GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2025
H 1
HOUSE BILL 860
Short Title: Social Media Control in IT Act. (Public)
Sponsors: Representatives McNeely, Humphrey, Johnson, and Gable (Primary Sponsors).
For a complete list of sponsors, refer to the North Carolina General Assembly web site.
Referred to: Commerce and Economic Development, if favorable, Appropriations, if
favorable, Rules, Calendar, and Operations of the House
April 10, 2025
*H860 -v-1*
A BILL TO BE ENTITLED 1
AN ACT TO COMBAT SOC IAL MEDIA ADDICTION BY REQUIRING THAT SOCIAL 2
MEDIA PLATFORMS RESP ECT THE PRIVACY OF N ORTH CAROLINA USERS' 3
DATA AND NOT USE A NORTH CAROLINA MINOR' S DATA FOR ADVERTISING 4
OR ALGORITHMIC RECOM MENDATIONS, AND APPROPRIATING FUNDS FOR 5
THAT PURPOSE, AND TO MAKE WILLFUL VIOLAT IONS OF DATA USER 6
PRIVACY AN UNFAIR PR ACTICE UNDER CHAPTER 75 OF THE GENERAL 7
STATUTES. 8
The General Assembly of North Carolina enacts: 9
SECTION 1. Chapter 75 of the General Statutes is amended by adding a new Article 10
to read: 11
"Article 2B. 12
"Social Media Control in Information Technology. 13
"§ 75-70. Title; definitions. 14
(a) This Article shall be known and may be cited as the "Social Media Control in 15
Information Technology Act." 16
(b) Definitions. – The following definitions apply in this Article: 17
(1) Accessible mechanism. – A user-friendly, clear, easy-to-use, readily 18
available, and technologically feasible method that allows individuals to 19
exercise their data privacy rights without undue burden. The mechanism must 20
be designed to accommodate diverse user needs, including those with 21
disabilities, and should be available across commonly used platforms. The 22
mechanism should provide clear instructions, function without excessive 23
complexity, and be free of unreasonable barriers such as length procedures, 24
hidden settings, or excessive delays. 25
(2) Algorithmic recommendation system. – A computational process that uses 26
machine learning, natural language processing, artificial intelligence 27
techniques, generative artificial intelligence, or other computational 28
processing techniques that makes a decision or facilitates human decision 29
making with respect to user-related data to rank, order, promote, recommend, 30
suggest, amplify, or similarly determine the delivery or display of information 31
to an individual. 32
(3) Collects, collected, or collection. – Buying, renting, gathering, obtaining, 33
receiving, or accessing any personal information pertaining to a user by any 34 General Assembly Of North Carolina Session 2025
Page 2 House Bill 860-First Edition
means. This includes receiving information from the consumer, either actively 1
or passively, or by observing the consumer's behavior. 2
(4) Consent. – Any freely given, specific, informed, and unambiguous indication 3
of a user's wishes by which the consumer, or the consumer's legal guardian, a 4
person who has power of attorney, or a person acting as a conservator for the 5
consumer, including by a statement or by a clear affirmative action, signifies 6
agreement to the processing of personal information relating to the consumer 7
for a narrowly defined particular purpose. None of the following constitutes 8
consent: 9
a. Acceptance of a general or broad terms of use, or similar document, 10
that contains descriptions of personal information processing along 11
with other, unrelated information. 12
b. Hovering over, muting, pausing, or closing a given piece of content. 13
c. Agreement obtained through use of dark patterns. 14
(5) Default settings. – The predetermined options, values, and configurations that 15
a program is initially set to whenever it is installed and initially accessed. 16
(6) Minor. – An individual who is under 18 years of age. 17
(7) Operator. – Defined in section 1302 of the Children's Online Privacy 18
Protection Act of 1998, 15 U.S.C. § 6501. 19
(8) Opt-in mechanism. – An accessible mechanism separate from any other 20
notifications, disclosures, or consents, such as a privacy policy or terms of 21
service, that allows the user to consent to the platform engaging in a specific, 22
narrow, and well-defined practice. The Division of Health Service regulations 23
has the authority to specify requirements for the notification and consent 24
process, including specific language and disclosures that may include a 25
warning on the harmful effects of manipulative algorithms, the length of time 26
for which the notification must appear before the user has the option to 27
consent, and the process that the user must follow to consent. 28
(9) Personal information. – Information that identifies, relates to, describes, is 29
reasonably capable of being associated with, or could reasonably be linked, 30
directly or indirectly, with a particular consumer or household. Personal 31
information includes, but is not limited to, the following if it identifies, relates 32
to, describes, is reasonably capable of being associated with, or could be 33
