Read the full stored bill text
GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2025
H 2
HOUSE BILL 462
Committee Substitute Favorable 4/29/25
Short Title: Personal Data Privacy/Social Media Safety. (Public)
Sponsors:
Referred to:
March 20, 2025
*H462-v-2*
A BILL TO BE ENTITLED 1
AN ACT TO PROTECT NORTH CAROLINIANS BY ENACTING THE PERSONAL DATA 2
PRIVACY ACT AND SOCIAL MEDIA SAFETY ACT. 3
The General Assembly of North Carolina enacts: 4
5
PART I. ENACT PERSONAL DATA PRIVACY ACT 6
SECTION 1.1. This Part shall be known and may be cited as the "North Carolina 7
Personal Data Privacy Act." 8
SECTION 1.2. Effective January 1, 2026, the General Statutes are amended by 9
adding a new Chapter to read: 10
"Chapter 75F. 11
"Data Privacy Act. 12
"§ 75F-101. Short title. 13
This Chapter shall be known and may be cited as the "North Carolina Data Privacy Act." 14
"§ 75F-102. Definitions. 15
The following definitions apply in this Chapter: 16
(1) Affiliate. – A legal entity that shares common branding with another legal 17
entity or controls, is controlled by, or is under common control with another 18
legal entity. For the purposes of this subdivision, "control" or "controlled" 19
means any of the following: 20
a. Ownership of, or the power to vote, more than fifty percent (50%) of 21
the outstanding shares of any class of voting security of a legal entity. 22
b. Control in any manner over the election of a majority of the directors 23
or of individuals exercising similar functions. 24
c. The power to exercise controlling influence over the management of a 25
legal entity. 26
(2) Authenticate. – To use reasonable means to determine that a request to 27
exercise any of the rights afforded under G.S. 75F-104(a)(1) to (4), inclusive, 28
is being made by, or on behalf of, the consumer who is entitled to exercise the 29
consumer rights with respect to the personal data at issue. 30
(3) Biometric data. – Personal information and data generated by automatic 31
measurements of an individual 's unique biological characteristics, such as a 32
fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns 33
or characteristics that can be used to identify or authenticate a specific 34
individual. "Biometric data" does not include any of the following: 35
a. A digital or physical photograph. 36
General Assembly Of North Carolina Session 2025
Page 2 House Bill 462-Second Edition
b. An audio or video recording. 1
c. Any data generated from a digital or physical photograph, or an audio 2
or video recording, unless the data is generated to identify a specific 3
individual. 4
(4) Child. – As defined in COPPA. 5
(5) Child abuse. – Any conduct that would make an individual under 18 years of 6
age qualify as an abused juvenile under G.S. 7B-101 or any equivalent 7
provision in the laws of any other state ; the United States ; any territory, 8
district, or subdivision of the United States; or any foreign jurisdiction. 9
(6) Consent. – A clear affirmative act signifying a consumer 's freely given, 10
specific, informed, and unambiguous agreement to allow the processing of 11
personal data relating to the consumer. "Consent" may include a written 12
statement, including by electronic means, or any other unambiguous 13
affirmative action. "Consent" does not include any of the following: 14
a. Acceptance of a general or broad terms of use or similar document that 15
contains descriptions of personal data processing alon g with other, 16
unrelated information. 17
b. Hovering over, muting, pausing, or closing a given piece of content. 18
c. Agreement obtained through the use of dark patterns. 19
(7) Consumer. – An individual who is a resident of this State. "Consumer" does 20
not include an individual acting in a commercial or employment context or as 21
an employee, owner, director, officer, or contractor of a company, partnership, 22
sole proprietorship, nonprofit organization, or government agency whose 23
communications or tra nsactions with the controller occur solely within the 24
context of that individual 's role with the company, partnership, sole 25
proprietorship, nonprofit organization, or government agency. 26
(8) Controller. – A person that, alone or jointly with others, determi nes the 27
purpose and means of processing personal data. 28
(9) COPPA. – The Children's Online Privacy Protection Act of 1998, 15 U.S.C. 29
§ 6501, et seq., as amended, and the regulations, rules, guidance, and 30
exemptions adopted pursuant to the act, and such regulations, rules, guidance, 31
and exemptions as may be amended. 32
(10) Dark pattern. – Any of the following: 33
a. A user interface designed or manipulated with the substantial effect of 34
subverting or impairing user autonomy, decision making, or choice. 35
b. Any other practice the Federal Trade Commission refers to as a dark 36
pattern. 37
(11) Decisions that produce legal or similarly significant effects concerning the 38
consumer. – Decisions made by the controller that result in the provision or 39
denial by the controller of financial or lending services, housing, insurance, 40
education enrollment or opportunity, criminal justice, employment 41
opportunities, health care services, or access to essential goods or services. 42
(12) De-identified data. – Data that cannot reasonably be used to infer information 43
about, or otherwise be linked to, an identified or identifiable individual, or a 44
device linked to the individual, if the controller that possesses the data does 45
all of the following: 46
a. Takes reasonable measures to ensure that the data cannot be associated 47
with an individual. 48
b. Publicly commits to process the data only in a de -identified fashion 49
and not attempt to re-identify the data. 50
General Assembly Of North Carolina Session 2025
House Bill 462-Second Edition Page 3
c. Contractually obligates any recipients of the data to comply with all of 1
the provisions of this Chapter applicable to the controller with respect 2
to the data. 3
(13) Domestic violence. – As defined in G.S. 14-32.5 or any equivalent provision 4
in the laws of any other state ; the United States ; any territ ory, district, or 5
subdivision of the United States; or any foreign jurisdiction. 6
(14) Genetic data. – Any data, regardless of its format, that results from the analysis 7
of a biological sample of an individual, or from another source enabling 8
equivalent information to be obtained, and concerns genetic material. For 9
purposes of this subdivision, "genetic material " includes deoxyribonucleic 10
acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, 11
genomes, alterations or modifications to DNA or RNA, single nucleotide 12
polymorphisms (SNPs), uninterpreted data that results from analysis o f the 13
biological sample or other source, and any information extrapolated, derived, 14
or inferred therefrom. 15
(15) HIPAA. – The Health Insurance Portability and Accountability Act of 1996, 16
42 U.S.C. § 1320d, et seq., as amended. 17
(16) Human trafficking. – The offense defined in G.S. 14-43.11 or any equivalent 18
provision in the laws of any other state ; the United States ; any territory, 19
district, or subdivision of the United States; or any foreign jurisdiction. 20
(17) Identified or identifiable individual. – An individual who can be readily 21
identified, directly or indirectly. 22
(18) Nonprofit organization. – Any organization that is exempt from taxation under 23
section 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12) of the Internal Revenue 24
Code of 1986, or any subsequ ent corresponding internal revenue code of the 25
United States, as amended. 26
(19) Personal data. – Any information that is linked or reasonably linkable to an 27
identified or identifiable individual and does not include de-identified data or 28
publicly available information. 29
(20) Precise geolocation data. – Information derived from technology, including 30
global positioning system level latitude and longitude coordinates or other 31
mechanisms, that directly identifies the specific location of an individual with 32
