North Carolina 2025-2026 Regular Session

North Carolina Senate Bill S624 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1		GENERAL ASSEMBLY OF NORTH CAROLINA
2	2		SESSION 2025
3		-	S 1
4		-	SENATE BILL 624
	3	+	S D
	4	+	SENATE BILL DRS45312-LR-148
	5	+
5	6
6	7
7	8		Short Title: AI Chatbots - Licensing/Safety/Privacy. (Public)
8	9		Sponsors: Senator Burgin (Primary Sponsor).
9		-	Referred to: ~~Rules and Operations of the Senate~~
10		-	~~March 26, 2025~~
11		-	~~S624 -v-1~~
	10	+	Referred to:
	11	+
	12	+	DRS45312 -LR-148
12	13		A BILL TO BE ENTITLED 1
13	14		AN ACT REGULATING ARTIFICIAL INTELLIGENCE CHATBOT LICENSING, SAFETY, 2
14	15		AND PRIVACY IN NORTH CAROLINA. 3
15	16		The General Assembly of North Carolina enacts: 4
16	17		5
17	18		PART I. CHATBOT LICENSING 6
18	19		SECTION 1.(a) The General Statutes are amended by adding a new Chapter to read: 7
19	20		"Chapter 114B. 8
20	21		"Licensing of Chatbots. 9
21	22		"§ 114B-1. Short title. 10
22	23		This Chapter shall be known and may be cited as the Chatbot Licensing Act. 11
23	24		"§ 114B-2. Definitions. 12
24	25		The following definitions apply in this Chapter: 13
25	26		(1) Chatbot. – A generative artificial intelligence system with which users can 14
26	27		interact by or through an interface that approximates or simulates conversation 15
27	28		through a text, audio, or visual medium. 16
28	29		(2) Department. – The North Carolina Department of Justice. 17
29	30		(3) Generative artificial intelligence system. – Any system that uses artificial 18
30	31		intelligence, as defined in section 238(g) of the John S. McCain National 19
31	32		Defense Authorization Act for Fiscal Year 2019, Public Law No. 115-232, 20
32	33		132 Stat. 1636 (2018), to generate or substantially modify image, video, audio, 21
33	34		multimedia, or text content. 22
34	35		(4) Health information. – The term: 23
35	36		a. Includes user information relating to physical or mental health status, 24
36	37		including: 25
37	38		1. Individual health conditions, treatment, diseases, or diagnosis. 26
38	39		2. Social, psychological, behavioral, and medical interventions. 27
39	40		3. Health-related surgeries or procedures. 28
40	41		4. Use or purchase of prescribed medication. 29
41	42		5. Bodily functions, vital signs, symptoms, or health-related 30
42	43		measurements. 31
43	44		6. Diagnoses or diagnostic testing, treatment, or medication. 32
44	45		7. Gender-affirming care information. 33
45	46		8. Reproductive or sexual health information. 34
46	47		9. Biometric data. 35
47		-	10. Genetic data. 36 General Assembly Of North Carolina Session 2025
48		-	Page 2 Senate Bill 624-First Edition
	48	+	10. Genetic data. 36
	49	+	FILED SENATE
	50	+	Mar 25, 2025
	51	+	S.B. 624
	52	+	PRINCIPAL CLERK General Assembly Of North Carolina Session 2025
	53	+	Page 2 DRS45312-LR-148
49	54		11. Precise location information that could reasonably indicate a 1
50	55		consumer's attempt to acquire or receive health services or 2
51	56		supplies. 3
52	57		12. Data that identifies a consumer seeking health care services. 4
53	58		13. Any data inferred by a company or person for use in the 5
54	59		treatment, diagnosis, or intervention regarding a mental or 6
55	60		physical health condition. 7
56	61		b. Does not include publicly available information that is lawfully made 8
57	62		available to the general public from federal, state, or local government 9
58	63		records. 10
59	64		(5) Licensee. – A person holding a license issued and in effect under this Chapter. 11
60	65		"§ 114B-3. Licensing requirements; review standards. 12
61	66		(a) No person shall operate or distribute a chatbot that deals substantially with health 13
62	67		information without first obtaining a health information chatbot license. 14
63	68		(b) An application for a health information chatbot license shall include all of the 15
64	69		following: 16
65	70		(1) Detailed documentation of the chatbot's: 17
66	71		a. Technical architecture and operational specifications. 18
67	72		b. Data collection, processing, storage, and deletion practices. 19
68	73		c. Security measures and protocols. 20
69	74		d. Privacy protection mechanisms. 21
70	75		(2) Quality control and testing procedures. 22
71	76		(3) Risk assessment and mitigation strategies. 23
72	77		(4) Evidence of compliance with applicable federal and state regulations. 24
73	78		(5) Proof of insurance coverage. 25
74	79		(6) Required application fees. 26