reasonably linked, directly or indirectly, with a particular user or household: 34
a. Identifiers such as a real name, alias, postal address, unique personal 35
identifier, online identifier, Internet Protocol address, email address, 36
account name, social security number, drivers license number, 37
passport number, or other similar identifiers. 38
b. Commercial information, including, but not limited to, records of 39
personal property, products, or services purchased, obtained, or 40
considered, or other purchasing or consumer histories or tendencies. 41
c. Biometric information, that is any information relating to an 42
individual's physiological, biological, or behavioral characteristics, 43
including, but not limited to, imagery of the iris, retina, fingerprint, 44
face, hand, palm, gait, vein patterns, and voice recordings. 45
d. Internet or other electronic network activity information, including, 46
but not limited to, browsing history, search history, and information 47
regarding a user's interaction with an internet website application or 48
advertisement. 49
e. Usage data. 50
f. Third-party data. 51 General Assembly Of North Carolina Session 2025
House Bill 860-First Edition Page 3
g. Geolocation data. 1
h. Audio, electronic, visual, thermal, olfactory, or similar information. 2
i. Professional or employment-related information. 3
j. Education information, defined as information that is not publicly 4
available personally identifiable information as defined in the Family 5
Education Rights and Privacy Act (20 U.S.C. § 1232(g); 34 C.F.R. 6
Part 99). 7
k. Financial information from a user, including, but not limited to, a 8
user's account log-in, financial account, debit card, or credit card 9
number in combination with any required security or access code, 10
password, or credentials allowing access to an account. 11
l. The contents of a user's mail, email, and text messages unless the 12
platform is the intended recipient of the communication. 13
m. A user's racial or ethnic origin, citizenship or immigration status, 14
religious or philosophical beliefs, or union membership. 15
n. Information related to a user's health, sex life, or sexual orientation. 16
o. Inferences drawn from any of the information identified in this 17
subdivision reflecting the user's preferences, characteristics, 18
psychological trends, predispositions, behavior, attitudes, intelligence, 19
abilities, and aptitudes. 20
(10) Platform user. – An individual who resides in North Carolina who uses a 21
social media platform. 22
(11) Social media platform, covered platform, or platform. – An electronic medium 23
with more than 1,000,000 monthly active users in the United States that 24
functions as a social media service. The term does not include any of the 25
following: 26
a. An entity acting in its capacity as a provider of a common carrier 27
service subject to the Communications Act of 1934 (47 U.S.C. § 151 28
et seq.) as amended and supplemented. 29
b. A broadband internet access service under section 8.1(b) of Title 47 of 30
the Code of Federal Regulations. 31
c. An electronic mail service. 32
d. Internet search engines specifically designed to lead a user to a result 33
which a user expressly searched for. 34
e. Internet service providers. 35
f. A wireless messaging service provided through the short messaging 36
service or multimedia messaging service protocols. 37
g. Video game services specifically designed to serve as a platform to 38
solely play video games. 39
h. Online shopping or e-commerce services specifically designed for that 40
sole purpose. 41
i. Video-streaming services that solely provide non-user generated 42
content. 43
(12) Third-party data. – Personal data from another person, company, data broker, 44
and/or platform that is not the user to whom the data pertains and is not the 45
platform. The term does not refer to persons, companies, data brokers, and/or 46
platforms that collect personal data from another entity if the entity shares 47
common branding with the platform, controls the platform, is controlled by 48
the platform, or is under common control of another legal entity with the 49
platform. 50 General Assembly Of North Carolina Session 2025
Page 4 House Bill 860-First Edition
(13) Usage data. – Any information that is gathered about a user's interactions, 1
behaviors, preferences, and usage patterns on a platform, including, but not 2
limited to, information related to pages visited, clicks, scrolls, navigation 3
patterns, search queries, button presses, feature usage, frequency of logins, 4
session duration, items added or removed from a shopping cart, purchasing 5
history, subscription usage, content watched, content read, content listened to, 6
or time spent using or engaging with any feature or piece of content on the 7
platform. This includes any and all inferences derivable and related to a user 8
from this usage data, including user engagement statistics, content metrics, 9
