Back to North Carolina

S1022 • 2025

Consumer Privacy Act.

Consumer Privacy Act.

Children Privacy
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Salvador, Batch, Smith, Theodros
Last action
2026-05-05
Official status
Re-ref Com On Appropriations/Base Budget
Effective date
2027-01-01

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Consumer Privacy Act.

Consumer Privacy Act.

What This Bill Does

  • Consumer Privacy Act.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-05-05 Senate

    Re-ref Com On Appropriations/Base Budget

  2. 2026-05-05 Senate

    Withdrawn From Com

  3. 2026-05-04 Senate

    Ref To Com On Rules and Operations of the Senate

  4. 2026-05-04 Senate

    Passed 1st Reading

  5. 2026-04-30 Senate

    Filed

Official Summary Text

Consumer Privacy Act.

Current Bill Text

Read the full stored bill text
GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2025
S 1
SENATE BILL 1022

Short Title: Consumer Privacy Act. (Public)
Sponsors: Senator Salvador (Primary Sponsor).
Referred to: Rules and Operations of the Senate
May 4, 2026
*S1022-v-1*
A BILL TO BE ENTITLED 1
AN ACT TO PROTECT CONSUMERS BY ENACTING THE CONSUMER PRIVACY ACT 2
OF NORTH CAROLINA AND TO APPROPRIATE FUNDS FOR THAT PURPOSE. 3
The General Assembly of North Carolina enacts: 4
SECTION 1. This act shall be known and may be cited as the "North Carolina 5
Consumer Privacy Act." 6
SECTION 2. The General Statutes are amended by adding a new Chapter to read: 7
"Chapter 75F. 8
"Consumer Privacy Act. 9
"§ 75F-1. Definitions. 10
(a) This Chapter shall be known and may be cited as the "North Carolina Consumer 11
Privacy Act." 12
(b) Definitions. – The following definitions apply in this Chapter: 13
(1) Account. – The Consumer Privacy Account established in G.S. 75F-14. 14
(2) Affiliate. – An entity that (i) controls, is controlled by, or is under common 15
control with another entity or (ii) shares common branding with another entity. 16
(3) Aggregated data. – Information that relates to a group or category of 17
consumers (i) from which individual consumer identities have been removed 18
and (ii) that is not linked or reasonably linkable to any consumer. 19
(4) Air carrier. – As defined in 49 U.S.C. § 40102. 20
(5) Authenticate. – To use reasonable means to determine that a consumer 's 21
request to exercise the rights described in G.S. 75F-4 is made by the consumer 22
who is entitled to exercise those rights. 23
(6) Biometric data. – Data generated by automatic measurements of an 24
individual's unique biological characteristics. The term includes an 25
individual's fingerprint, voiceprint, eye retinas, irises, or any other unique 26
biological pattern or characteristic that is used to identify a specific individual. 27
Biometric data does not include any of the following: 28
a. A physical or digital photograph. 29
b. A video or audio recording. 30
c. Data generated from an item described in sub-subdivision a. or b. of 31
this subdivision. 32
d. Information captured from a patient in a health care setting. 33
e. Information collected, used, or stored for treatment, payment, or health 34
care operations as those terms are defined in 45 C.F.R. Parts 160, 162, 35
and 164. 36
General Assembly Of North Carolina Session 2025
Page 2 Senate Bill 1022-First Edition
(7) Business associate. – As defined in 45 C.F.R. § 160.103. 1
(8) Child. – An individual younger than 13 years old. 2
(9) Consent. – An affirmative act by a consumer that unambiguously indicates the 3
consumer's voluntary and informed agreement to allow a person to process 4
personal data related to the consumer. 5
(10) Consumer. – An individual who is a resident of this State acting in an 6
individual or household context. The term does not include an individual 7
acting in a commercial or employment context. 8
(11) Control or controlled. – Includes each of the following: (i) ownership of, or 9
the power to vote, more than fifty percent (50%) of the outstanding shares of 10
any class of voting securities of an entity; (ii) control in any manner over the 11
election of a majority of the directors or of the individuals exercising similar 12
functions; and (iii) the power to exercise controlling influence of the 13
management of an entity. 14
(12) Controller. – A person doing business in this State who determines the 15
purposes for which , and the means by which , personal data are processed, 16
regardless of whether the person makes the determination alone or with others 17
that, alone or jointly with others, determines the purpose and means of 18
processing personal data. 19
(13) Covered entity. – As defined in 45 C.F.R. § 160.103. 20
(14) De-identified data. – Data that cannot reasonably be linked to an identified or 21
identifiable individual that are possessed by a controller who does all of the 22
following: 23
a. Takes reasonable measures to ensure that a person cannot associate the 24
data with an individual. 25
b. Publicly commits to maintain and use the data only in de -identified 26
form and not attempt to reidentify the data. 27