precision and accuracy within a radius of 1,750 feet. "Precise geolocation 33
data" does not include the content of communications or any data generated 34
by or connected to advanced utility metering infrastructure systems or 35
equipment for use by a utility. 36
(21) Process or processing. – Any operation or set of operations performed, 37
whether by manual or automated means, on personal data or on sets of 38
personal data, such as the collection, use, storage, disclosure, analysis, 39
deletion, or modification of personal data. 40
(22) Processor. – A person that processes personal data on behalf of a controller. 41
(23) Profiling. – Any form of automated processing performed on personal data to 42
evaluate, analyze, or predict personal aspects related to an identified or 43
identifiable individual's economic situation, health, demographic 44
characteristics, personal preferences, interests, reliability, behavior, location, 45
or movements. 46
(24) Pseudonymous data. – Personal data that cannot be attributed to a specific 47
individual without the use of additional information, provided the additional 48
information is kept separately and is subject to appropriate technical and 49
organizational measures to ensure that the personal data is not attributed to an 50
identified or identifiable individual. 51
General Assembly Of North Carolina Session 2025
Page 4 House Bill 462-Second Edition
(25) Publicly available information. – Information that is lawfully made readily 1
available to the general public through federal, State, or local government 2
records or widely distributed media and a controller has a reasonable basis to 3
believe a consumer has lawfully made readily available to the general public. 4
(26) Sale of personal data. – The exchange or transfer of personal data for monetary 5
or other valuable consideration by the controller to a third party. "Sale of 6
personal data" does not include any of the following: 7
a. The disclosure of personal data to a processor that processes the 8
personal data on behalf of the controller where limited to the purpose 9
of the processing. 10
b. The disclosure of personal data to a third party for purposes of 11
providing a product or service affirmatively requested by the 12
consumer. 13
c. The disclosure or transfer of personal data to an affiliate of the 14
controller. 15
d. The disclosure of personal data where the consumer directs the 16
controller to disclose the personal data or intentionall y uses the 17
controller to interact with a third party. 18
e. The disclosure of personal data that the consumer intentionally made 19
available to the general public via a channel of mass media and did not 20
restrict to a specific audience. 21
f. The disclosure or transfer of personal data to a third party as an asset 22
that is part of a merger, acquisition, bankruptcy, or other similar 23
transaction in which the third party assumes control of all or part of 24
the controller's assets, or a proposed merger, acquisition, bankru ptcy, 25
or other similar transaction in which the third party assumes control of 26
all or part of the controller's assets. 27
(27) Sensitive data. – Personal data that includes any of the following: 28
a. Data revealing racial or ethnic origin, religious beliefs, me ntal or 29
physical health condition or diagnosis (including pregnancy), sex life, 30
sexual orientation, status as transgender or nonbinary, national origin, 31
citizenship status, or immigration status. 32
b. Genetic or biometric data. 33
c. Personal data of a known child. 34
d. Precise geolocation data. 35
(28) Sexual assault. – Any sexually violent offense as defined in G.S. 14-208.6 or 36
any equivalent provision in the laws of any other state; the United States; any 37
territory, district, or subdivision of the United States ; or any foreign 38
jurisdiction. 39
(29) Stalking. – The offense defined in G.S. 14-277.3A or any equivalent provision 40
in the laws of any other state ; the United States ; any territory, district, or 41
subdivision of the United States; or any foreign jurisdiction. 42
(30) Targeted advertising. – Displaying advertisements to a consumer where the 43
advertisement is selected based on personal data obtained or inferred from that 44
consumer's activities over time and across nonaffiliated internet websites or 45
online applications to predict the consumer's preferences or interests. 46
"Targeted advertising" does not include any of the following: 47
a. Advertisements based on activities within a controller 's own internet 48
websites or online applications. 49
b. Advertisements based on the context of a consumer 's current search 50
query, visit to an internet website, or online application. 51
General Assembly Of North Carolina Session 2025
House Bill 462-Second Edition Page 5
c. Advertisements directed to a consumer in direct response to the 1
consumer's request for information or feedback. 2
d. Processing personal data solely to meas ure or report advertising 3
frequency, performance, or reach. 4
(31) Third party. – With respect to personal data controlled by a controller, any 5
person other than the relevant consumer, the controller of the personal data, 6
or a processor or an affiliate of the processor or the controller. 7
(32) Trade secret. – As defined in Chapter 66, 95, or 113 of the General Statutes. 8
(33) Violent felony. – As defined in G.S. 14-7.7 and includes any equivalent 9
provision in the laws of any other state ; the United States ; any territory, 10
district, or subdivision of the United States; or any foreign jurisdiction. 11
"§ 75F-103. Applicability of Chapter. 12
(a) This Chapter applies to persons that conduct business in the State or persons that 13
produce products or services that are targeted to residents of the State and that during the 14
preceding calendar year did any of the following: 15
(1) Controlled or processed the personal data of not less than 35,000 consumers, 16
excluding personal data controlled or processed solely for the purpose of 17
completing a payment transaction. 18
(2) Controlled or processed the personal data of not less than 10,000 consumers 19
and derived more than twenty percent (20%) of their gross revenue from the 20
sale of personal data. 21
(b) This Chapter does not apply to any of the following entities: 22
(1) Any regulatory, administrative, advisory, executive, appointive, legislative, or 23
judicial body of the State or a political subdivision of the State, including any 24
board, bureau, commission, or agency of the State or a politica l subdivision 25
of the State, but excluding any institution of higher education. 26
(2) Any financial institution or affiliate of a financial institution governed by, or 27
personal data collected, processed, or disclosed in accordance with, Title V of 28
the Gra mm-Leach-Bliley Act, 15 U.S.C. § 6801 , et se q., and related 29
regulations. 30
(c) This Chapter does not apply to the following information and data: 31
(1) Protected health information as defined in 45 C.F.R. § 160.103. 32
(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2. 33
(3) Identifiable private information, as defined in 45 C.F.R. § 46.102, to the extent 34
that it is used for purposes of the federal policy for the protection of human 35
subjects pursuant to 45 C.F.R. § 46. 36
(4) Identifiable private information to the extent it is collected and used as part of 37
human subjects research pursuant to the ICH E6 Good Clinical Practice 38
Guideline issued by the International Council for Harmonisation of Technical 39
Requirements for Pharmaceuticals for Human Use or the protection of human 40
subjects under 21 C.F.R. §§ 50 and 56. 41
(5) Patient safety work product, as defined in 42 C.F.R. § 3.20, that is created and 42
used for purposes of patient safety improvement pursuant to 42 C.F.R. § 3, 43
established pursuant to 42 U.S.C. §§ 299b–21 to 299b–26. 44
(6) Information to the extent it is used for public health, community health, or 45
population health activities and purposes, as authorized by HIPAA, when 46