75	80		(7) Any additional information required by the Department. 27
76	81		(c) The Department shall review applications for health information chatbot licenses 28
77	82		based upon all of the following: 29
78	83		(1) Technical competence and reliability as compliant with industry standards. 30
79	84		(2) Data protection and security measures as compliant with industry standards. 31
80	85		(3) Compliance with applicable regulations. 32
81	86		(4) Risk management procedures. 33
82	87		(5) Professional qualification requirements, including: 34
83	88		a. Evidence-based standards demonstrating substantial efficacy for the 35
84	89		supported use case of health information; and 36
85	90		b. Endorsement by qualified experts within the field of the supported use 37
86	91		case. 38
87	92		(6) Public safety considerations. 39
88	93		(d) The Department shall adopt rules to carry out the purposes of this Chapter. 40
89	94		"§ 114B-4. Operational requirements. 41
90	95		(a) A licensee shall maintain professional liability insurance in an amount not less than 42
91	96		the amount per occurrence required by the Department. 43
92	97		(b) A licensee shall do all of the following: 44
93	98		(1) Implement industry-standard encryption for data in transit and at rest, 45
94	99		maintain detailed access logs, and conduct regular security audits no less than 46
95	100		once every six (6) months. 47
96	101		(2) Report any data breaches within twenty-four (24) hours to the Department and 48
97	102		within forty-eight (48) hours to affected consumers, notwithstanding any 49
98	103		provision of law to the contrary. 50
99	104		(3) Obtain explicit user consent for data collection and use. 51 General Assembly Of North Carolina Session 2025
100		-	~~Senate Bill 624-First Edition~~ Page 3
	105	+	DRS45312-LR-148 Page 3
101	106		(4) Provide users with access to their personal data. 1
102	107		(5) Provide users with the ability to delete their data upon request. 2
103	108		(c) A licensee must clearly disclose all of the following: 3
104	109		(1) The artificial nature of the chatbot. 4
105	110		(2) Limitations of the service. 5
106	111		(3) Data collection and use practices. 6
107	112		(4) User rights and remedies. 7
108	113		(5) Emergency resources when applicable. 8
109	114		(6) Human oversight and intervention protocols. 9
110	115		(d) A licensees shall do all of the following: 10
111	116		(1) Demonstrate effectiveness through peer-reviewed, controlled trials with 11
112	117		appropriate validation studies done on appropriate sample sizes with 12
113	118		real-world performance data. 13
114	119		(2) Demonstrate effectiveness in a comparative analysis to human expert 14
115	120		performance. 15
116	121		(3) Meet minimum domain benchmarks as established by the Department. 16
117	122		(e) A licensee shall conduct regular inspections and perform an annual third-party audit. 17
118	123		Results of all inspections and audits must be made available to the Department. 18
119	124		(f) A licensee shall implement continuous monitoring systems for safety and risk 19
120	125		indicators and submit quarterly performance reports including incident reports. 20
121	126		"§ 114B-5. Enforcement; oversight; inspections. 21
122	127		(a) The Department shall enforce the provisions of, and the rules adopted under, this 22
123	128		Chapter. 23
124	129		(b) The Attorney General shall designate a Director, officers, and employees assigned to 24
125	130		the oversight and enforcement of this Chapter. Upon presenting appropriate credentials and a 25
126	131		written notice to the owner, operator, or agent in charge, those officers and employees are 26
127	132		authorized to enter, at reasonable times, any factory, warehouse, or establishment in which 27
128	133		chatbots licensed under this Chapter are manufactured, processed, or held, and to inspect, in a 28
129	134		reasonable manner and within reasonable limits and in a reasonable time. In addition to physical 29
130	135		inspections, the Department may conduct digital inspections of licensed chatbots under this 30
131	136		Chapter, to include the following: 31
132	137		(1) Examination of source code, algorithms, and machine learning models. 32
133	138		(2) Review of data processing and storage practices. 33
134	139		(3) Evaluation of cybersecurity measures and protocols. 34
135	140		(4) Assessment of user data privacy protections. 35
