North Carolina 2025-2026 Regular Session

North Carolina House Bill H462 Compare Versions

11 GENERAL ASSEMBLY OF NORTH CAROLINA
22 SESSION 2025
3-H 1
4-HOUSE BILL 462
3+H D
4+HOUSE BILL DRH40244-LR-32B
5+
56
67
78 Short Title: Personal Data Privacy/Social Media Safety. (Public)
8-Sponsors: Representatives T. Brown, Chesser, N. Jackson, and Longest (Primary
9-Sponsors).
10-For a complete list of sponsors, refer to the North Carolina General Assembly web site.
11-Referred to: Judiciary 2, if favorable, Commerce and Economic Development, if favorable,
12-Rules, Calendar, and Operations of the House
13-March 20, 2025
14-*H462 -v-1*
9+Sponsors: Representative T. Brown.
10+Referred to:
11+
12+*DRH40244 -LR-32B*
1513 A BILL TO BE ENTITLED 1
1614 AN ACT TO PROTECT NORTH CAROLINIANS BY ENACTING THE PERSONAL DATA 2
1715 PRIVACY ACT AND SOCIAL MEDIA SAFETY ACT . 3
1816 The General Assembly of North Carolina enacts: 4
1917 5
2018 PART I. ENACT PERSONAL DATA PRIVACY ACT 6
2119 SECTION 1.1. This act shall be known and may be cited as the "North Carolina 7
2220 Personal Data Privacy Act." 8
2321 SECTION 1.2. Effective January 1, 2026, the General Statutes are amended by 9
2422 adding a new Chapter to read: 10
2523 "Chapter 75F. 11
2624 "Data Privacy Act. 12
2725 "§ 75F-101. Short title. 13
2826 This Chapter shall be known and may be cited as the "North Carolina Data Privacy Act." 14
2927 "§ 75F-102. Definitions. 15
3028 The following definitions apply in this Chapter: 16
3129 (1) Affiliate. – A legal entity that shares common branding with another legal 17
3230 entity or controls, is controlled by, or is under common control with another 18
3331 legal entity. For the purposes of this subdivision, "control" or "controlled" 19
3432 means any of the following: 20
3533 a. Ownership of, or the power to vote, more than fifty percent (50%) of 21
3634 the outstanding shares of any class of voting security of a legal entity. 22
3735 b. Control in any manner over the election of a majority of the directors 23
3836 or of individuals exercising similar functions. 24
3937 c. The power to exercise controlling influence over the management of a 25
4038 legal entity. 26
4139 (2) Authenticate. – To use reasonable means to determine that a request to 27
4240 exercise any of the rights afforded under G.S. 75F-104(a)(1) to (4), inclusive, 28
4341 is being made by, or on behalf of, the consumer who is entitled to exercise the 29
4442 consumer rights with respect to the personal data at issue. 30
4543 (3) Biometric data. – Personal information and data generated by automatic 31
4644 measurements of an individual's unique biological characteristics, such as a 32
47-fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns 33 General Assembly Of North Carolina Session 2025
48-Page 2 House Bill 462-First Edition
49-or characteristics that can be used to identify or authenticate a specific 1
50-individual. "Biometric data" does not include any of the following: 2
51-a. A digital or physical photograph. 3
52-b. An audio or video recording. 4
53-c. Any data generated from a digital or physical photograph, or an audio 5
54-or video recording, unless the data is generated to identify a specific 6
55-individual. 7
56-(4) Business associate. – As defined in HIPAA. 8
57-(5) Child. – As defined in COPPA. 9
58-(6) Child abuse. – With respect to an individual under 18 years of age, as defined 10
59-in Chapter 14 of the General Statutes or any equivalent provision in the laws 11
60-of any other state; the United States; any territory, district, or subdivision of 12
61-the United States; or any foreign jurisdiction. 13
62-(7) Consent. – A clear affirmative act signifying a consumer's freely given, 14
63-specific, informed, and unambiguous agreement to allow the processing of 15
64-personal data relating to the consumer. "Consent" may include a written 16
65-statement, including by electronic means, or any other unambiguous 17
66-affirmative action. "Consent" does not include any of the following: 18
67-a. Acceptance of a general or broad terms of use or similar document that 19
68-contains descriptions of personal data processing along with other, 20
69-unrelated information. 21
70-b. Hovering over, muting, pausing, or closing a given piece of content. 22
71-c. Agreement obtained through the use of dark patterns. 23
72-(8) Consumer. – An individual who is a resident of this State. "Consumer" does 24
73-not include an individual acting in a commercial or employment context or as 25
74-an employee, owner, director, officer, or contractor of a company, partnership, 26
75-sole proprietorship, nonprofit organization, or government agency whose 27
76-communications or transactions with the controller occur solely within the 28
77-context of that individual's role with the company, partnership, sole 29
78-proprietorship, nonprofit organization, or government agency. 30
79-(9) Controller. – A person that, alone or jointly with others, determines the 31
80-purpose and means of processing personal data. 32
81-(10) COPPA. – The Children's Online Privacy Protection Act of 1998, 15 U.S.C. 33
82-§ 6501, et seq., as amended, and the regulations, rules, guidance, and 34
83-exemptions adopted pursuant to the act, and such regulations, rules, guidance, 35
84-and exemptions as may be amended. 36
85-(11) Covered entity. – As defined in HIPAA. 37
86-(12) Dark pattern. – Any of the following: 38
87-a. A user interface designed or manipulated with the substantial effect of 39
88-subverting or impairing user autonomy, decision making, or choice. 40
89-b. Any other practice the Federal Trade Commission refers to as a dark 41
90-pattern. 42
91-(13) Decisions that produce legal or similarly significant effects concerning the 43
92-consumer. – Decisions made by the controller that result in the provision or 44
93-denial by the controller of financial or lending services, housing, insurance, 45
94-education enrollment or opportunity, criminal justice, employment 46
95-opportunities, health care services, or access to essential goods or services. 47
96-(14) De-identified data. – Data that cannot reasonably be used to infer information 48
97-about, or otherwise be linked to, an identified or identifiable individual, or a 49
98-device linked to the individual, if the controller that possesses the data does 50
99-all of the following: 51 General Assembly Of North Carolina Session 2025
100-House Bill 462-First Edition Page 3
101-a. Takes reasonable measures to ensure that the data cannot be associated 1
102-with an individual. 2
103-b. Publicly commits to process the data only in a de-identified fashion 3
104-and not attempt to re-identify the data. 4
105-c. Contractually obligates any recipients of the data to comply with all of 5
106-the provisions of this Chapter applicable to the controller with respect 6
107-to the data. 7
108-(15) Domestic violence. - As defined in Chapter 14 of the General Statutes or any 8
109-equivalent provision in the laws of any other state; the United States; any 9
110-territory, district, or subdivision of the United States; or any foreign 10
111-jurisdiction. 11
112-(16) Genetic data. – Any data, regardless of its format, that results from the analysis 12
113-of a biological sample of an individual, or from another source enabling 13
114-equivalent information to be obtained, and concerns genetic material. For 14
115-purposes of this subdivision, "genetic material" includes deoxyribonucleic 15
116-acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, 16
117-genomes, alterations or modifications to DNA or RNA, single nucleotide 17
118-polymorphisms (SNPs), uninterpreted data that results from analysis of the 18
119-biological sample or other source, and any information extrapolated, derived, 19
120-or inferred therefrom. 20
121-(17) HIPAA. – The Health Insurance Portability and Accountability Act of 1996, 21
122-42 U.S.C. § 1320d, et seq., as amended. 22
123-(18) Human trafficking. – The offense defined in Chapter 14 of the General 23
124-Statutes or any equivalent provision in the laws of any other state; the United 24
125-States; any territory, district, or subdivision of the United States; or any 25
126-foreign jurisdiction. 26
127-(19) Identified or identifiable individual. – An individual who can be readily 27
128-identified, directly or indirectly. 28
129-(20) Nonprofit organization. – Any organization that is exempt from taxation under 29
130-section 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12) of the Internal Revenue 30
131-Code of 1986, or any subsequent corresponding internal revenue code of the 31
132-United States, as amended. 32
133-(21) Personal data. – Any information that is linked or reasonably linkable to an 33
134-identified or identifiable individual and does not include de-identified data or 34
135-publicly available information. 35
136-(22) Precise geolocation data. – Information derived from technology, including 36
137-global positioning system level latitude and longitude coordinates or other 37
138-mechanisms, that directly identifies the specific location of an individual with 38
139-precision and accuracy within a radius of 1,750 feet. "Precise geolocation 39
140-data" does not include the content of communications or any data generated 40
141-by or connected to advanced utility metering infrastructure systems or 41
142-equipment for use by a utility. 42
143-(23) Process or processing. – Any operation or set of operations performed, 43
144-whether by manual or automated means, on personal data or on sets of 44
145-personal data, such as the collection, use, storage, disclosure, analysis, 45
146-deletion, or modification of personal data. 46
147-(24) Processor. – A person that processes personal data on behalf of a controller. 47
148-(25) Profiling. – Any form of automated processing performed on personal data to 48
149-evaluate, analyze, or predict personal aspects related to an identified or 49
150-identifiable individual's economic situation, health, demographic 50 General Assembly Of North Carolina Session 2025
151-Page 4 House Bill 462-First Edition
152-characteristics, personal preferences, interests, reliability, behavior, location, 1
153-or movements. 2
154-(26) Protected health information. – As defined in HIPAA. 3
155-(27) Pseudonymous data. – Personal data that cannot be attributed to a specific 4
156-individual without the use of additional information, provided the additional 5
157-information is kept separately and is subject to appropriate technical and 6
158-organizational measures to ensure that the personal data is not attributed to an 7
159-identified or identifiable individual. 8
160-(28) Publicly available information. – Information that is lawfully made readily 9
161-available to the general public through federal, State, or local government 10
162-records or widely distributed media and a controller has a reasonable basis to 11
163-believe a consumer has lawfully made readily available to the general public. 12
164-(29) Sale of personal data. – The exchange or transfer of personal data for monetary 13
165-or other valuable consideration by the controller to a third party. "Sale of 14
166-personal data" does not include any of the following: 15
167-a. The disclosure of personal data to a processor that processes the 16
168-personal data on behalf of the controller where limited to the purpose 17
169-of the processing. 18
170-b. The disclosure of personal data to a third party for purposes of 19
171-providing a product or service affirmatively requested by the 20
172-consumer. 21
173-c. The disclosure or transfer of personal data to an affiliate of the 22
174-controller. 23
175-d. The disclosure of personal data where the consumer directs the 24
176-controller to disclose the personal data or intentionally uses the 25
177-controller to interact with a third party. 26
178-e. The disclosure of personal data that the consumer intentionally made 27
179-available to the general public via a channel of mass media and did not 28
180-restrict to a specific audience. 29
181-f. The disclosure or transfer of personal data to a third party as an asset 30
182-that is part of a merger, acquisition, bankruptcy, or other similar 31
183-transaction in which the third party assumes control of all or part of 32
184-the controller's assets, or a proposed merger, acquisition, bankruptcy, 33
185-or other similar transaction in which the third party assumes control of 34
186-all or part of the controller's assets. 35
187-(30) Sensitive data. – Personal data that includes any of the following: 36
188-a. Data revealing racial or ethnic origin, religious beliefs, mental or 37
189-physical health condition or diagnosis (including pregnancy), sex life, 38
190-sexual orientation, status as transgender or nonbinary, national origin, 39
191-citizenship status, or immigration status. 40
192-b. Genetic or biometric data. 41
193-c. Personal data of a known child. 42
194-d. Precise geolocation data. 43
195-(31) Sexual assault. – Any of the offenses defined in Chapter 14 of the General 44
196-Statutes or any equivalent provision in the laws of any other state; the United 45
197-States; any territory, district, or subdivision of the United States; or any 46
198-foreign jurisdiction. 47
199-(32) Stalking. – The offense defined in Chapter 14 of the General Statutes or any 48
200-equivalent provision in the laws of any other state; the United States; any 49
201-territory, district, or subdivision of the United States; or any foreign 50
202-jurisdiction. 51 General Assembly Of North Carolina Session 2025
203-House Bill 462-First Edition Page 5
204-(33) Targeted advertising. – Displaying advertisements to a consumer where the 1
205-advertisement is selected based on personal data obtained or inferred from that 2
206-consumer's activities over time and across nonaffiliated internet websites or 3
207-online applications to predict the consumer's preferences or interests. 4
208-"Targeted advertising" does not include any of the following: 5
209-a. Advertisements based on activities within a controller's own internet 6
210-websites or online applications. 7
211-b. Advertisements based on the context of a consumer's current search 8
212-query, visit to an internet website, or online application. 9
213-c. Advertisements directed to a consumer in direct response to the 10
214-consumer's request for information or feedback. 11
215-d. Processing personal data solely to measure or report advertising 12
216-frequency, performance, or reach. 13
217-(34) Third party. – With respect to personal data controlled by a controller, any 14
218-person other than the relevant consumer, the controller of the personal data, 15
219-or a processor or an affiliate of the processor or the controller. 16
220-(35) Trade secret. – As defined in Chapter 66, 95, or 113 of the General Statutes. 17
221-(36) Violent felony. – As defined in section 4201 of Title 11 and includes any 18
222-equivalent provision in the laws of any other state; the United States; any 19
223-territory, district, or subdivision of the United States; or any foreign 20
224-jurisdiction. 21
225-"§ 75F-103. Applicability of Chapter. 22
226-(a) This Chapter applies to persons that conduct business in the State or persons that 23
227-produce products or services that are targeted to residents of the State and that during the 24
228-preceding calendar year did any of the following: 25
229-(1) Controlled or processed the personal data of not less than 35,000 consumers, 26
230-excluding personal data controlled or processed solely for the purpose of 27
231-completing a payment transaction. 28
232-(2) Controlled or processed the personal data of not less than 10,000 consumers 29
233-and derived more than twenty percent (20%) of their gross revenue from the 30
234-sale of personal data. 31
235-(b) This Chapter does not apply to any of the following entities: 32
236-(1) Any regulatory, administrative, advisory, executive, appointive, legislative, or 33
237-judicial body of the State or a political subdivision of the State, including any 34
238-board, bureau, commission, or agency of the State or a political subdivision 35
239-of the State, but excluding any institution of higher education. 36
240-(2) Any financial institution or affiliate of a financial institution, all as defined in 37
241-15 U.S.C. § 6809, to the extent that the financial institution or affiliate is 38
242-subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et seq., 39
243-as amended) and the rules and implementing regulations promulgated 40
244-thereunder. 41
245-(c) This Chapter does not apply to the following information and data: 42
246-(1) Protected health information under HIPAA. 43
247-(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2. 44
248-(3) Identifiable private information, as defined in 45 C.F.R. § 46.102, to the extent 45
249-that it is used for purposes of the federal policy for the protection of human 46
250-subjects pursuant to 45 C.F.R. § 46. 47
251-(4) Identifiable private information to the extent it is collected and used as part of 48
252-human subjects research pursuant to the ICH E6 Good Clinical Practice 49
253-Guideline issued by the International Council for Harmonisation of Technical 50 General Assembly Of North Carolina Session 2025
254-Page 6 House Bill 462-First Edition
255-Requirements for Pharmaceuticals for Human Use or the protection of human 1
256-subjects under 21 C.F.R. §§ 50 and 56. 2
257-(5) Patient safety work product, as defined in 42 C.F.R. § 3.20, that is created and 3
258-used for purposes of patient safety improvement pursuant to 42 C.F.R. § 3, 4
259-established pursuant to 42 U.S.C. §§ 299b–21 to 299b–26. 5
260-(6) Information to the extent it is used for public health, community health, or 6
261-population health activities and purposes, as authorized by HIPAA, when 7
262-provided by or to a Covered Entity or when provided by or to a Business 8
263-Associate pursuant to a Business Associate Agreement with a Covered Entity. 9
264-(7) The collection, maintenance, disclosure, sale, communication, or use of any 10
265-personal information bearing on a consumer's credit worthiness, credit 11
266-standing, credit capacity, character, general reputation, personal 12
267-characteristics, or mode of living by a consumer reporting agency, furnisher, 13
268-or user that provides information for use in a consumer report, and by a user 14
269-of a consumer report, but only to the extent that the activity is regulated by 15
270-and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681, 16
271-et seq., as amended). 17
272-(8) Personal data collected, processed, sold, or disclosed in compliance with the 18
273-Driver's Privacy Protection Act of 1994, 18 U.S.C. § 2721, et seq., as 19
274-amended. 20
275-(9) Personal data regulated by the Family Educational Rights and Privacy Act, 20 21
276-U.S.C. § 1232g, et seq., as amended. 22
277-(10) Personal data collected, processed, sold, or disclosed in compliance with the 23
278-Farm Credit Act, 12 U.S.C. § 2001, et seq., as amended. 24
279-(11) Data processed or maintained in any of the following ways: 25
280-a. In the course of an individual applying to, employed by, or acting as 26
281-an agent or independent contractor of a controller, processor, or third 27
282-party, to the extent that the data is collected and used within the context 28
283-of that role. 29
284-b. As the emergency contact information of an individual, used for 30
285-emergency contact purposes. 31
286-c. Necessary to retain to administer benefits for another individual 32
287-relating to the individual who is the subject of the information under 33
288-sub-subdivision a. of this subdivision and used for the purposes of 34
289-administering the benefits. 35
290-(12) Personal data collected, processed, sold, or disclosed in relation to price, route, 36
291-or service, as the terms are used in the Airline Deregulation Act, 49 U.S.C. § 37
292-40101, et seq., as amended, by an air carrier subject to said act, to the extent 38
293-any part of this Chapter is preempted by the Airline Deregulation Act, 49 39
294-U.S.C. § 41713, as amended. 40
295-(13) Personal data of a victim of or witness to child abuse, domestic violence, 41
296-human trafficking, sexual assault, violent felony, or stalking that is collected, 42
297-processed, or maintained by a nonprofit organization that provides services to 43
298-victims of or witnesses to child abuse, domestic violence, human trafficking, 44
299-sexual assault, violent felony, or stalking. 45
300-(d) Controllers and processors that comply with the verifiable parental consent 46
301-requirements of COPPA shall be deemed compliant with any obligation to obtain parental 47
302-consent set forth in this Chapter with respect to a consumer who is a child. 48
303-"§ 75F-104. Consumer personal data rights. 49
304-(a) A consumer has the right to do all of the following: 50 General Assembly Of North Carolina Session 2025
305-House Bill 462-First Edition Page 7
306-(1) Confirm whether a controller is processing the consumer's personal data and 1
307-access the personal data, unless the confirmation or access would require the 2
308-controller to reveal a trade secret. 3
309-(2) Correct inaccuracies in the consumer's personal data, taking into account the 4
310-nature of the personal data and the purposes of the processing of the 5
311-consumer's personal data. 6
312-(3) Have personal data provided by, or obtained about, the consumer deleted. 7
313-(4) Obtain a copy of the consumer's personal data processed by the controller, in 8
314-a portable and, to the extent technically feasible, readily usable format that 9
315-allows the consumer to transmit the data to another controller without 10
316-hindrance, where the processing is carried out by automated means, provided 11
317-the controller shall not be required to reveal any trade secret. 12
318-(5) Obtain a list of the specific third parties to which the controller has disclosed 13
319-the consumer's personal data. If the controller does not maintain this 14
320-information in a format specific to the consumer, a list of specific third parties 15
321-to whom the controller has disclosed any consumers' personal data may be 16
322-provided instead. 17
323-(6) Opt out of the processing of the personal data for purposes of any of the 18
324-following: 19
325-a. Targeted advertising. 20
326-b. The sale of personal data, except as provided in G.S. 75F-106(b). 21
327-c. Profiling in furtherance of solely automated decisions that produce 22
328-legal or similarly significant effects concerning the consumer. 23
329-(b) A consumer may exercise rights under this section by secure and reliable means 24
330-established by the controller and described to the consumer in the controller's privacy notice. A 25
331-consumer may designate an authorized agent in accordance with G.S. 75F-105 to exercise the 26
332-rights of the consumer to opt out of the processing of the consumer's personal data for purposes 27
333-of subdivision (5) of subsection (a) of this section on behalf of the consumer. In the case of 28
334-processing personal data of a known child, the parent or legal guardian may exercise the 29
335-consumer rights on the child's behalf. In the case of processing personal data concerning a 30
336-consumer subject to a guardianship, conservatorship, or other protective arrangement, the 31
337-guardian or the conservator of the consumer may exercise the rights on the consumer's behalf. 32
338-(c) Except as otherwise provided in this Chapter, a controller shall comply with a request 33
339-by a consumer to exercise the consumer rights authorized pursuant to said sections as follows: 34
340-(1) A controller shall respond to the consumer without undue delay but not later 35
341-than 45 days after receipt of the request. The controller may extend the 36
342-response period by 45 additional days when reasonably necessary, considering 37
343-the complexity and number of the consumer's requests, provided the controller 38
344-informs the consumer of any such extension within the initial 45-day response 39
345-period and of the reason for the extension. 40
346-(2) If a controller declines to take action regarding the consumer's request, the 41
347-controller shall inform the consumer without undue delay but not later than 45 42
348-days after receipt of the request of the justification for declining to take action 43
349-and instructions for how to appeal the decision. 44
350-(3) Information provided in response to a consumer request shall be provided by 45
351-a controller, free of charge, once per consumer during any 12-month period. 46
352-If requests from a consumer are manifestly unfounded, excessive, or 47
353-repetitive, the controller may charge the consumer a reasonable fee to cover 48
354-the administrative costs of complying with the request or decline to act on the 49
355-request. The controller bears the burden of demonstrating the manifestly 50
356-unfounded, excessive, or repetitive nature of the request. 51 General Assembly Of North Carolina Session 2025
357-Page 8 House Bill 462-First Edition
358-(4) If a controller is unable to authenticate a request to exercise any of the rights 1
359-afforded under subdivisions (1) through (5), inclusive, of subsection (a) of this 2
360-section using commercially reasonable efforts, the controller shall not be 3
361-required to comply with a request to initiate an action pursuant to this section 4
362-and shall provide notice to the consumer that the controller is unable to 5
363-authenticate the request to exercise the right or rights until the consumer 6
364-provides additional information reasonably necessary to authenticate the 7
365-consumer and the consumer's request to exercise the right or rights. A 8
366-controller shall not be required to authenticate an opt-out request, but a 9
367-controller may deny an opt-out request if the controller has a good-faith, 10
368-reasonable, and documented belief that the request is fraudulent. If a controller 11
369-denies an opt-out request because the controller believes the request is 12
370-fraudulent, the controller shall send a notice to the person who made the 13
371-request disclosing that the controller believes the request is fraudulent, why 14
372-the controller believes the request is fraudulent, and that the controller shall 15
373-not comply with the request. 16
374-(5) A controller that has obtained personal data about a consumer from a source 17
375-other than the consumer shall be deemed in compliance with a consumer's 18
376-request to delete the data pursuant to subdivision (3) of subsection (a) of this 19
377-section if the controller retains a record of the deletion request and the 20
378-minimum data necessary for the purpose of ensuring the consumer's personal 21
379-data remains deleted from the controller's records and does not use the retained 22
380-data for any other purpose. 23
381-(d) A controller shall establish a process for a consumer to appeal the controller's refusal 24
382-to take action on a request within a reasonable period of time after the consumer's receipt of the 25
383-decision. The appeal process shall be conspicuously available and similar to the process for 26
384-submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt 27
385-of an appeal, a controller shall inform the consumer in writing of any action taken or not taken 28
386-in response to the appeal, including a written explanation of the reasons for the decisions. If the 29
387-appeal is denied, the controller shall also provide the consumer with an online mechanism, if 30
388-available, or other method through which the consumer may contact the Department of Justice 31
389-to submit a complaint. 32
390-"§ 75F-105. Designation of agent to exercise rights of consumer, including through 33
391-universal opt-out mechanisms. 34
392-(a) A consumer may designate an authorized agent to act on the consumer's behalf to opt 35
393-out of the processing of the consumer's personal data for one or more of the purposes specified 36
394-in G.S. 75F-104(a)(5). The consumer may designate the authorized agent by way of, among other 37
395-things, a platform, technology, or mechanism, including an internet link or a browser setting, 38
396-browser extension, or global device setting, indicating the consumer's intent to opt out of the 39
397-processing. For the purposes of the designation, the platform, technology, or mechanism may 40
398-function as the agent for purposes of conveying the consumer's decision to opt out. 41
399-(b) A controller shall comply with an opt-out request received from an authorized agent 42
400-if the controller is able to verify, with commercially reasonable effort, the identity of the 43
401-consumer and the authorized agent's authority to act on the consumer's behalf. The Department 44
402-of Justice may publish or reference on its website a list of agents who presumptively shall have 45
403-the authority unless the controller has established a reasonable basis to conclude that the agent 46
404-lacks such authority. 47
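Review bot: In § 75F-104(b) and § 75F-105(a) the authorized-agent opt-out is tied to subdivision (5) of § 75F-104(a), but subdivision (5) is the right to obtain the list of third parties, and the opt-out right (targeted advertising, sale of personal data, profiling) is subdivision (6); both references should point to (a)(6). The authentication scope is also inconsistent: the definition of "Authenticate" in § 75F-102(2) covers G.S. 75F-104(a)(1) to (4), while § 75F-104(c)(4) covers subdivisions (1) through (5), so it is unclear whether a request for the third-party list under (a)(5) has to be authenticated. § 75F-104(c) also refers to rights "authorized pursuant to said sections" with no sections named before it. These lines are on the removed side of the comparison, so the same references should be checked in the replacement text.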
405-"§ 75F-106. Duties of controllers. 48
406-(a) A controller shall do all of the following: 49 General Assembly Of North Carolina Session 2025
407-House Bill 462-First Edition Page 9
408-(1) Limit the collection of personal data to what is adequate, relevant, and 1
409-reasonably necessary in relation to the purposes for which the data is 2
410-processed, as disclosed to the consumer. 3
411-(2) Except as otherwise permitted by this Chapter, not process personal data for 4
412-purposes that are neither reasonably necessary to, nor compatible with, the 5
413-disclosed purposes for which the personal data is processed, as disclosed to 6
414-the consumer, unless the controller obtains the consumer's consent. 7
415-(3) Establish, implement, and maintain reasonable administrative, technical, and 8
416-physical data security practices to protect the confidentiality, integrity, and 9
417-accessibility of personal data appropriate to the volume and nature of the 10
418-personal data at issue. 11
419-(4) Not process sensitive data concerning a consumer without obtaining the 12
420-consumer's consent or, in the case of the processing of sensitive data 13
421-concerning a known child, without first obtaining consent from the child's 14
422-parent or lawful guardian. 15
423-(5) Not process personal data in violation of the laws of this State and federal laws 16
424-that prohibit unlawful discrimination. 17
425-(6) Provide an effective mechanism for a consumer to revoke the consumer's 18
426-consent under this section that is at least as easy as the mechanism by which 19
427-the consumer provided the consumer's consent and, upon revocation of the 20
428-consent, cease to process the data as soon as practicable but not later than 15 21
429-days after the receipt of the request. 22
430-(7) Not process the personal data of a consumer for purposes of targeted 23
431-advertising, or sell the consumer's personal data without the consumer's 24
432-consent, under circumstances where a controller has actual knowledge or 25
433-willfully disregards that the consumer is at least 13 years of age but younger 26
434-than 18 years of age. 27
435-(8) Not discriminate against a consumer for exercising any of the consumer rights 28
436-contained in this Chapter, including denying goods or services, charging 29
437-different prices or rates for goods or services, or providing a different level of 30
438-quality of goods or services to the consumer. 31
439-(b) Nothing in subsection (a) of this section shall be construed to require a controller to 32
440-provide a product or service that requires the personal data of a consumer which the controller 33
441-does not collect or maintain, or prohibit a controller from offering a different price, rate, level, 34
442-quality, or selection of goods or services to a consumer, including offering goods or services for 35
443-no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide 36
444-loyalty, rewards, premium features, discounts, or club card program. 37
445-(c) A controller shall provide consumers with a reasonably accessible, clear, and 38
446-meaningful privacy notice that includes all of the following: 39
447-(1) The categories of personal data processed by the controller. 40
448-(2) The purpose for processing personal data. 41
449-(3) How consumers may exercise their consumer rights, including how a 42
450-consumer may appeal a controller's decision with regard to the consumer's 43
451-request. 44
452-(4) The categories of personal data that the controller shares with third parties, if 45
453-any. 46
454-(5) The categories of third parties with which the controller shares personal data, 47
455-if any. 48
456-(6) An active electronic mail address or other online mechanism that the 49
457-consumer may use to contact the controller. 50 General Assembly Of North Carolina Session 2025
458-Page 10 House Bill 462-First Edition
459-(d) If a controller sells personal data to third parties or processes personal data for targeted 1
460-advertising, the controller shall clearly and conspicuously disclose the processing, as well as the 2
461-manner in which a consumer may exercise the right to opt out of the processing. 3
462-(e) A controller shall establish and shall describe in the privacy notice required by 4
463-subsection (c) of this section one or more secure and reliable means for consumers to submit a 5
464-request to exercise their consumer rights pursuant to this Chapter. The means shall take into 6
465-account the ways in which consumers normally interact with the controller, the need for secure 7
466-and reliable communication of the requests, and the ability of the controller to verify the identity 8
467-of the consumer making the request. A controller shall not require a consumer to create a new 9
468-account in order to exercise consumer rights but may require a consumer to use an existing 10
469-account. Any such means shall include all of the following: 11
470-(1) Providing a clear and conspicuous link on the controller's internet website to 12
471-an internet webpage that enables a consumer, or an agent of the consumer, to 13
472-opt out of the targeted advertising or the sale of the consumer's personal data. 14
473-(2) Allowing a consumer to opt out of any processing of the consumer's personal 15
474-data for the purposes of targeted advertising, or any sale of the personal data, 16
475-through an opt-out preference signal sent, with the consumer's consent, by a 17
476-platform, technology, or mechanism to the controller indicating the 18
477-consumer's intent to opt out of any such processing or sale. The platform, 19
478-technology, or mechanism shall do all of the following: 20
479-a. Not unfairly disadvantage another controller. 21
480-b. Not make use of a default setting but, rather, require the consumer to 22
481-make an affirmative, freely given, and unambiguous choice to opt out 23
482-of any processing of the consumer's personal data pursuant to this 24
483-Chapter. 25
484-c. Be consumer-friendly and easy to use by the average consumer. 26
485-d. Be as consistent as possible with any other similar platform, 27
486-technology, or mechanism required by any federal or State law or 28
487-regulation. 29
488-e. Enable the controller to reasonably determine whether the consumer 30
489-is a resident of the State and whether the consumer has made a 31
490-legitimate request to opt out of any sale of the consumer's personal 32
491-data or targeted advertising. 33
492-If a consumer's decision to opt out of any processing of the consumer's personal data for the 34
493-purposes of targeted advertising, or any sale of the personal data, through an opt-out preference 35
494-signal sent in accordance with the provisions of subdivision (1) of this subsection conflicts with 36
495-the consumer's existing controller-specific privacy setting or voluntary participation in a 37
496-controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the 38
497-controller shall comply with the consumer's opt-out preference signal but may notify the 39
498-consumer of the conflict and provide to the consumer the choice to confirm the controller-specific 40
499-privacy setting or participation in the program. 41
500-If a controller responds to consumer opt‐out requests received pursuant to subdivision (1) of 42
501-this subsection by informing the consumer of a charge for the use of any product or service, the 43
502-controller shall present the terms of any financial incentive offered pursuant to subdivision (2) of 44
503-this subsection for the retention, use, sale, or sharing of the consumer's personal data. 45
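Review bot: the two unnumbered paragraphs that close subsection (e) cite the wrong subdivisions. The first describes an opt-out preference signal "sent in accordance with the provisions of subdivision (1)", but subdivision (1) is the website link and the signal is defined in subdivision (2). The second refers to a "financial incentive offered pursuant to subdivision (2)", yet subdivision (2) mentions no incentive; the loyalty, rewards, and discount program language is in subsection (b) of this section. Suggest pointing the first reference at subdivision (2) and the second at subsection (b), so that a controller building signal handling can tell which rule governs a conflict with a stored privacy setting.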
504-"§ 75F-107. Duties of processors. 46
505-(a) A processor shall adhere to the instructions of a controller and shall assist the 47
506-controller in meeting the controller's obligations under this Chapter. The assistance must include 48
507-all of the following: 49
508-(1) Taking into account the nature of processing and the information available to 50
509-the processor, by appropriate technical and organizational measures, insofar 51 General Assembly Of North Carolina Session 2025
510-House Bill 462-First Edition Page 11
511-as is reasonably practicable, to fulfill the controller's obligation to respond to 1
512-consumer rights requests. 2
513-(2) Taking into account the nature of processing and the information available to 3
514-the processor, by assisting the controller in meeting the controller's obligations 4
515-in relation to the security of processing the personal data and in relation to the 5
516-notification of a breach of security of the system of the processor, in order to 6
517-meet the controller's obligations. 7
518-(3) Providing necessary information to enable the controller to conduct and 8
519-document data protection assessments. 9
520-(b) A contract between a controller and a processor must govern the processor's data 10
521-processing procedures with respect to processing performed on behalf of the controller. The 11
522-contract must be binding and clearly set forth instructions for processing data, the nature and 12
523-purpose of processing, the type of data subject to processing, the duration of processing, and the 13
524-rights and obligations of both parties. The contract must also require that the processor do all of 14
525-the following: 15
526-(1) Ensure that each person processing personal data is subject to a duty of 16
527-confidentiality with respect to the data. 17
528-(2) At the controller's direction, delete or return all personal data to the controller 18
529-as requested at the end of the provision of services, unless retention of the 19
530-personal data is required by law. 20
531-(3) Upon the reasonable request of the controller, make available to the controller 21
532-all information in its possession necessary to demonstrate the processor's 22
533-compliance with the obligations in this Chapter. 23
534-(4) After providing the controller an opportunity to object, engage any 24
535-subcontractor pursuant to a written contract that requires the subcontractor to 25
536-meet the obligations of the processor with respect to the personal data. 26
537-(5) Allow, and cooperate with, reasonable assessments by the controller or the 27
538-controller's designated assessor, or the processor may arrange for a qualified 28
539-and independent assessor to conduct an assessment of the processor's policies 29
540-and technical and organizational measures in support of the obligations under 30
541-this Chapter, using an appropriate and accepted control standard or framework 31
542-and assessment procedure for the assessments. The processor shall provide a 32
543-report of the assessment to the controller upon request. 33
544-(c) Nothing in this section may be construed to relieve a controller or processor from the 34
545-liabilities imposed on the controller or processor by virtue of the controller's or processor's role 35
546-in the processing relationship, as described in this Chapter. 36
547-(d) Determining whether a person is acting as a controller or processor with respect to a 37
548-specific processing of data is a fact-based determination that depends upon the context in which 38
549-personal data is to be processed. A person who is not limited in the person's processing of 39
550-personal data pursuant to a controller's instructions, or who fails to adhere to the instructions, is 40
551-a controller and not a processor with respect to a specific processing of data. A processor that 41
552-continues to adhere to a controller's instructions with respect to a specific processing of personal 42
553-data remains a processor. If a processor begins, alone or jointly with others, determining the 43
554-purposes and means of the processing of personal data, the processor is a controller with respect 44
555-to the processing and may be subject to an enforcement action under this Chapter. 45
556-"§ 75F-108. Data protection assessments. 46
557-(a) A controller that controls or processes the data of not less than 100,000 consumers, 47
558-excluding data controlled or processed solely for the purpose of completing a payment 48
559-transaction, shall conduct and document, on a regular basis, a data protection assessment for each 49
560-of the controller's processing activities that presents a heightened risk of harm to a consumer. For 50 General Assembly Of North Carolina Session 2025
561-Page 12 House Bill 462-First Edition
562-the purposes of this section, processing that presents a heightened risk of harm to a consumer 1
563-includes any of the following: 2
564-(1) The processing of personal data for the purposes of targeted advertising. 3
565-(2) The sale of personal data. 4
566-(3) The processing of personal data for the purposes of profiling, where the 5
567-profiling presents a reasonably foreseeable risk of any of the following: 6
568-a. Unfair or deceptive treatment of, or unlawful disparate impact on, 7
569-consumers. 8
570-b. Financial, physical, or reputational injury to consumers. 9
571-c. A physical or other intrusion upon the solitude or seclusion, or the 10
572-private affairs or concerns, of consumers, where the intrusion would 11
573-be offensive to a reasonable person. 12
574-d. Other substantial injury to consumers. 13
575-(4) The processing of sensitive data. 14
576-(b) Data protection assessments conducted pursuant to subsection (a) of this section shall 15
577-identify and weigh the benefits that may flow, directly and indirectly, from the processing to the 16
578-controller, the consumer, other stakeholders, and the public against the potential risks to the rights 17
579-of the consumer associated with the processing, as mitigated by safeguards that can be employed 18
580-by the controller to reduce the risks. The controller shall factor into any such data protection 19
581-assessment the use of de-identified data and the reasonable expectations of consumers, as well 20
582-as the context of the processing and the relationship between the controller and the consumer 21
583-whose personal data will be processed. 22
584-(c) The Attorney General may require that a controller disclose any data protection 23
585-assessment that is relevant to an investigation conducted by the Attorney General, and the 24
586-controller shall make the data protection assessment available to the Attorney General. The 25
587-Attorney General may evaluate the data protection assessment for compliance with the 26
588-responsibilities set forth in this Chapter. Data protection assessments must be treated as 27
589-confidential and are not public records within the meaning of Chapter 132 of the General Statutes. 28
590-Notwithstanding the foregoing, a controller's data protection assessment may be used in an action 29
591-to enforce this Chapter. To the extent any information contained in a data protection assessment 30
592-disclosed to the Attorney General includes and conspicuously identifies information subject to 31
593-attorney-client privilege or work product protection, the disclosure by itself does not constitute a 32
594-waiver of the privilege or protection. 33
595-(d) A single data protection assessment may address a comparable set of processing 34
596-operations that include similar activities. 35
597-(e) If a controller conducts a data protection assessment for the purpose of complying 36
598-with another applicable law or regulation, the data protection assessment shall be deemed to 37
599-satisfy the requirements established in this section if the data protection assessment is reasonably 38
600-similar in scope and effect to the data protection assessment that would otherwise be conducted 39
601-pursuant to this section. 40
602-(f) Data protection assessment requirements shall apply to processing activities created 41
603-or generated on or after July 1, 2026, and are not retroactive. 42
604-"§ 75F-109. De-identified data. 43
605-(a) Nothing in this Chapter shall be construed to require a controller or processor to 44
606-re-identify de-identified data or pseudonymous data, or to maintain data in identifiable form, or 45
607-collect, obtain, retain, or access any data or technology, in order to be capable of associating an 46
608-authenticated consumer request with personal data. 47
609-(b) Nothing in this Chapter shall be construed to require a controller or processor to 48
610-comply with an authenticated consumer rights request if all of the following apply: 49 General Assembly Of North Carolina Session 2025
611-House Bill 462-First Edition Page 13
612-(1) The controller is not reasonably capable of associating the request with the 1
613-personal data or it would be unreasonably burdensome for the controller to 2
614-associate the request with the personal data. 3
615-(2) The controller does not use the personal data to recognize or respond to the 4
616-specific consumer who is the subject of the personal data or associate the 5
617-personal data with other personal data about the same specific consumer. 6
618-(3) The controller does not sell the personal data to any third party or otherwise 7
619-voluntarily disclose the personal data to any third party other than a processor, 8
620-except as otherwise permitted in this section. 9
621-(c) The rights afforded under G.S. 75F-104(a)(1) to (4), inclusive, do not apply to 10
622-pseudonymous data in cases where the controller is able to demonstrate that any information 11
623-necessary to identify the consumer is kept separately and is subject to effective technical and 12
624-organizational controls that prevent the controller from accessing the information. 13
625-(d) A controller that discloses pseudonymous data or de-identified data shall exercise 14
626-reasonable oversight to monitor compliance with any contractual commitments to which the 15
627-pseudonymous data or de-identified data is subject and shall take appropriate steps to address 16
628-any breaches of those contractual commitments. The determination of the reasonableness of the 17
629-oversight and the appropriateness of contractual enforcement must take into account whether the 18
630-disclosed data includes data that would be sensitive data if it were re-identified. 19
631-"§ 75F-110. Exclusions. 20
632-(a) Nothing in this Chapter shall be construed to restrict a controller's or processor's 21
633-ability to do any of the following: 22
634-(1) Comply with federal, State, or local laws, rules, or regulations. 23
635-(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, 24
636-or summons by federal, State, local, or other governmental authorities. 25
637-(3) Cooperate with law enforcement agencies concerning conduct or activity that 26
638-the controller or processor reasonably and in good faith believes may violate 27
639-federal, State, or local laws, rules, or regulations. 28
640-(4) Investigate, establish, exercise, prepare for, or defend legal claims. 29
641-(5) Provide a product or service specifically requested by a consumer. 30
642-(6) Perform under a contract to which a consumer is a party, including fulfilling 31
643-the terms of a written warranty. 32
644-(7) Take steps at the request of a consumer prior to entering into a contract. 33
645-(8) Take immediate steps to protect an interest that is essential for the life or 34
646-physical safety of the consumer or another individual and where the 35
647-processing cannot be manifestly based on another legal basis. 36
648-(9) Prevent, detect, protect against, or respond to security incidents, identity theft, 37
649-fraud, harassment, malicious or deceptive activities, or any illegal activity; 38
650-preserve the integrity or security of systems; or investigate, report, or 39
651-prosecute those responsible for any such activity. 40
652-(10) Engage in public or peer-reviewed scientific research in the public interest that 41
653-adheres to all other applicable ethics and privacy laws and is approved, 42
654-monitored, and governed by an institutional review board that determines 43
655-whether the deletion of the information is likely to provide substantial benefits 44
656-that do not exclusively accrue to the controller, the expected benefits of the 45
657-research outweigh the privacy risks, and whether the controller has 46
658-implemented reasonable safeguards to mitigate privacy risks associated with 47
659-research, including any risks associated with re-identification. 48
660-(11) Assist another controller, processor, or third party with any of the activities 49
661-under this subsection. 50 General Assembly Of North Carolina Session 2025
662-Page 14 House Bill 462-First Edition
663-(b) The obligations imposed on controllers or processors under this Chapter, other than 1
664-those imposed by G.S. 75F-109, do not restrict a controller's or processor's ability to collect data 2
665-directly from consumers, or use or retain the data, for internal use only, to do any of the following: 3
666-(1) Conduct internal research to develop, improve, or repair products, services, or 4
667-technology. 5
668-(2) Effectuate a product recall. 6
669-(3) Identify and repair technical errors that impair existing or intended 7
670-functionality. 8
671-(4) Perform internal operations that are reasonably aligned with the expectations 9
672-of the consumer or reasonably anticipated based on the consumer's existing 10
673-relationship with the controller or are otherwise compatible with processing 11
674-data in furtherance of the provision of a product or service specifically 12
675-requested by a consumer or the performance of a contract to which the 13
676-consumer is a party. 14
677-(c) The obligations imposed on controllers or processors under this Chapter shall not 15
678-apply where compliance by the controller or processor with said sections would violate an 16
679-evidentiary privilege under the laws of this State. Nothing in this Chapter shall be construed to 17
680-prevent a controller or processor from providing personal data concerning a consumer to a person 18
681-covered by an evidentiary privilege under the laws of this State as part of a privileged 19
682-communication. 20
683-(d) A controller or processor that discloses personal data to a processor or third-party 21
684-controller in compliance with this Chapter shall not be deemed to have violated said sections if 22
685-the processor or third-party controller that receives and processes the personal data violates said 23
686-sections, provided that (i) at the time the disclosing controller or processor disclosed the personal 24
687-data, the disclosing controller or processor did not have actual knowledge that the receiving 25
688-processor or third-party controller had violated or would violate said sections and (ii) the 26
689-disclosing controller or processor was, and remained, in compliance with its obligations as the 27
690-discloser of the data hereunder. A third-party controller or processor receiving personal data from 28
691-a controller or processor in compliance with this Chapter is likewise not in violation of said 29
692-sections for the independent misconduct of the controller or processor from which the third-party 30
693-controller or processor receives the personal data. 31
694-(e) Nothing in this Chapter may be construed to do any of the following: 32
695-(1) Impose any obligation on a controller or processor that adversely affects the 33
696-rights of any person to freedom of speech or freedom of the press guaranteed 34
697-by the First Amendment to the United States Constitution or Article I, Section 35
698-14 of the North Carolina Constitution. 36
699-(2) Apply to any person's processing of personal data in the course of the person's 37
700-purely personal or household activities. 38
701-(f) Personal data processed pursuant to this section may be processed to the extent that 39
702-the processing is reasonably necessary and proportionate to the purposes listed in this section and 40
703-is adequate, relevant, and limited to what is necessary in relation to the specific purposes listed 41
704-in this section. Personal data collected, used, or retained pursuant to subsection (b) of this section 42
705-shall, where applicable, take into account the nature and purpose or purposes of the collection, 43
706-use, or retention. The data shall be subject to reasonable administrative, technical, and physical 44
707-measures to protect the confidentiality, integrity, and accessibility of the personal data and to 45
708-reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or 46
709-retention of personal data. 47
710-(g) If a controller processes personal data pursuant to an exemption in this section, the 48
711-controller bears the burden of demonstrating that the processing qualifies for the exemption and 49
712-complies with the requirements of subsection (f) of this section. 50 General Assembly Of North Carolina Session 2025
713-House Bill 462-First Edition Page 15
714-(h) Processing personal data for the purposes expressly identified in this section shall not 1
715-solely make a legal entity a controller with respect to the processing. 2
716-"§ 75F-111. Enforcement. 3
717-(a) The Department of Justice shall investigate and enforce alleged violations of this 4
718-Chapter. 5
719-(b) The Department of Justice may, prior to initiating any action for a violation of any 6
720-provision of this Chapter, issue a notice of violation to the controller or processor if the 7
721-Department of Justice determines that a cure is possible. If the Department of Justice issues a 8
722-notice of violation, the controller shall have at least 60 days to cure the violation after receipt of 9
723-the notice. If the controller fails to cure the violation within the time period, the Department of 10
724-Justice may bring an enforcement proceeding pursuant to subsection (a) of this section. In 11
725-determining whether to grant a controller or processor an opportunity to cure an alleged violation, 12
726-the Department of Justice may consider all of the following: 13
727-(1) The number of violations. 14
728-(2) The size and complexity of the controller or processor. 15
729-(3) The nature and extent of the controller's or processor's processing activities. 16
730-(4) The substantial likelihood of injury to the public. 17
731-(5) The safety of persons or property. 18
732-(6) Whether the alleged violation was likely caused by human or technical error. 19
733-(7) The extent to which the controller or processor has violated this or similar 20
734-laws in the past. 21
735-(c) Nothing in this Chapter shall be construed as providing the basis for, or be subject to, 22
736-a private right of action for violations of said sections or any other law. 23
737-(d) A violation of this Chapter shall be deemed an unfair practice under G.S. 75-1.1." 24
738-SECTION 1.3. Beginning at least six months prior to the effective date of this act, 25
739-the Department of Justice shall engage in public outreach to educate consumers and the business 26
740-community about this act. 27
741- 28
742-PART II. ENACT SOCIAL MEDIA SAFETY ACT 29
743-SECTION 2.1. Effective January 1, 2026, the General Statutes are amended by 30
744-adding a new Chapter to read: 31
745-"Chapter 75G. 32
746-"Social Media Verification. 33
747-"§ 75G-101. Definitions. 34
748-The following definitions apply in this Chapter: 35
749-(1) Account holder. – An individual who creates an account or a profile to use a 36
750-social media platform. 37
751-(2) Commercial entity. – A corporation, limited liability company, partnership, 38
752-limited partnership, sole proprietorship, or other legally recognized entity. The 39
753-term includes a third-party vendor. 40
754-(3) Digitized identification card. – A data file available on a mobile device that 41
755-has connectivity to the internet through a State-approved application that 42
756-allows the mobile device to download the data file from the Division of Motor 43
757-Vehicles that contains all of the data elements visible on the face and back of 44
758-a drivers license or identification card and displays the current status of the 45
759-drivers license or identification card, including valid, expired, cancelled, 46
760-suspended, revoked, active, or inactive. 47
761-(4) Minor. – An individual under 18 years of age. 48
762-(5) North Carolina user. – An individual who is a resident of the State of North 49
763-Carolina and who accesses or attempts to access a social media platform while 50
764-present in this State by accessing the social media platform while using a 51 General Assembly Of North Carolina Session 2025
765-Page 16 House Bill 462-First Edition
766-North Carolina Internet Protocol address or otherwise known or believed to 1
767-be in this State while using the social media platform. 2
768-(6) Reasonable age verification. – To confirm that a person seeking to access a 3
769-social media platform is at least 18 years old. 4
770-(7) Social media company. – An online forum that a company makes available 5
771-for an account holder to: 6
772-a. Create a public profile, establish an account, or register as a user for 7
773-the primary purpose of interacting socially with other profiles and 8
774-accounts; 9
775-b. Upload or create posts or content; 10
776-c. View posts or content of other account holders; and 11
777-d. Interact with other account holders or users, including, without 12
778-limitation, establishing mutual connections through request and 13
779-acceptance. 14
780-(7a) Social media company. – Does not include any of the following: 15
781-a. A company that exclusively offers subscription content in which users 16
782-follow or subscribe unilaterally and whose platforms' primary purpose 17
783-is not social interaction. 18
784-b. A social media company that allows a user to generate short video 19
785-clips of dancing, voice overs, or other acts of entertainment in which 20
786-the primary purpose is not educational or informative does not meet 21
787-the exclusion under sub-subdivision a. of this subdivision. 22
788-c. A media company that exclusively offers interactive gaming, virtual 23
789-gaming, or an online service; that allows the creation and uploading of 24
790-content for the purpose of interactive gaming, entertainment, or 25
791-associated entertainment; and the communication related to that 26
792-content. 27
793-d. A company that offers cloud storage services, enterprise cybersecurity 28
794-services, educational devices, or enterprise collaboration tools for 29
795-kindergarten through grade 12 (K-12) schools and derives less than 30
796-twenty-five percent (25%) of the company's revenue from operating a 31
797-social media platform, including games and advertising. 32
798-e. A company that provides career development opportunities, including 33
799-professional networking, job skills, learning certifications, and job 34
800-posting and application services. 35
801-(8) Social media platform. – A public or semipublic internet-based service or 36
802-application that has users in North Carolina and on which a substantial 37
803-function of the service or application is to connect users in order to allow users 38
804-to interact socially with each other within the service or application; however, 39
805-a service or application that provides email or direct messaging shall not be 40
806-considered to be a social media platform on the basis of that function alone. 41
807-(8a) Social media platform. – Does not include an online service, a website, or an 42
808-application if the predominant or exclusive function is: 43
809-a. Electronic mail. 44
810-b. Direct messaging consisting of messages, photos, or videos that are 45
811-sent between devices by electronic means if messages are: 46
812-1. Shared between the sender and the recipient or recipients; 47
813-2. Only visible to the sender and the recipient or recipients; and 48
814-3. Are not posted publicly. 49
815-c. A streaming service that (i) provides only licensed media in a 50
816-continuous flow from the service, website, or application to the end 51 General Assembly Of North Carolina Session 2025
817-House Bill 462-First Edition Page 17
818-user and (ii) does not obtain a license to the media from a user or 1
819-account holder by agreement of the streaming service's terms of 2
820-service. 3
821-d. News, sports, entertainment, or other content that is preselected by the 4
822-provider and not user generated, including, without limitation, if any 5
823-chat, comment, or interactive functionality that is provided is 6
824-incidental to, directly related to, or dependent upon provision of the 7
825-content. 8
826-e. Online shopping or e-commerce, if the interaction with other users or 9
827-account holders is generally limited to: 10
828-1. The ability to post and comment on reviews; 11
829-2. The ability to display lists or collections of goods for sale or 12
830-wish lists; and 13
831-3. Other functions that are focused on online shopping or 14
832-e-commerce rather than interaction between users or account 15
833-holders. 16
834-f. Business-to-business software that is not accessible to the general 17
835-public. 18
836-g. Cloud storage. 19
837-h. Shared document collaboration. 20
838-i. Providing access to or interacting with data visualization platforms, 21
839-libraries, or hubs. 22
840-j. To permit comments on a digital news website, if the news content is 23
841-posted only by the provider of the digital news website. 24
842-k. For the purpose of providing or obtaining technical support for the 25
843-social media company's social media platform, products, or services. 26
844-l. Academic or scholarly research. 27
845-m. Other research if (i) the majority of the content is posted or created by 28
846-the provider of the online service, website, or application and (ii) the 29
847-ability to chat, comment, or interact with other users is directly related 30
848-to the provider's content; then, the following criteria must also apply: 31
849-1. The service is a classified advertising service that only permits 32
850-the sale of goods and prohibits the solicitation of personal 33
851-services or that is used by and under the direction of an 34
852-educational entity, including, without limitation, a learning 35
853-management system, student engagement program, and 36
854-subject-specific or skill-specific program. 37
855-(8b) Social media platform. – Does not include a social media platform that is 38
856-controlled by a business entity that has generated less than one hundred 39
857-million dollars ($100,000,000) in annual gross revenue. 40
858-(9) User. – A person who has access to view all or some of the posts and content 41
859-on a social media platform but is not an account holder. 42
860-"§ 75G-102. Social media platforms; reasonable age verification methods; parental consent 43
861-required. 44
862-(a) A social media company shall not permit a North Carolina user who is a minor to be 45
863-an account holder on the social media company's social media platform unless the minor has the 46
864-express consent of a parent or legal guardian. A social media company shall verify the age of an 47
865-account holder. If an account holder is a minor, the social media company shall confirm that a 48
866-minor has consent under this subsection to become a new account holder at the time a North 49
867-Carolina user opens the account. 50 General Assembly Of North Carolina Session 2025
868-Page 18 House Bill 462-First Edition
869-(b) A social media company shall use a third-party vendor to perform reasonable age 1
870-verification before allowing access to the social media company's social media platform. 2
871-(c) Reasonable age verification methods under this section include providing one of the 3
872-following: 4
873-(1) A digitized identification card, including a digital copy of a drivers license 5
874-issued by the Division of Motor Vehicles. 6
875-(2) Government-issued identification. 7
876-(3) Any commercially reasonable age verification method. 8
877-"§ 75G-103. Liability for social media companies. 9
878-(a) A social media company that knowingly violates this Chapter is liable if the social 10
879-media company fails to perform a reasonable age verification. 11
880-(b) If a social media company performs a reasonable age verification, the social media 12
881-company shall not retain any identifying information of the individual after access to the social 13
882-media platform has been granted. 14
883-(c1) Violation of G.S. 75G-102 is a Class 1 misdemeanor. As authorized under this 15
884-section, the district attorney for the county where the North Carolina user resides may initiate a 16
885-criminal proceeding against a social media company that allegedly violates G.S. 75G-102. 17
886-(c2) As authorized under G.S. 75G-104, the Attorney General may initiate a civil 18
887-enforcement action against a social media company that allegedly commits a violation of 19
888-G.S. 75G-102. 20
889-(c3) A social media company that violates this Chapter is liable to an individual for: 21
890-(1) A penalty of two thousand five hundred dollars ($2,500) per violation, court 22
891-costs, and reasonable attorneys' fees as ordered by the court; or 23
892-(2) Damages resulting from a minor accessing a social media platform without 24
893-his or her parent's or custodian's consent, including court costs and reasonable 25
894-attorneys' fees as ordered by the court. 26
895-(d) This section does not: 27
896-(1) Apply to a news or public interest broadcast, website video, report, or event; 28
897-(2) Affect the rights of a news-gathering organization; or 29
898-(3) Apply to cloud service providers. 30
899-(e) An internet service provider, or any of its affiliates or subsidiaries, or search engines 31
900-shall not violate this Chapter solely by providing access, connection to or from a website, or other 32
901-information or content on the internet, or a facility, system, or network that is not under that 33
902-internet service provider's control, including transmission, downloading, intermediate storage, 34
903-access software, or other service that provides access or connectivity, to the extent the internet 35
904-service provider is not responsible for the creation of the content or the communication on a 36
905-social media platform. 37
906-"§ 75G-104. Liability for commercial entity or third-party vendor. 38
907-(a) A commercial entity or third-party vendor shall not retain any identifying information 39
908-of an individual after access to the social media platform has been granted. 40
909-(b) A commercial entity that is found to have knowingly retained identifying information 41
910-of an individual after access to the material is granted is liable to the individual for damages 42
911-resulting from the retention of the identifying information, including court costs and reasonable 43
912-attorneys' fees as ordered by the court." 44
913- 45
914-PART III. SEVERABILITY 46
915-SECTION 3.1. If any provision of this act or the application thereof to any person 47
916-or circumstance is held invalid, the invalidity does not affect any other provision or application 48
917-of the act which can be given effect without the invalid provision or application and, to that end, 49
918-the provisions of this act are declared to be severable. 50
919- 51 General Assembly Of North Carolina Session 2025
920-House Bill 462-First Edition Page 19
921-PART IV. EFFECTIVE DATE 1
922-SECTION 4.1. Except as otherwise provided, this act is effective when it becomes 2
923-law. 3
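Review bot: In § 75G-104, subsection (b) gives the damages remedy only against a "commercial entity" and refers to access to "the material", while subsection (a) binds "a commercial entity or third-party vendor" and refers to access to "the social media platform". Because § 75G-102(b) requires the age check to be performed by a third-party vendor, the party that actually handles the identification documents falls outside the remedy in (b). Suggest that (b) name "a commercial entity or third-party vendor" and use "the social media platform" so that it matches (a).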
45+fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns 33
46+or characteristics that can be used to identify or authenticate a specific 34
47+individual. "Biometric data" does not include any of the following: 35
48+a. A digital or physical photograph. 36
49+H.B. 462
50+Mar 19, 2025
51+HOUSE PRINCIPAL CLERK General Assembly Of North Carolina Session 2025
52+Page 2 DRH40244-LR-32B
53+b. An audio or video recording. 1
54+c. Any data generated from a digital or physical photograph, or an audio 2
55+or video recording, unless the data is generated to identify a specific 3
56+individual. 4
57+(4) Business associate. – As defined in HIPAA. 5
58+(5) Child. – As defined in COPPA. 6
59+(6) Child abuse. – With respect to an individual under 18 years of age, as defined 7
60+in Chapter 14 of the General Statutes or any equivalent provision in the laws 8
61+of any other state; the United States; any territory, district, or subdivision of 9
62+the United States; or any foreign jurisdiction. 10
63+(7) Consent. – A clear affirmative act signifying a consumer's freely given, 11
64+specific, informed, and unambiguous agreement to allow the processing of 12
65+personal data relating to the consumer. "Consent" may include a written 13
66+statement, including by electronic means, or any other unambiguous 14
67+affirmative action. "Consent" does not include any of the following: 15
68+a. Acceptance of a general or broad terms of use or similar document that 16
69+contains descriptions of personal data processing along with other, 17
70+unrelated information. 18
71+b. Hovering over, muting, pausing, or closing a given piece of content. 19
72+c. Agreement obtained through the use of dark patterns. 20
73+(8) Consumer. – An individual who is a resident of this State. "Consumer" does 21
74+not include an individual acting in a commercial or employment context or as 22
75+an employee, owner, director, officer, or contractor of a company, partnership, 23
76+sole proprietorship, nonprofit organization, or government agency whose 24
77+communications or transactions with the controller occur solely within the 25
78+context of that individual's role with the company, partnership, sole 26
79+proprietorship, nonprofit organization, or government agency. 27
80+(9) Controller. – A person that, alone or jointly with others, determines the 28
81+purpose and means of processing personal data. 29
82+(10) COPPA. – The Children's Online Privacy Protection Act of 1998, 15 U.S.C. 30
83+§ 6501, et seq., as amended, and the regulations, rules, guidance, and 31
84+exemptions adopted pursuant to the act, and such regulations, rules, guidance, 32
85+and exemptions as may be amended. 33
86+(11) Covered entity. – As defined in HIPAA. 34
87+(12) Dark pattern. – Any of the following: 35
88+a. A user interface designed or manipulated with the substantial effect of 36
89+subverting or impairing user autonomy, decision making, or choice. 37
90+b. Any other practice the Federal Trade Commission refers to as a dark 38
91+pattern. 39
92+(13) Decisions that produce legal or similarly significant effects concerning the 40
93+consumer. – Decisions made by the controller that result in the provision or 41
94+denial by the controller of financial or lending services, housing, insurance, 42
95+education enrollment or opportunity, criminal justice, employment 43
96+opportunities, health care services, or access to essential goods or services. 44
97+(14) De-identified data. – Data that cannot reasonably be used to infer information 45
98+about, or otherwise be linked to, an identified or identifiable individual, or a 46
99+device linked to the individual, if the controller that possesses the data does 47
100+all of the following: 48
101+a. Takes reasonable measures to ensure that the data cannot be associated 49
102+with an individual. 50 General Assembly Of North Carolina Session 2025
103+DRH40244-LR-32B Page 3
104+b. Publicly commits to process the data only in a de-identified fashion 1
105+and not attempt to re-identify the data. 2
106+c. Contractually obligates any recipients of the data to comply with all of 3
107+the provisions of this Chapter applicable to the controller with respect 4
108+to the data. 5
109+(15) Domestic violence. - As defined in Chapter 14 of the General Statutes or any 6
110+equivalent provision in the laws of any other state; the United States; any 7
111+territory, district, or subdivision of the United States; or any foreign 8
112+jurisdiction. 9
113+(16) Genetic data. – Any data, regardless of its format, that results from the analysis 10
114+of a biological sample of an individual, or from another source enabling 11
115+equivalent information to be obtained, and concerns genetic material. For 12
116+purposes of this subdivision, "genetic material" includes deoxyribonucleic 13
117+acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, 14
118+genomes, alterations or modifications to DNA or RNA, single nucleotide 15
119+polymorphisms (SNPs), uninterpreted data that results from analysis of the 16
120+biological sample or other source, and any information extrapolated, derived, 17
121+or inferred therefrom. 18
122+(17) HIPAA. – The Health Insurance Portability and Accountability Act of 1996, 19
123+42 U.S.C. § 1320d, et seq., as amended. 20
124+(18) Human trafficking. – The offense defined in Chapter 14 of the General 21
125+Statutes or any equivalent provision in the laws of any other state; the United 22
126+States; any territory, district, or subdivision of the United States; or any 23
127+foreign jurisdiction. 24
128+(19) Identified or identifiable individual. – An individual who can be readily 25
129+identified, directly or indirectly. 26
130+(20) Nonprofit organization. – Any organization that is exempt from taxation under 27
131+section 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12) of the Internal Revenue 28
132+Code of 1986, or any subsequent corresponding internal revenue code of the 29
133+United States, as amended. 30
134+(21) Personal data. – Any information that is linked or reasonably linkable to an 31
135+identified or identifiable individual and does not include de-identified data or 32
136+publicly available information. 33
137+(22) Precise geolocation data. – Information derived from technology, including 34
138+global positioning system level latitude and longitude coordinates or other 35
139+mechanisms, that directly identifies the specific location of an individual with 36
140+precision and accuracy within a radius of 1,750 feet. "Precise geolocation 37
141+data" does not include the content of communications or any data generated 38
142+by or connected to advanced utility metering infrastructure systems or 39
143+equipment for use by a utility. 40
144+(23) Process or processing. – Any operation or set of operations performed, 41
145+whether by manual or automated means, on personal data or on sets of 42
146+personal data, such as the collection, use, storage, disclosure, analysis, 43
147+deletion, or modification of personal data. 44
148+(24) Processor. – A person that processes personal data on behalf of a controller. 45
149+(25) Profiling. – Any form of automated processing performed on personal data to 46
150+evaluate, analyze, or predict personal aspects related to an identified or 47
151+identifiable individual's economic situation, health, demographic 48
152+characteristics, personal preferences, interests, reliability, behavior, location, 49
153+or movements. 50
154+(26) Protected health information. – As defined in HIPAA. 51 General Assembly Of North Carolina Session 2025
155+Page 4 DRH40244-LR-32B
156+(27) Pseudonymous data. – Personal data that cannot be attributed to a specific 1
157+individual without the use of additional information, provided the additional 2
158+information is kept separately and is subject to appropriate technical and 3
159+organizational measures to ensure that the personal data is not attributed to an 4
160+identified or identifiable individual. 5
161+(28) Publicly available information. – Information that is lawfully made readily 6
162+available to the general public through federal, State, or local government 7
163+records or widely distributed media and a controller has a reasonable basis to 8
164+believe a consumer has lawfully made readily available to the general public. 9
165+(29) Sale of personal data. – The exchange or transfer of personal data for monetary 10
166+or other valuable consideration by the controller to a third party. "Sale of 11
167+personal data" does not include any of the following: 12
168+a. The disclosure of personal data to a processor that processes the 13
169+personal data on behalf of the controller where limited to the purpose 14
170+of the processing. 15
171+b. The disclosure of personal data to a third party for purposes of 16
172+providing a product or service affirmatively requested by the 17
173+consumer. 18
174+c. The disclosure or transfer of personal data to an affiliate of the 19
175+controller. 20
176+d. The disclosure of personal data where the consumer directs the 21
177+controller to disclose the personal data or intentionally uses the 22
178+controller to interact with a third party. 23
179+e. The disclosure of personal data that the consumer intentionally made 24
180+available to the general public via a channel of mass media and did not 25
181+restrict to a specific audience. 26
182+f. The disclosure or transfer of personal data to a third party as an asset 27
183+that is part of a merger, acquisition, bankruptcy, or other similar 28
184+transaction in which the third party assumes control of all or part of 29
185+the controller's assets, or a proposed merger, acquisition, bankruptcy, 30
186+or other similar transaction in which the third party assumes control of 31
187+all or part of the controller's assets. 32
188+(30) Sensitive data. – Personal data that includes any of the following: 33
189+a. Data revealing racial or ethnic origin, religious beliefs, mental or 34
190+physical health condition or diagnosis (including pregnancy), sex life, 35
191+sexual orientation, status as transgender or nonbinary, national origin, 36
192+citizenship status, or immigration status. 37
193+b. Genetic or biometric data. 38
194+c. Personal data of a known child. 39
195+d. Precise geolocation data. 40
196+(31) Sexual assault. – Any of the offenses defined in Chapter 14 of the General 41
197+Statutes or any equivalent provision in the laws of any other state; the United 42
198+States; any territory, district, or subdivision of the United States; or any 43
199+foreign jurisdiction. 44
200+(32) Stalking. – The offense defined in Chapter 14 of the General Statutes or any 45
201+equivalent provision in the laws of any other state; the United States; any 46
202+territory, district, or subdivision of the United States; or any foreign 47
203+jurisdiction. 48
204+(33) Targeted advertising. – Displaying advertisements to a consumer where the 49
205+advertisement is selected based on personal data obtained or inferred from that 50
206+consumer's activities over time and across nonaffiliated internet websites or 51 General Assembly Of North Carolina Session 2025
207+DRH40244-LR-32B Page 5
208+online applications to predict the consumer's preferences or interests. 1
209+"Targeted advertising" does not include any of the following: 2
210+a. Advertisements based on activities within a controller's own internet 3
211+websites or online applications. 4
212+b. Advertisements based on the context of a consumer's current search 5
213+query, visit to an internet website, or online application. 6
214+c. Advertisements directed to a consumer in direct response to the 7
215+consumer's request for information or feedback. 8
216+d. Processing personal data solely to measure or report advertising 9
217+frequency, performance, or reach. 10
218+(34) Third party. – With respect to personal data controlled by a controller, any 11
219+person other than the relevant consumer, the controller of the personal data, 12
220+or a processor or an affiliate of the processor or the controller. 13
221+(35) Trade secret. – As defined in Chapter 66, 95, or 113 of the General Statutes. 14
222+(36) Violent felony. – As defined in section 4201 of Title 11 and includes any 15
223+equivalent provision in the laws of any other state; the United States; any 16
224+territory, district, or subdivision of the United States; or any foreign 17
225+jurisdiction. 18
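Review bot: Subdivision (36), "Violent felony", cites "section 4201 of Title 11" without naming the code that section belongs to, whereas the sibling definitions (child abuse, domestic violence, human trafficking, sexual assault, stalking) all cite Chapter 14 of the General Statutes. Suggest naming the source code explicitly or citing the General Statutes, since this term sets the scope of the victim-data exemption in § 75F-103(c)(13).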
226+"§ 75F-103. Applicability of Chapter. 19
227+(a) This Chapter applies to persons that conduct business in the State or persons that 20
228+produce products or services that are targeted to residents of the State and that during the 21
229+preceding calendar year did any of the following: 22
230+(1) Controlled or processed the personal data of not less than 35,000 consumers, 23
231+excluding personal data controlled or processed solely for the purpose of 24
232+completing a payment transaction. 25
233+(2) Controlled or processed the personal data of not less than 10,000 consumers 26
234+and derived more than twenty percent (20%) of their gross revenue from the 27
235+sale of personal data. 28
236+(b) This Chapter does not apply to any of the following entities: 29
237+(1) Any regulatory, administrative, advisory, executive, appointive, legislative, or 30
238+judicial body of the State or a political subdivision of the State, including any 31
239+board, bureau, commission, or agency of the State or a political subdivision 32
240+of the State, but excluding any institution of higher education. 33
241+(2) Any financial institution or affiliate of a financial institution, all as defined in 34
242+15 U.S.C. § 6809, to the extent that the financial institution or affiliate is 35
243+subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et seq., 36
244+as amended) and the rules and implementing regulations promulgated 37
245+thereunder. 38
246+(c) This Chapter does not apply to the following information and data: 39
247+(1) Protected health information under HIPAA. 40
248+(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2. 41
249+(3) Identifiable private information, as defined in 45 C.F.R. § 46.102, to the extent 42
250+that it is used for purposes of the federal policy for the protection of human 43
251+subjects pursuant to 45 C.F.R. § 46. 44
252+(4) Identifiable private information to the extent it is collected and used as part of 45
253+human subjects research pursuant to the ICH E6 Good Clinical Practice 46
254+Guideline issued by the International Council for Harmonisation of Technical 47
255+Requirements for Pharmaceuticals for Human Use or the protection of human 48
256+subjects under 21 C.F.R. §§ 50 and 56. 49 General Assembly Of North Carolina Session 2025
257+Page 6 DRH40244-LR-32B
258+(5) Patient safety work product, as defined in 42 C.F.R. § 3.20, that is created and 1
259+used for purposes of patient safety improvement pursuant to 42 C.F.R. § 3, 2
260+established pursuant to 42 U.S.C. §§ 299b–21 to 299b–26. 3
261+(6) Information to the extent it is used for public health, community health, or 4
262+population health activities and purposes, as authorized by HIPAA, when 5
263+provided by or to a Covered Entity or when provided by or to a Business 6
264+Associate pursuant to a Business Associate Agreement with a Covered Entity. 7
265+(7) The collection, maintenance, disclosure, sale, communication, or use of any 8
266+personal information bearing on a consumer's credit worthiness, credit 9
267+standing, credit capacity, character, general reputation, personal 10
268+characteristics, or mode of living by a consumer reporting agency, furnisher, 11
269+or user that provides information for use in a consumer report, and by a user 12
270+of a consumer report, but only to the extent that the activity is regulated by 13
271+and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681, 14
272+et seq., as amended). 15
273+(8) Personal data collected, processed, sold, or disclosed in compliance with the 16
274+Driver's Privacy Protection Act of 1994, 18 U.S.C. § 2721, et seq., as 17
275+amended. 18
276+(9) Personal data regulated by the Family Educational Rights and Privacy Act, 20 19
277+U.S.C. § 1232g, et seq., as amended. 20
278+(10) Personal data collected, processed, sold, or disclosed in compliance with the 21
279+Farm Credit Act, 12 U.S.C. § 2001, et seq., as amended. 22
280+(11) Data processed or maintained in any of the following ways: 23
281+a. In the course of an individual applying to, employed by, or acting as 24
282+an agent or independent contractor of a controller, processor, or third 25
283+party, to the extent that the data is collected and used within the context 26
284+of that role. 27
285+b. As the emergency contact information of an individual, used for 28
286+emergency contact purposes. 29
287+c. Necessary to retain to administer benefits for another individual 30
288+relating to the individual who is the subject of the information under 31
289+sub-subdivision a. of this subdivision and used for the purposes of 32
290+administering the benefits. 33
291+(12) Personal data collected, processed, sold, or disclosed in relation to price, route, 34
292+or service, as the terms are used in the Airline Deregulation Act, 49 U.S.C. § 35
293+40101, et seq., as amended, by an air carrier subject to said act, to the extent 36
294+any part of this Chapter is preempted by the Airline Deregulation Act, 49 37
295+U.S.C. § 41713, as amended. 38
296+(13) Personal data of a victim of or witness to child abuse, domestic violence, 39
297+human trafficking, sexual assault, violent felony, or stalking that is collected, 40
298+processed, or maintained by a nonprofit organization that provides services to 41
299+victims of or witnesses to child abuse, domestic violence, human trafficking, 42
300+sexual assault, violent felony, or stalking. 43
301+(d) Controllers and processors that comply with the verifiable parental consent 44
302+requirements of COPPA shall be deemed compliant with any obligation to obtain parental 45
303+consent set forth in this Chapter with respect to a consumer who is a child. 46
304+"§ 75F-104. Consumer personal data rights. 47
305+(a) A consumer has the right to do all of the following: 48
306+(1) Confirm whether a controller is processing the consumer's personal data and 49
307+access the personal data, unless the confirmation or access would require the 50
308+controller to reveal a trade secret. 51 General Assembly Of North Carolina Session 2025
309+DRH40244-LR-32B Page 7
310+(2) Correct inaccuracies in the consumer's personal data, taking into account the 1
311+nature of the personal data and the purposes of the processing of the 2
312+consumer's personal data. 3
313+(3) Have personal data provided by, or obtained about, the consumer deleted. 4
314+(4) Obtain a copy of the consumer's personal data processed by the controller, in 5
315+a portable and, to the extent technically feasible, readily usable format that 6
316+allows the consumer to transmit the data to another controller without 7
317+hindrance, where the processing is carried out by automated means, provided 8
318+the controller shall not be required to reveal any trade secret. 9
319+(5) Obtain a list of the specific third parties to which the controller has disclosed 10
320+the consumer's personal data. If the controller does not maintain this 11
321+information in a format specific to the consumer, a list of specific third parties 12
322+to whom the controller has disclosed any consumers' personal data may be 13
323+provided instead. 14
324+(6) Opt out of the processing of the personal data for purposes of any of the 15
325+following: 16
326+a. Targeted advertising. 17
327+b. The sale of personal data, except as provided in G.S. 75F-106(b). 18
328+c. Profiling in furtherance of solely automated decisions that produce 19
329+legal or similarly significant effects concerning the consumer. 20
330+(b) A consumer may exercise rights under this section by secure and reliable means 21
331+established by the controller and described to the consumer in the controller's privacy notice. A 22
332+consumer may designate an authorized agent in accordance with G.S. 75F-105 to exercise the 23
333+rights of the consumer to opt out of the processing of the consumer's personal data for purposes 24
334+of subdivision (5) of subsection (a) of this section on behalf of the consumer. In the case of 25
335+processing personal data of a known child, the parent or legal guardian may exercise the 26
336+consumer rights on the child's behalf. In the case of processing personal data concerning a 27
337+consumer subject to a guardianship, conservatorship, or other protective arrangement, the 28
338+guardian or the conservator of the consumer may exercise the rights on the consumer's behalf. 29
339+(c) Except as otherwise provided in this Chapter, a controller shall comply with a request 30
340+by a consumer to exercise the consumer rights authorized pursuant to said sections as follows: 31
341+(1) A controller shall respond to the consumer without undue delay but not later 32
342+than 45 days after receipt of the request. The controller may extend the 33
343+response period by 45 additional days when reasonably necessary, considering 34
344+the complexity and number of the consumer's requests, provided the controller 35
345+informs the consumer of any such extension within the initial 45-day response 36
346+period and of the reason for the extension. 37
347+(2) If a controller declines to take action regarding the consumer's request, the 38
348+controller shall inform the consumer without undue delay but not later than 45 39
349+days after receipt of the request of the justification for declining to take action 40
350+and instructions for how to appeal the decision. 41
351+(3) Information provided in response to a consumer request shall be provided by 42
352+a controller, free of charge, once per consumer during any 12-month period. 43
353+If requests from a consumer are manifestly unfounded, excessive, or 44
354+repetitive, the controller may charge the consumer a reasonable fee to cover 45
355+the administrative costs of complying with the request or decline to act on the 46
356+request. The controller bears the burden of demonstrating the manifestly 47
357+unfounded, excessive, or repetitive nature of the request. 48
358+(4) If a controller is unable to authenticate a request to exercise any of the rights 49
359+afforded under subdivisions (1) through (5), inclusive, of subsection (a) of this 50
360+section using commercially reasonable efforts, the controller shall not be 51 General Assembly Of North Carolina Session 2025
361+Page 8 DRH40244-LR-32B
362+required to comply with a request to initiate an action pursuant to this section 1
363+and shall provide notice to the consumer that the controller is unable to 2
364+authenticate the request to exercise the right or rights until the consumer 3
365+provides additional information reasonably necessary to authenticate the 4
366+consumer and the consumer's request to exercise the right or rights. A 5
367+controller shall not be required to authenticate an opt-out request, but a 6
368+controller may deny an opt-out request if the controller has a good-faith, 7
369+reasonable, and documented belief that the request is fraudulent. If a controller 8
370+denies an opt-out request because the controller believes the request is 9
371+fraudulent, the controller shall send a notice to the person who made the 10
372+request disclosing that the controller believes the request is fraudulent, why 11
373+the controller believes the request is fraudulent, and that the controller shall 12
374+not comply with the request. 13
375+(5) A controller that has obtained personal data about a consumer from a source 14
376+other than the consumer shall be deemed in compliance with a consumer's 15
377+request to delete the data pursuant to subdivision (3) of subsection (a) of this 16
378+section if the controller retains a record of the deletion request and the 17
379+minimum data necessary for the purpose of ensuring the consumer's personal 18
380+data remains deleted from the controller's records and does not use the retained 19
381+data for any other purpose. 20
382+(d) A controller shall establish a process for a consumer to appeal the controller's refusal 21
383+to take action on a request within a reasonable period of time after the consumer's receipt of the 22
384+decision. The appeal process shall be conspicuously available and similar to the process for 23
385+submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt 24
386+of an appeal, a controller shall inform the consumer in writing of any action taken or not taken 25
387+in response to the appeal, including a written explanation of the reasons for the decisions. If the 26
388+appeal is denied, the controller shall also provide the consumer with an online mechanism, if 27
389+available, or other method through which the consumer may contact the Department of Justice 28
390+to submit a complaint. 29
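Review bot: Subsection (b) of § 75F-104 lets an authorized agent opt out "for purposes of subdivision (5) of subsection (a)", but subdivision (5) is the right to obtain the list of third parties; the opt-out right is subdivision (6). Subsection (c)(4) scopes authentication to "subdivisions (1) through (5)" and then treats opt-out requests separately, which only works if opt-out is (6). Suggest changing the reference in (b) to subdivision (6), along with the matching reference to G.S. 75F-104(a)(5) in § 75F-105(a).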
391+"§ 75F-105. Designation of agent to exercise rights of consumer, including through 30
392+universal opt-out mechanisms. 31
393+(a) A consumer may designate an authorized agent to act on the consumer's behalf to opt 32
394+out of the processing of the consumer's personal data for one or more of the purposes specified 33
395+in G.S. 75F-104(a)(5). The consumer may designate the authorized agent by way of, among other 34
396+things, a platform, technology, or mechanism, including an internet link or a browser setting, 35
397+browser extension, or global device setting, indicating the consumer's intent to opt out of the 36
398+processing. For the purposes of the designation, the platform, technology, or mechanism may 37
399+function as the agent for purposes of conveying the consumer's decision to opt out. 38
400+(b) A controller shall comply with an opt-out request received from an authorized agent 39
401+if the controller is able to verify, with commercially reasonable effort, the identity of the 40
402+consumer and the authorized agent's authority to act on the consumer's behalf. The Department 41
403+of Justice may publish or reference on its website a list of agents who presumptively shall have 42
404+the authority unless the controller has established a reasonable basis to conclude that the agent 43
405+lacks such authority. 44
406+"§ 75F-106. Duties of controllers. 45
407+(a) A controller shall do all of the following: 46
408+(1) Limit the collection of personal data to what is adequate, relevant, and 47
409+reasonably necessary in relation to the purposes for which the data is 48
410+processed, as disclosed to the consumer. 49
411+(2) Except as otherwise permitted by this Chapter, not process personal data for 50
412+purposes that are neither reasonably necessary to, nor compatible with, the 51 General Assembly Of North Carolina Session 2025
413+DRH40244-LR-32B Page 9
414+disclosed purposes for which the personal data is processed, as disclosed to 1
415+the consumer, unless the controller obtains the consumer's consent. 2
416+(3) Establish, implement, and maintain reasonable administrative, technical, and 3
417+physical data security practices to protect the confidentiality, integrity, and 4
418+accessibility of personal data appropriate to the volume and nature of the 5
419+personal data at issue. 6
420+(4) Not process sensitive data concerning a consumer without obtaining the 7
421+consumer's consent or, in the case of the processing of sensitive data 8
422+concerning a known child, without first obtaining consent from the child's 9
423+parent or lawful guardian. 10
424+(5) Not process personal data in violation of the laws of this State and federal laws 11
425+that prohibit unlawful discrimination. 12
426+(6) Provide an effective mechanism for a consumer to revoke the consumer's 13
427+consent under this section that is at least as easy as the mechanism by which 14
428+the consumer provided the consumer's consent and, upon revocation of the 15
429+consent, cease to process the data as soon as practicable but not later than 15 16
430+days after the receipt of the request. 17
431+(7) Not process the personal data of a consumer for purposes of targeted 18
432+advertising, or sell the consumer's personal data without the consumer's 19
433+consent, under circumstances where a controller has actual knowledge or 20
434+willfully disregards that the consumer is at least 13 years of age but younger 21
435+than 18 years of age. 22
436+(8) Not discriminate against a consumer for exercising any of the consumer rights 23
437+contained in this Chapter, including denying goods or services, charging 24
438+different prices or rates for goods or services, or providing a different level of 25
439+quality of goods or services to the consumer. 26
440+(b) Nothing in subsection (a) of this section shall be construed to require a controller to 27
441+provide a product or service that requires the personal data of a consumer which the controller 28
442+does not collect or maintain, or prohibit a controller from offering a different price, rate, level, 29
443+quality, or selection of goods or services to a consumer, including offering goods or services for 30
444+no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide 31
445+loyalty, rewards, premium features, discounts, or club card program. 32
446+(c) A controller shall provide consumers with a reasonably accessible, clear, and 33
447+meaningful privacy notice that includes all of the following: 34
448+(1) The categories of personal data processed by the controller. 35
449+(2) The purpose for processing personal data. 36
450+(3) How consumers may exercise their consumer rights, including how a 37
451+consumer may appeal a controller's decision with regard to the consumer's 38
452+request. 39
453+(4) The categories of personal data that the controller shares with third parties, if 40
454+any. 41
455+(5) The categories of third parties with which the controller shares personal data, 42
456+if any. 43
457+(6) An active electronic mail address or other online mechanism that the 44
458+consumer may use to contact the controller. 45
459+(d) If a controller sells personal data to third parties or processes personal data for targeted 46
460+advertising, the controller shall clearly and conspicuously disclose the processing, as well as the 47
461+manner in which a consumer may exercise the right to opt out of the processing. 48
462+(e) A controller shall establish and shall describe in the privacy notice required by 49
463+subsection (c) of this section one or more secure and reliable means for consumers to submit a 50
464+request to exercise their consumer rights pursuant to this Chapter. The means shall take into 51 General Assembly Of North Carolina Session 2025
465+Page 10 DRH40244-LR-32B
466+account the ways in which consumers normally interact with the controller, the need for secure 1
467+and reliable communication of the requests, and the ability of the controller to verify the identity 2
468+of the consumer making the request. A controller shall not require a consumer to create a new 3
469+account in order to exercise consumer rights but may require a consumer to use an existing 4
470+account. Any such means shall include all of the following: 5
471+(1) Providing a clear and conspicuous link on the controller's internet website to 6
472+an internet webpage that enables a consumer, or an agent of the consumer, to 7
473+opt out of the targeted advertising or the sale of the consumer's personal data. 8
474+(2) Allowing a consumer to opt out of any processing of the consumer's personal 9
475+data for the purposes of targeted advertising, or any sale of the personal data, 10
476+through an opt-out preference signal sent, with the consumer's consent, by a 11
477+platform, technology, or mechanism to the controller indicating the 12
478+consumer's intent to opt out of any such processing or sale. The platform, 13
479+technology, or mechanism shall do all of the following: 14
480+a. Not unfairly disadvantage another controller. 15
481+b. Not make use of a default setting but, rather, require the consumer to 16
482+make an affirmative, freely given, and unambiguous choice to opt out 17
483+of any processing of the consumer's personal data pursuant to this 18
484+Chapter. 19
485+c. Be consumer-friendly and easy to use by the average consumer. 20
486+d. Be as consistent as possible with any other similar platform, 21
487+technology, or mechanism required by any federal or State law or 22
488+regulation. 23
489+e. Enable the controller to reasonably determine whether the consumer 24
490+is a resident of the State and whether the consumer has made a 25
491+legitimate request to opt out of any sale of the consumer's personal 26
492+data or targeted advertising. 27
493+If a consumer's decision to opt out of any processing of the consumer's personal data for the 28
494+purposes of targeted advertising, or any sale of the personal data, through an opt-out preference 29
495+signal sent in accordance with the provisions of subdivision (1) of this subsection conflicts with 30
496+the consumer's existing controller-specific privacy setting or voluntary participation in a 31
497+controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the 32
498+controller shall comply with the consumer's opt-out preference signal but may notify the 33
499+consumer of the conflict and provide to the consumer the choice to confirm the controller-specific 34
500+privacy setting or participation in the program. 35
501+If a controller responds to consumer opt‐out requests received pursuant to subdivision (1) of 36
502+this subsection by informing the consumer of a charge for the use of any product or service, the 37
503+controller shall present the terms of any financial incentive offered pursuant to subdivision (2) of 38
504+this subsection for the retention, use, sale, or sharing of the consumer's personal data. 39
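Review bot: the two unnumbered paragraphs that close subsection (e) of § 75F-106 carry cross-references that do not resolve to the provisions they describe. The first speaks of "an opt-out preference signal sent in accordance with the provisions of subdivision (1) of this subsection", but in the text above the preference signal is set out in subdivision (2), and subdivision (1) is the website opt-out link. The second cites a "financial incentive offered pursuant to subdivision (2) of this subsection", yet subdivision (2) contains no incentive language; the only loyalty and rewards program text in this section is in subsection (b). Suggest correcting both references so that a controller implementing signal handling can tell which provision governs a conflict with an existing privacy setting.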
505+"§ 75F-107. Duties of processors. 40
506+(a) A processor shall adhere to the instructions of a controller and shall assist the 41
507+controller in meeting the controller's obligations under this Chapter. The assistance must include 42
508+all of the following: 43
509+(1) Taking into account the nature of processing and the information available to 44
510+the processor, by appropriate technical and organizational measures, insofar 45
511+as is reasonably practicable, to fulfill the controller's obligation to respond to 46
512+consumer rights requests. 47
513+(2) Taking into account the nature of processing and the information available to 48
514+the processor, by assisting the controller in meeting the controller's obligations 49
515+in relation to the security of processing the personal data and in relation to the 50 General Assembly Of North Carolina Session 2025
516+DRH40244-LR-32B Page 11
517+notification of a breach of security of the system of the processor, in order to 1
518+meet the controller's obligations. 2
519+(3) Providing necessary information to enable the controller to conduct and 3
520+document data protection assessments. 4
521+(b) A contract between a controller and a processor must govern the processor's data 5
522+processing procedures with respect to processing performed on behalf of the controller. The 6
523+contract must be binding and clearly set forth instructions for processing data, the nature and 7
524+purpose of processing, the type of data subject to processing, the duration of processing, and the 8
525+rights and obligations of both parties. The contract must also require that the processor do all of 9
526+the following: 10
527+(1) Ensure that each person processing personal data is subject to a duty of 11
528+confidentiality with respect to the data. 12
529+(2) At the controller's direction, delete or return all personal data to the controller 13
530+as requested at the end of the provision of services, unless retention of the 14
531+personal data is required by law. 15
532+(3) Upon the reasonable request of the controller, make available to the controller 16
533+all information in its possession necessary to demonstrate the processor's 17
534+compliance with the obligations in this Chapter. 18
535+(4) After providing the controller an opportunity to object, engage any 19
536+subcontractor pursuant to a written contract that requires the subcontractor to 20
537+meet the obligations of the processor with respect to the personal data. 21
538+(5) Allow, and cooperate with, reasonable assessments by the controller or the 22
539+controller's designated assessor, or the processor may arrange for a qualified 23
540+and independent assessor to conduct an assessment of the processor's policies 24
541+and technical and organizational measures in support of the obligations under 25
542+this Chapter, using an appropriate and accepted control standard or framework 26
543+and assessment procedure for the assessments. The processor shall provide a 27
544+report of the assessment to the controller upon request. 28
545+(c) Nothing in this section may be construed to relieve a controller or processor from the 29
546+liabilities imposed on the controller or processor by virtue of the controller's or processor's role 30
547+in the processing relationship, as described in this Chapter. 31
548+(d) Determining whether a person is acting as a controller or processor with respect to a 32
549+specific processing of data is a fact-based determination that depends upon the context in which 33
550+personal data is to be processed. A person who is not limited in the person's processing of 34
551+personal data pursuant to a controller's instructions, or who fails to adhere to the instructions, is 35
552+a controller and not a processor with respect to a specific processing of data. A processor that 36
553+continues to adhere to a controller's instructions with respect to a specific processing of personal 37
554+data remains a processor. If a processor begins, alone or jointly with others, determining the 38
555+purposes and means of the processing of personal data, the processor is a controller with respect 39
556+to the processing and may be subject to an enforcement action under this Chapter. 40
557+"§ 75F-108. Data protection assessments. 41
558+(a) A controller that controls or processes the data of not less than 100,000 consumers, 42
559+excluding data controlled or processed solely for the purpose of completing a payment 43
560+transaction, shall conduct and document, on a regular basis, a data protection assessment for each 44
561+of the controller's processing activities that presents a heightened risk of harm to a consumer. For 45
562+the purposes of this section, processing that presents a heightened risk of harm to a consumer 46
563+includes any of the following: 47
564+(1) The processing of personal data for the purposes of targeted advertising. 48
565+(2) The sale of personal data. 49
566+(3) The processing of personal data for the purposes of profiling, where the 50
567+profiling presents a reasonably foreseeable risk of any of the following: 51 General Assembly Of North Carolina Session 2025
568+Page 12 DRH40244-LR-32B
569+a. Unfair or deceptive treatment of, or unlawful disparate impact on, 1
570+consumers. 2
571+b. Financial, physical, or reputational injury to consumers. 3
572+c. A physical or other intrusion upon the solitude or seclusion, or the 4
573+private affairs or concerns, of consumers, where the intrusion would 5
574+be offensive to a reasonable person. 6
575+d. Other substantial injury to consumers. 7
576+(4) The processing of sensitive data. 8
577+(b) Data protection assessments conducted pursuant to subsection (a) of this section shall 9
578+identify and weigh the benefits that may flow, directly and indirectly, from the processing to the 10
579+controller, the consumer, other stakeholders, and the public against the potential risks to the rights 11
580+of the consumer associated with the processing, as mitigated by safeguards that can be employed 12
581+by the controller to reduce the risks. The controller shall factor into any such data protection 13
582+assessment the use of de-identified data and the reasonable expectations of consumers, as well 14
583+as the context of the processing and the relationship between the controller and the consumer 15
584+whose personal data will be processed. 16
585+(c) The Attorney General may require that a controller disclose any data protection 17
586+assessment that is relevant to an investigation conducted by the Attorney General, and the 18
587+controller shall make the data protection assessment available to the Attorney General. The 19
588+Attorney General may evaluate the data protection assessment for compliance with the 20
589+responsibilities set forth in this Chapter. Data protection assessments must be treated as 21
590+confidential and are not public records within the meaning of Chapter 132 of the General Statutes. 22
591+Notwithstanding the foregoing, a controller's data protection assessment may be used in an action 23
592+to enforce this Chapter. To the extent any information contained in a data protection assessment 24
593+disclosed to the Attorney General includes and conspicuously identifies information subject to 25
594+attorney-client privilege or work product protection, the disclosure by itself does not constitute a 26
595+waiver of the privilege or protection. 27
596+(d) A single data protection assessment may address a comparable set of processing 28
597+operations that include similar activities. 29
598+(e) If a controller conducts a data protection assessment for the purpose of complying 30
599+with another applicable law or regulation, the data protection assessment shall be deemed to 31
600+satisfy the requirements established in this section if the data protection assessment is reasonably 32
601+similar in scope and effect to the data protection assessment that would otherwise be conducted 33
602+pursuant to this section. 34
603+(f) Data protection assessment requirements shall apply to processing activities created 35
604+or generated on or after July 1, 2026, and are not retroactive. 36
605+"§ 75F-109. De-identified data. 37
606+(a) Nothing in this Chapter shall be construed to require a controller or processor to 38
607+re-identify de-identified data or pseudonymous data, or to maintain data in identifiable form, or 39
608+collect, obtain, retain, or access any data or technology, in order to be capable of associating an 40
609+authenticated consumer request with personal data. 41
610+(b) Nothing in this Chapter shall be construed to require a controller or processor to 42
611+comply with an authenticated consumer rights request if all of the following apply: 43
612+(1) The controller is not reasonably capable of associating the request with the 44
613+personal data or it would be unreasonably burdensome for the controller to 45
614+associate the request with the personal data. 46
615+(2) The controller does not use the personal data to recognize or respond to the 47
616+specific consumer who is the subject of the personal data or associate the 48
617+personal data with other personal data about the same specific consumer. 49 General Assembly Of North Carolina Session 2025
618+DRH40244-LR-32B Page 13
619+(3) The controller does not sell the personal data to any third party or otherwise 1
620+voluntarily disclose the personal data to any third party other than a processor, 2
621+except as otherwise permitted in this section. 3
622+(c) The rights afforded under G.S. 75F-104(a)(1) to (4), inclusive, do not apply to 4
623+pseudonymous data in cases where the controller is able to demonstrate that any information 5
624+necessary to identify the consumer is kept separately and is subject to effective technical and 6
625+organizational controls that prevent the controller from accessing the information. 7
626+(d) A controller that discloses pseudonymous data or de-identified data shall exercise 8
627+reasonable oversight to monitor compliance with any contractual commitments to which the 9
628+pseudonymous data or de-identified data is subject and shall take appropriate steps to address 10
629+any breaches of those contractual commitments. The determination of the reasonableness of the 11
630+oversight and the appropriateness of contractual enforcement must take into account whether the 12
631+disclosed data includes data that would be sensitive data if it were re-identified. 13
632+"§ 75F-110. Exclusions. 14
633+(a) Nothing in this Chapter shall be construed to restrict a controller's or processor's 15
634+ability to do any of the following: 16
635+(1) Comply with federal, State, or local laws, rules, or regulations. 17
636+(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, 18
637+or summons by federal, State, local, or other governmental authorities. 19
638+(3) Cooperate with law enforcement agencies concerning conduct or activity that 20
639+the controller or processor reasonably and in good faith believes may violate 21
640+federal, State, or local laws, rules, or regulations. 22
641+(4) Investigate, establish, exercise, prepare for, or defend legal claims. 23
642+(5) Provide a product or service specifically requested by a consumer. 24
643+(6) Perform under a contract to which a consumer is a party, including fulfilling 25
644+the terms of a written warranty. 26
645+(7) Take steps at the request of a consumer prior to entering into a contract. 27
646+(8) Take immediate steps to protect an interest that is essential for the life or 28
647+physical safety of the consumer or another individual and where the 29
648+processing cannot be manifestly based on another legal basis. 30
649+(9) Prevent, detect, protect against, or respond to security incidents, identity theft, 31
650+fraud, harassment, malicious or deceptive activities, or any illegal activity; 32
651+preserve the integrity or security of systems; or investigate, report, or 33
652+prosecute those responsible for any such activity. 34
653+(10) Engage in public or peer-reviewed scientific research in the public interest that 35
654+adheres to all other applicable ethics and privacy laws and is approved, 36
655+monitored, and governed by an institutional review board that determines 37
656+whether the deletion of the information is likely to provide substantial benefits 38
657+that do not exclusively accrue to the controller, the expected benefits of the 39
658+research outweigh the privacy risks, and whether the controller has 40
659+implemented reasonable safeguards to mitigate privacy risks associated with 41
660+research, including any risks associated with re-identification. 42
661+(11) Assist another controller, processor, or third party with any of the activities 43
662+under this subsection. 44
663+(b) The obligations imposed on controllers or processors under this Chapter, other than 45
664+those imposed by G.S. 75F-109, do not restrict a controller's or processor's ability to collect data 46
665+directly from consumers, or use or retain the data, for internal use only, to do any of the following: 47
666+(1) Conduct internal research to develop, improve, or repair products, services, or 48
667+technology. 49
668+(2) Effectuate a product recall. 50 General Assembly Of North Carolina Session 2025
669+Page 14 DRH40244-LR-32B
670+(3) Identify and repair technical errors that impair existing or intended 1
671+functionality. 2
672+(4) Perform internal operations that are reasonably aligned with the expectations 3
673+of the consumer or reasonably anticipated based on the consumer's existing 4
674+relationship with the controller or are otherwise compatible with processing 5
675+data in furtherance of the provision of a product or service specifically 6
676+requested by a consumer or the performance of a contract to which the 7
677+consumer is a party. 8
678+(c) The obligations imposed on controllers or processors under this Chapter shall not 9
679+apply where compliance by the controller or processor with said sections would violate an 10
680+evidentiary privilege under the laws of this State. Nothing in this Chapter shall be construed to 11
681+prevent a controller or processor from providing personal data concerning a consumer to a person 12
682+covered by an evidentiary privilege under the laws of this State as part of a privileged 13
683+communication. 14
684+(d) A controller or processor that discloses personal data to a processor or third-party 15
685+controller in compliance with this Chapter shall not be deemed to have violated said sections if 16
686+the processor or third-party controller that receives and processes the personal data violates said 17
687+sections, provided that (i) at the time the disclosing controller or processor disclosed the personal 18
688+data, the disclosing controller or processor did not have actual knowledge that the receiving 19
689+processor or third-party controller had violated or would violate said sections and (ii) the 20
690+disclosing controller or processor was, and remained, in compliance with its obligations as the 21
691+discloser of the data hereunder. A third-party controller or processor receiving personal data from 22
692+a controller or processor in compliance with this Chapter is likewise not in violation of said 23
693+sections for the independent misconduct of the controller or processor from which the third-party 24
694+controller or processor receives the personal data. 25
695+(e) Nothing in this Chapter may be construed to do any of the following: 26
696+(1) Impose any obligation on a controller or processor that adversely affects the 27
697+rights of any person to freedom of speech or freedom of the press guaranteed 28
698+by the First Amendment to the United States Constitution or Article I, Section 29
699+14 of the North Carolina Constitution. 30
700+(2) Apply to any person's processing of personal data in the course of the person's 31
701+purely personal or household activities. 32
702+(f) Personal data processed pursuant to this section may be processed to the extent that 33
703+the processing is reasonably necessary and proportionate to the purposes listed in this section and 34
704+is adequate, relevant, and limited to what is necessary in relation to the specific purposes listed 35
705+in this section. Personal data collected, used, or retained pursuant to subsection (b) of this section 36
706+shall, where applicable, take into account the nature and purpose or purposes of the collection, 37
707+use, or retention. The data shall be subject to reasonable administrative, technical, and physical 38
708+measures to protect the confidentiality, integrity, and accessibility of the personal data and to 39
709+reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or 40
710+retention of personal data. 41
711+(g) If a controller processes personal data pursuant to an exemption in this section, the 42
712+controller bears the burden of demonstrating that the processing qualifies for the exemption and 43
713+complies with the requirements of subsection (f) of this section. 44
714+(h) Processing personal data for the purposes expressly identified in this section shall not 45
715+solely make a legal entity a controller with respect to the processing. 46
716+"§ 75F-111. Enforcement. 47
717+(a) The Department of Justice shall investigate and enforce alleged violations of this 48
718+Chapter. 49
719+(b) The Department of Justice may, prior to initiating any action for a violation of any 50
720+provision of this Chapter, issue a notice of violation to the controller or processor if the 51 General Assembly Of North Carolina Session 2025
721+DRH40244-LR-32B Page 15
722+Department of Justice determines that a cure is possible. If the Department of Justice issues a 1
723+notice of violation, the controller shall have at least 60 days to cure the violation after receipt of 2
724+the notice. If the controller fails to cure the violation within the time period, the Department of 3
725+Justice may bring an enforcement proceeding pursuant to subsection (a) of this section. In 4
726+determining whether to grant a controller or processor an opportunity to cure an alleged violation, 5
727+the Department of Justice may consider all of the following: 6
728+(1) The number of violations. 7
729+(2) The size and complexity of the controller or processor. 8
730+(3) The nature and extent of the controller's or processor's processing activities. 9
731+(4) The substantial likelihood of injury to the public. 10
732+(5) The safety of persons or property. 11
733+(6) Whether the alleged violation was likely caused by human or technical error. 12
734+(7) The extent to which the controller or processor has violated this or similar 13
735+laws in the past. 14
736+(c) Nothing in this Chapter shall be construed as providing the basis for, or be subject to, 15
737+a private right of action for violations of said sections or any other law. 16
738+(d) A violation of this Chapter shall be deemed an unfair practice under G.S. 75-1.1." 17
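Review bot: in § 75F-111(b) the named parties do not match from one sentence to the next. The notice of violation may be issued "to the controller or processor", but the cure period ("the controller shall have at least 60 days") and the failure-to-cure sentence ("If the controller fails to cure") name only the controller, which leaves open whether a processor that receives a notice has a cure period at all. Suggest using "controller or processor" in all three sentences, as the sentence on granting an opportunity to cure already does.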
739+SECTION 1.3. Beginning at least six months prior to the effective date of this act, 18
740+the Department of Justice shall engage in public outreach to educate consumers and the business 19
741+community about this act. 20
742+ 21
743+PART II. ENACT SOCIAL MEDIA SAFETY ACT 22
744+SECTION 2.1. Effective January 1, 2026, the General Statutes are amended by 23
745+adding a new Chapter to read: 24
746+"Chapter 75G. 25
747+"Social Media Verification. 26
748+"§ 75G-101. Definitions. 27
749+The following definitions apply in this Chapter: 28
750+(1) Account holder. – An individual who creates an account or a profile to use a 29
751+social media platform. 30
752+(2) Commercial entity. – A corporation, limited liability company, partnership, 31
753+limited partnership, sole proprietorship, or other legally recognized entity. The 32
754+term includes a third-party vendor. 33
755+(3) Digitized identification card. – A data file available on a mobile device that 34
756+has connectivity to the internet through a State-approved application that 35
757+allows the mobile device to download the data file from the Division of Motor 36
758+Vehicles that contains all of the data elements visible on the face and back of 37
759+a drivers license or identification card and displays the current status of the 38
760+drivers license or identification card, including valid, expired, cancelled, 39
761+suspended, revoked, active, or inactive. 40
762+(4) Minor. – An individual under 18 years of age. 41
763+(5) North Carolina user. – An individual who is a resident of the State of North 42
764+Carolina and who accesses or attempts to access a social media platform while 43
765+present in this State by accessing the social media platform while using a 44
766+North Carolina Internet Protocol address or otherwise known or believed to 45
767+be in this State while using the social media platform. 46
768+(6) Reasonable age verification. – To confirm that a person seeking to access a 47
769+social media platform is at least 18 years old. 48
770+(7) Social media company. – An online forum that a company makes available 49
771+for an account holder to: 50 General Assembly Of North Carolina Session 2025
772+Page 16 DRH40244-LR-32B
773+a. Create a public profile, establish an account, or register as a user for 1
774+the primary purpose of interacting socially with other profiles and 2
775+accounts; 3
776+b. Upload or create posts or content; 4
777+c. View posts or content of other account holders; and 5
778+d. Interact with other account holders or users, including, without 6
779+limitation, establishing mutual connections through request and 7
780+acceptance. 8
781+(7a) Social media company. – Does not include any of the following: 9
782+a. A company that exclusively offers subscription content in which users 10
783+follow or subscribe unilaterally and whose platforms' primary purpose 11
784+is not social interaction. 12
785+b. A social media company that allows a user to generate short video 13
786+clips of dancing, voice overs, or other acts of entertainment in which 14
787+the primary purpose is not educational or informative does not meet 15
788+the exclusion under sub-subdivision a. of this subdivision. 16
789+c. A media company that exclusively offers interactive gaming, virtual 17
790+gaming, or an online service; that allows the creation and uploading of 18
791+content for the purpose of interactive gaming, entertainment, or 19
792+associated entertainment; and the communication related to that 20
793+content. 21
794+d. A company that offers cloud storage services, enterprise cybersecurity 22
795+services, educational devices, or enterprise collaboration tools for 23
796+kindergarten through grade 12 (K-12) schools and derives less than 24
797+twenty-five percent (25%) of the company's revenue from operating a 25
798+social media platform, including games and advertising. 26
799+e. A company that provides career development opportunities, including 27
800+professional networking, job skills, learning certifications, and job 28
801+posting and application services. 29
802+(8) Social media platform. – A public or semipublic internet-based service or 30
803+application that has users in North Carolina and on which a substantial 31
804+function of the service or application is to connect users in order to allow users 32
805+to interact socially with each other within the service or application; however, 33
806+a service or application that provides email or direct messaging shall not be 34
807+considered to be a social media platform on the basis of that function alone. 35
808+(8a) Social media platform. – Does not include an online service, a website, or an 36
809+application if the predominant or exclusive function is: 37
810+a. Electronic mail. 38
811+b. Direct messaging consisting of messages, photos, or videos that are 39
812+sent between devices by electronic means if messages are: 40
813+1. Shared between the sender and the recipient or recipients; 41
814+2. Only visible to the sender and the recipient or recipients; and 42
815+3. Are not posted publicly. 43
816+c. A streaming service that (i) provides only licensed media in a 44
817+continuous flow from the service, website, or application to the end 45
818+user and (ii) does not obtain a license to the media from a user or 46
819+account holder by agreement of the streaming service's terms of 47
820+service. 48
821+d. News, sports, entertainment, or other content that is preselected by the 49
822+provider and not user generated, including, without limitation, if any 50
823+chat, comment, or interactive functionality that is provided is 51 General Assembly Of North Carolina Session 2025
824+DRH40244-LR-32B Page 17
825+incidental to, directly related to, or dependent upon provision of the 1
826+content. 2
827+e. Online shopping or e-commerce, if the interaction with other users or 3
828+account holders is generally limited to: 4
829+1. The ability to post and comment on reviews; 5
830+2. The ability to display lists or collections of goods for sale or 6
831+wish lists; and 7
832+3. Other functions that are focused on online shopping or 8
833+e-commerce rather than interaction between users or account 9
834+holders. 10
835+f. Business-to-business software that is not accessible to the general 11
836+public. 12
837+g. Cloud storage. 13
838+h. Shared document collaboration. 14
839+i. Providing access to or interacting with data visualization platforms, 15
840+libraries, or hubs. 16
841+j. To permit comments on a digital news website, if the news content is 17
842+posted only by the provider of the digital news website. 18
843+k. For the purpose of providing or obtaining technical support for the 19
844+social media company's social media platform, products, or services. 20
845+l. Academic or scholarly research. 21
846+m. Other research if (i) the majority of the content is posted or created by 22
847+the provider of the online service, website, or application and (ii) the 23
848+ability to chat, comment, or interact with other users is directly related 24
849+to the provider's content; then, the following criteria must also apply: 25
850+1. The service is a classified advertising service that only permits 26
851+the sale of goods and prohibits the solicitation of personal 27
852+services or that is used by and under the direction of an 28
853+educational entity, including, without limitation, a learning 29
854+management system, student engagement program, and 30
855+subject-specific or skill-specific program. 31
856+(8b) Social media platform. – Does not include a social media platform that is 32
857+controlled by a business entity that has generated less than one hundred 33
858+million dollars ($100,000,000) in annual gross revenue. 34
859+(9) User. – A person who has access to view all or some of the posts and content 35
860+on a social media platform but is not an account holder. 36
861+"§ 75G-102. Social media platforms; reasonable age verification methods; parental consent 37
862+required. 38
863+(a) A social media company shall not permit a North Carolina user who is a minor to be 39
864+an account holder on the social media company's social media platform unless the minor has the 40
865+express consent of a parent or legal guardian. A social media company shall verify the age of an 41
866+account holder. If an account holder is a minor, the social media company shall confirm that a 42
867+minor has consent under this subsection to become a new account holder at the time a North 43
868+Carolina user opens the account. 44
869+(b) A social media company shall use a third-party vendor to perform reasonable age 45
870+verification before allowing access to the social media company's social media platform. 46
871+(c) Reasonable age verification methods under this section include providing one of the 47
872+following: 48
873+(1) A digitized identification card, including a digital copy of a drivers license 49
874+issued by the Division of Motor Vehicles. 50
875+(2) Government-issued identification. 51 General Assembly Of North Carolina Session 2025
876+Page 18 DRH40244-LR-32B
877+(3) Any commercially reasonable age verification method. 1
878+"§ 75G-103. Liability for social media companies. 2
879+(a) A social media company that knowingly violates this Chapter is liable if the social 3
880+media company fails to perform a reasonable age verification. 4
881+(b) If a social media company performs a reasonable age verification, the social media 5
882+company shall not retain any identifying information of the individual after access to the social 6
883+media platform has been granted. 7
884+(c1) Violation of G.S. 75G-102 is a Class 1 misdemeanor. As authorized under this 8
885+section, the district attorney for the county where the North Carolina user resides may initiate a 9
886+criminal proceeding against a social media company that allegedly violates G.S. 75G-102. 10
887+(c2) As authorized under G.S. 75G-104, the Attorney General may initiate a civil 11
888+enforcement action against a social media company that allegedly commits a violation of 12
889+G.S. 75G-102. 13
890+(c3) A social media company that violates this Chapter is liable to an individual for: 14
891+(1) A penalty of two thousand five hundred dollars ($2,500) per violation, court 15
892+costs, and reasonable attorneys' fees as ordered by the court; or 16
893+(2) Damages resulting from a minor accessing a social media platform without 17
894+his or her parent's or custodian's consent, including court costs and reasonable 18
895+attorneys' fees as ordered by the court. 19
896+(d) This section does not: 20
897+(1) Apply to a news or public interest broadcast, website video, report, or event; 21
898+(2) Affect the rights of a news-gathering organization; or 22
899+(3) Apply to cloud service providers. 23
900+(e) An internet service provider, or any of its affiliates or subsidiaries, or search engines 24
901+shall not violate this Chapter solely by providing access, connection to or from a website, or other 25
902+information or content on the internet, or a facility, system, or network that is not under that 26
903+internet service provider's control, including transmission, downloading, intermediate storage, 27
904+access software, or other service that provides access or connectivity, to the extent the internet 28
905+service provider is not responsible for the creation of the content or the communication on a 29
906+social media platform. 30
907+"§ 75G-104. Liability for commercial entity or third-party vendor. 31
908+(a) A commercial entity or third-party vendor shall not retain any identifying information 32
909+of an individual after access to the social media platform has been granted. 33
910+(b) A commercial entity that is found to have knowingly retained identifying information 34
911+of an individual after access to the material is granted is liable to the individual for damages 35
912+resulting from the retention of the identifying information, including court costs and reasonable 36
913+attorneys' fees as ordered by the court." 37
914+ 38
915+PART III. SEVERABILITY 39
916+SECTION 3.1. If any provision of this act or the application thereof to any person 40
917+or circumstance is held invalid, the invalidity does not affect any other provision or application 41
918+of the act which can be given effect without the invalid provision or application and, to that end, 42
919+the provisions of this act are declared to be severable. 43
920+ 44
921+PART IV. EFFECTIVE DATE 45
922+SECTION 4.1. Except as otherwise provided, this act is effective when it becomes 46
923+law. 47
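Review bot: § 75G-104(b) (new lines 910-913) is narrower than, and worded inconsistently with, § 75G-104(a). Subsection (a) bars a "commercial entity or third-party vendor" from retaining identifying information after access to "the social media platform" has been granted, but (b) attaches liability only to a "commercial entity" and refers to access to "the material", a term that appears nowhere else in the lines shown here. Since § 75G-102(b) requires the age verification to be performed by a third-party vendor, the party most likely to hold the identification data is the one (b) leaves out. Suggest (b) read "A commercial entity or third-party vendor that is found to have knowingly retained identifying information of an individual after access to the social media platform has been granted". Two related drafting points in § 75G-103: (c2) cites G.S. 75G-104 as the authority for an Attorney General civil enforcement action, but § 75G-104 as shown contains no such authorization, and the subsections run (b), (c1), (c2), (c3) with no (c), so the cross-reference and the lettering should both be checked.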