AN ACT TO PROTECT CONSUMERS BY ENACTING THE CONSUMER PRIVACY ACT OF NORTH CAROLINA.
Titles the act as the "Consumer Privacy Act of North Carolina."
Enacts Article 2B, Consumer Privacy Act, to GS Chapter 75. Sets forth 31 defined terms. Defines the scope of the act include persons that conduct business in the State or produce products or services that are targeted to residents and that either (1) during a calendar year, control or process personal data of at least 100,000 consumers or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data, as defined. Defines personal data to mean any information that is linked or reasonably linkable to an identified or identifiable natural person; excludes de-identified data, as defined, or publicly available information. Enumerates seven exemptions from the scope of the Article, including political subdivisions of the State, nonprofits, public school units and institutions of higher education. Lists 14 data categories exempt from the scope of the Article, including protected health information under the federal HIPPA (Health Insurance Portability and Accountability Act), information used only for public health activities and purposed authorized by HIPPA, personal data regulated by the federal FERPA (Family Educational Rights and Privacy Act), and personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act.
Mandates controllers, defined as natural or legal persons that either alone or jointly determine the purpose and means of processing personal data, to comply with an authenticated (as defined) consumer request to exercise any of the five specified consumer rights, which include the right (1) to confirm whether or not a controller is processing the consumer's personal data and to access such personal data, (2) to correct inaccuracies in the consumer's personal data, (3) to delete personal data provided by or obtained about the consumer, (4) to obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, and (5) to opt out of the processing of the personal data for purposes of targeted advertising (as defined), the sale of personal data, or profiling (as defined) in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Defines consumer to mean a natural person who is a resident of the State acting only in an individual or household context; excludes a natural person acting in a commercial or employment context. Authorizes consumers to invoke the stated rights at any time by submitting a request to a controller; allows the parent or legal guardian of a child (defined to mean a natural person under 13 years old) to invoke the rights on behalf of the child regarding processing personal data belonging to the child. Details the procedure and duties of controller upon receipt of a consumer's request to exercise the consumer's rights, including responding within 45 days subject to a 45-day extension as specified, with justification for declining to take action and instruction for appeal; provision of requested information at no cost up to twice annually per consumer, with unfounded, excessive, or repetitive requests subject to administrative costs or denial; and request additional information for authentication of the request. Does not require the controller to comply with a consumer request that cannot be authenticated. Requires controllers to establish an appeals process, with a 60 day response period required for appeals determinations and an online mechanism for consumers to file complaints regarding denied appeals to the Attorney General.
Establishes requirements and limitations of controllers, including limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the processing purpose disclosed to the consumer; establishing and maintaining reasonable data security practices; and prohibiting processing sensitive data concerning a consumer without obtaining the consumer's consent (with distinct federal requirements regarding the sensitive data of a child). Defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, mental or physical diagnosis, sexual orientation, or citizenship or immigrations status; the processing of genetic or biometric data (as defined) for the purpose of uniquely identifying a natural person; the personal data collected from a known child; and precise geolocation data (as defined). Bars discrimination against consumers who exercise their consumer rights. Voids any provision of a contract or agreement that waives or limits consumer rights established in the Article. Details privacy notice requirements controllers must provide to consumers, including notice of the categories of personal data processed by the controller and the purpose for processing personal data. Requires disclosure of a controller of the sale of personal data to third parties or processing of personal data for targeted advertising, with directions on how to opt-out of such processing. Requires controllers to establish and describe in the privacy notice how consumers can submit a request to exercise their rights, as specified.
Details the responsibilities and restrictions for processors in assisting controllers to meet the Article's requirements. Requires controllers and processors to contract, and details contract requirements. Provides for the effect of a processing relationship upon liability, and determination of actions as a controller versus a processor.
Directs controllers to annually conduct and document a data protection assessment of five activities involving personal data, detailing five components and analysis of each, such as benefits from the processing to the controller, consumer and other stakeholders, the potential risks of the consumer associated with the processing, and a cybersecurity analysis, as specified. Authorizes the Attorney General to request a controller to disclose any data protection assessment relevant to an investigation, with assessments provided deemed confidential and exempt from GS Chapter 132. Provides further parameters regarding assessments. Makes the data protection assessment requirements applicable to processing activities created or generated after January 1, 2023; specifies that the requirements are not retroactive.
Lists the duties of a controller with regard to de-identified data, including public commitment to maintaining and using de-identified data without attempting to re-identify the data. Provides for three criteria which do not require a controller or processor to comply with an authenticated consumer rights request. Excludes certain pseudonymous data, defined as personal data that cannot be attributed to a specified natural person without the use of additional information that is kept separately and not attributable to an identified or identifiable natural person, from the consumer rights. Provides for the controller's responsibilities regarding pseudonymous data or de-identified data disclosed through contractual commitments with third parties, as defined.
Details the limitations of the Article, describing abilities of a controller or processor that are not restricted by the Article, interaction of the Article's requirements with evidentiary privileges, pass-through liability of controllers and third parties in violation of the Article, application of the Article to legally protected rights, authorized personal data processing purposes, and duties for exemption qualification.
Deems violations of the Article an unfair and deceptive trade practice. Places enforcement authority with the Attorney General, except for violations resulting in personal injuries that provide for a private right of action. Allows for 30 days' notice to violators to cure violations as specified, prohibiting further action given a written statement that alleged violations have been cured and no further violations will occur. Authorizes the Attorney General to seek an injunction and impose a civil penalty of up to $5,000 for each violation following the cure period or breach of an express written statement provided by the violator. Allows recovery of reasonably expenses incurred in investigating and preparing the case. Provides for an injured person seeking damages to bring a civil action for injunction, and permits the award of reasonably attorneys' fees to the prevailing party. Grants an estate the right to recover damages. Provides for venue and establishes a three year statute of limitations.
Creates the Consumer Privacy Fund (Fund) to support the work of the Attorney General's enforcement of the Article, subject to legislative appropriation. Directs the Joint Legislative Oversight Committee on Information Technology to create a work group to review the Article and its implementation, and annually report to the Committee by October 1, beginning in 2021. Lists ex officio members of the work group and permits inclusion of industry representatives and the public.
Makes conforming changes to the power and duties of the Attorney General under GS 114-2.
Effective January 1, 2023.
© 2021 School of Government The University of North Carolina at Chapel Hill
This work is copyrighted and subject to "fair use" as permitted by federal copyright law. No portion of this publication may be reproduced or transmitted in any form or by any means without the express written permission of the publisher. Distribution by third parties is prohibited. Prohibited distribution includes, but is not limited to, posting, e-mailing, faxing, archiving in a public database, installing on intranets or servers, and redistributing via a computer network or in printed form. Unauthorized use or reproduction may result in legal action against the unauthorized user.