provided by or to a Covered Entity, as defined in 45 C.F.R. § 160.103, or when 47
provided by or to a Business Associate , as defined in 45 C.F.R. § 160.103, 48
pursuant to a Business Associate Agreement with a Covered Entity. 49
(7) The collection, maintenance, disclosure, sale, communication, or use of any 50
personal information bearing on a consumer 's credit worthiness, credit 51
General Assembly Of North Carolina Session 2025
Page 6 House Bill 462-Second Edition
standing, credit capacity, character, general reputation, personal 1
characteristics, or mode of living by a consumer reporting agency, furnisher, 2
or user that provides information for use in a consumer report, and by a user 3
of a consumer report, but only to the extent that the activity is regulated by 4
and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681, 5
et seq., as amended). 6
(8) Personal data collected, processed, sold, or disclosed in complianc e with the 7
Driver's Privacy Protection Act of 1994, 18 U.S.C. § 2721, et seq., as 8
amended. 9
(9) Personal data regulated by the Family Educational Rights and Privacy Act, 20 10
U.S.C. § 1232g, et seq., as amended. 11
(10) Personal data collected, processed, sold, or disclosed in compliance with the 12
Farm Credit Act, 12 U.S.C. § 2001, et seq., as amended. 13
(11) Data processed or maintained in any of the following ways: 14
a. In the course of an individual applying to, employed by, or acting as 15
an agent or independent contractor of a controller, processor, or third 16
party, to the extent that the data is collected and used within the context 17
of that role. 18
b. As the emergency contact information of an individual, used for 19
emergency contact purposes. 20
c. Necessary to retain to administer benefits for another individual 21
relating to the individual who is the subject of the information under 22
sub-subdivision a. of this sub division and used for the purposes of 23
administering the benefits. 24
(12) Personal data collected, processed, sold, or disclosed in relation to price, route, 25
or service, as the terms are used in the Airline Deregulation Act, 49 U.S.C. § 26
40101, et seq., as amended, by an air carrier subject to said act, to the extent 27
any part of this Chapter is preempted by the Airli ne Deregulation Act, 49 28
U.S.C. § 41713, as amended. 29
(13) Personal data of a victim of or witness to child abuse, domestic violence, 30
human trafficking, sexual assault, violent felony, or stalking that is collected, 31
processed, or maintained by a nonprofit organization that provides services to 32
victims of or witnesses to child abuse, domestic violence, human trafficking, 33
sexual assault, violent felony, or stalking. 34
(d) Controllers and processors that comply with the verifiable parental consent 35
requirements of COPPA shall be deemed compliant with any obligation to obtain parental 36
consent set forth in this Chapter with respect to a consumer who is a child. 37
"§ 75F-104. Consumer personal data rights. 38
(a) A consumer has the right to do all of the following: 39
(1) Confirm whether a controller is processing the consumer 's personal data and 40
access the personal data, unless the confirmation or access would require the 41
controller to reveal a trade secret. 42
(2) Correct inaccuracies in the consumer 's personal data, taking into account the 43
nature of the personal data and the purposes of the processing of the 44
consumer's personal data. 45
(3) Have personal data provided by, or obtained about, the consumer deleted. 46
(4) Obtain a copy of the consumer's personal data processed by the controller, in 47
a portable and, to the extent technically feasible, readily usable format that 48
allows the consumer to transmit the data to another controller without 49
hindrance, where the processing is carried out by automated means, provided 50
the controller shall not be required to reveal any trade secret. 51
General Assembly Of North Carolina Session 2025
House Bill 462-Second Edition Page 7
(5) Obtain a list of the specific third parties to which the controller has disclosed 1
the consumer 's personal data. If the controller does not maintain this 2
information in a format specific to the consumer, a list of specific third parties 3
to whom the controller has disclosed any consumers ' personal data may be 4
provided instead. 5
(6) Opt out of the processing of the personal data for purposes of any of the 6
following: 7
a. Targeted advertising. 8
b. The sale of personal data, except as provided in G.S. 75F-106(b). 9
c. Profiling in furtherance of solely automated decisions that produce 10
legal or similarly significant effects concerning the consumer. 11
(b) A consumer may exercise rights under this section by secure and reliable means 12
established by the controller and described to the consumer in the controller 's privacy notice. A 13
consumer may designate an authorized agent in accordance with G.S. 75F-105 to exercise the 14
rights of the consumer to opt out of the processing of the consumer 's personal data for purposes 15
of subdivision ( 6) of subsection (a) of this section on behalf of the consumer. In the case of 16
processing personal data of a known child, the parent or legal guardian may exercis e the 17
consumer rights on the child 's behalf. In the case of processing personal data concerning a 18
consumer subject to a guardianship, conservatorship , or other protective arrangement, the 19
guardian or the conservator of the consumer may exercise the rights on the consumer's behalf. 20
(c) Except as otherwise provided in this Chapter, a controller shall comply with a request 21
by a consumer to exercise the consumer rights authorized pursuant to said sections as follows: 22
(1) A controller shall respond to the consum er without undue delay but not later 23
than 45 days after receipt of the request. The controller may extend the 24
response period by 45 additional days when reasonably necessary, considering 25
the complexity and number of the consumer's requests, provided the controller 26
informs the consumer of any such extension within the initial 45-day response 27
period and of the reason for the extension. 28
(2) If a controller declines to take action regarding the consumer 's request, the 29
controller shall inform the consumer without undue delay but not later than 45 30
days after receipt of the request of the justification for declining to take action 31
and instructions for how to appeal the decision. 32
(3) Information provided in response to a consumer request shall be provided by 33
a controller, free of charge, once per consumer during any 12 -month period. 34
If requests from a consumer are manifestly unfounded, excessive , or 35
repetitive, the controller may charge the consumer a reasonable fee to cover 36
the administrative costs of complying with the request or decline to act on the 37
request. The controller bears the burden of demonstrating the manifestly 38
unfounded, excessive, or repetitive nature of the request. 39
(4) If a controller is unable to authenticate a request to exercise any of the rights 40
afforded under subdivisions (1) through (5), inclusive, of subsection (a) of this 41
section using commercially reasonable efforts, the controller shall not be 42
required to comply with a request to initiate an action pursuant to this section 43
and shall provide notice to the consumer that the controller is unable to 44
authenticate the request to exercise the right or rights until the consumer 45
provides additional information reasonably necessary to authenticate the 46
consumer and the consumer's request to exercise the right or rights. A 47
controller shall not be required to authenticate an opt -out request, but a 48
controller may deny an opt -out request if the controller has a good -faith, 49
reasonable, and documented belief that the request is fraudulent. If a controller 50
denies an opt -out request because the controller believes the request is 51
General Assembly Of North Carolina Session 2025
Page 8 House Bill 462-Second Edition
