C. Gen. Stat. § 75-64** — "A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees." *N.C. Gen. Stat. § 75-64(f).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>
+
+[^vendor-7565-maintainer]: **N.C. Gen. Stat. § 75-65** — "Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section." *N.C. Gen. Stat. § 75-65(b).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^vendor-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^vendor-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information>
+
+[^rights-7563-freeze]: **N.C. Gen. Stat. § 75-63** — "A consumer may place a security freeze on the consumer's credit report by making a request to a consumer reporting agency in accordance with this subsection." *N.C. Gen. Stat. § 75-63(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.html>
+
+[^rights-7562-ssn]: **N.C. Gen. Stat. § 75-62** — "Sell, lease, loan, trade, rent, or otherwise intentionally disclose an individual's social security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number." *N.C. Gen. Stat. § 75-62(a)(6).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-62.html>
+
+[^rights-7566-publication]: **N.C. Gen. Stat. § 75-66** — "It shall be a violation of this section for any person to knowingly broadcast or publish to the public on radio, television, cable television, in a writing of any kind, or on the internet, the personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to any such disclosure." *N.C. Gen. Stat. § 75-66(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-66.html>
+
+[^rights-7563-effect]: **N.C. Gen. Stat. § 75-63** — "A security freeze shall prohibit, subject to exceptions in subsection ( l ) of this section, the consumer reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer." *N.C. Gen. Stat. § 75-63(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.html>
+
+[^rights-7563-free]: **N.C. Gen. Stat. § 75-63** — "A consumer reporting agency shall not charge a fee to put a security freeze in place, remove a freeze, or lift a freeze pursuant to subsection (d) or (j) of this section, provided that any such request is made electronically." *N.C. Gen. Stat. § 75-63(o).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.html>
+
+[^rights-7561-protected-definition]: **N.C. Gen. Stat. § 75-61** — "An individual (i) who is under the age of 16 at the time a request for the placement of a security freeze is made pursuant to G.S. 75-63.1 or (ii) who is incapacitated or for whom a guardian or guardian ad litem has been appointed." *N.C. Gen. Stat. § 75-61(11a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>
+
+[^rights-75631-protected]: **N.C. Gen. Stat. § 75-63.1** — "A consumer reporting agency shall place a protected consumer security freeze on the protected consumer's credit report or on the protected consumer's file in accordance with subsection (b) of this section within 30 days of all of the following conditions being satisfied" *N.C. Gen. Stat. § 75-63.1(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.1.html>
+
+[^rights-7566-remedy]: **N.C. Gen. Stat. § 75-66** — "Any person whose property or person is injured by reason of a violation of this section may sue for civil damages pursuant to the provisions of G.S. 1-539.2C." *N.C. Gen. Stat. § 75-66(e).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-66.html>
+
+[^breach-7565-timing]: **N.C. Gen. Stat. § 75-65** — "The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system." *N.C. Gen. Stat. § 75-65(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^breach-7561-definition]: **N.C. Gen. Stat. § 75-61** — "An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach." *N.C. Gen. Stat. § 75-61(14).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>
+
+[^breach-7565-ag]: **N.C. Gen. Stat. § 75-65** — "In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice." *N.C. Gen. Stat. § 75-65(e1).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^breach-7561-personal-info]: **N.C. Gen. Stat. § 75-61** — "A person's first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b). Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records." *N.C. Gen. Stat. § 75-61(10).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>
+