c. Contractually obligates any recipients of the data to comply with the 28
requirements descri bed in sub-subdivisions a. and b. of this 29
subdivision. 30
(15) Director. – The Director of the Division. 31
(16) Division. – The Consumer Protection Division of the North C arolina 32
Department of Justice or other unit of the Department of Justice engaging in 33
activities under this Chapter. 34
(17) Government entity. – The State or any local political subdivision of the State. 35
(18) Health care facility. – Any entity licensed pursuant to Chapter 122C, 131D, 36
or 131E of the General Statutes or Article 64 of Chapter 58 of the General 37
Statutes and any clinical laboratory certified under the federal Clinical 38
Laboratory Improvement Amendments in section 353 of the Public Health 39
Service Act (42 U.S.C. § 263a). 40
(19) Health care provider. – Includes: 41
a. An individual who is licensed, certified, or otherwise authorized under 42
Chapter 90 or 90B of the General Statutes to provide health care 43
services in the ordinary course of business or practice of a profession 44
or in an approved education or training program. 45
b. A health care fa cility where health care services are provided to 46
patients, residents, or others to whom such services are provided as 47
allowed by law. 48
c. Individuals licensed under Chapter 90 of the General Statutes or 49
practicing under a waiver in accordance with G.S. 90-12.5. 50
General Assembly Of North Carolina Session 2025
Senate Bill 1022-First Edition Page 3
d. Any emergency medical services personnel as defined in 1
G.S. 131E-155(7). 2
e. Any individual who is employed as a health care facility administrator, 3
executive, supervisor, board member, trustee, or other person in a 4
managerial position or comparable role at a health care facility. 5
f. An agent or employee of a health care facility that is licensed, certified, 6
or otherwise authorized to provide health care services. 7
g. An officer or director of a health care facility. 8
h. An agent or employee of a heal th care provider who is licensed, 9
certified, or otherwise authorized to provide health care services. 10
(20) Identifiable individual. – An individual who can be readily identified, directly 11
or indirectly. 12
(21) Institution of higher education. – A public or private institution of higher 13
education. 14
(22) Local political subdivision. – Includes a city, a county, a local school 15
administrative unit as defined in G.S. 115C-5, or a community college. 16
(23) Nonprofit organization. – Any corporation exempt from taxatio n under 17
section 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code. 18
(24) Personal data. – Information that can be used to distinguish or trace an 19
individual's identity, either alone or when combined with other information. 20
The term does not i nclude information that is a public record under Chapter 21
132 of the General Statutes or information made available to the general 22
public lawfully and intentionally. 23
(25) Process. – Any operation or set of operations performed on personal data, 24
including co llection, use, storage, disclosure, analysis, deletion, or 25
modification of personal data. 26
(26) Processor. – A person who processes personal data on behalf of a controller. 27
(27) Protected health information. – As defined in 45 C.F.R. § 160.103. 28
(28) Pseudonymous data. – Personal data that cannot be attributed to a specific 29
individual without the use of additional information, if the additional 30
information is (i) kept separately from the consumer 's personal data and (ii) 31
subject to appropriate technical and organizational measures to ensure that the 32
personal data is not attributable to an identified or identifiable individual. 33
(29) Publicly available information. – Information that a person (i) lawfully obtains 34
from a record of a governmental entity, (ii) reasonably believes a consumer or 35
widely distributed media has lawfully made available to the general public, or 36
(iii) if the consumer has not restricted the information to a specific audience, 37
obtains from a person to whom the consumer disclosed the information. 38
(30) Right. – A consumer right described in G.S. 75F-4. 39
(31) Sale, sell, or sold. – The exchange of personal data for monetary consideration 40
by the controller to a third party. The terms do not include any of the 41
following: 42
a. A controller's disclosure of personal data to a processor who processes 43
the personal data on behalf of the controller. 44
b. A controller 's disclosure of personal data to an affiliate of the 45
controller. 46
c. Considering the context in which the consumer provided the personal 47
data to the controller, a controller 's disclosure of personal data to a 48
third party if the purpose is consistent with a consumer 's reasonable 49
expectations. 50
General Assembly Of North Carolina Session 2025
Page 4 Senate Bill 1022-First Edition
d. The disclosure or transfer of personal data when a consumer directs a 1
