Can I ensure that my company is compliant with expanding privacy protections in North Dakota? What are the requirements?

To ensure that your company is compliant with expanding privacy protections in North Dakota, you must follow the requirements outlined in NDAC Section 45-14-01-05, NDAC Section 45-14-01-06, NDAC Section 45-14-01-07, NDAC Section 45-14-01-09, and NDAC Section 45-14-01-16.

Initial Privacy Notice

Under NDAC Section 45-14-01-05, your company must provide a clear and conspicuous initial privacy notice that accurately reflects its privacy policies and practices to customers and consumers. The notice must include the following information:

• The categories of nonpublic personal financial information that the licensee collects
• The categories of nonpublic personal financial information that the licensee discloses
• The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information
• The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers
• An explanation of the consumer’s right to authorize or not authorize the disclosure of nonpublic personal financial information to nonaffiliated third parties
• The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information

Annual Privacy Notice

Under NDAC Section 45-14-01-06, your company must provide a clear and conspicuous annual privacy notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. The notice must include the same information as the initial privacy notice, as well as any other information your company wishes to provide that applies to the licensee and to the consumers to whom the licensee sends its privacy notice.

Revised Privacy Notices

Under NDAC Section 45-14-01-09, your company must provide a revised privacy notice if it requests authorization to disclose a new category of nonpublic personal financial information to any nonaffiliated third party, nonpublic personal financial information to a new category of nonaffiliated third party, or nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not authorized the disclosure. The revised notice must accurately describe your company’s policies and practices, and your company must obtain authorization from the consumer whose nonpublic personal financial information is sought to be disclosed.

Exceptions to Notice and Authorization Requirements

Under NDAC Section 45-14-01-16, there are exceptions to notice and authorization requirements for disclosure of nonpublic personal financial information. For example, your company may disclose nonpublic personal financial information to comply with federal, state, or local laws, rules, and other applicable legal requirements, or to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities.

To summarize, to ensure compliance with expanding privacy protections in North Dakota, your company must provide clear and conspicuous initial, annual, and revised privacy notices that accurately reflect its privacy policies and practices, and include the required information outlined in NDAC Section 45-14-01-05, NDAC Section 45-14-01-06, NDAC Section 45-14-01-07, NDAC Section 45-14-01-09, and NDAC Section 45-14-01-16.

Jurisdiction

North Dakota

• Privacy