+[^breach-7565-exclusions]: **N.C. Gen. Stat. § 75-65** — "For the purposes of this section, personal information shall not include electronic identification numbers, email names or addresses, internet account numbers, internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources." *N.C. Gen. Stat. § 75-65(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^breach-7561-encryption]: **N.C. Gen. Stat. § 75-61** — "The use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key." *N.C. Gen. Stat. § 75-61(8).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>
+
+[^breach-7561-redaction]: **N.C. Gen. Stat. § 75-61** — "The rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number is accessible as part of the data." *N.C. Gen. Stat. § 75-61(13).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>
+
+[^breach-7565-contents]: **N.C. Gen. Stat. § 75-65** — "The notice shall be clear and conspicuous. The notice shall include all of the following: (1) A description of the incident in general terms. (2) A description of the type of personal information that was subject to the unauthorized access and acquisition. (3) A description of the general acts of the business to protect the personal information from further unauthorized access. (4) A telephone number for the business that the person may call for further information and assistance, if one exists. (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports. (6) The toll-free numbers and addresses for the major consumer reporting agencies. (7) The toll-free numbers, addresses, and website addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft." *N.C. Gen. Stat. § 75-65(d).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^breach-7565-substitute]: **N.C. Gen. Stat. § 75-65** — "Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons." *N.C. Gen. Stat. § 75-65(e)(4).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^breach-7565-cra]: **N.C. Gen. Stat. § 75-65** — "In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice." *N.C. Gen. Stat. § 75-65(f).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^breach-7565-per-se]: **N.C. Gen. Stat. § 75-65** — "A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation." *N.C. Gen. Stat. § 75-65(i).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^enforce-7565-per-se]: **N.C. Gen. Stat. § 75-65** — "A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation." *N.C. Gen. Stat. § 75-65(i).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^enforce-7516-treble]: **N.C. Gen. Stat. § 75-16** — "If any person shall be injured or the business of any person, firm or corporation shall be broken up, destroyed or injured by reason of any act or thing done by any other person, firm or corporation in violation of the provisions of this Chapter, such person, firm or corporation so injured shall have a right of action on account of such injury done, and if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict." *N.C. Gen. Stat. § 75-16.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-16.html>
+
+[^enforce-7565-waiver]: **N.C. Gen. Stat. § 75-65** — "Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable." *N.C. Gen. Stat. § 75-65(g).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^enforce-7511-udap]: **N.C. Gen. Stat. § 75-1.1** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful." *N.C. Gen. Stat. § 75-1.1(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-1.1.html>
+
+[^enforce-7565-ag-report]: **N.C. Gen. Stat. § 75-65** — "In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice." *N.C. Gen. Stat. § 75-65(e1).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>
+
+[^enforce-115c-ag]: **N.C. Gen. Stat. § 115C-401.2** — "The Attorney General, upon ascertaining that an operator has violated this section, may bring a civil action seeking injunctive and other equitable relief." *N.C. Gen. Stat. § 115C-401.2(g).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_115C/GS_115C-401.2.html>

package/skills/legal-explainers/data-privacy-law-explainer/content/north-dakota.md

@@ -0,0 +1,169 @@
+---
+jurisdiction: "North Dakota"
+slug: north-dakota
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-12"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/north-dakota
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/north-dakota · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# North Dakota Consumer Privacy Law[^about]
+
+North Dakota has no comprehensive consumer-privacy statute. Chapter 51-30 governs breach notification, enforced through the ch. 51-15 consumer-fraud law, and a 2025 chapter imposes data-security duties on state-regulated financial corporations.