controller to disclose the personal data or interact with one or more 2
third parties. 3
e. A consumer 's disclosure of personal data to a third party for the 4
purpose of providing a product or service requested by the consumer 5
or a parent or legal guardian of a child. 6
f. The disclosure of information that the consumer intentionally makes 7
available to the general public via a channel of mass media and does 8
not restrict to a specific audience. 9
g. A controller's transfer of personal data to a third party as an asset that 10
is part of a propose d or actual merger, acquisition, or bankruptcy in 11
which the third party assumes control of all or part of the controller 's 12
assets. 13
(32) Sensitive data. – Personal data that reveals any of the following: 14
a. An individual 's (i) racial or ethnic origin, (ii) religious beliefs, (iii) 15
sexual orientation, (iv) citizenship or immigration status, or (v) 16
information regarding an individual 's medical history, mental or 17
physical health condition, or medical treatment or diagnosis by a 18
health care professional. The term does not include personal data that 19
reveals an individual 's racial or ethnic origin if the personal data are 20
processed by a video communication service . If the personal data are 21
processed by a person licensed to provide health care under State or 22
federal la w, information regarding an individual 's medical history, 23
mental or physical health condition, or medical treatment or diagnosis 24
by a health care professional , then the personal data is not sensitive 25
data. 26
b. The processing of genetic or biometric data if the processing is for the 27
purpose of identifying a specific individual. 28
c. Specific geolocation data. 29
(33) Specific geological location. – Information derived from technology, 30
including global positioning system level latitude and long itude coordinates, 31
that directly identifies an individual 's specific location, accurate within a 32
radius of 1,750 feet or less. The term does not include (i) the content of a 33
communication or (ii) any data generated by or connected to advanced utility 34
metering infrastructure systems or equipment used by a utility. 35
(34) Targeted advertising. – Displaying an advertisement to a consumer where the 36
consumer is selected based upon personal data obtained from the consumer's 37
activities over time and across nonaffiliated websites or online applications to 38
predict the consumer 's preferences and interests. The term does not include 39
any advertising: 40
a. Based upon a consumer 's activities within the controller 's website or 41
online application or any affiliated website or online application. 42
b. Based on the context of a consumer's current search query or visit to a 43
website or online application. 44
c. Directed to a consumer in response to the consumer 's request for 45
information, a product, a service, or feedback. 46
d. Processing personal data solely to measure or report advertising 47
performance, reach, or frequency. 48
(35) Third party. – A person other than the consumer, controller, or processor or 49
an affiliate or contractor of the controller or processor. 50
General Assembly Of North Carolina Session 2025
Senate Bill 1022-First Edition Page 5
(36) Trade secre t. – Information, including a formula, pattern, compilation, 1
program, device, method, technique , or process that (i) derives independent 2
economic value, actual or potential, from not being generally known to and 3
not being readily ascertainable by proper me ans by other persons who can 4
obtain economic value from the information's disclosure or use and (ii) is the 5
subject of efforts that are reasonable under the circumstances to maintain the 6
information's secrecy. 7
"§ 75F-2. Applicability. 8
(a) This Chapter applies to any controller or processor who: 9
(1) Conducts business in this State or produces a product or service that is targeted 10
to consumers who are residents of this State; 11
(2) Has annual revenue of twenty-five million dollars ($25,000,000) or more; and 12
(3) Satisfies one or more of the following thresholds: 13
a. During a calendar year, controls or processes personal data of 100,000 14
or more consumers; or 15
b. Derives over fifty percent (50%) of the entity's gross revenue from the 16
sale of personal data and controls or processes personal data of 25,000 17
or more consumers. 18
(b) This Chapter does not apply to any of the following: 19
(1) A governmental entity or a third party under contract with a governmental 20
entity when the third party is acting on behalf of the governmental entity. 21
(2) A tribe. 22
(3) An institution of higher education. 23
(4) A nonprofit corporation. 24
(5) A covered entity. 25
(6) A business associate. 26
(7) Information that meets the definition of one of the following: 27
a. Protected health information for purpos es of the federal Health 28
Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 29
1320d et seq., and related regulations. 30
b. Patient identifying information for purposes of 42 C.F.R. Part 2. 31
