Proposed North Dakota Law Would Require Consent for User Data Sales, Authorize Private Right of Action with Steep Minimum Damages
A proposed bill in the North Dakota House of Representatives would prohibit a covered entity from selling a user's protected data without consent. The bill, which was sponsored by four Republican state representatives, has been referred to the Industry, Business and Labor Committee.
The bill defines "covered entity" as "a partnership, limited liability company, corporation, or other legal entity, including a social media company, that collects and sells a user's protected data and does business in the state."
A user's "protected data" is broadly defined to include:
- Location
- Screen name
- Website address
- Interests
- Hometown
- Professional history
- Friends or followers
- Shopping habits
- Test scores
- Health conditions
- Insurance
- Internet browsing history
- Purchases or purchase history
- Number of friends or followers
- Alcohol, tobacco, or drug usage
- Gambling habits
- Residence details
- Credit
- Insurance policies
- Media usage
- Relationship status
Covered entities would be prohibited from selling a user's protected data unless the user opts in to allow the sale. The covered entity would be required to provide the user with the opportunity to affirmatively click or select approval of the sale for each type of protected data at issue. The protected data collected and sold by the covered entity must be described "clearly in plain language" to the user.
Notably, the proposed law contains a private right of action, expressly authorizing class action lawsuits. The bill provides that a "covered entity that violates this chapter is civilly liable to the user for a minimum of ten thousand dollars [emphasis added]." In the event of knowing violations, the minimum damages amount to the user would be $100,000. Recovery of attorney's fees is authorized for any violation.
Unsurprisingly, advertising trade groups are seeking revisions to the bill, raising particular concern over the opt-in consent requirement and private right of action.