State Privacy Law Tracker: North Carolina

North Carolina Data Privacy Law

A North Carolina privacy act was introduced in the Senate earlier this year. On April 4, 2023, legislators in North Carolina proposed SB 525, also named the North Carolina Consumer Privacy Act. The Senate Committee on Rules and Operations is now reviewing the bill, and its fate is still unknown. A summary of the proposed North Carolina data privacy law is provided below.

Summary of the Proposed Act:

The bill would apply to any controller (a person doing business in the state who determines the purposes for which, and how, personal data are processed) or processor (a person who processes data on behalf of a controller) who:

  1. conducts business in the state or produces a product or service that is targeted to consumers who are residents of North Carolina
  2. has annual revenue of $25 million or more
  3. either
    1. controls or processes personal data of 100,000 or more consumers during a calendar year, or
    2. derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers

Interactions with Existing Laws

  • The bill stipulates that a controller complies with the act’s “parental consent” clause if they comply with the verifiable parental consent mechanisms under the federal Children’s Online Privacy Protection Act (COPPA)
  • The bill does not require actions that conflict with the federal Health Insurance Portability and Accountability Act (HIPAA)
  • The bill establishes that it supersedes and preempts local laws regarding the processing of personal data by a controller or processor. 

Establishes Four Consumer Rights

  1. The right to confirm whether a controller is processing the consumer’s data and accessing the consumer’s data
  2. The right to delete the consumer’s data that the consumer provided to the controller
  3. The right to obtain a copy of the consumer’s data that the consumer previously provided to the controller, in a readily usable format as described
  4. The right to opt out of the processing of the consumer’s data for purposes of targeted advertising or the sale of personal data

Controller and Processor Requirements

  • Requires controllers to take action and inform the consumer of any action taken, or inform the consumer of reasons for not taking action, within 45 days after the day the controller receives a request, absent reasonable suspicion that the request is fraudulent. 
  • Provides for an extension of another 45 days if reasonably necessary due to the complexity of the request or volume of requests received, subject to notice requirements. 
  • Requires processors to adhere to controllers’ instructions and as reasonably practicable, assist controllers in meeting the controllers’ obligations, including security obligations. 
  • Establishes mandatory contract terms between contractors and processors and requires contracting before performing processing on behalf of the processor. 
  • Requires a controller to provide consumers with a reasonably accessible and clear privacy notice that includes five points: the categories of personal data processed by the controller, the purpose of processing the types of personal data, and how consumers may exercise a right. 
  • Requires conspicuous disclosure of how a consumer can opt out of a controller’s sale of personal data to a third party or processing for targeted advertising. 
  • Requires a controller to establish, implement and maintain reasonable administrative, technical, and physical data security practices as described. 
  • Prohibits processing sensitive data without first presenting the consumer with clear notice and an opportunity to opt out
  • Requires compliance with COPPA for personal data concerning a known child. 
  • Prohibits specified discriminatory acts against a consumer for exercising a right


  • The bill does not provide a private cause of action. 
  • Directs the Consumer Protection Division of the Department of Justice (Division) to establish and administer a system to receive consumer complaints regarding alleged violations and authorizes the Division to investigate consumer complaints. 
  • Grants the Attorney General exclusive enforcement authority upon referral from the Division.
  • Details enforcement procedures, including notice of violations, and an opportunity to cure noticed violations. 
  • Provides for recovery of actual damages to the consumer and up to $7,500 for each violation; requires allocation of liabilities among multiple processors and controllers involved in the same processing violation. 

Tentative Effective Date:  January 1, 2024 
