A North Carolina privacy act was introduced in the Senate earlier this year. On April 4, 2023, legislators in North Carolina proposed SB 525, also named the North Carolina Consumer Privacy Act. The Senate Committee on Rules and Operations is now reviewing the bill, and its fate is still unknown. A summary of the proposed North Carolina data privacy law is provided below.
Summary of the Proposed Act:
The bill would apply to any controller, defined as a person doing business in the state who determines for which and how personal data are processed, or processor, defined as a person who processes data on behalf of a controller, who:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of North Carolina
- has annual revenue of $25 million or more
- who either
- controls or processes ses personal data of 100,000 or more consumers during a calendar year
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers
Interactions with Existing Laws
- The bill stipulates that a controller complies with the act’s “parental consent” clause if they comply with the verifiable parental consent mechanisms under the federal Children’s Online Privacy Protection Act (COPPA)
- The bill does not require actions that conflict with the federal Health Insurance Portability and Accountability Act (HIPPA)
- The bill establishes that it supersedes and preempts local laws regarding the processing of personal data by a controller or processor.
Establishes Four Consumer Rights
- The right to confirm whether a controller is processing the consumer data and accessing the consumer’s data
- The right to delete the consumer’s data that the consumer provided to the controller
- The right to obtain a copy of the consumer’s data that the consumer previously provided to the consumer, in a readily usable format as described
- The Right to opt out of the processing of the consumer’s data for purposes of targeted advertising or the sale of personal data
Controller and Processor Requirements
- Requires controllers to take action and inform the consumer of any action taken, or inform the consumer of reasons for not taking action, within 45 days after the day the controller receives a request, absent reasonable suspicion that the request is fraudulent.
- Provides for an extension of another 45 days if reasonably necessary due to the complexity of the request or volume of requests received, subject to notice requirements.
- Requires processors to adhere to controllers’ instructions and as reasonably practicable, assist controllers in meeting the controllers’ obligations, including security obligations.
- Establishes mandatory contract terms between contractors and processors and requires contracting before performing processing on behalf of the processor.
- Requires a controller to provide consumers with a reasonably accessible and clear privacy notice that includes five points: the categories of personal data processed by the controller, the purpose of processing the types of personal data, and how consumers may exercise a right.
- Requires conspicuous disclosure of how a consumer can opt out of a controller’s sale of personal data to a third party or processing for targeted advertising.
- Requires a controller to establish, implement and maintain reasonable administrative, technical, and physical data security practices as described.
- Prohibits processing sensitive data without first presenting the consumer with clear notice and an opportunity-out out
- Requires compliance with COPPA for personal data concerning a known child.
- Prohibits specified discriminatory acts against a consumer for exercising a right
- The bill does not provide a private cause of action.
- Directs the Consumer Protection Division of the Department of Justice (Division) to establish and administer a system to receive consumer complaints regarding alleged violations and authorizes the Division to investigate consumer complaints.
- Grants the Attorney General exclusive enforcement authority upon referral from the Division.
- Details enforcement procedures, including notice of violations, and an opportunity to cure noticed violations.
- Provides for recovery of actual damages to the consumer and up to $7,500 for each violation; requires allocation of liabilities among multiple processors and controllers involved in the same processing violation.
Tentative Effective Date: January 1, 2024