+
+
+## At a glance
+
+| Question | North Dakota |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | North Dakota has not enacted a comprehensive consumer-privacy law — the operative state framework is the ch. 51-30 breach-notification statute, enforced by the Attorney General through the ch. 51-15 consumer-fraud law, plus a 2025 information-security chapter for state-regulated financial corporations, with everything else riding the federal and sectoral overlay. |
+| **Main law** | N.D. Cent. Code ch. 51-30 (breach notification) — North Dakota has no comprehensive consumer-privacy law; ch. 51-30 plus the consumer-fraud law (ch. 51-15) and the 2025 financial-corporation data-security chapter (ch. 13-01.2) are the operative state framework |
+| **Privacy policy required?** | No North Dakota statute mandates a consumer privacy policy or fixes its contents; a policy that misstates practices can be a deceptive practice under N.D. Cent. Code ch. 51-15 and FTC Act § 5, with GLBA, HIPAA, and COPPA supplying contents where those regimes apply |
+| **Who does it cover?** | Any person that owns or licenses computerized data including personal information of North Dakota residents — no revenue or consumer-volume threshold; the 2025 data-security chapter reaches financial corporations regulated by the Department of Financial Institutions |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not expressly under ch. 51-30 — the Attorney General enforces it — but a ch. 51-30 violation is deemed a ch. 51-15 violation, and § 51-15-09 preserves private claims, with treble damages for knowing conduct, against a defendant who acquired money or property through an unlawful practice |
+| **Who enforces it?** | North Dakota Attorney General; Commissioner of the Department of Financial Institutions for the 2025 financial-corporation data-security chapter |
+
+## Which privacy laws apply to your business in North Dakota? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive North Dakota consumer-privacy law. The operative state statute for most businesses is chapter 51-30 of the Century Code, a breach-notification law that applies to any person that owns or licenses computerized data that includes personal information of North Dakota residents — with no revenue or consumer-volume threshold [^stat-51-30-02-duty]. Day-to-day data practices are policed instead by the state consumer-fraud law, chapter 51-15, which declares deceptive acts or practices in connection with the sale or advertisement of merchandise unlawful [^stat-51-15-02-deception]. And since 2025, a third state law applies to one sector: chapter 13-01.2 requires every state-regulated *financial corporation* to develop, implement, and maintain a comprehensive information security program [^stat-13-01-2-program].
+
+North Dakota residents do not have general state-law rights to access, delete, correct, or port their personal data, and no state statute gives them a right to opt out of its sale or requires businesses to honor universal opt-out signals. There are likewise no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties of the kind found in other states' comprehensive consumer-privacy acts. What North Dakota has instead is a sectoral, layered framework: the breach-notification chapter sets the one statewide incident-response duty, the consumer-fraud law supplies the enforcement engine, and the 2025 financial-corporation chapter adds a GLBA-style security program for entities the Department of Financial Institutions regulates. The consumer-fraud law sweeps broadly — *merchandise* is defined to include intangibles and services as well as goods [^stat-51-15-01-merchandise] — so data-related misrepresentations by most consumer-facing businesses fall within its reach.
+
+The rest of a North Dakota-facing privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy and data-security practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. None of those is a North Dakota statute, but together with chapters 51-30, 51-15, and 13-01.2 they are what actually shapes a compliant program today. This note is written to stay durable: if North Dakota later enacts a comprehensive law, a program built to this overlay upgrades rather than restarts.
+
+## What must your North Dakota privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No North Dakota statute requires a general consumer privacy policy or fixes what it must say. For most businesses the governing rule is that whatever you publish has to be true: under Section 5 of the FTC Act, a policy that misstates how you collect, use, share, retain, or secure data is a deceptive practice [^fed-ftc5-deceptive], and North Dakota's consumer-fraud law reaches the same conduct as a deceptive act or practice — and separately condemns practices that are unconscionable or cause substantial, unavoidable injury to consumers [^q2-stat-51-15-02-unlawful]. Where a sectoral regime applies, that regime supplies the contents instead [^fed-hipaa-notice].
+
+In practice the drafting question in North Dakota is less what must be included and more does the policy match actual practice. Build the policy from the federal and sectoral overlay. A financial institution must give consumers a privacy notice before disclosing nonpublic personal information to nonaffiliated third parties under the GLBA [^fed-glba-notice]. A HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's legal duties [^fed-hipaa-notice]. An operator of a website or online service directed to children must post notice of what information it collects from children, how it uses that information, and its disclosure practices [^fed-coppa-notice]. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. There is no North Dakota-mandated checklist to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** North Dakota has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The one state law that mandates vendor contract terms is sector-specific: a *financial corporation* covered by the 2025 data-security chapter must oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards [^stat-13-01-2-vendor-oversight].
+
+Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to require their service providers by contract to implement and maintain appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a written business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before protected health information changes hands [^fed-hipaa-baa]. The 2025 North Dakota chapter imports the same model into state law for entities regulated by the Department of Financial Institutions — selection diligence, contractual safeguard requirements, and periodic risk-based reassessment of each provider [^stat-13-01-2-vendor-oversight].