c. Identifiable private information for purposes of the federal Policy for 32
the Protection of Human Subjects, 45 C.F.R. Part 46. 33
d. Identifiable private information or personal data collected as part of 34
human subjects research pursuant to or under the same standards as: 35
1. The good clinical practice guidelines i ssued by the 36
International Council for Harmonisation; or 37
2. The Protection of Human Subjects under 21 C.F.R. Part 50 and 38
Institutional Review Boards under 21 C.F.R. Part 56. 39
e. Personal data used or shared in research conducted in accordance with 40
one or more of the requirements described in sub-subdivision b. of this 41
subdivision. 42
f. Information and documents created for purposes of the federal Health 43
Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq., and 44
related regulations. 45
g. Patient safety work product for purposes of 42 C.F.R. Part 3. 46
h. Information that is: 47
1. De-identified in accordance with the requirements for 48
de-identification set forth in 45 C.F.R. Part 164; and 49
2. Derived from any of the health care -related information listed 50
above in this subdivision. 51
General Assembly Of North Carolina Session 2025
Page 6 Senate Bill 1022-First Edition
(8) Information originating from, and intermingled to be indistinguishable with, 1
information under subdivision (7) of this subsection that is maintained by a (i) 2
health care facility or health care provider or (ii) program or a qualified service 3
organization as defined in 42 C.F.R. § 2.11. 4
(9) Information used only for public health activities and purposes as described 5
in 45 C.F.R. § 164.512. 6
(10) An activity: 7
a. Subject to regulation under the federal Fair Credit Reporting Act, 15 8
U.S.C. § 1681 et seq., by one of the following: 9
1. A consumer reporting agency, as defined in 15 U.S.C. § 1681a; 10
2. A furnisher of information, as set forth in 15 U.S.C. § 1681s-2, 11
who provides information for use in a consumer report, as 12
defined in 15 U.S.C. § 1681a; or 13
3. A user of a consumer report, as set forth in 15 U.S.C. § 1681b; 14
and 15
b. Involving the collection, maintenance, disclosure, sale, 16
communication, or use of any personal data bearing on a consumer 's 17
credit worthiness, credit standing, credit capacity, character, general 18
reputation, personal characteristics, or mode of living. 19
(11) A financial institution or an affiliate of a financial institution governed by, or 20
personal data collected, processed, sold, or disclosed in accordance with Title 21
V of the Gramm -Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and related 22
regulations. 23
(12) Personal data collected, pro cessed, sold, or disclosed in accordance with the 24
federal Driver's Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq. 25
(13) Personal data regulated by the federal Family Education Rights and Privacy 26
Act, 20 U.S.C. § 1232g, and related regulations. 27
(14) Personal data collected, processed, sold, or disclosed in accordance with the 28
federal Farm Credit Act of 1971, 12 U.S.C. § 2001 et seq. 29
(15) Data that are processed or maintained: 30
a. In the course of an individual applying to, being employed by, or 31
acting as an agent or independent contractor of a controller, processor, 32
or third party to the extent the collection and use of the data are related 33
to the individual's role; 34
b. As the emergency contact information of an individual described in 35
sub-subdivision a. of this subdivision and used for emergency contact 36
purposes; or 37
c. To administer benefits for another individual relating to an individual 38
described in sub-subdivision a. of this subdivision and used for the 39
purpose of administering the benefits. 40
(16) An individual's processing of personal data for purely personal or household 41
purposes. 42
(17) An air carrier. 43
(c) A controller is in compliance with any obligation to obtain parental consent under this 44
Chapter if the controller complies with the verifiable parental consent mechanisms under the 45
Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., and the act 's implementing 46
regulations and exemptions. 47
(d) This Chapter does not require a person to take any action in conflict with the federal 48
Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., or related 49
regulations. 50
"§ 75F-3. Preemption; reference to other laws. 51
General Assembly Of North Carolina Session 2025
Senate Bill 1022-First Edition Page 7
(a) This Chapter supersedes and preempts any ordinance, resolution, rule, or other 1
regulation adopted by a local political subdivision of the State regarding the processing of 2
personal data by a controller or processor. 3
(b) Any reference to federal law in this Chapter includes any rules or regulations 4
promulgated under the federal law. 5
"§ 75F-4. Consumer rights; access; deletion; portability; opt out of certain processing. 6
(a) A consumer has the right to: 7
(1) Confirm whether a controller is processing the consumer 's personal data and 8