feature usage statistics, user flow data, retention rates, and churn rates. 10
"§ 75-71. User data privacy; targeting minors prohibited; registry. 11
(a) Privacy Requirements. – The General Assembly finds that unhealthy social media use 12
has been linked to depression, anxiety, eating disorders, and suicidal ideation, especially among 13
young people. Exploitation of user data can result in users being targeted in ways that increase 14
unhealthy social media use. It is the policy of this State that user data shall be respected by 15
platforms. Special protections are warranted for users who are minors. Therefore, the operator of 16
a social media platform shall comply with all of the following requirements for platform users: 17
(1) The platform must specifically and clearly inform users in the following ways: 18
a. A disclosure in a clear, easy-to-read, and accessible format when a user 19
first initializes their use of a platform for the first time, or after a period 20
of inactivity greater than or equal to six months, about how the 21
platform collects personal information, what personal information the 22
platform collects, how the personal information is used by the platform 23
for every use case, and how the user can exercise their rights and 24
choices on the platform. This disclosure must be provided in no more 25
than 500 words, and the platform must obtain a user's consent before 26
the platform collects any user-related data on the user. 27
b. A disclosure in a clear, easy-to-read, and accessible format that details 28
(i) the categories of information the platform has collected about the 29
user, (ii) the categories of sources from which the information is 30
collected, (iii) the business or commercial purpose for collecting, 31
selling, or sharing personal information, (iv) the categories of third 32
parties to whom the business discloses personal information, and (v) 33
the specific pieces of personal information it has collected about that 34
user. Such information must be available upon receipt of a verifiable 35
consumer request made through an accessible mechanism on the 36
platform. 37
(2) Personal information may be used in algorithmic recommendations only when 38
both of the following requirements are met: 39
a. The platform reasonably determines the user is not a minor from 40
personal information collected by and available to the covered 41
platform in its ordinary course of business. 42
b. The user has been notified and expressly consents to the use of their 43
own data in this manner by consenting in an opt-in mechanism. 44
(3) Through an accessible mechanism, users must be given the capacity to alter, 45
change, and delete what categories of personal information are used in a 46
platform's algorithmic recommendation system or systems. This selection 47
shall be modifiable at any time. If a user indicates that they intend a certain 48
category of personal information not to be used in an algorithmic 49
recommendation system, then the platform must not include said category or 50
categories within an algorithmic recommendation system. A covered platform 51 General Assembly Of North Carolina Session 2025
House Bill 860-First Edition Page 5
shall not discriminate against a user because the user exercised any of the 1
rights under this Article in the provision of functionality or features of the 2
covered platform, unless the use of user-related data in an algorithmic 3
recommendation system is reasonably necessary to the feature or 4
functionality. 5
(b) Targeting Minors Prohibited. – A covered platform must establish comprehensive and 6
effective controls to ensure that a minor's personal information is not used in any algorithmic 7
recommendation system. 8
(c) Exceptions. – Subsection (b) of this section does not apply to any of the following: 9
(1) Recommending or presenting content from accounts that a user follows in 10
reverse chronological order or a similar method of recommending or 11
presenting content. 12
(2) A user's explicit search for content or request for information for the sole 13
purpose of providing immediate results to the search, and without retention or 14
use of the user-related data from the search or request for purposes other than 15
providing results to the search or request. 16
(3) A covered platform's action, voluntarily taken in good faith to restrict access 17
to or availability of material as described in section 230(c)(2)(A) of the 18
Communications Act of 1934 (47 U.S.C. § 230(c)(2)(A)), is not subject to this 19
subsection, and nothing in this section otherwise limits or otherwise affects 20
the provisions of section 230 of the Communications Act of 1934, except as 21
otherwise provided in this Article. 22
(d) The operator of a social media platform may be held liable for violating subsection 23
(a) of this section if the user was given algorithmic content recommendations without a proper 24
opt-in mechanism or affirmation from the user from the opt-in process. The operator of a social 25