136	141		(5) Testing of chatbot responses and behaviors in various scenarios. 36
137	142		(6) Audit of data collection, use, and retention practices. 37
138	143		(7) Inspection of software development and update processes. 38
139	144		(8) Review of remote access and monitoring capabilities. 39
140	145		(9) Evaluation of integration with other digital health technologies or platforms. 40
141	146		(c) As part of any inspection, whether physical or digital, the Director may require access 41
142	147		to all records relating to the development, testing, validation, production, distribution, and 42
143	148		performance of a chatbot licensed under this Chapter. 43
144	149		(d) Any information obtained during an inspection which falls within the definition of a 44
145	150		trade secret or confidential commercial information as defined in 21 CFR 20.61 shall be treated 45
146	151		as confidential and shall not be disclosed under Chapter 132 of the General Statutes, except as 46
147	152		may be necessary in proceedings under this Chapter or other applicable law. 47
148	153		(e) Following any inspection, the Director shall provide a detailed report of findings to 48
149	154		the manufacturer or importer, including any identified deficiencies and required corrective 49
150	155		actions. 50 General Assembly Of North Carolina Session 2025
151		-	Page 4 ~~Senate Bill 624-First Edition~~
	156	+	Page 4 DRS45312-LR-148
152	157		(f) Every person who is a manufacturer or importer of a licensed chatbot under this 1
153	158		Chapter shall establish and maintain such records, and make such reports to the Director, as the 2
154	159		Director may by regulation reasonably require to assure the safety and effectiveness of such 3
155	160		devices. 4
156	161		"§ 114B-6. Prohibited acts. 5
157	162		(a) It is unlawful for any person to do any of the following: 6
158	163		(1) Introduce or deliver for introduction into state commerce any chatbot that 7
159	164		deals substantially with health information without complying with the 8
160	165		licensing requirement of this Chapter. 9
161	166		(2) Fail to comply with any requirement of this Chapter or any rule adopted 10
162	167		hereunder. 11
163	168		(3) Refuse to permit access to or copying of any record as required by this 12
164	169		Chapter. 13
165	170		(4) Fail to report adverse events as required under this Chapter. 14
166	171		(b) The Department may, at its discretion, exempt certain prohibited acts from some or 15
167	172		all of these prohibitions if it determines that the exemption is consistent with the protection of 16
168	173		the public. 17
169	174		(c) Any person who violates any provision of G.S. 114B-5 shall be subject to civil 18
170	175		penalties in the amount of $50,000. The clear proceeds of fines and forfeitures provided for in 19
171	176		Chapter shall be remitted to the Civil Penalty and Forfeiture Fund in accordance with 20
172	177		G.S. 115C-457.2. 21
173	178		"§ 114B-7. Miscellaneous. 22
174	179		If any provision of this Chapter is determined to be unenforceable or invalid by a court of 23
175	180		competent jurisdiction, the remaining provisions of this Chapter shall not be affected." 24
176	181		SECTION 1.(b) This section becomes effective January 1, 2026. 25
177	182		26
178	183		PART II. SAFETY AND PRIVACY 27
179	184		SECTION 2.(a) The General Statutes are amended by adding a new Chapter to read: 28
180	185		"Chapter 170. 29
181	186		"Chatbot Safety and Privacy Act. 30
182	187		"§ 170-1. Title. 31
183	188		This act shall be known and may be cited as the Chatbot Safety and Privacy Act. 32
184	189		"§ 170-2. Definitions. 33
185	190		The following definitions apply in this Chapter: 34
186	191		(1) Best interests. — Those interests affected by the entrustment of data, labor, or 35
187	192		attention from a user to a covered platform. 36
188	193		(2) Chatbot. — A generative artificial intelligence system with which users can 37
189	194		interact by or through an interface that approximates or simulates conversation 38
190	195		through a text, audio, or visual medium. 39
191	196		(3) Conversation. — In reference to a chatbot, a series of inputs from a human 40
192	197		user and responses from a chatbot that often have sequential flow and the 41
193	198		maintenance of conversation context by the chatbot. 42
194	199		(4) Covered platform. — Any person that provides chatbot services to users in 43
195	200		this State, if the person (i) has annual gross revenues exceeding $100,000 in 44