access the consumer's personal data. 9
(2) Delete the consumer 's personal data that the consumer provided to the 10
controller. 11
(3) Obtain a copy of the consumer 's personal data that the consumer previously 12
provided to the controller, in a format that to the extent technically feasible, 13
that is readily usable and allows the consumer to transmit the data to another 14
controller without impediment where the processing is carried out by 15
automated means. 16
(4) Opt out of the processing of the consumer 's personal data for purposes of 17
targeted advertising or the sale of personal data. 18
(b) Nothing in this section requires a person to cause a breach of security system. 19
"§ 75F-5. Exercising consumer rights. 20
(a) A consumer may exercise a right by submitting a request to a controller, by means 21
prescribed by the controller, specifying the right the consumer intends to exercise. 22
(b) In the case of processing personal data concerning a known child, the parent or legal 23
guardian of the known child shall exercise a right on the child's behalf. 24
(c) In the case of processing personal data conc erning a consumer subject to 25
guardianship, the guardian of the consumer shall exercise a right on the consumer's behalf. 26
"§ 75F-6. Controller's response to requests. 27
(a) Subject to the other provisions of this Chapter, a controller shall comply with a 28
consumer's request under G.S. 75F-5 to exercise a right. 29
(b) Within 45 days after the day on which a controller receives a request to exercise a 30
right, the controller shall take action on the consumer 's request and inform the consumer of any 31
action taken on the consumer's request. 32
(c) The controller may extend once the initial 45 -day period by an additional 45 days if 33
reasonably necessary due to the complexity of the request or the volume of the requests received 34
by the controller. If a controller extends the initial 45-day period, before the initial 45-day period 35
expires, the controller shall (i) inform the consumer of the extension, including the length of the 36
extension, and (ii) provide the reasons the extension is reasonably necessary. 37
(d) The 45-day period does not apply if the controller reasonably suspects the consumer's 38
request is fraudulent and the controller is not able to authenticate the request before the 45-day 39
period expires. 40
(e) If, in accordance with this section, a controller chooses not to take action on a 41
consumer's request, the controller shall within 45 days after the day on which the controller 42
receives the request inform the consumer of the reasons for not taking action. 43
(f) A controller may not charge a fee for information in response to a request, unless the 44
request is the consumer 's second or subsequent request during the same 12 -month period. 45
However, a controller may charge a reasonable fee to cover the administrative costs of complying 46
with a request or refuse to act on a request if: 47
(1) The request is excessive, repetitive, technically infeasible, or manifestly 48
unfounded; 49
(2) The controller reasonably believes the primary purpose in submitting the 50
request was something other than exercising a right; or 51
General Assembly Of North Carolina Session 2025
Page 8 Senate Bill 1022-First Edition
(3) The request, individually or as part of an organized effort, harasses, disrupts, 1
or imposes undue burden on the resources of the controller's business. 2
(g) A controller that charges a fee or refuses to act in accordance with this section bears 3
the burden of demonstrating the re quest satisfied one or more of the criteria described in this 4
section. 5
(h) If a controller is unable to authenticate a consumer request to exercise a right 6
described in G.S. 75F-4 using commercially reasonable efforts, the controller is not required to 7
comply with the request and may request that the consumer provide additional information 8
reasonably necessary to authenticate the request. 9
"§ 75F-7. Responsibilities according to role. 10
(a) A processor shall adhere to the controller 's instructions, and taking into account the 11
nature of the processing and information available to the processor, by the appropriate technical 12
and organizational measures, insofar as reasonably practicable, assist the controller in meeting 13
the controller's obligations, in cluding obligations related to the security of processing personal 14
data and notification of a breach of security system. 15
(b) Before a processor performs processing on behalf of a controller, the processor and 16
controller shall enter into a contract that does all of the following: 17
(1) Clearly sets forth instructions for processing personal data, the nature and 18
purpose of the processing, the type of data subject to processing, the duration 19
of the processing, and the parties' rights and obligations. 20
(2) Requires the processor to ensure each person processing personal data is 21
subject to a duty of confidentiality with respect to the personal data. 22