fraudulent, the controller shall send a notice to the person who made the 1
request disclosing that the controller believes the request is fraudulent, why 2
the controller believes the request is fraudulent, and that the controller shall 3
not comply with the request. 4
(5) A controller that has obtained personal data about a consumer from a source 5
other than the con sumer shall be deemed in compliance with a consumer 's 6
request to delete the data pursuant to subdivision (3) of subsection (a) of this 7
section if the controller retains a record of the deletion request and the 8
minimum data necessary for the purpose of ensuring the consumer's personal 9
data remains deleted from the controller's records and does not use the retained 10
data for any other purpose. 11
(d) A controller shall establish a process for a consumer to appeal the controller's refusal 12
to take action on a request within a reasonable period of time after the consumer's receipt of the 13
decision. The appeal process shall be conspicuously available and similar to the process for 14
submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt 15
of an appeal, a controller shall inform the consumer in writing of any action taken or not taken 16
in response to the appeal, including a written explanation of the reasons for the decisions. If the 17
appeal is denied, the controller shall als o provide the consumer with an online mechanism, if 18
available, or other method through which the consumer may contact the Department of Justice 19
to submit a complaint. 20
"§ 75F -105. Designation of agent to exercise rights of consumer, including through 21
universal opt-out mechanisms. 22
(a) A consumer may designate an authorized agent to act on the consumer's behalf to opt 23
out of the processing of the consumer's personal data for one or more of the purposes specified 24
in G.S. 75F-104(a)(6). The consumer may designate the authorized agent by way of, among other 25
things, a platform, technology, or mechanism, including an internet link or a browser setting, 26
browser extension, or global device setting, indicating the consumer's intent to opt out of the 27
processing. For the purposes of the designation, the platform, technology, or mechanism may 28
function as the agent for purposes of conveying the consumer's decision to opt out. 29
(b) A controller shall comply with an opt-out request received from an authorized agent 30
if the controller is able to verify, with commercially reasonable effort, the identity of the 31
consumer and the authorized agent 's authority to act on the consumer's behalf. The North 32
Carolina Department of Justice may publish or reference on its w ebsite a list of agents who 33
presumptively shall have the authority unless the controller has established a reasonable basis to 34
conclude that the agent lacks such authority. 35
"§ 75F-106. Duties of controllers. 36
(a) A controller shall do all of the following: 37
(1) Limit the collection of personal data to what is adequate, relevant, and 38
reasonably necessary in relation to the purposes for which the data is 39
processed, as disclosed to the consumer. 40
(2) Except as otherwise permitted by this Chapter, not process personal data for 41
purposes that are neither reasonably necessary to, nor compatible with, the 42
disclosed purposes for which the personal data is processed, as disclosed to 43
the consumer, unless the controller obtains the consumer's consent. 44
(3) Establish, implement, and maintain reasonable administrative, technical, and 45
physical data security practices to protect the confidentiality, integrity, and 46
accessibility of personal data appropriate to the vol ume and nature of the 47
personal data at issue. 48
(4) Not process sensitive data concerning a consumer without obtaining the 49
consumer's consent or, in the case of the processing of sensitive data 50
General Assembly Of North Carolina Session 2025
House Bill 462-Second Edition Page 9
concerning a known child, without first obtaining consent from t he child 's 1
parent or lawful guardian. 2
(5) Not process personal data in violation of the laws of this State and federal laws 3
that prohibit unlawful discrimination. 4
(6) Provide an effective mechanism for a consumer to revoke the consumer 's 5
consent under this section that is at least as easy as the mechanism by which 6
the consumer provided the consumer 's consent and, upon revocation of the 7
consent, cease to process the data as soon as practicable but not later than 15 8
days after the receipt of the request. 9
(7) Not process the personal data of a consumer for purposes of targeted 10
advertising, or sell the consumer 's personal data without the consumer 's 11
consent, under circumstances where a controller has actual knowledge or 12
willfully disregards that the consumer is at least 13 years of age but younger 13
than 18 years of age. 14
(8) Not discriminate against a consumer for exercising any of the consumer rights 15
contained in this Chapter, including denying goods or services, charging 16
different prices or rates for goods or services, or providing a different level of 17
quality of goods or services to the consumer. 18
(b) Nothing in subsection (a) of this section shall be construed to require a controller to 19
provide a product or service that requires the personal data of a consumer wh ich the controller 20
does not collect or maintain, or prohibit a controller from offering a different price, rate, level, 21
quality, or selection of goods or services to a consumer, including offering goods or services for 22
no fee, if the offering is in connect ion with a consumer 's voluntary participation in a bona fide 23
loyalty, rewards, premium features, discounts, or club card program. 24
(c) A controller shall provide consumers with a reasonably accessible, clear, and 25
meaningful privacy notice that includes all of the following: 26
(1) The categories of personal data processed by the controller. 27
(2) The purpose for processing personal data. 28
(3) How consumers may exercise their consumer rights, including how a 29
consumer may appeal a controller 's decision with regard t o the consumer 's 30
request. 31
(4) The categories of personal data that the controller shares with third parties, if 32
any. 33
(5) The categories of third parties with which the controller shares personal data, 34
if any. 35
(6) An active electronic mail address or other online mechanism that the 36
consumer may use to contact the controller. 37
(d) If a controller sells personal data to third parties or processes personal data for targeted 38
advertising, the controller shall clearly and conspicuously disclose the processing, as well as the 39
manner in which a consumer may exercise the right to opt out of the processing. 40
(e) A controller shall establish and shall describe in the privacy notice required by 41
subsection (c) of this section one or more secure and reliable means for consum ers to submit a 42
request to exercise their consumer rights pursuant to this Chapter. The means shall take into 43
account the ways in which consumers normally interact with the controller, the need for secure 44
and reliable communication of the requests, and the ability of the controller to verify the identity 45
of the consumer making the request. A controller shall not require a consumer to create a new 46
account in order to exercise consumer rights but may require a consumer to use an existing 47
account. Any such means shall include all of the following: 48
(1) Providing a clear and conspicuous link on the controller 's internet website to 49
an internet webpage that enables a consumer, or an agent of the consumer, to 50
opt out of the targeted advertising or the sale of the consumer's personal data. 51
General Assembly Of North Carolina Session 2025
Page 10 House Bill 462-Second Edition
(2) Allowing a consumer to opt out of any processing of the consumer's personal 1
data for the purposes of targeted advertising, or any sale of the personal data, 2
through an opt-out preference signal sent, with the consumer's consent, by a 3