+
+Outside those regimes, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no North Dakota statute compels them. The breach-notification chapter touches vendors only narrowly: a person that maintains computerized personal information it does not own must notify the owner or licensee immediately after discovering a breach [^q3-stat-51-30-03-vendor-notice], which is a reason to fix notice timelines and cooperation duties in the contract before an incident, not after.
+
+## When must you notify people of a data breach in North Dakota? {#breach-notification}
+
+**Short answer.** Any person that owns or licenses computerized data including personal information must notify every North Dakota resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person [^q4-stat-51-30-02-resident-notice]. If the breach exceeds two hundred fifty individuals, the person must also notify the Attorney General, and the disclosure must be made in the most expedient time possible and without unreasonable delay [^stat-51-30-02-ag-timing]. A reportable breach is the unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or an equivalent method [^stat-51-30-01-breach-def].
+
+This is the one prong where North Dakota imposes a hard statutory duty, so it is the center of any North Dakota incident-response plan. The trigger is *acquisition* of unencrypted data — encryption is a safe harbor built into the definition of a breach, and good-faith acquisition by an employee or agent does not count if the information is not further misused [^stat-51-30-01-breach-def]. The definition of *personal information* is notably broad: beyond the usual name-plus-identifier combinations — Social Security number, driver's license or state ID number, financial-account or card number with its access code — it also reaches a resident's name combined with date of birth, mother's maiden name, medical information, health insurance information, an employer-assigned ID number with an access code, or an electronic signature [^stat-51-30-01-personal-info]. Several of those elements, such as date of birth, are not breach-notice triggers in most states, so a multistate incident can be reportable in North Dakota even when it is not reportable elsewhere.
+
+The mechanics follow the familiar national pattern. A vendor that maintains data it does not own must notify the owner or licensee immediately following discovery [^q4-stat-51-30-03-vendor-notice]. Notice may be delayed if a law enforcement agency determines it would impede a criminal investigation, and must then be made once the agency clears it [^stat-51-30-04-delay]. Notice may be written or electronic, with substitute notice — email, conspicuous website posting, and statewide media — available when the cost of direct notice would exceed two hundred fifty thousand dollars, the affected class exceeds five hundred thousand persons, or contact information is insufficient [^stat-51-30-05-substitute]. Two compliance off-ramps matter in practice: a person that follows its own breach-notification procedures under an information security policy consistent with the chapter's timing requirements is deemed compliant [^stat-51-30-06-own-policy], and financial institutions following the federal interagency guidance, as well as HIPAA covered entities, business associates, and subcontractors subject to the HIPAA breach-notification rule, are deemed compliant as well [^stat-51-30-06-deemed-compliance].
+
+## What does North Dakota's 2025 financial data-security law require? {#financial-data-security}
+
+**Short answer.** In 2025 North Dakota enacted chapter 13-01.2, which requires every covered *financial corporation* to develop, implement, and maintain a comprehensive information security program [^q5-stat-13-01-2-program]. The chapter reaches entities regulated by the Department of Financial Institutions other than banks and credit unions — *financial corporation* is defined as all entities regulated by the department, excluding financial institutions and credit unions [^stat-13-01-2-scope] — so it covers nondepository licensees such as lenders, brokers, and servicers under the department's supervision.
+
+The chapter is built on the model of the federal GLBA Safeguards Rule, which likewise requires designating a qualified individual to oversee, implement, and enforce the information security program [^q5-fed-glba-qualified]. The North Dakota version requires the same designation [^stat-13-01-2-qualified], a written risk assessment, and risk-based safeguards that include encrypting all customer information in transit over external networks and at rest, with compensating controls allowed only when the qualified individual approves them after finding encryption infeasible [^stat-13-01-2-encryption]. Multifactor authentication is required for any individual accessing any information system unless the qualified individual approves an equivalent or stronger control in writing [^stat-13-01-2-mfa]. The program must also cover penetration testing and vulnerability assessments [^stat-13-01-2-testing], personnel training [^stat-13-01-2-training], service-provider oversight, an incident response plan [^stat-13-01-2-irp], and an annual written report to the board or a senior officer [^stat-13-01-2-annual-report].