(3) Requires the processor to engage any subcontractor pursuant to a written 23
contract that requires the subcontractor to meet the same obligations as the 24
processor with respect to the personal data. 25
(c) Determining whether a person is acting as a controller or processor with respect to a 26
specific processing of data is a fact-based determination that depends upon the context in which 27
personal data are to be processed. A processor that adheres to a controller 's instructions with 28
respect to a specific processing of personal data remains a processor. 29
"§ 75F-8. Responsibilities of cont ractors; transparency; purpose specification and data 30
minimization; consent for secondary use; security; nondiscrimination. 31
(a) A controller shall provide consumers with a reasonably accessible and clear privacy 32
notice that includes all of the following: 33
(1) The categories of personal data processed by the controller. 34
(2) The purposes for which the categories of personal data are processed. 35
(3) How consumers may exercise a right. 36
(4) The categories of personal data that the controller shares with third parties, if 37
any. 38
(5) The categories of third parties, if any, with whom the controller shares 39
personal data. 40
If a controller sells a consumer's personal data to one or more third parties or engages in targeted 41
advertising, the controller shall clearly and conspicuously disclose to the consu mer the manner 42
in which the consumer may exercise the right to opt out of the sale of the consumer 's personal 43
data or processing for targeted advertising. 44
(b) A controller shall establish, implement, and maintain reasonable administrative, 45
technical, and physical data security practices designed to protect the confidentiality and integrity 46
of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the 47
processing of personal data. Considering the controller 's business size, sco pe, and type, a 48
controller shall use data security practices that are appropriate for the volume and nature of the 49
personal data at issue. 50
General Assembly Of North Carolina Session 2025
Senate Bill 1022-First Edition Page 9
(c) Except as otherwise provided in this Chapter, a controller may not process sensitive 1
data collected from a consum er without first presenting the consumer with clear notice and an 2
opportunity to opt out of the processing or , in the case of the processing of personal data 3
concerning a known child, processing the data in accordance with the federal Children 's Online 4
Privacy Protection Act, 15 U.S.C. § 6501 et seq., and the act 's implementing regulations and 5
exemptions. 6
(d) A controller may not discriminate against a consumer for exercising a right by (i) 7
denying a good or service to the consumer, (ii) charging the consum er a different price or rate 8
for a good or service, or (iii) providing the consumer a different level of quality of a good or 9
service. Nothing in this subsection prohibits a controller from offering a different price, rate, 10
level, quality, or selection of a good or service to a consumer, including offering a good or service 11
for no fee or at a discount, if the consumer has opted out of targeted advertising or the offer is 12
related to the consumer 's voluntary participation in a bona fide loyalty, rewards, prem ium 13
features, discounts, or club card program. 14
(e) A controller is not required to provide a product, service, or functionality to a 15
consumer if the consumer's personal data are, or the processing of the consumer 's personal data 16
is, reasonably necessary fo r the controller to provide the consumer the product, service, or 17
functionality and the consumer does not provide the consumer 's personal data to the controller 18
or allow the controller to process the consumer's personal data. Any provision of a contract th at 19
purports to waive or limit a consumer's right under this Chapter is void. 20
"§ 75F-9. Processing de-identified data or pseudonymous data. 21
(a) The provisions of this Chapter do not require a controller or processor to do any of 22
the following: 23
(1) Reidentify de-identified data or pseudonymous data. 24
(2) Maintain data in identifiable form or obtain, retain, or access any data or 25
technology for the purpose of allowing the controller or processor to associate 26
a consumer request with personal data. 27
(3) Comply with an authenticated consumer request to exercise a right described 28
in G.S. 75F-4, if the controller: 29
a. Is not reasonably capable of associating the request with the personal 30
data or it would be unreasonably burdensome for the controller to 31
associate the request with the personal data; 32
b. Does not (i) use the personal data to recognize or respond to the 33
consumer who is the subject of the personal data or (ii) associate the 34
personal data with other personal data about the consumer; and 35
c. Does not sell or other otherwise disclose the personal data to any third 36
party other than a processor, except as otherwise permitted in this 37