platform, technology, or mechanism to the controller indicating the 4
consumer's intent to opt out of any such processing or sale. The platform, 5
technology, or mechanism shall do all of the following: 6
a. Not unfairly disadvantage another controller. 7
b. Not make use of a default setting but, rather, require the consumer to 8
make an affirmative, freely given, and unambiguous choice to opt out 9
of any processing of the consumer's personal data pursuant to this 10
Chapter. 11
c. Be consumer-friendly and easy to use by the average consumer. 12
d. Be as consistent as possible with any other similar platform, 13
technology, or mechanism required by any federal or State law or 14
regulation. 15
e. Enable the controller to reasonably determine whether the consumer 16
is a res ident of the State and whether the consumer has made a 17
legitimate request to opt out of any sale of the consumer's personal 18
data or targeted advertising. 19
(f) If a consumer's decision to opt out of any processing of the consumer's personal data 20
for the purposes of targeted advertising, or any sale of the personal data, through an opt -out 21
preference signal sent in accordance with the provisions of subdivision (1) of this subsection 22
conflicts with the consumer 's existing controller -specific privacy setting or voluntary 23
participation in a controller 's bona fide loyalty, rewards, premium features, discounts , or club 24
card program, the controller shall comply with the consumer's opt-out preference signal but may 25
notify the consumer of the conflict and provide to the consumer the choice to confirm the 26
controller-specific privacy setting or participation in the program. 27
(g) If a controller responds to consumer opt‐out requests received pursuant to subdivision 28
(1) of this subsection by informing the consumer of a charge for the use of any product or service, 29
the controller shall present the terms of any financial incentive offered pursuant to subdivision 30
(2) of this subsection for the retention, use, sale, or sharing of the consumer's personal data. 31
"§ 75F-107. Duties of processors. 32
(a) A processor shall adhere to the instructions of a controller and shall assist the 33
controller in meeting the controller's obligations under this Chapter. The assistance must include 34
all of the following: 35
(1) Taking into account the nature of processing and the information available to 36
the processor, by appropriate technical and organizational measures, insofar 37
as is reasonably practicable, to fulfill the controller's obligation to respond to 38
consumer rights requests. 39
(2) Taking into account the nature of processing and the information available to 40
the processor, by assisting the controller in meeting the controller's obligations 41
in relation to the security of processing the personal data and in relation to the 42
notification of a breach of security of the system of the processor, in order to 43
meet the controller's obligations. 44
(3) Providing necessary information to enable the controller to conduct and 45
document data protection assessments. 46
(b) A contract between a controller and a processor must govern the processor 's data 47
processing procedures with respect to processing performed on behalf of the controller. The 48
contract must be binding and clearly set forth instructions for processing data, the nature and 49
purpose of processing, the type of data subject to processing, the duration of processing, and the 50
General Assembly Of North Carolina Session 2025
House Bill 462-Second Edition Page 11
rights and obligations of both parties. The contract must also require that the processor do all of 1
the following: 2
(1) Ensure that each person processing personal data is subject to a duty of 3
confidentiality with respect to the data. 4
(2) At the controller's direction, delete or return all personal data to the controller 5
as requested at the end of the provision of services, unless retention of the 6
personal data is required by law. 7
(3) Upon the reasonable request of the controller, make available to the controller 8
all information in its possession necessary to demonstrate the processor 's 9
compliance with the obligations in this Chapter. 10
(4) After providing the controller an opportunity to object, engage any 11
subcontractor pursuant to a written contract that requires the subcontractor to 12
meet the obligations of the processor with respect to the personal data. 13
(5) Allow, and cooperate with, reasonable assessments b y the controller or the 14
controller's designated assessor, or the processor may arrange for a qualified 15
and independent assessor to conduct an assessment of the processor's policies 16
and technical and organizational measures in support of the obligations under 17
this Chapter, using an appropriate and accepted control standard or framework 18
and assessment procedure for the assessments. The processor shall provide a 19
report of the assessment to the controller upon request. 20
(c) Nothing in this section may be construed to relieve a controller or processor from the 21
liabilities imposed on the controller or processor by virtue of the controller's or processor's role 22
in the processing relationship, as described in this Chapter. 23
(d) Determining whether a person is acting as a controller or processor with respect to a 24
specific processing of data is a fact-based determination that depends upon the context in which 25
personal data is to be processed. A person who is not limited in the person's processing of 26
personal data pursuant to a controller's instructions, or who fails to adhere to the instructions, is 27
a controller and not a processor with respect to a specific processing of data. A processor that 28
continues to adhere to a controller's instructions with respect to a specific processing of personal 29
data remains a processor. If a processor begins, alone or jointly with others, determining the 30
purposes and means of the processing of personal data, the processor is a controller with respect 31
to the processing and may be subject to an enforcement action under this Chapter. 32
"§ 75F-108. Data protection assessments. 33
(a) A controller that controls or processes the data of not less than 100,000 consumers, 34
excluding data controlled or processed solely for the purpose of completing a payme nt 35
transaction, shall conduct and document, on a regular basis, a data protection assessment for each 36
of the controller's processing activities that presents a heightened risk of harm to a consumer. For 37
the purposes of this section, processing that present s a heightened risk of harm to a consumer 38
includes any of the following: 39
(1) The processing of personal data for the purposes of targeted advertising. 40
(2) The sale of personal data. 41
(3) The processing of personal data for the purposes of profiling, where the 42
profiling presents a reasonably foreseeable risk of any of the following: 43
a. Unfair or deceptive treatment of, or unlawful disparate impact on, 44
consumers. 45
b. Financial, physical, or reputational injury to consumers. 46
c. A physical or other intrusion upo n the solitude or seclusion, or the 47
private affairs or concerns, of consumers, where the intrusion would 48
be offensive to a reasonable person. 49
d. Other substantial injury to consumers. 50
(4) The processing of sensitive data. 51
General Assembly Of North Carolina Session 2025
Page 12 House Bill 462-Second Edition
(b) Data protection assessments conducted pursuant to subsection (a) of this section shall 1
identify and weigh the benefits that may flow, directly and indirectly, from the processing to the 2
controller, the consumer, other stakeholders, and the public against the potential risks to the rights 3
of the consumer associated with the processing, as mitigated by safeguards that can be employed 4
by the controller to reduce the risks. The controller shall factor into any such data protection 5
assessment the use of de -identified data and the reasonable expectations of consumers, as well 6