+
+The chapter adds its own regulator-notification clock, separate from the chapter 51-30 consumer-notice duty: after discovering a *notification event* involving the information of at least five hundred consumers, the financial corporation must notify the Commissioner of the Department of Financial Institutions as soon as possible and no later than forty-five days after discovery [^stat-13-01-2-notify]. The chapter's one carve-out is narrow on its face: section 13-01.2-04 states that the written-risk-assessment, penetration-testing and vulnerability-assessment, incident-response-plan, and annual-reporting elements do not apply to *financial institutions* that maintain customer information concerning fewer than five thousand consumers [^stat-13-01-2-exemption]. For a covered entity, the practical upshot is that a program already built to the FTC Safeguards Rule maps nearly one-to-one onto the new state chapter, but the forty-five-day report runs to the state commissioner and must be tracked alongside the federal thirty-day FTC notice [^q5-fed-glba-ftc-notice].
+
+## Can a consumer sue your business in North Dakota over privacy? {#consumer-lawsuit}
+
+**Short answer.** The breach-notification chapter is built for public enforcement: the Attorney General may enforce it with all the powers and remedies of the consumer-fraud law, and a violation of the breach chapter is deemed a violation of chapter 51-15 [^stat-51-30-07-ag-enforce]. But the chapter expressly states that its remedies are not exclusive and sit on top of all other causes of action and remedies under chapter 51-15 or otherwise provided by law [^stat-51-30-07-not-exclusive], and chapter 51-15 itself preserves private claims: it does not bar any claim for relief by any person against a defendant who acquired money or property through an unlawful practice, with treble damages available for knowing conduct plus mandatory costs and attorney's fees [^stat-51-15-09-private].
+
+Public enforcement is the primary channel. The Attorney General may seek and obtain a district-court injunction against any practice declared unlawful by the consumer-fraud law [^stat-51-15-07-injunction], and the court may assess a civil penalty of up to five thousand dollars for each violation [^stat-51-15-11-penalty]. Because a breach-chapter violation is deemed a chapter 51-15 violation, those tools — investigation, subpoenas, injunctions, cease-and-desist orders, and penalties — all apply to a failure to give breach notice.
+
+The private path is narrower than the public one, and its boundary comes from the statutory text. Section 51-15-09 conditions private recovery on the defendant having acquired money or property by means of the unlawful practice, so the claim fits most naturally where a data-related misrepresentation induced a purchase — a privacy promise that helped sell the product — and less naturally where the only wrong is a bare failure to notify after a breach. No quoted authority in this note resolves how far courts will take that bridge from the breach chapter into § 51-15-09, so treat the private exposure as real but untested at its edges. A private claim under the consumer-fraud law must be brought within four years, and the clock does not start until the aggrieved party discovers the facts constituting the violation [^stat-51-15-12-limitations]. The treble-damages and fee-shifting provisions make even individually small claims economically viable for plaintiffs when knowing conduct can be shown [^stat-51-15-09-private], which is the practical reason to treat published privacy statements in North Dakota with the same care as advertising copy.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not North Dakota. This article synthesizes North Dakota primary law and is not legal advice from a North Dakota-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^stat-51-30-02-duty]: **N.D. Cent. Code § 51-30-02** — "Any person that owns or licenses computerized data that includes personal information, shall disclose any breach of the security system following discovery or notification of the breach in the security of the data to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *N.D. Cent. Code § 51-30-02.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-15-02-deception]: **N.D. Cent. Code § 51-15-02** — "The act, use, or employment by any person of any deceptive act or practice, fraud, false pretense, false promise, or misrepresentation, with the intent that others rely thereon in connection with the sale or advertisement of any merchandise, whether or not any person has in fact been misled, deceived, or damaged thereby, is declared to be an unlawful practice." *N.D. Cent. Code § 51-15-02.* <https://ndlegis.gov/cencode/t51c15.pdf>
+
+[^stat-13-01-2-program]: **N.D. Cent. Code § 13-01.2-02** — "A financial corporation shall develop, implement, and maintain a comprehensive information security program." *N.D. Cent. Code § 13-01.2-02(1).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-51-15-01-merchandise]: **N.D. Cent. Code § 51-15-01** — "‘Merchandise’ means any objects, wares, goods, commodities, intangibles, real estate, charitable contributions, or services." *N.D. Cent. Code § 51-15-01(3).* <https://ndlegis.gov/cencode/t51c15.pdf>