196	201		the last calendar year or any of the two preceding calendar years or (ii) has 45
197	202		more than 5,000 monthly active users in the United States for half or more of 46
198	203		the months during the last 12 months. The term does not include any person 47
199	204		that provides chatbot services solely for educational or research purposes and 48
200	205		does not monetize such services through advertising or commercial uses or 49
201	206		any government entity providing chatbot services for official purposes. 50 General Assembly Of North Carolina Session 2025
202		-	~~Senate Bill 624-First Edition~~ Page 5
	207	+	DRS45312-LR-148 Page 5
203	208		(5) Dataset. — The structured collection of data, typically stored in electronic 1
204	209		form, organized in a way that allows for easy retrieval, analysis, and 2
205	210		information. 3
206	211		(6) De-identification. — The process of removing all pieces of data that link a 4
207	212		specific user to a particular interaction, including the following: 5
208	213		a. Methods which replaces identifiable information, including names, 6
209	214		addresses, identification numbers, or any other distinctive data, with 7
210	215		pseudonyms or unique identifiers not linked to a user's identity. 8
211	216		b. Methods which aggregate and generalize the data to such an extent that 9
212	217		it becomes statistically improbable to re-identify any user from the 10
213	218		de-identified data. 11
214	219		c. Methods which eliminate any context, metadata, or information that 12
215	220		can be traced back to a specific user or interaction, including 13
216	221		timestamps and geolocation data. 14
217	222		(7) Emergency situation. — A situation where a user using a chatbot indicates 15
218	223		that they intend to either commit harm to themselves or commit harm to 16
219	224		others. 17
220	225		(8) Generative artificial intelligence system. —Any system that uses artificial 18
221	226		intelligence, as defined in section 238(g) of the John S. McCain National 19
222	227		Defense Authorization Act for Fiscal Year 2019, Public Law No. 115 232, 20
223	228		132 Stat. 1636 (2018), to generate or substantially modify image, video, audio, 21
224	229		multimedia, or text content. 22
225	230		(9) Legitimate purpose. – A purpose that is lawful and in line with the stated 23
226	231		objectives, functionalities, core services, and reasonable expectation of users 24
227	232		on a platform 25
228	233		(10) Self-destructing messages. —A type of data that is programmed to 26
229	234		automatically and irreversibly delete and become inaccessible to both the 27
230	235		sender and the recipient after a predetermined period. 28
231	236		(11) Sensitive personal information. — The term does not include publicly 29
232	237		available information that is lawfully made available to the general public 30
233	238		from federal, state, or local government records. The term does include user 31
234	239		information relating to any of the following: 32
235	240		a. Includes user information relating to physical or mental health status, 33
236	241		including: 34
237	242		1. Individual health conditions, treatment, diseases, or diagnosis. 35
238	243		2. Social, psychological, behavioral, and medical interventions. 36
239	244		3. Health-related surgeries or procedures. 37
240	245		4. Use or purchase of prescribed medication. 38
241	246		5. Bodily functions, vital signs, symptoms, or health-related 39
242	247		measurements. 40
243	248		6. Diagnoses or diagnostic testing, treatment, or medication. 41
244	249		7. Gender-affirming care information. 42
245	250		8. Reproductive or sexual health information. 43
246	251		9. Biometric data. 44
247	252		10. Genetic data. 45
248	253		11. Precise location information that could reasonably indicate a 46
249	254		consumer's attempt to acquire or receive health services. 47
250	255		b. Social security, driver's license, state identification card or passport 48
251	256		number. 49 General Assembly Of North Carolina Session 2025
252		-	Page 6 ~~Senate Bill 624-First Edition~~
	257	+	Page 6 DRS45312-LR-148
253	258		c. Account log-in, financial account, debit card or credit card number in 1
254	259		combination with any required security or access code, password or 2
255	260		credentials allowing access to an account. 3
256	261		d. Contents of a user's mail, email, and text messages. 4
