North Carolina 2025-2026 Regular Session

North Carolina Senate Bill S757 Compare Versions

Old New Differences
11 GENERAL ASSEMBLY OF NORTH CAROLINA
22 SESSION 2025
3-S 1
4-SENATE BILL 757
3+S D
4+SENATE BILL DRS35255-LR-105A
5+
56
67
78 Short Title: Consumer Privacy Act. (Public)
89 Sponsors: Senators Salvador, Hanig, and Moffitt (Primary Sponsors).
9-Referred to: Rules and Operations of the Senate
10-March 26, 2025
11-*S757 -v-1*
10+Referred to:
11+
12+*DRS35255 -LR-105A*
1213 A BILL TO BE ENTITLED 1
1314 AN ACT TO PROTECT CONSUMERS BY ENACTING THE CONSUMER PRIVACY ACT 2
1415 OF NORTH CAROLINA. 3
1516 The General Assembly of North Carolina enacts: 4
1617 SECTION 1. This act shall be known and may be cited as the "North Carolina 5
1718 Consumer Privacy Act." 6
1819 SECTION 2. The General Statutes are amended by adding a new Chapter to read: 7
1920 "Chapter 75F. 8
2021 "Consumer Privacy Act. 9
2122 "§ 75F-1. Definitions. 10
2223 (a) This Chapter shall be known and may be cited as the "North Carolina Consumer 11
2324 Privacy Act." 12
2425 (b) Definitions. – The following definitions apply in this Chapter: 13
2526 (1) Account. – The Consumer Privacy Restricted Account established in 14
2627 G.S. 75F-14. 15
2728 (2) Affiliate. – An entity that (i) controls, is controlled by, or is under common 16
2829 control with another entity or (ii) shares common branding with another entity. 17
2930 (3) Aggregated data. – Information that relates to a group or category of 18
3031 consumers (i) from which individual consumer identities have been removed 19
3132 and (ii) that is not linked or reasonably linkable to any consumer. 20
3233 (4) Air carrier. – As defined in 49 U.S.C. § 40102. 21
3334 (5) Authenticate. – To use reasonable means to determine that a consumer's 22
3435 request to exercise the rights described in G.S. 75F-4 is made by the consumer 23
3536 who is entitled to exercise those rights. 24
3637 (6) Biometric data. – Data generated by automatic measurements of an 25
3738 individual's unique biological characteristics. The term includes an 26
3839 individual's fingerprint, voiceprint, eye retinas, irises, or any other unique 27
3940 biological pattern or characteristic that is used to identify a specific individual. 28
4041 Biometric data does not include any of the following: 29
4142 a. A physical or digital photograph. 30
4243 b. A video or audio recording. 31
4344 c. Data generated from an item described in sub-subdivision a. or b. of 32
4445 this subdivision. 33
45-d. Information captured from a patient in a health care setting. 34 General Assembly Of North Carolina Session 2025
46-Page 2 Senate Bill 757-First Edition
46+d. Information captured from a patient in a health care setting. 34
47+FILED SENATE
48+Mar 25, 2025
49+S.B. 757
50+PRINCIPAL CLERK General Assembly Of North Carolina Session 2025
51+Page 2 DRS35255-LR-105A
4752 e. Information collected, used, or stored for treatment, payment, or health 1
4853 care operations as those terms are defined in 45 C.F.R. Parts 160, 162, 2
4954 and 164. 3
5055 (7) Business associate. – As defined in 45 C.F.R. § 160.103. 4
5156 (8) Child. – An individual younger than 13 years old. 5
5257 (9) Consent. – An affirmative act by a consumer that unambiguously indicates the 6
5358 consumer's voluntary and informed agreement to allow a person to process 7
5459 personal data related to the consumer. 8
5560 (10) Consumer. – An individual who is a resident of this State acting in an 9
5661 individual or household context. The term does not include an individual 10
5762 acting in a commercial or employment context. 11
5863 (11) Control or controlled. – Includes each of the following: (i) ownership of, or 12
5964 the power to vote, more than fifty percent (50%) of the outstanding shares of 13
6065 any class of voting securities of an entity; (ii) control in any manner over the 14
6166 election of a majority of the directors or of the individuals exercising similar 15
6267 functions; and (iii) the power to exercise controlling influence of the 16
6368 management of an entity. 17
6469 (12) Controller. – A person doing business in this State who determines the 18
6570 purposes for which, and the means by which, personal data are processed, 19
6671 regardless of whether the person makes the determination alone or with others 20
6772 that, alone or jointly with others, determines the purpose and means of 21
6873 processing personal data. 22
6974 (13) Covered entity. – As defined in 45 C.F.R. § 160.103. 23
7075 (14) De-identified data. – Data that cannot reasonably be linked to an identified or 24
7176 identifiable individual that are possessed by a controller who does all of the 25
7277 following: 26
7378 a. Takes reasonable measures to ensure that a person cannot associate the 27
7479 data with an individual. 28
7580 b. Publicly commits to maintain and use the data only in de-identified 29
7681 form and not attempt to reidentify the data. 30
7782 c. Contractually obligates any recipients of the data to comply with the 31
7883 requirements described in sub-subdivisions a. and b. of this 32
7984 subdivision. 33
8085 (15) Director. – The Director of the Division. 34
8186 (16) Division. – Consumer Protection Division of the North Carolina Department 35
8287 of Justice or other unit of the Department of Justice engaging in activities 36
8388 under this Chapter. 37
8489 (17) Government entity. – The State or any local political subdivision of the State. 38
8590 (18) Health care facility. – Any entity licensed pursuant to Chapter 122C, 131D, 39
8691 or 131E of the General Statutes or Article 64 of Chapter 58 of the General 40
8792 Statutes, and any clinical laboratory certified under the federal Clinical 41
8893 Laboratory Improvement Amendments in section 353 of the Public Health 42
8994 Service Act (42 U.S.C. § 263a). 43
9095 (19) Health care provider. – Includes: 44
9196 a. An individual who is licensed, certified, or otherwise authorized under 45
9297 Chapter 90 or 90B of the General Statutes to provide health care 46
9398 services in the ordinary course of business or practice of a profession 47
9499 or in an approved education or training program. 48
95100 b. A health care facility where health care services are provided to 49
96101 patients, residents, or others to whom such services are provided as 50
97102 allowed by law. 51
98-Senate Bill 757-First Edition Page 3
103+DRS35255-LR-105A Page 3
99104 c. Individuals licensed under Chapter 90 of the General Statutes or 1
100105 practicing under a waiver in accordance with G.S. 90-12.5. 2
101106 d. Any emergency medical services personnel as defined in 3
102107 G.S. 131E-155(7). 4
103108 e. Any individual who is employed as a health care facility administrator, 5
104109 executive, supervisor, board member, trustee, or other person in a 6
105110 managerial position or comparable role at a health care facility. 7
106111 f. An agent or employee of a health care facility that is licensed, certified, 8
107112 or otherwise authorized to provide health care services. 9
108113 g. An officer or director of a health care facility. 10
109114 h. An agent or employee of a health care provider who is licensed, 11
110115 certified, or otherwise authorized to provide health care services. 12
111116 (20) Identifiable individual. – An individual who can be readily identified, directly 13
112117 or indirectly. 14
113118 (21) Institution of higher education. – A public or private institution of higher 15
114119 education. 16
115120 (22) Local political subdivision. – Includes a city, a county, a local school 17
116121 administrative unit as defined in G.S. 115C-5, or a community college. 18
117122 (23) Nonprofit organization. – Any corporation exempt from taxation under 19
118123 section 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code. 20
119124 (24) Personal data. – Information that can be used to distinguish or trace an 21
120125 individual's identity, either alone or when combined with other information. 22
121126 The term does not include information that is a public record under Chapter 23
122127 132 of the General Statutes or information made available to the general 24
123128 public lawfully and intentionally. 25
124129 (25) Process. – Any operation or set of operations performed on personal data, 26
125130 including collection, use, storage, disclosure, analysis, deletion, or 27
126131 modification of personal data. 28
127132 (26) Processor. – A person who processes personal data on behalf of a controller. 29
128133 (27) Protected health information. – As defined in 45 C.F.R. § 160.103. 30
129134 (28) Pseudonymous data. – Personal data that cannot be attributed to a specific 31
130135 individual without the use of additional information, if the additional 32
131136 information is (i) kept separately from the consumer's personal data and (ii) 33
132137 subject to appropriate technical and organizational measures to ensure that the 34
133138 personal data is not attributable to an identified or identifiable individual. 35
134139 (29) Publicly available information. – Information that a person (i) lawfully obtains 36
135140 from a record of a governmental entity, (ii) reasonably believes a consumer or 37
136141 widely distributed media has lawfully made available to the general public, or 38
137142 (iii) if the consumer has not restricted the information to a specific audience, 39
138143 obtains from a person to whom the consumer disclosed the information. 40
139144 (30) Right. – A consumer right described in G.S. 75F-4. 41
140145 (31) Sale, sell, or sold. – The exchange of personal data for monetary consideration 42
141146 by the controller to a third party. The terms do not include any of the 43
142147 following: 44
143148 a. A controller's disclosure of personal data to a processor who processes 45
144149 the personal data on behalf of the controller. 46
145150 b. A controller's disclosure of personal data to an affiliate of the 47
146151 controller. 48
147152 c. Considering the context in which the consumer provided the personal 49
148153 data to the controller, a controller's disclosure of personal data to a 50
149-Page 4 Senate Bill 757-First Edition
154+Page 4 DRS35255-LR-105A
150155 third party if the purpose is consistent with a consumer's reasonable 1
151156 expectations. 2
152157 d. The disclosure or transfer of personal data when a consumer directs a 3
153158 controller to disclose the personal data or interact with one or more 4
154159 third parties. 5
155160 e. A consumer's disclosure of personal data to a third party for the 6
156161 purpose of providing a product or service requested by the consumer 7
157162 or a parent or legal guardian of a child. 8
158163 f. The disclosure of information that the consumer intentionally makes 9
159164 available to the general public via a channel of mass media and does 10
160165 not restrict to a specific audience. 11
161166 g. A controller's transfer of personal data to a third party as an asset that 12
162167 is part of a proposed or actual merger, acquisition, or bankruptcy in 13
163168 which the third party assumes control of all or part of the controller's 14
164169 assets. 15
165170 (32) Sensitive data. – Personal data that reveals any of the following: 16
166171 a. An individual's (i) racial or ethnic origin, (ii) religious beliefs, (iii) 17
167172 sexual orientation, (iv) citizenship or immigration status, or (v) 18
168173 information regarding an individual's medical history, mental or 19
169174 physical health condition, or medical treatment or diagnosis by a 20
170175 health care professional. The term does not include personal data that 21
171176 reveals an individual's racial or ethnic origin if the personal data are 22
172177 processed by a video communication service. If the personal data are 23
173178 processed by a person licensed to provide health care under State or 24
174179 federal law, information regarding an individual's medical history, 25
175180 mental or physical health condition, or medical treatment or diagnosis 26
176181 by a health care professional, then the personal data is not sensitive 27
177182 data. 28
178183 b. The processing of genetic or biometric data if the processing is for the 29
179184 purpose of identifying a specific individual. 30
180185 c. Specific geolocation data. 31
181186 (33) Specific geological location. – Information derived from technology, 32
182187 including global positioning system level latitude and longitude coordinates, 33
183188 that directly identifies an individual's specific location, accurate within a 34
184189 radius of 1,750 feet or less. The term does not include (i) the content of a 35
185190 communication or (ii) any data generated by or connected to advanced utility 36
186191 metering infrastructure systems or equipment used by a utility. 37
187192 (34) Targeted advertising. – Displaying an advertisement to a consumer where the 38
188193 consumer is selected based upon personal data obtained from the consumer's 39
189194 activities over time and across nonaffiliated websites or online applications to 40
190195 predict the consumer's preferences and interests. The term does not include 41
191196 any advertising: 42
192197 a. Based upon a consumer's activities within the controller's website or 43
193198 online application or any affiliated website or online application. 44
194199 b. Based on the context of a consumer's current search query or visit to a 45
195200 website or online application. 46
196201 c. Directed to a consumer in response to the consumer's request for 47
197202 information, product, a service, or feedback. 48
198203 d. Processing personal data solely to measure or report advertising 49
199204 performance, reach, or frequency. 50
200-Senate Bill 757-First Edition Page 5
205+DRS35255-LR-105A Page 5
201206 (35) Third party. – A person other than the consumer, controller, or processor or 1
202207 an affiliate or contractor of the controller or processor. 2
203208 (36) Trade secret. – Information, including a formula, pattern, compilation, 3
204209 program, device, method, technique, or process that (i) derives independent 4
205210 economic value, actual or potential, from not being generally known to and 5
206211 not being readily ascertainable by proper means by other persons who can 6
207212 obtain economic value from the information's disclosure or use and (ii) is the 7
208213 subject of efforts that are reasonable under the circumstances to maintain the 8
209214 information's secrecy. 9
210215 "§ 75F-2. Applicability. 10
211216 (a) This Chapter applies to any controller or processor who: 11
212217 (1) Conducts business in this State or produces a product or service that is targeted 12
213218 to consumers who are residents of this State; 13
214219 (2) Has annual revenue of twenty-five million dollars ($25,000,000) or more; and 14
215220 (3) Satisfies one or more of the following thresholds: 15
216221 a. During a calendar year, controls or processes personal data of 100,000 16
217222 or more consumers; or 17
218223 b. Derives over fifty percent (50%) of the entity's gross revenue from the 18
219224 sale of personal data and controls or processes personal data of 25,000 19
220225 or more consumers. 20
221226 (b) This Chapter does not apply to any of the following: 21
222227 (1) A governmental entity or a third party under contract with a governmental 22
223228 entity when the third party is acting on behalf of the governmental entity. 23
224229 (2) A tribe. 24
225230 (3) An institution of higher education. 25
226231 (4) A nonprofit corporation. 26
227232 (5) A covered entity. 27
228233 (6) A business associate. 28
229234 (7) Information that meets the definition of one of the following: 29
230235 a. Protected health information for purposes of the federal Health 30
231236 Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 31
232237 1320d et seq., and related regulations. 32
233238 b. Patient identifying information for purposes of 42 C.F.R. Part 2. 33
234239 c. Identifiable private information for purposes of the federal Policy for 34
235240 the Protection of Human Subjects, 45 C.F.R. Part 46. 35
236241 d. Identifiable private information or personal data collected as part of 36
237242 human subjects research pursuant to or under the same standards as: 37
238243 1. The good clinical practice guidelines issued by the 38
239244 International Council for Harmonisation; or 39
240245 2. The Protection of Human Subjects under 21 C.F.R. Part 50 and 40
241246 Institutional Review Boards under 21 C.F.R. Part 56. 41
242247 e. Personal data used or shared in research conducted in accordance with 42
243248 one or more of the requirements described in sub-subdivision b. of this 43
244249 subdivision. 44
245250 f. Information and documents created for purposes of the federal Health 45
246251 Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq., and 46
247252 related regulations. 47
248253 g. Patient safety work product for purposes of 42 C.F.R. Part 3; or 48
249254 h. Information that is: 49
250255 1. De-identified in accordance with the requirements for 50
251256 de-identification set forth in 45 C.F.R. Part 164; and 51
252-Page 6 Senate Bill 757-First Edition
257+Page 6 DRS35255-LR-105A
253258 2. Derived from any of the health care-related information listed 1
254259 above in this subdivision. 2
255260 (8) Information originating from, and intermingled to be indistinguishable with, 3
256261 information under subdivision (7) of this subsection that is maintained by a (i) 4
257262 health care facility or health care provider or (ii) program or a qualified service 5
258263 organization as defined in 42 C.F.R. § 2.11. 6
259264 (9) Information used only for public health activities and purposes as described 7
260265 in 45 C.F.R. § 164.512. 8
261266 (10) An activity: 9
262267 a. Subject to regulation under the federal Fair Credit Reporting Act, 15 10
263268 U.S.C. § 1681 et seq., by one of the following: 11
264269 1. A consumer reporting agency, as defined in 15 U.S.C. § 1681a; 12
265270 2. A furnisher of information, as set forth in 15 U.S.C. § 1681s-2, 13
266271 who provides information for use in a consumer report, as 14
267272 defined in 15 U.S.C. § 1681a; or 15
268273 3. A user of a consumer report, as set forth in 15 U.S.C. § 1681b; 16
269274 and 17
270275 b. Involving the collection, maintenance, disclosure, sale, 18
271276 communication, or use of any personal data bearing on a consumer's 19
272277 credit worthiness, credit standing, credit capacity, character, general 20
273278 reputation, personal characteristics, or mode of living. 21
274279 (11) A financial institution or an affiliate of a financial institution governed by, or 22
275280 personal data collected, processed, sold, or disclosed in accordance with, Title 23
276281 V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and related 24
277282 regulations. 25
278283 (12) Personal data collected, processed, sold, or disclosed in accordance with the 26
279284 federal Driver's Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq. 27
280285 (13) Personal data regulated by the federal Family Education Rights and Privacy 28
281286 Act, 20 U.S.C. § 1232g, and related regulations. 29
282287 (14) Personal data collected, processed, sold, or disclosed in accordance with the 30
283288 federal Farm Credit Act of 1971, 12 U.S.C. § 2001 et seq. 31
284289 (15) Data that are processed or maintained: 32
285290 a. In the course of an individual applying to, being employed by, or 33
286291 acting as an agent or independent contractor of a controller, processor, 34
287292 or third party to the extent the collection and use of the data are related 35
288293 to the individual's role; 36
289294 b. As the emergency contact information of an individual described in 37
290295 sub-subdivision a. of this subdivision and used for emergency contact 38
291296 purposes; or 39
292297 c. To administer benefits for another individual relating to an individual 40
293298 described in sub-subdivision a. of this subdivision and used for the 41
294299 purpose of administering the benefits. 42
295300 (16) An individual's processing of personal data for purely personal or household 43
296301 purposes. 44
297302 (17) An air carrier. 45
298303 (c) A controller is in compliance with any obligation to obtain parental consent under this 46
299304 Chapter if the controller complies with the verifiable parental consent mechanisms under the 47
300305 Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., and the act's implementing 48
301306 regulations and exemptions. 49
302-Senate Bill 757-First Edition Page 7
307+DRS35255-LR-105A Page 7
303308 (d) This Chapter does not require a person to take any action in conflict with the federal 1
304309 Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., or related 2
305310 regulations. 3
306311 "§ 75F-3. Preemption; reference to other laws. 4
307312 (a) This Chapter supersedes and preempts any ordinance, resolution, rule, or other 5
308313 regulation adopted by a local political subdivision of the State regarding the processing of 6
309314 personal data by a controller or processor. 7
310315 (b) Any reference to federal law in this Chapter includes any rules or regulations 8
311316 promulgated under the federal law. 9
312317 "§ 75F-4. Consumer rights; access; deletion; portability; opt out of certain processing. 10
313318 (a) A consumer has the right to: 11
314319 (1) Confirm whether a controller is processing the consumer's personal data and 12
315320 access the consumer's personal data. 13
316321 (2) Delete the consumer's personal data that the consumer provided to the 14
317322 controller. 15
318323 (3) Obtain a copy of the consumer's personal data that the consumer previously 16
319324 provided to the controller, in a format that to the extent technically feasible, 17
320325 that is readily usable and allows the consumer to transmit the data to another 18
321326 controller without impediment where the processing is carried out by 19
322327 automated means. 20
323328 (4) Opt out of the processing of the consumer's personal data for purposes of 21
324329 targeted advertising or the sale of personal data. 22
325330 (b) Nothing in this section requires a person to cause a breach of security system. 23
326331 "§ 75F-5. Exercising consumer rights. 24
327332 (a) A consumer may exercise a right by submitting a request to a controller, by means 25
328333 prescribed by the controller, specifying the right the consumer intends to exercise. 26
329334 (b) In the case of processing personal data concerning a known child, the parent or legal 27
330335 guardian of the known child shall exercise a right on the child's behalf. 28
331336 (c) In the case of processing personal data concerning a consumer subject to 29
332337 guardianship, the guardian of the consumer shall exercise a right on the consumer's behalf. 30
333338 "§ 75F-6. Controller's response to requests. 31
334339 (a) Subject to the other provisions of this Chapter, a controller shall comply with a 32
335340 consumer's request under G.S. 75F-5 to exercise a right. 33
336341 (b) Within 45 days after the day on which a controller receives a request to exercise a 34
337342 right, the controller shall take action on the consumer's request and inform the consumer of any 35
338343 action taken on the consumer's request. 36
339344 (c) The controller may extend once the initial 45-day period by an additional 45 days if 37
340345 reasonably necessary due to the complexity of the request or the volume of the requests received 38
341346 by the controller. If a controller extends the initial 45-day period, before the initial 45-day period 39
342347 expires, the controller shall (i) inform the consumer of the extension, including the length of the 40
343348 extension, and (ii) provide the reasons the extension is reasonably necessary. 41
344349 (d) The 45-day period does not apply if the controller reasonably suspects the consumer's 42
345350 request is fraudulent and the controller is not able to authenticate the request before the 45-day 43
346351 period expires. 44
347352 (e) If, in accordance with this section, a controller chooses not to take action on a 45
348353 consumer's request, the controller shall within 45 days after the day on which the controller 46
349354 receives the request inform the consumer of the reasons for not taking action. 47
350355 (f) A controller may not charge a fee for information in response to a request, unless the 48
351356 request is the consumer's second or subsequent request during the same 12-month period. 49
352357 However, a controller may charge a reasonable fee to cover the administrative costs of complying 50
353358 with a request or refuse to act on a request if: 51
354-Page 8 Senate Bill 757-First Edition
359+Page 8 DRS35255-LR-105A
355360 (1) The request is excessive, repetitive, technically infeasible, or manifestly 1
356361 unfounded; 2
357362 (2) The controller reasonably believes the primary purpose in submitting the 3
358363 request was something other than exercising a right; or 4
359364 (3) The request, individually or as part of an organized effort, harasses, disrupts, 5
360365 or imposes undue burden on the resources of the controller's business. 6
361366 (g) A controller that charges a fee or refuses to act in accordance with this section bears 7
362367 the burden of demonstrating the request satisfied one or more of the criteria described in this 8
363368 section. 9
364369 (h) If a controller is unable to authenticate a consumer request to exercise a right 10
365370 described in G.S. 75F-4 using commercially reasonable efforts, the controller is not required to 11
366371 comply with the request and may request that the consumer provide additional information 12
367372 reasonably necessary to authenticate the request. 13
368373 "§ 75F-7. Responsibilities according to role. 14
369374 (a) A processor shall adhere to the controller's instructions, and taking into account the 15
370375 nature of the processing and information available to the processor, by appropriate technical and 16
371376 organizational measures, insofar as reasonably practicable, assist the controller in meeting the 17
372377 controller's obligations, including obligations related to the security of processing personal data 18
373378 and notification of a breach of security system. 19
374379 (b) Before a processor performs processing on behalf of a controller, the processor and 20
375380 controller shall enter into a contract that does all of the following: 21
376381 (1) Clearly sets forth instructions for processing personal data, the nature and 22
377382 purpose of the processing, the type of data subject to processing, the duration 23
378383 of the processing, and the parties' rights and obligations. 24
379384 (2) Requires the processor to ensure each person processing personal data is 25
380385 subject to a duty of confidentiality with respect to the personal data. 26
381386 (3) Requires the processor to engage any subcontractor pursuant to a written 27
382387 contract that requires the subcontractor to meet the same obligations as the 28
383388 processor with respect to the personal data. 29
384389 (c) Determining whether a person is acting as a controller or processor with respect to a 30
385390 specific processing of data is a fact-based determination that depends upon the context in which 31
386391 personal data are to be processed. A processor that adheres to a controller's instructions with 32
387392 respect to a specific processing of personal data remains a processor. 33
388393 "§ 75F-8. Responsibilities of contractors; transparency; purpose specification and data 34
389394 minimization; consent for secondary use; security; nondiscrimination. 35
390395 (a) A controller shall provide consumers with a reasonably accessible and clear privacy 36
391396 notice that includes all of the following: 37
392397 (1) The categories of personal data processed by the controller. 38
393398 (2) The purposes for which the categories of personal data are processed. 39
394399 (3) How consumers may exercise a right. 40
395400 (4) The categories of personal data that the controller shares with third parties, if 41
396401 any. 42
397402 (5) The categories of third parties, if any, with whom the controller shares 43
398403 personal data. 44
399404 If a controller sells a consumer's personal data to one or more third parties or engages in targeted 45
400405 advertising, the controller shall clearly and conspicuously disclose to the consumer the manner 46
401406 in which the consumer may exercise the right to opt out of the sale of the consumer's personal 47
402407 data or processing for targeted advertising. 48
403408 (b) A controller shall establish, implement, and maintain reasonable administrative, 49
404409 technical, and physical data security practices designed to protect the confidentiality and integrity 50
405410 of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the 51
406-Senate Bill 757-First Edition Page 9
411+DRS35255-LR-105A Page 9
407412 processing of personal data. Considering the controller's business size, scope, and type, a 1
408413 controller shall use data security practices that are appropriate for the volume and nature of the 2
409414 personal data at issue. 3
410415 (c) Except as otherwise provided in this Chapter, a controller may not process sensitive 4
411416 data collected from a consumer without first presenting the consumer with clear notice and an 5
412417 opportunity to opt out of the processing, or in the case of the processing of personal data 6
413418 concerning a known child, processing the data in accordance with the federal Children's Online 7
414419 Privacy Protection Act, 15 U.S.C. § 6501 et seq., and the act's implementing regulations and 8
415420 exemptions. 9
416421 (d) A controller may not discriminate against a consumer for exercising a right by (i) 10
417422 denying a good or service to the consumer, (ii) charging the consumer a different price or rate 11
418423 for a good or service, or (iii) providing the consumer a different level of quality of a good or 12
419424 service. Nothing in this subsection prohibits a controller from offering a different price, rate, 13
420425 level, quality, or selection of a good or service to a consumer, including offering a good or service 14
421426 for no fee or at a discount, if the consumer has opted out of targeted advertising or the offer is 15
422427 related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium 16
423428 features, discounts, or club card program. 17
424429 (e) A controller is not required to provide a product, service, or functionality to a 18
425430 consumer if the consumer's personal data are, or the processing of the consumer's personal data 19
426431 is, reasonably necessary for the controller to provide the consumer the product, service, or 20
427432 functionality and the consumer does not provide the consumer's personal data to the controller 21
428433 or allow the controller to process the consumer's personal data. Any provision of a contract that 22
429434 purports to waive or limit a consumer's right under this Chapter is void. 23
430435 "§ 75F-9. Processing de-identified data or pseudonymous data. 24
431436 (a) The provisions of this Chapter do not require a controller or processor to do any of 25
432437 the following: 26
433438 (1) Reidentify de-identified data or pseudonymous data. 27
434439 (2) Maintain data in identifiable form or obtain, retain, or access any data or 28
435440 technology for the purpose of allowing the controller or processor to associate 29
436441 a consumer request with personal data. 30
437442 (3) Comply with an authenticated consumer request to exercise a right described 31
438443 in G.S. 75F-4, if the controller: 32
439444 a. Is not reasonably capable of associating the request with the personal 33
440445 data or it would be unreasonably burdensome for the controller to 34
441446 associate the request with the personal data; 35
442447 b. Does not (i) use the personal data to recognize or respond to the 36
443448 consumer who is the subject of the personal data or (ii) associate the 37
444449 personal data with other personal data about the consumer; and 38
445450 c. Does not sell or other otherwise disclose the personal data to any third 39
446451 party other than a processor, except as otherwise permitted in this 40
447452 section. 41
448453 (b) The rights described in G.S. 75F-4(a)(1) through (a)(3) do not apply to pseudonymous 42
449454 data if a controller demonstrates that any information necessary to identify a consumer is kept 43
450455 separately and subject to appropriate technical and organizational measures to ensure the 44
451456 personal data are not attributed to an identified individual or an identifiable individual. 45
452457 (c) A controller who uses pseudonymous data or de-identified data shall take reasonable 46
453458 steps to ensure the controller complies with any contractual obligations to which the 47
454459 pseudonymous data or de-identified data are subject and promptly addresses any breach of a 48
455460 contractual obligation. 49
456461 "§ 75F-10. Limitations. 50 General Assembly Of North Carolina Session 2025
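Review bot: § 75F-9(a)(3)c. has a doubled word that both versions carry unchanged: "Does not sell or other otherwise disclose the personal data to any third party" should read "sell or otherwise disclose". The only changed lines in this part of the comparison are the page footers, so the wording error survives from the filed edition into this draft and needs a separate correction.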
457-Page 10 Senate Bill 757-First Edition
462+Page 10 DRS35255-LR-105A
458463 (a) The requirements described in this Chapter do not restrict a controller's or processor's 1
459464 ability to do any of the following: 2
460465 (1) Comply with a State, federal, or local law, rule, or regulation. 3
461466 (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, 4
462467 or summons by a federal, State, local, or other governmental entity. 5
463468 (3) Cooperate with a law enforcement agency concerning activity that the 6
464469 controller or processor reasonably and in good faith believes may violate 7
465470 federal, State, or local laws, rules, or regulations. 8
466471 (4) Investigate, establish, exercise, prepare for, or defend a legal claim. 9
467472 (5) Provide a product or service requested by a consumer or a parent or legal 10
468473 guardian of a child. 11
469474 (6) Perform a contract to which the consumer or the parent or legal guardian of a 12
470475 child is a party, including fulfilling the terms of a written warranty or taking 13
471476 steps at the request of the consumer or parent or legal guardian before entering 14
472477 into the contract with the consumer. 15
473478 (7) Take immediate steps to protect an interest that is essential for the life or 16
474479 physical safety of the consumer or of another individual. 17
475480 (8) Detect, prevent, protect against, or respond to a security incident, identity 18
476481 theft, fraud, harassment, malicious or deceptive activity, or any illegal activity 19
477482 or investigate, report, or prosecute a person responsible for an action described 20
478483 in this subdivision. 21
479484 (9) Preserve the integrity or security of systems or investigate, report, or prosecute 22
480485 a person responsible for harming or threatening the integrity or security of 23
481486 systems. 24
482487 (10) If the controller discloses the processing in a notice described in G.S. 75F-8, 25
483488 engage in public or peer-reviewed scientific, historical, or statistical research 26
484489 in the public interest that adheres to all other applicable ethics and privacy 27
485490 laws. 28
486491 (11) Assist another person with an obligation described in this subsection. 29
487492 (12) Process personal data to do any of the following: 30
488493 a. Conduct internal analytics or other research to develop, improve, or 31
489494 repair a controller's or processor's product, service, or technology. 32
490495 b. Identify and repair technical errors that impair existing or intended 33
491496 functionality. 34
492497 c. Effectuate a product recall. 35
493498 (13) Process personal data to perform an internal operation that is (i) reasonably 36
494499 aligned with the consumer's expectations based on the consumer's existing 37
495500 relationship with the controller or (ii) otherwise compatible with processing 38
496501 to aid the controller or processor in providing a product or service specifically 39
497502 requested by a consumer or a parent or legal guardian of a child or the 40
498503 performance of a contract to which the consumer or a parent or legal guardian 41
499504 of a child is a party. 42
500505 (14) Retain a consumer's email address to comply with the consumer's request to 43
501506 exercise a right. 44
502507 (b) This Chapter does not apply if a controller's or processor's compliance with this 45
503508 Chapter: 46
504509 (1) Violates an evidentiary privilege under North Carolina law. 47
505510 (2) As part of a privileged communication, prevents a controller or processor from 48
506511 providing personal data concerning a consumer to a person covered by an 49
507512 evidentiary privilege under North Carolina law. 50
508513 (3) Adversely affects the privacy or other rights of any person. 51 General Assembly Of North Carolina Session 2025
509-Senate Bill 757-First Edition Page 11
514+DRS35255-LR-105A Page 11
510515 (c) A controller or processor is not in violation of this Chapter if: 1
511516 (1) The controller or processor discloses personal data to a third-party controller 2
512517 or processor in compliance with this Chapter. 3
513518 (2) The third party processes the personal data in violation of this Chapter. 4
514519 (3) The disclosing controller or processor did not have actual knowledge of the 5
515520 third party's intent to commit a violation of this Chapter. 6
516521 (d) If a controller processes personal data under an exemption described in subsection (a) 7
517522 of this section, the controller bears the burden of demonstrating that the processing qualifies for 8
518523 the exemption. 9
519524 (e) Nothing in this Chapter requires a controller, processor, third party, or consumer to 10
520525 disclose a trade secret. 11
521526 "§ 75F-11. No private cause of action. 12
522527 A violation of this Chapter does not provide a basis for, nor is a violation of this Chapter 13
523528 subject to, a private right of action under this Chapter or any other law. 14
524529 "§ 75F-12. Enforcement. 15
525530 (a) The Division shall establish and administer a system to receive consumer complaints 16
526531 regarding a controller's or processor's alleged violation of this Chapter. 17
527532 (b) The Division may investigate a consumer complaint to determine whether the 18
528533 controller or processor violated or is violating this Chapter. 19
529534 "§ 75F-13. Enforcement powers of the Attorney General. 20
530535 (a) The Attorney General has the exclusive authority to enforce this Chapter. Upon 21
531536 referral from the Division, the Attorney General may initiate an enforcement action against a 22
532537 controller or processor for a violation of this Chapter. 23
533538 (b) At least 45 days before the day on which the Attorney General initiates an 24
534539 enforcement action against a controller or processor, the Attorney General shall provide the 25
535540 controller or processor with the following: 26
536541 (1) Written notice identifying each provision of this Chapter the Attorney General 27
537542 alleges the controller or processor has violated or is violating. 28
538543 (2) An explanation of the basis for each allegation. 29
539544 (c) The Attorney General may not initiate an action if the controller or processor: 30
540545 (1) Cures the noticed violation within 45 days after the day on which the 31
541546 controller or processor receives the written notice described in subsection (b) 32
542547 of this section. 33
543548 (2) Provides the Attorney General an express written statement that the violation 34
544549 has been cured and no further violation of the cured violation will occur. 35
545550 (d) The Attorney General may initiate an action against a controller or processor who (i) 36
546551 fails to cure a violation after receiving the notice described in subsection (b) of this section or (ii) 37
547552 after curing a noticed violation and providing a written statement in accordance with subsection 38
548553 (b) of this section, continues to violate this Chapter. 39
549554 (e) In an action described in subsection (d) of this section, the Attorney General may 40
550555 recover actual damages to the consumer; and for each violation described in subsection (d) of 41
551556 this section, an amount not to exceed seven thousand five hundred dollars ($7,500). 42
552557 (f) All money received from an action under this Chapter shall be deposited into the 43
553558 Consumer Privacy Account established in G.S. 75F-14. 44
554559 (g) If more than one controller or processor are involved in the same processing in 45
555560 violation of this Chapter, the liability for the violation shall be allocated among the controllers or 46
556561 processors in proportion to the comparative fault of each controller or processor. 47
557562 "§ 75F-14. Consumer Privacy Account. 48
558563 (a) There is created a restricted account known as the "Consumer Privacy Account." The 49
559564 account shall be funded by money received through civil enforcement actions under this Chapter. 50 General Assembly Of North Carolina Session 2025
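Review bot: the cross-reference in § 75F-13(d)(ii) points at the wrong subsection. It reads "providing a written statement in accordance with subsection (b) of this section", but subsection (b) describes the Attorney General's written notice, while the controller's or processor's express written statement that the violation has been cured is in subsection (c)(2). Suggest changing the reference to subsection (c). A second point on naming: § 75F-13(f) and § 75F-14 say "Consumer Privacy Account", whereas the definition in § 75F-1(b)(1) names the "Consumer Privacy Restricted Account established in G.S. 75F-14", so one of the two names should be made consistent.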
560-Page 12 Senate Bill 757-First Edition
565+Page 12 DRS35255-LR-105A
561566 (b) Upon appropriation by the General Assembly, the account funds may be used by the 1
562567 Attorney General for these purposes: 2
563568 (1) Investigation and administrative costs incurred by the Division in 3
564569 investigating consumer complaints alleging violations of this Chapter. 4
565570 (2) Recovery of costs and attorney fees accrued by the Attorney General in 5
566571 enforcing this Chapter. 6
567572 (3) Providing consumer and business education regarding consumer rights under 7
568573 this Chapter and compliance with the provisions of this Chapter for controllers 8
569574 and processors. 9
570575 (c) If the balance in the account exceeds four million dollars ($4,000,000) at the close of 10
571576 any fiscal year, the State Budget Director shall transfer the amount that exceeds four million 11
572577 dollars ($4,000,000) into the General Fund. 12
573578 "§ 75F-15. Attorney General report. 13
574579 (a) The Attorney General and the Division shall compile a report evaluating the liability 14
575580 and enforcement provisions of this Chapter, including the effectiveness of the Attorney General's 15
576581 and the Division's efforts to enforce this Chapter and summarizing the data protected and not 16
577582 protected by this Chapter, including, with reasonable detail, a list of the types of information that 17
578583 are publicly available from State, local, and federal government sources. 18
579584 (b) The Attorney General and the Division may update the report as new information 19
580585 becomes available. 20
581586 (c) The Attorney General and the Division shall submit the report to the Joint Legislative 21
582587 Oversight Commission on Governmental Operations by July 1, 2027." 22
583588 SECTION 3. This act becomes effective January 1, 2026. 23