+
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q2-stat-51-15-02-unlawful]: **N.D. Cent. Code § 51-15-02** — "The act, use, or employment by any person of any deceptive act or practice, fraud, false pretense, false promise, or misrepresentation, with the intent that others rely thereon in connection with the sale or advertisement of any merchandise, whether or not any person has in fact been misled, deceived, or damaged thereby, is declared to be an unlawful practice. The act, use, or employment by any person of any act or practice, in connection with the sale or advertisement of any merchandise, which is unconscionable or which causes or is likely to cause substantial injury to a person which is not reasonably avoidable by the injured person and not outweighed by countervailing benefits to consumers or to competition, is declared to be an unlawful practice." *N.D. Cent. Code § 51-15-02.* <https://ndlegis.gov/cencode/t51c15.pdf>
+
+[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^fed-glba-notice]: **GLBA privacy notice** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
+
+[^fed-coppa-notice]: **COPPA notice requirement** — "to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information" *15 U.S.C. § 6502(b)(1)(A)(i).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=to%20provide%20notice%20on%20the,disclosure%20practices%20for%20such%20information>
+
+[^stat-13-01-2-vendor-oversight]: **N.D. Cent. Code § 13-01.2-03(8)** — "A financial corporation shall oversee service providers by: a. Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information; b. Requiring, by contract, the financial corporation's service providers implement and maintain appropriate safeguards; and c. Periodically assessing the financial corporation's service providers based on the risk they present, and the continued adequacy of the service providers' safeguards." *N.D. Cent. Code § 13-01.2-03(8).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,and%20a%20business%20associate%20must>
+
+[^q3-stat-51-30-03-vendor-notice]: **N.D. Cent. Code § 51-30-03** — "Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *N.D. Cent. Code § 51-30-03.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^q4-stat-51-30-02-resident-notice]: **N.D. Cent. Code § 51-30-02** — "Any person that owns or licenses computerized data that includes personal information, shall disclose any breach of the security system following discovery or notification of the breach in the security of the data to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *N.D. Cent. Code § 51-30-02.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-30-02-ag-timing]: **N.D. Cent. Code § 51-30-02** — "In addition, any person that experiences a breach of the security system as provided in this section shall disclose to the attorney general by mail or electronic mail any breach of the security system which exceeds two hundred fifty individuals. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in section 51-30-04, or any measures necessary to determine the scope of the breach and to restore the integrity of the data system." *N.D. Cent. Code § 51-30-02.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-30-01-breach-def]: **N.D. Cent. Code § 51-30-01** — "‘Breach of the security system’ means unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable. Good-faith acquisition of personal information by an employee or agent of the person is not a breach of the security of the system, if the personal information is not used or subject to further unauthorized disclosure." *N.D. Cent. Code § 51-30-01(1).* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-30-01-personal-info]: **N.D. Cent. Code § 51-30-01** — "‘Personal information’ means an individual's first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted: (1) The individual's social security number; (2) The operator's license number assigned to an individual by the department of transportation under section 39-06-14; (3) A nondriver color photo identification card number assigned to the individual by the department of transportation under section 39-06-03.1; (4) The individual's financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts; (5) The individual's date of birth; (6) The maiden name of the individual's mother; (7) Medical information; (8) Health insurance information; (9) An identification number assigned to the individual by the individual's employer in combination with any required security code, access code, or password; or (10) The individual's digitized or other electronic signature." *N.D. Cent. Code § 51-30-01(4)(a).* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^q4-stat-51-30-03-vendor-notice]: **N.D. Cent. Code § 51-30-03** — "Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *N.D. Cent. Code § 51-30-03.