Bill Summaries: S525 (2023-2024 Session)

Tracking:
  • Summary date: Apr 5 2023

    Titles the act as the "North Carolina Consumer Privacy Act."

    Enacts GS Chapter 75F, to be cited as the North Carolina Consumer Privacy Act. Sets forth 36 defined terms. Defines the scope of the Chapter, making the Chapter apply to any controller, defined as a person doing business in the State who determines the purposes for which and the means by which personal data are processed, or processor, defined as a person who processes data on behalf of a controller, who: (1) conducts business in the State or produces a product or service that is targeted to consumers who are residents; (2) has annual revenue of $25 million or more; and (3) who either (a) controls or processes personal data of 100,000 or more consumers during a calendar year, or (b) derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers. Lists 17 types of entities, information, and activities that are exempt from the Chapter's provisions, including governmental entities and contractors, nonprofit corporations, federally protected health and private information, and an individual's processing of personal data for personal purposes. Establishes that a controller is in compliance with the Chapter's parental consent requirements if the controller complies with the verifiable parental consent mechanisms under the federal Children's Online Privacy Protection Act (COPPA). Clarifies that the Chapter does not require actions that conflict with the federal Health Insurance Portability and Accountability Act (HIPAA).

    Establishes that the Chapter supersedes and preempts local laws regarding the processing of personal data by a controller or processor. Provides that reference to federal law includes any rules or regulations adopted thereunder.

    Establishes four consumer rights: (1) confirm whether a controller is processing the consumer's personal data and access the consumer's personal data; (2) delete the consumer's personal data that the consumer provided to the controller; (3) obtain a copy of the consumer's personal data that the consumer previously provided to the controller, in a readily usable format as described; and (4) opt out of the processing of the consumer's data for purposes of targeted advertising or the sale of personal data. Specifies that the rights do not require a person to cause a breach of security system. Provides for a consumer, parent or guardian, to submit a request to a controller specifying the right the consumer intends to exercise. Requires controllers to take action and inform the consumer of any action taken, or inform the consumer of reasons for not taking action, within 45 days after the day the controller receives a request, absent reasonable suspicion that the request is fraudulent. Provides for extension by another 45 days if reasonably necessary due to the complexity of the request or volume of requests received, subject to notice requirements. Establishes instances in which the controller can charge a fee for requested information. Adds that if a controller is unable to authenticate a consumer request using commercially reasonable efforts, the controller is not required to comply and may request the consumer provide additional information reasonably necessary to authenticate the request.

    Requires processors to adhere to controllers' instructions and as reasonably practicable, assist controllers in meeting the controllers' obligations, including security obligations. Establishes mandatory terms for contracts between contractors and processors and requires contracting prior to performing processing on behalf of the processor. Provides for determining acting as a processor versus a controller in specific processing.

    Requires a controller to provide consumers with a reasonably accessible and clear privacy notice that includes five points, such as the categories of personal data processed by the controller, the purpose of processing the categories of personal data, and how consumers may exercise a right. Requires conspicuous disclosure of the manner in which a consumer can opt out of a controller's sale of personal data to a third party or processing for targeted advertising. Requires a controller to establish, implement, and maintain reasonable administrative, technical, and physical data security practices as described. Prohibits processing sensitive data without first presenting the consumer with clear notice and an opportunity to opt out; requires compliance with COPPA for personal data concerning a known child. Prohibits specified discriminatory acts against a consumer for exercising a right; allows for different offerings when consumers opt out of targeted advertising or offerings related to a customer's voluntary participation in loyalty type programs. Adds that a controller is not required to provide a product, service, or functionality to a consumer if the personal data, or its processing, is reasonably necessary for the controller to provide the consumer the product, service, or functionality, and the consumer does not provide the personal data or allow for its processing. Deems contractual provisions that waive or limit a consumer's rights void.

    Lists actions that the Chapter does not require of controllers or processors, including reidentifying de-identified data or pseudonymous data. Details responsibilities related to pseudonymous data. Lists 14 actions of controllers or processors which are not restricted by the Chapter, including compliance with civil, criminal, or regulatory inquiries, investigations, subpoenas, or summons by a federal, State, local, or other governmental entity. Sets limits for the Chapter's application, such as when compliance would violate evidentiary privilege under State law or would adversely affect the privacy or rights of any person. Deems controllers and processors not in violation of the Chapter when disclosing personal data to third-party controllers or processors in compliance with the Chapter, the third party processes in violation of the Chapter, and the controller or processor did not have actual knowledge of the third party's intent to commit a violation. Places the burden of demonstrating the processing is exempt on the controller. Specifies that the Chapter does not require disclosure of a trade secret.

    Specifies that the Chapter provides no right to a private cause of action. Directs the Consumer Protection Division of the Department of Justice (Division) to establish and administer a system to receive consumer complaints regarding alleged violations and authorizes the Division to investigate consumer complaints. Grants the Attorney General exclusive enforcement authority upon referral from the Division. Details enforcement procedures, including notice of violations, and an opportunity to cure noticed violations. Provides for recovery of actual damages to the consumer and up to $7,500 for each violation; requires allocation of liabilities among multiple processors and controllers involved in the same processing violation.

    Creates the Consumer Privacy Account (Account), funded by money received through civil enforcement actions. Allows for the funds, upon legislative appropriation, to be used by the Attorney General for investigation and administrative costs relating to Chapter violations, recovery of costs and attorneys' fees incurred during enforcement, and providing consumer and business education relating to the Chapter. Requires annual transfer of amounts exceeding $4 million in the Account to the General Fund.

    Directs the Attorney General and the Division to report to the specified NCGA committee by July 1, 2025, evaluating the liability and enforcement provisions of the Chapter, and summarizing the data protected and not protected. Allows updating the report as new information becomes available.

    Effective January 1, 2024. 


  • Summary date: Apr 3 2023

    To be summarized.