section. 38
(b) The rights described in G.S. 75F-4(a)(1) through (a)(3) do not apply to pseudonymous 39
data if a controller demonstrates that any information necessary to identify a consumer is kept 40
separately and subject to appropriate technical and organizational measures to ensure the 41
personal data are not attributed to an identified individual or an identifiable individual. 42
(c) A controller who uses pseudonymous data or de-identified data shall take reasonable 43
steps to ensure the controller complies with any contractual obligations to which the 44
pseudonymous data or de -identified data are subject and promptly addresses any br each of a 45
contractual obligation. 46
"§ 75F-10. Limitations. 47
(a) The requirements described in this Chapter do not restrict a controller's or processor's 48
ability to do any of the following: 49
(1) Comply with a State, federal, or local law, rule, or regulation. 50
General Assembly Of North Carolina Session 2025
Page 10 Senate Bill 1022-First Edition
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, 1
or summons by a federal, State, local, or other governmental entity. 2
(3) Cooperate with a law enforcement agency concerning activity that the 3
controller or processor reason ably and in good faith believes may violate 4
federal, State, or local laws, rules, or regulations. 5
(4) Investigate, establish, exercise, prepare for, or defend a legal claim. 6
(5) Provide a product or service requested by a consumer or a parent or legal 7
guardian of a child. 8
(6) Perform a contract to which the consumer or the parent or legal guardian of a 9
child is a party, including fulfilling the terms of a written warranty or taking 10
steps at the request of the consumer or parent or legal guardian before entering 11
into the contract with the consumer. 12
(7) Take immediate steps to protect an interest that is essential for the life or 13
physical safety of the consumer or of another individual. 14
(8) Detect, prevent, protect against, or respond to a security incident, identity 15
theft, fraud, harassment, malicious or deceptive activity, or any illegal activity 16
or investigate, report, or prosecute a person responsible for an action described 17
in this subdivision. 18
(9) Preserve the integrity or security of systems or investigate, report, or prosecute 19
a person responsible for harming or threatening the integrity or security of 20
systems. 21
(10) If the controller discloses the processing in a notice described in G.S. 75F-8, 22
engage in public or peer-reviewed scientific, historical, or statistical research 23
in the public interest that adheres to all other applicable ethics and privacy 24
laws. 25
(11) Assist another person with an obligation described in this subsection. 26
(12) Process personal data to do any of the following: 27
a. Conduct internal analytics or other research to develop, improve, or 28
repair a controller's or processor's product, service, or technology. 29
b. Identify and repair technical errors that impair existing or intended 30
functionality. 31
c. Effectuate a product recall. 32
(13) Process personal data to perform an internal operation that is (i) reasonably 33
aligned with the consumer 's expectations based on the consumer 's existing 34
relationship with the controller or (ii) otherwise compatible with processing 35
to aid the controller or processor in providing a product or service specifically 36
requested by a consumer or a parent or legal guardian of a child or the 37
performance of a contract to which the consumer or a parent or legal guardian 38
of a child is a party. 39
(14) Retain a consumer's email address to comply with the consumer 's request to 40
exercise a right. 41
(b) This Chapter does not apply if a controller 's or processor 's compliance with this 42
Chapter: 43
(1) Violates an evidentiary privilege under North Carolina law. 44
(2) As part of a privileged communication, prevents a controller or processor from 45
providing personal data concerning a consumer to a person covered by an 46
evidentiary privilege under North Carolina law. 47
(3) Adversely affects the privacy or other rights of any person. 48
(c) A controller or processor is not in violation of this Chapter if: 49
(1) The controller or processor discloses personal data to a third -party controller 50
or processor in compliance with this Chapter. 51
General Assembly Of North Carolina Session 2025
Senate Bill 1022-First Edition Page 11
(2) The third party processes the personal data in violation of this Chapter. 1
(3) The disclosing controller or processor did not have actual knowledge of the 2
third party's intent to commit a violation of this Chapter. 3
(d) If a controller processes personal data under an exemption described in subsection (a) 4
of this section, the controller bears the burden of demonstrating that the processing qualifies for 5
the exemption. 6
(e) Nothing in this Chapter requires a controller, processor, third party, or consumer to 7
disclose a trade secret. 8
"§ 75F-11. No private cause of action. 9
