Section 1.
Titles the act the “NC Personal Data Privacy Act.” Effective January 1, 2026, enacts new Chapter GS 75F, consisting of the Data Privacy Act. Defines 36 terms, including controller (a person that, alone or jointly with others, determines the purpose and means of processing personal data); and processor (a person that processes personal data on behalf of a controller).
Enacts GS 75F-103 applying the Chapter to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year either (1) controlled or processed the personal data of not less than 35,000 consumers excluding personal data controlled or processed solely for the purpose of completing a payment transaction or (2) controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. Excludes both the described State entities and described financial institutions subject to Title V of the Gramm-Leach-Bliley Act and the rules and implementing regulations promulgated thereunder. Lists thirteen types of data that are excluded from the Chapter including protected health information under HIPAA, certain types of personal data regulated by the specified federal laws, and personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to those victims. Provides that controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act of 1998 (COPPA) are deemed compliant with any obligation to obtain parental consent set forth in this Chapter with respect to a consumer who is a child.
Enacts GS 75F-104, concerning consumer personal data rights, as follows. Details six consumer rights, including the right to: (1) confirm whether a controller is processing the consumer's personal data and access the personal data, unless the confirmation or access would require the controller to reveal a trade secret; (2) correct inaccuracies in the data; and (3) opt out of the processing of the personal data for any of the three described reasons. Authorizes a consumer to exercise those rights by secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. Allows for the consumer to have an authorized agent. Allows for parents to exercise the rights of a minor child and for the guardian or conservator to exercise those rights in instances where a protective arrangement is in place. Sets forth a process that a controller must follow in responding to a consumer’s rights. Provides for an appeal process in instances where a controller refuses to take action on a request within a reasonable amount of time after the consumer’s receipt of the decision. Specifies ways in which a consumer can designate an authorized agent, including through the described universal opt-out mechanisms in GS 75F-105.
Sets forth eight duties of controllers in GS 75F-106, including (1) limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer, and (2) refraining from discriminating against the consumer for exercising the rights set forth in GS Chapter 75F. Clarifies that the controller duties do not require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
Requires the controller to provide consumers with a reasonably accessible, clear, and meaningful privacy notice including the six described required disclosures. Provides for conspicuous notice and an opt-out if the controller sells data to third parties. Provides for means of delivery of the privacy notice described above.
Enacts GS 75F-107, setting forth the following three duties of processors in assisting the controller in meeting its obligations under GS Chapter 75F: (1) fulfilling the controller's obligation to respond to consumer rights requests, taking into account the circumstances described; (2) assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor, in order to meet the controller's obligations; and (3) providing necessary information to enable the controller to conduct and document data protection assessments.
Describes five required provisions that must be included in a contract between a controller and a processor. Clarifies that GS 75F-107 does not relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller's or processor's role in the processing relationship. Instructs on when a person is acting as a processor or a controller.
Enacts GS 75F-108, pertaining to data protection assessments (as described) that are required to be performed by a controller that controls or processes the data of not less than 100,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction, for each of the controller's processing activities that presents a heightened risk of harm to a consumer, as described. Provides for instances when the Attorney General is permitted to access a controller’s data protection assessment, including for the confidentiality of that assessment for purposes of public records law. Specifies that if a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment is deemed to satisfy the requirements established in GS 75F-108 if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted. Directs that data protection assessment requirements will apply to processing activities created or generated on or after July 1, 2026, and are not retroactive.
Enacts GS 75F-109, clarifying that GS Chapter 75F does not require a controller or processor to re-identify de-identified data or pseudonymous data, or to maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. Relieves a controller or processor of the obligation to comply with an authenticated consumer request if the described circumstances pertaining to a controller’s inability to associate the request with personal data are met. Requires a controller disclosing pseudonymous data or de-identified data to exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and to take appropriate steps to address any breaches of those contractual commitments. Provides for the described exclusions from GS Chapter 75F in new GS 75F-110. Provides the Department of Justice with enforcement authority, as described, in GS 75F-111. Deems a violation of GS Chapter 75F an unfair trade practice. Bars anything in GS Chapter 75F from providing the basis for a private right of action. Requires the Department of Justice to engage in public outreach to educate consumers and the business community about this act, beginning at least six months prior to the effective date of the act.
Section 2.
Effective January 1, 2026, enacts GS Chapter 75G, concerning social media verifications. Defines nine terms including social media company and social media platform. Enacts GS 75G-102, pertaining to social media platforms and age verification and parental consent, as follows. Prevents a social media company from allowing a NC user who is a minor (under age 18) to be an account holder on its platform except with the express consent of their parent or legal guardian. Requires the company to verify the age of an account holder using one of the reasonable age verifications described. Specifies that if an account holder is a minor, the social media company must confirm that a minor has consent to become a new account holder at the time a North Carolina user opens the account. Requires the company to use a third-party vendor to perform the age verification. Enacts GS 75G-103, laying out liability for social media companies if they fail to perform the age verification described. Prevents the company from retaining any identifying information of the individual as part of the age verification. Directs that a violation of GS 75G-102 is a Class 1 misdemeanor. Provides for venue for any criminal proceeding. Allows for a civil enforcement action by the Attorney General. Provides for penalties of either (1) $2,500 per violation, court costs, and attorneys’ fees or (2) damages resulting from the minor accessing the platform without parental consent, including court costs, and attorneys’ fees. Exempts (1) a news or public interest broadcast, website video, report, or event and (2) cloud service providers. Specifies that GS 75G-103 does affect the rights of a news-gathering organization. Clarifies that the described internet service providers do not violate GS Chapter 75G solely by providing access to the internet (as described). Prevents third-party vendors or commercial entities conducting the age verification from retaining any identifying information.
Specifies that a commercial entity that is found to have knowingly retained identifying information of an individual after access to the material is granted is liable to the individual for damages resulting from the retention of the identifying information, including court costs and reasonable attorneys' fees as ordered by the court.
Section 3.
Contains a severability clause.
PERSONAL DATA PRIVACY/SOCIAL MEDIA SAFETY.
AN ACT TO PROTECT NORTH CAROLINIANS BY ENACTING THE PERSONAL DATA PRIVACY ACT AND SOCIAL MEDIA SAFETY ACT. Intro. by T. Brown, Chesser, N. Jackson, Longest.
Status: Ref to the Com on Judiciary 2, if favorable, Commerce and Economic Development, if favorable, Rules, Calendar, and Operations of the House (House action) (Mar 20 2025)
Bill H 462 (2025-2026). Summary date: Mar 19 2025