257	262		e. Financial information, including credit score, bank account balance, 5
258	263		loan information, investment details, and income details. 6
259	264		f. Personal education records. 7
260	265		g. Genetic information of an individual's family members. 8
261	266		h. Information about an individual's minor children. 9
262	267		i. Financial transaction history. 10
263	268		j. Information collected from children under thirteen (13) years of age. 11
264	269		(12) Terms of service agreement. — An electronic agreement between a user and 12
265	270		a covered platform that sets forth the terms, conditions, rights, and 13
266	271		responsibilities of the respective parties in connection with the use of the 14
267	272		platform's chatbot services. 15
268	273		(13) Transport encryption. — A security measure wherein data is encrypted during 16
269	274		its transmission from one point to another. The data is typically encrypted by 17
270	275		the sender's system or an intermediary service before being sent over a 18
271	276		network, and then decrypted by the recipient's system or an intermediary 19
272	277		service upon arrival. While the data is protected during transit, it may be 20
273	278		accessible in unencrypted form at the endpoints or by the service providers 21
274	279		facilitating the transmission. 22
275	280		(14) Trusting party. – Any user of a covered platform who gives, either voluntary 23
276	281		or involuntary, personal information to a covered platform, or any user who 24
277	282		enters into any information relationship with a covered platform. 25
278	283		(15) User-related data. — Any data collected directly or indirectly from the user 26
279	284		and linked or reasonably linkable to the user by the chatbot, including but not 27
280	285		limited to the following: 28
281	286		a. Personal data. — Data that is directly linked to the user or indirectly 29
282	287		identifiable, including by reference to an identifier such as a name, an 30
283	288		identification number, precise geolocation, an online identifier or one 31
284	289		of several special characteristics, which expresses the physical, 32
285	290		physiological, genetic, mental, commercial, cultural or social identity 33
286	291		of the user. 34
287	292		b. Usage data. — Data that is gathered about users' interactions, ehaviors, 35
288	293		preferences, and usage patterns within the platforms, including but not 36
289	294		limited to user engagement and conversation content. 37
290	295		c. Other user data. — Any data not covered by personal data and usage 38
291	296		data concerning a user, including data collected by third party cookies. 39
292	297		"§ 170-3. Duty of loyalty for chatbots. 40
293	298		(a) A covered platform shall not process data or design chatbot systems and tools in ways 41
294	299		that significantly conflict with trusting parties' best interests, as implicated by their interactions 42
295	300		with chatbots. 43
296	301		(b) A covered platform shall, in fulfilling their duty of loyalty, abide by the following 44
297	302		subsidiary duties: 45
298	303		(1) Duty of loyalty in emergency situations. — A covered platform shall 46
299	304		implement and maintain reasonably effective systems to detect, promptly 47
300	305		respond to, report, and mitigate emergency situations in a manner that 48
301	306		prioritizes the safety and well-being of users over the platform's other 49
302	307		interests. 50 General Assembly Of North Carolina Session 2025
303		-	~~Senate Bill 624-First Edition~~ Page 7
	308	+	DRS45312-LR-148 Page 7
304	309		(2) Duty of loyalty regarding emotional dependence. — A covered platforms shall 1
305	310		implement and maintain reasonably effective systems to detect and prevent 2
306	311		emotional dependence of a user on a chatbot, prioritizing the user's 3
307	312		psychological well-being over the platform's interest in user engagement or 4
308	313		retention. 5
309	314		a. This duty only applies to any covered platform that utilizes a chatbot 6
310	315		designed to (i) generate social connections with users, (ii) engage in 7
311	316		extended conversation mimicking human interaction, or (iii) provide 8
312	317		emotional support or companionship. 9
313	318		b. The determination required by sub-subdivision a. of this subdivision 10
314	319		shall be based on the chatbot's intended purpose, design features, 11
315	320		conversational capabilities, and interaction patterns with users. 12