media platform may be held liable for violating subsection (b) of this section if the operator of 26
the social media platform knew or had reason to know that the user was a minor. The operator of 27
a social media platform that has made an estimation of a user's age based upon the user's 28
self-attestation is not liable if the user was a minor who falsely attested to not being a minor. 29
"§ 75-72. Design features and digital rights of users. 30
(a) Protective Default Settings for Minors. – A covered platform shall configure all 31
privacy settings provided to any user by the online service, product, or feature be both available 32
to minors and, by default, set to preferences that offer the highest level of privacy, unless the 33
business can demonstrate a compelling reason that a different setting is in the best interest of 34
minors. These settings must include all of the following: 35
(1) Notifications must be turned off by default. 36
(2) The visibility of reaction or interaction counts on all content, including content 37
generated by a minor and content seen by a minor generated from others, must 38
be turned off by default. 39
(3) The ability of other users, not added by the user to a list of approved contacts, 40
to communicate with the minor must be turned off by default. 41
(4) The ability of other users, whether registered or not, and not added by the user 42
to a list of approved contacts, to view the minor's user-related data collected 43
by or shared on the platform must be disabled by default. 44
(5) The ability of other users to see the geolocation of a minor must be disabled 45
by default. 46
(6) Features that increase, sustain, or extend the use of the covered platform by a 47
minor, such as automatic playing of media and rewards for time spent on the 48
platform, must be disabled by default. 49
(b) Rights to Change and Delete Data. – A covered platform shall provide users with both 50
of the following: 51 General Assembly Of North Carolina Session 2025
Page 6 House Bill 860-First Edition
(1) An accessible mechanism to request the correction of any inaccurate personal 1
information about the user, taking into account the nature of the personal 2
information and the purposes of the personal information. A platform that 3
receives a verifiable request to correct inaccurate personal information shall 4
use commercially reasonable efforts to correct the inaccurate personal 5
information as directed by the user. A covered platform shall maintain a record 6
of all requests. 7
(2) An accessible mechanism to request the deletion of personal information 8
about the user, taking into account the nature of the personal information and 9
the purposes of the personal information. If the personal information is 10
reasonably necessary for the platform to complete a transaction, to ensure the 11
security and integrity of the user's personal information, to debug or identify 12
and repair errors in the platform, to exercise free speech and ensure the user's 13
right to exercise free speech, to comply with existing federal and State 14
regulations, to engage in public or peer-reviewed scientific research, or to 15
enable solely internal uses reasonably aligned with a consumer's expectations, 16
then the covered platform is not required to comply with the user's request. 17
Otherwise, the covered platform is required to complete the request. A 18
covered platform shall maintain a confidential record of all requests. 19
(c) Digital Rights of the User. – All of the following rights belong to every minor utilizing 20
covered platforms: 21
(1) Right to protection from manipulative design. – Every minor has the right to 22
be protected from manipulative design techniques which exploit 23
psychological vulnerability or have been shown by the preponderance of the 24
evidence to create addiction or dependency. 25
(2) Right to transparency. – Every minor has the right to understand the nature of 26
their digital experiences. Platforms and services should provide clear and 27
accessible explanations of the platform features as well as how covered 28
platforms can negatively affect their well-being. 29
(3) Right to protection from personalized recommendation systems. – Every 30
minor has the right to be protected from algorithmic recommendation systems. 31
(d) The operator of a covered platform may be subject to violations of subsection (a), (b), 32
or (c) of this section if any of the requirements and rights established herein have been determined 33
to be violated. 34
"§ 75-73. Investigation; enforcement; private right of action. 35
(a) Violations. – Effective January 1, 2026, a platform's violation of this Article is an 36
unfair or deceptive act or practice under G.S. 75-1.1. 37
(b) Investigations. – The Attorney General shall monitor social media platforms for 38
compliance with this Article. 39
(c) Complaints. – A platform user may make a complaint to the Attorney General 40
alleging that a social media platform has failed to comply with the requirements of this Article. 41