as the context of the processing and the relationship between the controller and the consumer 7
whose personal data will be processed. 8
(c) The Attorney General may require that a controller disclose any data protection 9
assessment that is relevant to an investigation conducted by the Attorney General, and the 10
controller shall make the data protection assessment available to the Attorney General. The 11
Attorney General may evaluate the data protection assessment for compliance w ith the 12
responsibilities set forth in this Chapter. Data protection assessments must be treated as 13
confidential and are not public records within the meaning of Chapter 132 of the General Statutes. 14
Notwithstanding the foregoing, a controller's data protection assessment may be used in an action 15
to enforce this Chapter. To the extent any information contained in a data protection assessment 16
disclosed to the Attorney General includes and conspicuously identifies information subject to 17
attorney-client privilege or work product protection, the disclosure by itself does not constitute a 18
waiver of the privilege or protection. 19
(d) A single data protection assessment may address a comparable set of processing 20
operations that include similar activities. 21
(e) If a controller conducts a data protection assessment for the purpose of complying 22
with another applicable law or regulation, the data protection assessment shall be deemed to 23
satisfy the requirements established in this section if the data protection assessment is reasonably 24
similar in scope and effect to the data protection assessment that would otherwise be conducted 25
pursuant to this section. 26
"§ 75F-109. De-identified data. 27
(a) Nothing in this Chapter shall be construed to require a controller or proces sor to 28
re-identify de-identified data or pseudonymous data, or to maintain data in identifiable form, or 29
collect, obtain, retain, or access any data or technology, in order to be capable of associating an 30
authenticated consumer request with personal data. 31
(b) Nothing in this Chapter shall be construed to require a controller or processor to 32
comply with an authenticated consumer rights request if all of the following apply: 33
(1) The controller is not reasonably capable of associating the request with the 34
personal data or it would be unreasonably burdensome for the controller to 35
associate the request with the personal data. 36
(2) The controller does not use the personal data to recognize or respond to the 37
specific consumer who is the subject of the personal data or associate the 38
personal data with other personal data about the same specific consumer. 39
(3) The controller does not sell the personal data to any third party or otherwise 40
voluntarily disclose the personal data to any third party other than a processor, 41
except as otherwise permitted in this section. 42
(c) The rights afforded under G.S. 75F-104(a)(1) to (4) , inclusive, do not apply to 43
pseudonymous data in cases where the controller is able to demonstrate that any information 44
necessary to identify the consumer is kept separately and is subject to effective technical and 45
organizational controls that prevent the controller from accessing the information. 46
(d) A controller that discloses pseudonymous data or de -identified data shall exercise 47
reasonable oversight to monitor compliance with any contractual commitments to which the 48
pseudonymous data or de -identified data is subject and shall take appropriate steps to address 49
any breaches of those contractual commitments. The determination of the reasonableness of the 50
General Assembly Of North Carolina Session 2025
House Bill 462-Second Edition Page 13
oversight and the appropriateness of contractual enforcement must take into account whether the 1
disclosed data includes data that would be sensitive data if it were re-identified. 2
"§ 75F-110. Exclusions. 3
(a) Nothing in this Chapter shall be construed to restrict a controller 's or processor 's 4
ability to do any of the following: 5
(1) Comply with federal, State, or local laws, rules, or regulations. 6
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, 7
or summons by federal, State, local, or other governmental authorities. 8
(3) Cooperate with law enforcement agencies concerning conduct or activity that 9
the controller or processor reasonably and in good faith believes may violate 10
federal, State, or local laws, rules, or regulations. 11
(4) Investigate, establish, exercise, prepare for, or defend legal claims. 12
(5) Provide a product or service specifically requested by a consumer. 13
(6) Perform under a contract to which a consumer is a party, including fulfilling 14
the terms of a written warranty. 15
(7) Take steps at the request of a consumer prior to entering into a contract. 16
(8) Take immediate steps to protect an interest that is essential for the life or 17
physical safety of the consumer or another individual and where the 18
processing cannot be manifestly based on another legal basis. 19
(9) Prevent, detect, protect against, or respond to security incidents, identity theft, 20
fraud, harassment, malicious or deceptive activities, or any illegal activity ; 21
preserve the integrity or security of systems ; or investigate, report , or 22
prosecute those responsible for any such activity. 23
(10) Engage in public or peer-reviewed scientific research in the public interest that 24
adheres to all other applicable ethics and privacy laws and is approved, 25
monitored, and governed by an institutional review board that determines 26
whether the deletion of the information is likely to provide substantial benefits 27
that do not exclusively accrue to the controller, the expected benefits of the 28
research outweigh the privacy risks, and whether the controller has 29
implemented reasonable safeguards to mitigate privacy risks associ ated with 30
research, including any risks associated with re-identification. 31
(11) Assist another controller, processor, or third party with any of the activities 32
under this subsection. 33
(b) The obligations imposed on controllers or processors under this Chapt er, other than 34
those imposed by G.S. 75F-109, do not restrict a controller's or processor's ability to collect data 35
directly from consumers, or use or retain the data, for internal use only, to do any of the following: 36
(1) Conduct internal research to develop, improve, or repair products, services, or 37
technology. 38
(2) Effectuate a product recall. 39
(3) Identify and repair technical errors that impair existing or intended 40
functionality. 41
(4) Perform internal operations that are reasonably aligned with the expectations 42
of the consumer or reasonably anticipated based on the consumer 's existing 43
relationship with the controller or are otherwise compatible with processing 44
data in furtherance of the provision of a product or service specifically 45
requested by a co nsumer or the performance of a contract to which the 46
consumer is a party. 47
(c) The obligations imposed on controllers or processors under this Chapter shall not 48
apply where compliance by the controller or processor with said sections would violate an 49
evidentiary privilege under the laws of this State. Nothing in this Chapter shall be construed to 50
prevent a controller or processor from providing personal data concerning a consumer to a person 51
General Assembly Of North Carolina Session 2025
Page 14 House Bill 462-Second Edition
covered by an evidentiary privilege under the laws of this State as part of a privileged 1
communication. 2
(d) A controller or processor that discloses personal data to a processor or third -party 3
controller in compliance with this Chapter shall not be deemed to have violated said sections if 4
the processor or third-party controller that receives and processes the personal data violates said 5
sections, provided that (i) at the time the disclosing controller or processor disclosed the personal 6
