AI Chatbots-Licensing, Safety, and Privacy.
Creates two parallel regimes: licensed health-information chatbots with strict oversight, and a general safety/privacy framework for all covered platforms starting in 2027.
Creates two parallel regimes: licensed health-information chatbots with strict oversight, and a general safety/privacy framework for all covered platforms starting in 2027.
Overview
- Bill: SB 963
- Session: 2025
- Jurisdiction: North Carolina
- Short Title: AI Chatbots-Licensing, Safety, and Privacy
- Primary Sponsor: Senator Burgin
- Filed: Apr 30, 2026
Purpose and intent
- Establish a regulatory framework for the licensing, safety, and privacy of AI chatbots that handle health information or process user data.
- Create two parallel but related regimes:
1) Chapter 114B: Licensing, quality, and oversight of health-information chatbots (within the Department of Justice).
2) Chapter 170: General safety and privacy protections for chatbot use across covered platforms (privacy, identification, data handling, and enforcement).
Part I. Chatbot Licensing (Chapter 114B)
- Scope
- Applies to operators/distributors of chatbots that deal substantially with health information.
- Administered by the Department of Justice (DOJ).
- Key definitions
- Chatbot: Generative AI system with user interaction via text, audio, or visual interfaces.
- Health information: Broad set of health-related data, including biometric data, health conditions, gender-affirming care info, genetic data, precise location for health services, and other sensitive health-related data.
- Licensee: Entity holding an active health information chatbot license.
- Licensing requirements (health information)
- Applications must include: architecture, data lifecycle (collection, processing, storage, deletion), security measures, privacy protections, quality control/testing procedures, risk assessment/mitigation, regulatory compliance, insurance proof, application fees, and other Department-specified information.
- Department review criteria: technical competence/reliability, data protection, regulatory compliance, risk management, professional qualifications (evidence-based standards, expert endorsement), and public safety considerations.
- Department to adopt implementing rules.
- Operational requirements for licensees
- Professional liability insurance: Minimum amount per occurrence as determined by the Department.
- Security and data practices: Industry-standard encryption (data in transit and at rest), detailed access logs, security audits at least every six months.
- Breach response: Report data breaches within 24 hours to the Department and within 48 hours to affected users.
- User consent: Obtain explicit user consent for data collection and use; provide access to and allow deletion of personal data.
- Transparency: Clear disclosures about artificial nature of the chatbot, service limitations, data practices, user rights/remedies, emergency resources, and human oversight protocols.
- Effectiveness evidence: Demonstrate through peer-reviewed trials with real-world data, and comparative effectiveness against human experts; meet minimum domain benchmarks set by the Department.
- Oversight: Regular inspections and an annual third-party audit; inspect and audit results provided to the Department.
- Continuous monitoring: Ongoing safety/risk monitoring with quarterly performance and incident reporting.
- Identification and enforcement
- Interaction identification requirements to show compliance with existing G.S. 170-5 (identification and disclosure standards).
- Prohibited acts include licensing non-compliance, failure to comply with Chapter rules, failure to permit record access, and failure to report adverse events.
- Civil penalties: Up to $50,000 per violation, with funds deposited to the Civil Penalty and Forfeiture Fund.
- Effective dates
- Subsection (a) effective January 1, 2027 (licensing to begin enforcing health information chatbots).
- Subsection (b) funding/publicity provision effective July 1, 2026.
- Funding for publicizing licensing provisions: $50,000 nonrecurring from General Fund in 2026-2027.
Part II. Safety and Privacy (Chapter 170)
- Scope
- Creates a separate statewide framework for chatbot safety and privacy applicable to covered platforms.
- Defines a “covered platform” as a chatbot provider with either >$100,000 annual gross revenue in NC in the prior year or more than 5,000 monthly US users in most recent 12 months; excludes purely educational/research use or government entities.
- Key definitions
- Sensitive personal information includes health data, biometric data, precise location data, financial, education records, genetic data, and other categories listed.
- Emergency situations: Defined contexts where user intends harm to self/others.
- Self-destructing messages: Data auto-deletes after a set period.
- Trusting party: User entrusting data to the platform.
- Duties of loyalty for covered platforms
- Platforms must act in the best interests of trusting parties, including:
- Emergency response and safety prioritization.
- Preventing emotional dependence for chatbots designed for social/companionship use.
- Clear disclosure of chatbot identity (non-human) and transparency about limitations.
- Avoid deception, manipulation, and improper influence.
- Data minimization and protecting privacy in personalization and gatekeeping.
- Contractual requirements (Terms of Service)
- Terms must be clear, conspicuous, and require affirmative user consent before taking effect.
- Notice and consent for material changes to terms.
- Terms must be accessible at all times.
- Identity disclosure process required (distinct from privacy policy).
- Chatbot identification process (Section 170-5)
- Clear, accessible disclosures that the bot is not human, is AI, and lacks emotions or personal preferences (summarized in under 300 words).
- Explicit user consent at the start of interaction; consent must be free of deceptive design practices and repeated for each new interaction.
- Consent process must be stand-alone from other agreements.
- Data privacy requirements (Section 170-6)
- De-identification of user-related data before storage/analysis.
- Reasonable measures to avoid incorporating sensitive personal data into AI training datasets.
- Retain conversations without sensitive data for at least 60 days.
- Self-destructing messages with a 30-day destruction window after data acquisition.
- Applies to healthcare, financial services, legal, government services, mental health, and education sectors (and generally where sensitive data is processed).
- Transport encryption required for all messages.
- Enforcement (Section 170-7)
- Civil action by the Attorney General or by private individuals for civil damages.
- Private actions: damages up to the greater of actual damages or $1,000 per violation, plus attorneys’ fees; statute of limitations 2 years from discovery.
- No waivers of these rights by contract.
- Effective date
- Part II becomes effective January 1, 2027.
Part III. Rulemaking Authority
- The Department of Justice must adopt rules implementing Parts I and II by January 1, 2027.
Part IV. Effective Date
- General effective date: as provided in the act, with specified provisions taking effect on their stated dates.
Potential impacts
- For health-information chatbots: Introduces a rigorous licensing regime, with mandatory certifications, insurance, testing, monitoring, and annual audits. Substantial compliance obligations and potential penalties for noncompliance.
- For platforms handling general chatbot data: Creates a broad privacy/safety regime emphasizing transparency, de-identification, consent, data minimization, and safety with enforcement avenues.
- Consumers: Enhanced identification of AI chatbots, more explicit consent requirements, data access/deletion rights, and stronger privacy protections for sensitive data.
- Industry: Requires investment in security, auditing, risk management, and ongoing compliance programs; potential costs for licenses, insurance, audits, and rulemaking compliance.
Note
- The bill emphasizes a separation between licensing for health-information chatbots and general chatbot safety/privacy via two chapters, with phased effectiveness starting in 2027 and rulemaking finalized by 2027.
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.