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-30-04-delay]: **N.D. Cent. Code § 51-30-04** — "The notification required by this chapter may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this chapter must be made after the law enforcement agency determines that the notification will not compromise the investigation." *N.D. Cent. Code § 51-30-04.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-30-05-substitute]: **N.D. Cent. Code § 51-30-05** — "Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or the person does not have sufficient contact information." *N.D. Cent. Code § 51-30-05(3).* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-30-06-own-policy]: **N.D. Cent. Code § 51-30-06** — "Notwithstanding section 51-30-05, a person that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notification requirements of this chapter if the person notifies subject individuals in accordance with its policies in the event of a breach of security of the system." *N.D. Cent. Code § 51-30-06.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-30-06-deemed-compliance]: **N.D. Cent. Code § 51-30-06** — "A financial institution, trust company, or credit union that is subject to, examined for, and in compliance with the federal interagency guidance on response programs for unauthorized access to customer information and customer notice is in compliance with this chapter. A covered entity, business associate, or subcontractor subject to breach notification requirements under title 45, Code of Federal Regulations, subpart D, part 164, is considered to be in compliance with this chapter." *N.D. Cent. Code § 51-30-06.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^q5-stat-13-01-2-program]: **N.D. Cent. Code § 13-01.2-02** — "A financial corporation shall develop, implement, and maintain a comprehensive information security program." *N.D. Cent. Code § 13-01.2-02(1).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-scope]: **N.D. Cent. Code § 13-01.2-01** — "‘Financial corporation’ means all entities regulated by the department of financial institutions, excluding financial institutions and credit unions." *N.D. Cent. Code § 13-01.2-01(9).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^q5-fed-glba-qualified]: **GLBA Safeguards Rule** — "Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program" *16 C.F.R. § 314.4(a).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Designate%20a%20qualified%20individual%20responsible,enforcing%20your%20information%20security%20program>
+
+[^stat-13-01-2-qualified]: **N.D. Cent. Code § 13-01.2-03(1)** — "A financial corporation's information security program must denote a designation of a qualified individual responsible for overseeing and implementing the financial corporation's information security program and enforcing the financial corporation's information security program." *N.D. Cent. Code § 13-01.2-03(1).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-encryption]: **N.D. Cent. Code § 13-01.2-03(5)(c)** — "Protecting by encryption all customer information held or transmitted by the financial corporation both in transit over external networks and at rest. To the extent a financial corporation determines that encryption of customer information, either in transit over external networks or at rest, is infeasible, the financial corporation may secure customer information using effective alternative compensating controls reviewed and approved by the financial corporation's qualified individual." *N.D. Cent. Code § 13-01.2-03(5)(c).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-mfa]: **N.D. Cent. Code § 13-01.2-03(5)(e)** — "Implementing multifactor authentication for any individual accessing any information system, unless the financial corporation's qualified individual has approved in writing the use of a reasonably equivalent or more secure access control." *N.D. Cent. Code § 13-01.2-03(5)(e).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-testing]: **N.D. Cent. Code § 13-01.2-03(6)** — "Information systems monitoring and testing must include continuous monitoring or periodic penetration testing, and vulnerability assessments." *N.D. Cent. Code § 13-01.2-03(6)(b).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-training]: **N.D. Cent. Code § 13-01.2-03(7)** — "A financial corporation shall implement policies and procedures to ensure the financial corporation's personnel are able to enact the financial corporation's information security program by: a. Providing the financial corporation's personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment; b. Utilizing qualified information security personnel employed by the financial corporation or an affiliate or service provider sufficient to manage the financial corporation's information security risks and to perform or oversee the information security program; c. Providing information security personnel with security updates and training sufficient to address relevant security risks; and d. Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures." *N.D. Cent. Code § 13-01.2-03(7).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-irp]: **N.D. Cent. Code § 13-01.2-03(10)** — "A financial corporation shall establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information the financial corporation controls." *N.D. Cent. Code § 13-01.2-03(10).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-annual-report]: **N.D. Cent. Code § 13-01.2-03(11)** — "A financial corporation shall require the financial corporation's qualified individual to report in writing, at least annually, to the financial corporation's board of directors or equivalent governing body. If no board of directors or equivalent governing body exists, the report shall be timely presented to a senior officer responsible for the financial corporation's information security program." *N.D. Cent. Code § 13-01.2-03(11).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-notify]: **N.D. Cent. Code § 13-01.2-03(12)** — "After discovery of a notification event described in subdivision c, if the notification event involves the information of at least five hundred consumers, the financial corporation shall notify the commissioner as soon as possible, and no later than forty-five days after the event is discovered." *N.D. Cent. Code § 13-01.2-03(12)(b).* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^stat-13-01-2-exemption]: **N.D. Cent. Code § 13-01.2-04** — "Subsection 4, subdivision b of subsection 6, and subsections 10 and 11 of section 13-01.2-03 do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers." *N.D. Cent. Code § 13-01.2-04.* <https://ndlegis.gov/cencode/t13c01-2.pdf>
+
+[^q5-fed-glba-ftc-notice]: **GLBA Safeguards Rule** — "Upon discovery of a notification event as described in paragraph (j)(2) of this section, if the notification event involves the information of at least 500 consumers, you must notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovery of the event." *16 C.F.R. § 314.4(j)(1).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Upon%20discovery%20of%20a%20notification,after%20discovery%20of%20the%20event.>
+
+[^stat-51-30-07-ag-enforce]: **N.D. Cent. Code § 51-30-07** — "The attorney general may enforce this chapter. The attorney general, in enforcing this chapter, has all the powers provided in chapter 51-15 and may seek all the remedies in chapter 51-15. A violation of this chapter is deemed a violation of chapter 51-15." *N.D. Cent. Code § 51-30-07.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-30-07-not-exclusive]: **N.D. Cent. Code § 51-30-07** — "The remedies, duties, prohibitions, and penalties of this chapter are not exclusive and are in addition to all other causes of action, remedies, and penalties under chapter 51-15, or otherwise provided by law." *N.D. Cent. Code § 51-30-07.* <https://ndlegis.gov/cencode/t51c30.pdf>
+
+[^stat-51-15-09-private]: **N.D. Cent. Code § 51-15-09** — "Except as provided in section 51-15-02.3, this chapter does not bar any claim for relief by any person against any person who has acquired any moneys or property by means of any practice declared to be unlawful in this chapter. If the court finds the defendant knowingly committed the conduct, the court may order that the person commencing the action recover up to three times the actual damages proven and the court must order that the person commencing the action recover costs, disbursements, and actual reasonable attorney's fees incurred in the action." *N.D. Cent. Code § 51-15-09.* <https://ndlegis.gov/cencode/t51c15.pdf>
+
+[^stat-51-15-07-injunction]: **N.D. Cent. Code § 51-15-07** — "Whenever it appears to the attorney general that a person has engaged in, or is engaging in, any practice declared to be unlawful by this chapter, or by other provisions of law, including chapter 50-22, 51-13, 51-14, 51-16.1, or 51-18, the attorney general may seek and obtain in an action in a district court an injunction prohibiting that person from continuing the unlawful practice or engaging in the unlawful practice or doing any act in furtherance of the unlawful practice after appropriate notice to that person." *N.D. Cent. Code § 51-15-07.* <https://ndlegis.gov/cencode/t51c15.pdf>
+
+[^stat-51-15-11-penalty]: **N.D. Cent. Code § 51-15-11** — "The court may assess for the benefit of the state a civil penalty of not more than five thousand dollars for each violation of this chapter or for each violation of chapter 51-12, 51-13, 51-14, or 51-18." *N.D. Cent. Code § 51-15-11.* <https://ndlegis.gov/cencode/t51c15.pdf>
+
+[^stat-51-15-12-limitations]: **N.D. Cent. Code § 51-15-12** — "Notwithstanding chapter 28-01, an action for relief under this chapter is barred if the claim is not commenced within four years after the claim for relief accrues. The period of limitation for a claim for relief may not be deemed to have accrued until the aggrieved party discovers the facts constituting the violation of this chapter." *N.D. Cent. Code § 51-15-12.* <https://ndlegis.gov/cencode/t51c15.pdf>