data, the disclosing controller or processor did not have actual knowledge that the rec eiving 7
processor or third -party controller had violated or would violate said sections and (ii) the 8
disclosing controller or processor was, and remained, in compliance with its obligations as the 9
discloser of the data hereunder. A third-party controller or processor receiving personal data from 10
a controller or processor in compliance with this Chapter is likewise not in violation of said 11
sections for the independent misconduct of the controller or processor from which the third-party 12
controller or processor receives the personal data. 13
(e) Nothing in this Chapter may be construed to do any of the following: 14
(1) Impose any obligation on a controller or processor that adversely affects the 15
rights of any person to freedom of speech or freedom of the press guaranteed 16
by the First Amendment to the United States Constitution or Article I, Section 17
14 of the North Carolina Constitution. 18
(2) Apply to any person's processing of personal data in the course of the person's 19
purely personal or household activities. 20
(f) Personal data processed pursuant to this section may be processed to the extent that 21
the processing is reasonably necessary and proportionate to the purposes listed in this section and 22
is adequate, relevant, and limited to what is necessary in relation to the specific purposes listed 23
in this section. Personal data collected, used, or retained pursuant to subsection (b) of this section 24
shall, where applicable, take into account the nature and purpose or purposes of the collection, 25
use, or retention. The data shall be subject to reasonable administrative, technical, and physical 26
measures to protect the confidentiality, integrity, and accessibility of the personal data and to 27
reduce reasonably foreseeable risks of harm to consumers relating to the collection, u se, or 28
retention of personal data. 29
(g) If a controller processes personal data pursuant to an exemption in this section, the 30
controller bears the burden of demonstrating that the processing qualifies for the exemption and 31
complies with the requirements of subsection (f) of this section. 32
(h) Processing personal data for the purposes expressly identified in this section shall not 33
solely make a legal entity a controller with respect to the processing. 34
"§ 75F-111. Enforcement. 35
(a) The North Carolina Department of Justice shall investigate and enforce alleged 36
violations of this Chapter. 37
(b) The North Carolina Department of Justice may, prior to initiating any action for a 38
violation of any provision of this Chapter, issue a notice of violation to the controller or processor 39
if the Department of Justice determines that a cure is possible. If the North Carolina Department 40
of Justice issues a notice of violation, the controller shall have at least 60 days to cure the violation 41
after receipt of the notice. If the cont roller fails to cure the violation within the time period, the 42
North Carolina Department of Justice may bring an enforcement proceeding pursuant to 43
subsection (a) of this section. In determining whether to grant a controller or processor an 44
opportunity to cure an alleged violation, the North Carolina Department of Justice may consider 45
all of the following: 46
(1) The number of violations. 47
(2) The size and complexity of the controller or processor. 48
(3) The nature and extent of the controller's or processor's processing activities. 49
(4) The substantial likelihood of injury to the public. 50
(5) The safety of persons or property. 51
General Assembly Of North Carolina Session 2025
House Bill 462-Second Edition Page 15
(6) Whether the alleged violation was likely caused by human or technical error. 1
(7) The extent to which the controller or processor has violated this or similar 2
laws in the past. 3
(c) Nothing in this Chapter shall be construed as providing the basis for, or be subject to, 4
a private right of action for violations of said sections or any other law. 5
(d) A violation of this Chapter shall be deemed an unfair practice under G.S. 75-1.1." 6
SECTION 1.3. Beginning no later than July 1, 2025, the North Carolina Department 7
of Justice shall engage in public outreach to educate consumers and the business community 8
about this Part. Data protection assessment requirements in G.S. 75F-108, as enacted by this Part, 9
shall apply to process ing activities created or generated on or after July 1, 2026, and are not 10
retroactive. 11
12
PART II. ENACT SOCIAL MEDIA SAFETY ACT 13
SECTION 2.1. Effective January 1, 2026, the General Statutes are amended by 14
adding a new Chapter to read: 15
"Chapter 75G. 16
"Social Media Verification. 17
"§ 75G-101. Definitions. 18
The following definitions apply in this Chapter: 19
(1) Account holder. – An individual who creates an account or a profile to use a 20
social media platform. 21
(2) Commercial entity. – A corporation, limited liability company, partnership, 22
limited partnership, sole proprietorship, or other legally recognized entity. The 23
term includes a third-party vendor. 24
(3) Digitized identification card. – A data file available on a mobile device that 25
has connectivity to the internet through a State -approved application that 26
allows the mobile device to download the data file from the Division of Motor 27
Vehicles that contains all of the data elements visible on the face and back of 28
a drivers license or identification card and displays t he current status of the 29
drivers license or identification card, including valid, expired, cancelled, 30
suspended, revoked, active, or inactive. 31
(4) Minor. – An individual under 18 years of age. 32
(5) North Carolina user. – An individual who is a resident of t he State of North 33
Carolina and who accesses or attempts to access a social media platform while 34
present in this State or who accesses or attempts to access a social media 35
platform while using a North Carolina Internet Protocol address. 36
(6) Reasonable age verification. – A method to confirm that a person seeking to 37
open an account social media platform is at least 18 years old. 38
(7) Social media company. – An online forum that allows an account holder to do 39
any of the following: 40
a. Create a public profile, establish an account, or register as a user for 41
the primary purpose of interacting socially with other profiles and 42
accounts. 43
b. Upload or create posts or content. 44
c. View posts or content of other account holders. 45
d. Interact with other acco unt holders or users, including , without 46
limitation, establishing mutual connections through request and 47
acceptance. 48
(8) Social media company. – Does not include any of the following: 49
General Assembly Of North Carolina Session 2025
Page 16 House Bill 462-Second Edition
a. A company that exclusively offers subscription content in which users 1
follow or subscribe unilaterally and whose platforms' primary purpose 2
is not social interaction. 3
b. A social media company that allows a user to generate short video 4
clips of dancing, voice overs, or other acts of entertainment in which 5
the primary purpose is not educational or informative. 6
c. A media company that exclusively offers interacti ve gaming, virtual 7
gaming, or an online service that allows the creation and uploading of 8
content for the purpose of interacti ve gaming, entertainment, or 9
associated e ntertainment, and any communication related to that 10
content. 11
d. A company that offers cloud storage services, enterprise cybersecurity 12
services, educational devices, or enterprise collaboration tools for 13
kindergarten through grade 12 (K-12) schools and der ives less than 14
twenty-five percent (25%) of the company's revenue from operating a 15
social media platform, including games and advertising. 16
e. A company that provides career development opportunities, including 17
professional networking, job skills, learning certifications, and job 18