316	321		(3) Duty of loyalty un chatbot identity disclosure. — A covered platform has a 13
317	322		duty to clearly and consistently identify the chatbot as an artificial entity when 14
318	323		that fact is not clearly apparent. The platform shall not process data or design 15
319	324		systems in ways that deceive or mislead users about the non-human nature of 16
320	325		the chatbot, prioritizing transparency over any potential benefits of perceived 17
321	326		human-like interaction. 18
322	327		(4) Duty of loyalty in influence. — A covered platform shall not process data or 19
323	328		design chatbot systems and tools in ways that influence trusting parties to 20
324	329		achieve particular results that are against the best interests of trusting parties. 21
325	330		(5) Duty of loyalty in collection. — A covered platform shall collect and store 22
326	331		only that information that does not conflict with a trusting party's best 23
327	332		interests. Such information must be (i) adequate, in the sense that it is 24
328	333		sufficient to fulfill a legitimate purpose of the platform; (ii) relevant, in the 25
329	334		sense that the information has a relevant link to that legitimate purpose, and 26
330	335		(iii) necessary, in the sense that it is the minimum amount of information 27
331	336		which is needed for that legitimate purpose. 28
332	337		(6) Duty of loyalty in personalization. — A covered platform shall be loyal to the 29
333	338		best interests of trusting parties when personalizing content based upon 30
334	339		personal information or characteristics. 31
335	340		(7) Duty of loyalty in gatekeeping. — A covered platform shall be a loyal 32
336	341		gatekeeper of personal information from a trusted party, including avoiding 33
337	342		conflicts to the best interests of trusting parties when allowing government or 34
338	343		other third-party access to trusting parties and their data. 35
339	344		"§ 170-4. Contractual requirements. 36
340	345		(a) The duties between a covered platform and an end-user shall be established through 37
341	346		a terms of service agreement which is presented to the end-user in clear, conspicuous, and easily 38
342	347		understandable language. The terms of service agreement must (i) explicitly outline the online 39
343	348		service provider's obligations, (ii) describe the rights and protections afforded to the end-user 40
344	349		under this relationship, and (iii) require affirmative consent from the end-user before the 41
345	350		agreement takes effect. 42
346	351		(b) The covered platform must provide clear notice to end-users of any material changes 43
347	352		to the terms of service agreement and obtain renewed consent for such changes. 44
348	353		(c) The terms of service agreement must be easily accessible to users at all times through 45
349	354		the covered platform's application or the covered platform's website. 46
350	355		(d) A covered platform shall implement a chatbot identification disclosure process that 47
351	356		meets the requirements outlined in G.S. 170-5. 48
352	357		"§ 170-5. Chatbot identification process requirements. 49
353	358		(a) The chatbot identification process shall include all of the following elements: 50
354	359		(1) A covered platform shall clearly inform users that the chatbot is: 51 General Assembly Of North Carolina Session 2025
355		-	Page 8 ~~Senate Bill 624-First Edition~~
	360	+	Page 8 DRS45312-LR-148
356	361		a. Not human, human-like, or sentient. 1
357	362		b. A computer program designed to mimic human conversation based on 2
358	363		statistical analysis of human-produced text. 3
359	364		c. Incapable of experiencing emotions such as love or lust. 4
360	365		d. Without personal preferences or feelings. 5
361	366		(2) The information required by subdivision (1) of this subsection shall be readily 6
362	367		accessible, clearly presented, and concisely conveyed in less than three 7
363	368		hundred (300) words. 8
364	369		(b) A users shall provide explicit and informed consent to interact with the chatbot. The 9
365	370		consent process shall: 10
366	371		(1) Require an affirmative action from the user (such as clicking an "I understand" 11
367	372		button); and 12
368	373		(2) Confirm the user's understanding of the chatbot's identity and limitations. 13
369	374		(c) A covered platform is prohibited from using deceptive design elements that 14