A violation of this Chapter does not provide a basis for, nor is a violation of this Chapter 10
subject to, a private right of action under this Chapter or any other law. 11
"§ 75F-12. Enforcement. 12
(a) The Division shall establish and administer a system to receive consumer complaints 13
regarding a controller's or processor's alleged violation of this Chapter. 14
(b) The Division may investigate a consumer complaint to determine whether the 15
controller or processor violated or is violating this Chapter. 16
"§ 75F-13. Enforcement powers of the Attorney General. 17
(a) The Attorney General has the exclusive authority to enforce this Chapter. Upon 18
referral from the Division, the Attorney General may initiate an enforcement action against a 19
controller or processor for a violation of this Chapter. 20
(b) At least 45 days before the day on which the Attorney General initiates an 21
enforcement action against a controller or processor, the Attorney General shall provide the 22
controller or processor with the following: 23
(1) Written notice identifying each provision of this Chapter the Attorney General 24
alleges the controller or processor has violated or is violating. 25
(2) An explanation of the basis for each allegation. 26
(c) The Attorney General may not initiate an action if the controller or processor: 27
(1) Cures the noticed violation within 45 days after the day on which the 28
controller or processor receives the written notice described in subsection (b) 29
of this section. 30
(2) Provides the Attorney General an express written statement that the violation 31
has been cured and no further violation of the cured violation will occur. 32
(d) The Attorney General may initiate an action against a controller or processor who (i) 33
fails to cure a violation after receiving the notice described in subsection (b) of this section or (ii) 34
after curing a noticed violation and providing a written statement in accordance with subsection 35
(b) of this section, continues to violate this Chapter. 36
(e) In an action described in subsection (d) of this section, the Attorney General may 37
recover actual damages to the consumer; and for each violation described in subsection (d) of 38
this section, an amount not to exceed seven thousand five hundred dollars ($7,500). 39
(f) All money received from an action under this Chapter shall be deposited into the 40
Consumer Privacy Account established in G.S. 75F-14. 41
(g) If more than one controller or processor are involved in the same processing in 42
violation of this Chapter, the liability for the violation shall be allocated among the controllers or 43
processors in proportion to the comparative fault of each controller or processor. 44
"§ 75F-14. Consumer Privacy Account. 45
(a) There is created a restricted account known as the "Consumer Privacy Account." The 46
account shall be funded by money received through civil enforcement actions under this Chapter. 47
(b) Upon appropriation by the General Assembly, the account funds may be used by the 48
Attorney General for these purposes: 49
(1) Investigation and administrat ive costs incurred by the Division in 50
investigating consumer complaints alleging violations of this Chapter. 51
General Assembly Of North Carolina Session 2025
Page 12 Senate Bill 1022-First Edition
(2) Recovery of costs and attorney s' fees accrued by the Attorney General in 1
enforcing this Chapter. 2
(3) Providing consumer and business education regarding consumer rights under 3
this Chapter and compliance with the provisions of this Chapter for controllers 4
and processors. 5
(c) If the balance in the account exceeds four million dollars ($4,000,000) at the close of 6
any fiscal year, the State Budget Director shall transfer the amount that exceeds four million 7
dollars ($4,000,000) into the General Fund. 8
"§ 75F-15. Attorney General report. 9
(a) The Attorney General and the Division shall compile a report evaluating the liability 10
and enforcement provisions of this Chapter, including the effectiveness of the Attorney General's 11
and the Division 's efforts to enforce this Chapter and summarizing the data protected and not 12
protected by this Chapter, including, with reasonable detail, a list of the types of information that 13
are publicly available from State, local, and federal government sources. 14
(b) The Attorney General and the Division may update the report as new info rmation 15
becomes available. 16
(c) The Attorney General and the Division shall submit the report to the Joint Legislative 17
Oversight Commission on Governmental Operations by July 1, 2028." 18
SECTION 3. There is appropriated from the General Fund to the Department of 19
Justice the sum of one million dollars ($1,000,000) in the 2026-2027 fiscal year for the purposes, 20
administration, and enforcement of this act. 21
SECTION 4. Sections 1 and 2 of this act become effective January 1, 2027. Section 22
3 of this act becomes effective July 1, 2026. The remainder of this act is effective when it 23
becomes law. 24