posting and application services. 19
(9) Social media platform. – A public or semipublic internet-based service or 20
application that has users in North Carolina and when the substantial function 21
of the service or application is to connect users in order to allow users to 22
interact socially with each other within the service or application; however, a 23
service or application that provides email or direct messaging shall not be 24
considered to be a social media platform on the basis of that function alone. 25
(10) Social media platform. – Does not include an online service, a website, or an 26
application if the predominant or exclusive function is any of the following: 27
a. Electronic mail. 28
b. Direct messaging consisting of messages, photos, or v ideos that are 29
sent between devices by electronic means if the direct messages meet 30
all of the following criteria: 31
1. Shared between the sender and the recipient or recipients. 32
2. Only visible to the sender and the recipient or recipients. 33
3. Are not posted publicly. 34
c. A streaming service that (i) provides only licensed media in a 35
continuous flow from the service, website, or application to the end 36
user and (ii) does not obtain a license to the media from a user or 37
account holder by agreement of the s treaming service 's terms of 38
service. 39
d. News, sports, entertainment, or other content that is preselected by the 40
provider and not user generated, including , if any chat, comment, or 41
interactive functionality that is provided is incidental to, directly 42
related to, or dependent upon provision of the content. 43
e. Online shopping or e-commerce, if the interaction with other users or 44
account holders is generally limited to any of the following: 45
1. The ability to post and comment on reviews. 46
2. The ability to disp lay lists or collections of goods for sale or 47
wish lists. 48
3. Any other function that is focused on online shopping or 49
e-commerce rather than interaction between users or account 50
holders. 51
General Assembly Of North Carolina Session 2025
House Bill 462-Second Edition Page 17
f. Business-to-business software that is not accessible to the general 1
public. 2
g. Cloud storage. 3
h. Shared document collaboration. 4
i. Providing access to or interacting with data visualization platforms, 5
libraries, or hubs. 6
j. Permitting comments on a digital news website, if the news content is 7
posted only by the provider of the digital news website. 8
k. For the purpose of providing or obtaining technical support for the 9
social media company's social media platform, products, or services. 10
l. Academic or scholarly research. 11
m. Other research if (i) the majority of the content is posted or created by 12
the provider of the online service, website, or application and (ii) the 13
ability to chat, comment, or interact with other users is directly related 14
to the provider 's content; provided that the service is a classified 15
advertising service that only permits the sale of goods and prohibits 16
the solicitation of personal services or that is used by and under the 17
direction of an educational entity, including , a learning management 18
system, student engagement program, and subject -specific or 19
skill-specific program. 20
(11) Social media platform. – Does not include a social media platform that is 21
controlled by a business entity that has generated less than one hundred 22
million dollars ($100,000,000) in annual gross revenue. 23
(12) User. – A person who has access to view all or some of the posts and content 24
on a social media platform but is not an account holder. 25
"§ 75G-102. Social media platforms; reasonable age verification methods; parental consent 26
required. 27
(a) A social media company shall not permit a North Carolina user who is a minor to be 28
an account holder on the social media company's social media platform unless the minor has the 29
express consent of a parent or legal guardian. 30
(b) A social media company shall use a commercial entit y to perform reasonable age 31
verification to verify the age of the user before allowing a North Carolina user to be an account 32
holder on the social media company's social media platform. If the North Carolina user is a minor, 33
the social media company shall confirm that a minor has consent under this section to become 34
an account holder before allowing the North Carolina user to open the account. 35
(c) Reasonable age verification methods under this section include one of the following: 36
(1) Providing a digitized identification card, including a digital copy of a drivers 37
license issued by the Division of Motor Vehicles. 38
(2) Providing a government-issued identification. 39
(3) Any commercially reasonable age verification method. 40
"§ 75G-103. Liability for social media companies. 41
(a) A social media company that knowingly violates this Chapter is liable if the social 42
media company fails to perform a reasonable age verification. 43
(b) If a social media company performs a reason able age verification, the social media 44
company shall not retain any identifying information of the individual after access to an account 45
on the social media platform has been granted. 46
(c) A violation of G.S. 75G-102 is a Class 1 misdemeanor. The district attorney for the 47
county where the North Carolina user resides may initiate a criminal proceeding against a social 48
media company that allegedly violates G.S. 75G-102. 49
(d) The Attorney General may initiate a civil enforcement action against a soc ial media 50
company that allegedly commits a violation of G.S. 75G-102. 51
General Assembly Of North Carolina Session 2025
Page 18 House Bill 462-Second Edition
(e) A social media company that violates this Chapter is liable to an individual for either 1
of the following: 2
(1) A penalty of two thousand five hundred dollars ($2,500) per violation, court 3
costs, and reasonable attorneys' fees as ordered by the court. 4
(2) Damages resulting from a minor accessing a social media platform without 5
his or her parent 's or legal guardian 's consent, including court costs and 6
reasonable attorneys' fees as ordered by the court. 7
(f) This section does not apply to a news or public interest broadcast, website video, 8
report, or event or to cloud service provide rs, or affect the rights of a news -gathering 9
organization. 10
(g) An internet service provider, or any of its affiliates or subsidiaries, or search engines 11
shall not violate this Chapter solely by providing access, connection to or from a website, or other 12
information or content on the internet, or a facility, system, or network that is not under that 13
internet service provider's control, including transmission, downloading, intermediate storage, 14
access software, or other service that provides access or connectivity, to the extent the internet 15
service provider is not responsible for the creation of the content or the communication on a 16
social media platform. 17
"§ 75G-104. Liability for commercial entity. 18
(a) A commercial entity shall not retain any identifying information of an individual after 19
access to the social media platform has been granted. 20
(b) A commercial entity that is found to have knowingly retained identifying information 21
of an individual after access to the material is granted is liable to the individual for damages 22
resulting from the retention of the identifying information, including court costs and reasonable 23
attorneys' fees as ordered by the court." 24
25
PART III. SEVERABILITY 26
SECTION 3.1. If any provision of this act or the application thereof to any person 27
or circumstance is held invalid, the invalidity does not affect any other provision or application 28
of the act which can be given effect without the invalid provision or application and, to that end, 29
the provisions of this act are declared to be severable. 30
31
PART IV. EFFECTIVE DATE 32
SECTION 4.1. Except as otherwise provided, this act is effective when it becomes 33
law. 34