The Attorney General may bring a civil action in any case in which the Attorney General has 42
reason to believe that the interest of the residents of this State has been or is threatened due to 43
noncompliance with this Article. 44
(d) Private Right of Action. – Minors can file suit if they are affected by any covered 45
platform found to be in violation of this Article through mechanisms involved in parens patriae 46
jurisdiction by the following: 47
(1) Civil suit brought through private action attorneys. 48
(2) Relief. – In a civil action brought under subsection (c) of this section or this 49
subsection in which a plaintiff prevails, the court may award the plaintiff any 50
one or more of the following: 51 General Assembly Of North Carolina Session 2025
House Bill 860-First Edition Page 7
a. An amount equal to the sum of any compensatory damages. 1
b. Punitive damages. 2
c. Injunctive relief. 3
d. Declaratory relief. 4
e. Reasonable attorneys' fees and litigation costs. 5
"§ 75-74. North Carolina Data Privacy Task Force. 6
(a) There is created the North Carolina Data Privacy Task Force (Task Force) within the 7
Department of Justice for budgetary purposes only. 8
(b) The Task Force shall be composed of 21 members. The ex officio members listed in 9
subdivisions (1) through (6) of this subsection may designate representatives from their particular 10
departments, divisions, or offices to represent them on the Task Force. In making appointments 11
or designating representatives, appointing authorities and ex officio members shall use best 12
efforts to select members or representatives with sufficient knowledge and experience to 13
effectively contribute to the issues examined by the Task Force and, to the extent possible, to 14
reflect the geographical, political, gender, and racial diversity of this State. The members shall 15
be as follows: 16
(1) The Attorney General. 17
(2) The State Chief Information Officer. 18
(3) The Secretary of the Department of Health and Human Services. 19
(4) The Director of the State Bureau of Investigation. 20
(5) The Director of the Maternal and Child Health Section of the Department of 21
Health and Human Services. 22
(6) The Director of the Division of Mental Health, Developmental Disabilities, 23
and Substance Use Services. 24
(7) A representative from NC Child, appointed by the Governor upon 25
recommendation of the President of the organization. 26
(8) A representative from a private group, other than NC Child, that advocates for 27
children, appointed by the Governor upon recommendation of private child 28
advocacy organizations. 29
(9) A pediatrician, licensed to practice medicine in North Carolina, appointed by 30
the President Pro Tempore of the Senate. 31
(10) A psychiatrist, licensed to practice medicine in North Carolina, appointed by 32
the Speaker of the House of Representatives. 33
(11) Two public members, one of whom is an educator, appointed by the Speaker 34
of the House of Representatives. 35
(12) Two public members, one of whom is a social worker, appointed by the 36
President Pro Tempore of the Senate. 37
(13) Two members of the Senate, appointed by the President Pro Tempore of the 38
Senate, and two members of the House of Representatives, appointed by the 39
Speaker of the House of Representatives. 40
(14) A representative from the North Carolina Young People's Alliance, appointed 41
by the Governor upon recommendation of the head of the organization. 42
(15) Two youth representatives under the age of 21 appointed by the Secretary of 43
the Department of Health and Human Services after conducting an 44
application-based selection process. 45
(c) All members of the Task Force are voting members. Vacancies in the appointed 46
membership shall be filled by the appointing officer who made the initial appointment. Terms 47
shall be two years. The members shall elect a chair who shall preside for the duration of the 48
chair's term as a member. In the event a vacancy occurs in the chair before the expiration of the 49
chair's term, the members shall elect an acting chair to serve for the remainder of the unexpired 50
term. 51 General Assembly Of North Carolina Session 2025
Page 8 House Bill 860-First Edition
(d) Beginning March 15, 2026, and then annually thereafter, the Task Force shall report 1
to the General Assembly on its work, with a special focus on mental health issues related to social 2
media, along with findings, recommendations, and any legislative proposals." 3
SECTION 2. Effective July 1, 2025, there is appropriated from the General Fund to 4
the Department of Justice the sum of one hundred thousand dollars ($100,000) for the 2025-2026 5
fiscal year and the sum of one hundred thousand dollars ($100,000) for the 2026-2027 fiscal year 6
to develop the registry created in G.S. 75-71, as enacted by this act. 7
SECTION 3. Section 1 of this act becomes effective October 1, 2026. The remainder 8
of this act becomes effective July 1, 2025. 9