370	375		manipulate or coerce users into providing consent or obscure the nature of the chatbot or the 15
371	376		consent process. 16
372	377		(d) The chatbot identity communication and opt-in consent process shall be repeated at 17
373	378		the start of each new session with a user. 18
374	379		(e) The chatbot identification and consent process required by this section shall be 19
375	380		separate and distinct from any privacy policy agreement or other consent processes required by 20
376	381		law or platform policy. 21
377	382		"§ 170-6. Data privacy requirements. 22
378	383		(a) A covered platform must do each of the following: 23
379	384		(1) Ensure that all user-related data disclosed collected through conversations 24
380	385		between users and chatbots or through third-party cookies, undergoes a 25
381	386		process of de-identification prior to storage and analysis; 26
382	387		(2) Take reasonable care to prohibit the incorporation or inclusion of any sensitive 27
383	388		personal information derived from a user during the use of a chatbot into an 28
384	389		aggregate dataset used to train any chatbot or generative artificial intelligence 29
385	390		system. 30
386	391		(3) Store all chatbot conversations which does not include sensitive personal 31
387	392		information for at least sixty (60) days. 32
388	393		(b) Each covered platform that meets the standard set forth in subsection (a) of this 33
389	394		section shall utilize self-destructing messages with a predetermined destruction period of thirty 34
390	395		(30) days after the data has been acquired. 35
391	396		(c) The requirements of subsection (b) of this section shall apply to all chatbots which 36
392	397		are employed in: healthcare, financial services, the legal field, government services, mental 37
393	398		health support, and education. In general, this applies to any domain, beyond those specifically 38
394	399		listed, where chatbots are employed primarily for the processing or storage of sensitive personal 39
395	400		information. 40
396	401		(d) All covered platforms shall utilize transport encryption for all messages between a 41
397	402		user and a chatbot. 42
398	403		"§ 170-7. Enforcement. 43
399	404		(a) In any case in which the Attorney General has reason to believe that a covered 44
400	405		platform has violated or is violating any provision of this Chapter, the State, as parens patriae, 45
401	406		may bring a civil action on behalf of the residents of the State to (i) enjoin any practice violating 46
402	407		this Chapter and enforce compliance with the pertinent section or sections on behalf of residents 47
403	408		of the State; (ii) obtain damages, restitution, or other compensation, each of which shall be 48
404	409		distributed in accordance with State law; or (iii) obtain such other relief as the court may consider 49
405	410		to be appropriate. 50 General Assembly Of North Carolina Session 2025
406		-	~~Senate Bill 624-First Edition~~ Page 9
	411	+	DRS45312-LR-148 Page 9
407	412		(b) Any person who suffers injury in fact as a result of a violation of this Chapter may 1
408	413		bring a civil action against the covered platform to enjoin further the violation; recover damages 2
409	414		in an amount equal to the greater of actual damages or one thousand dollars ($1,000) per 3
410	415		violation; obtain reasonable attorneys' fees and litigation costs; and obtain any other relief that 4
411	416		the court deems appropriate. 5
412	417		(c) An action under paragraph subsection (b) of this section may not be brought more 6
413	418		than two (2) years after the date on which the person first discovered or reasonably should have 7
414	419		discovered the violation. No person shall be permitted to bring more than one action under this 8
415	420		subsection against the same covered platform for the same alleged violation. 9
416	421		(d) The rights and remedies provided for in this subsection may not be waived by any 10
417	422		agreement, policy, form, or condition of service. 11
418	423		"§ 170-8. Miscellaneous. 12
419	424		If any provision of this Chapter is determined to be unenforceable or invalid, the remaining 13
420	425		provisions of this Chapter shall not be affected." 14
421	426		SECTION 2.(b) This Part becomes effective January 1, 2026. 15
422	427		16
423	428		PART III. EFFECTIVE DATE 17
424	429		SECTION 3. Unless otherwise provided, this act is effective when it becomes law. 18