WeVote

Bill

Bill

SB 757

Consumer Privacy Act.

2025-2026 Session Introduced by Woodson Bradley and 4 co-sponsors

Senators propose a new North Carolina Consumer Privacy Act to regulate how state residents’ personal data is collected, processed, and used by businesses.

Passed 1st Reading
0
WeVote Research Nonpartisan
Bill Summary · SB 757

SB 757 — "Consumer Privacy Act" (First Edition) — Summary

Status: Introduced Feb 21, 2025. Passed 1st Reading (Mar 26, 2025). (Bill text is a first-edition draft; portions of the text provided are truncated and subject to amendment.)

Main purpose

SB 757 would create a new statutory framework — the "North Carolina Consumer Privacy Act" (new Chapter 75F of the General Statutes) — to regulate the collection, processing, and use of personal data of state residents and to define obligations for businesses that determine how and why personal data are processed.

Key provisions (from the available draft)

  • Establishes a new Chapter 75F titled “Consumer Privacy Act.”
  • Extensive definitions (Chapter 75F‑1), including:
    • Core terms: “consumer,” “personal data,” “process,” “controller,” and “processor.”
    • Technical categories: “de‑identified data,” “pseudonymous data,” “aggregated data.”
    • Sensitive categories: “biometric data,” “protected health information” (with cross‑references to federal HIPAA definitions), and other exemptions for health‑care related data and entities.
    • Other administrative terms: “Director” and “Division” (the bill ties enforcement/administration to the Consumer Protection Division of the NC Department of Justice).
  • Scope: Applies to “consumers” defined as individuals who are state residents acting in an individual or household context; explicitly excludes individuals acting in commercial or employment contexts.
  • Data handling: The draft defines what it means to “process” personal data (collection, use, storage, disclosure, analysis, deletion, modification).
  • De‑identification requirements: A controller holding de‑identified data must (1) take reasonable measures to prevent re‑identification, (2) publicly commit to maintain/use the data only in de‑identified form, and (3) contractually obligate recipients to same protections.
  • Exemptions: The definitions carve out various health‑care contexts (treatment/payment/operations), covered entities, business associates, and other narrow categories consistent with federal law.
  • Institutional framework: Creates references to a “Consumer Privacy Restricted Account” (the bill refers to an Account in subsequent sections) and designates the Consumer Protection Division and a Director for administration and enforcement functions.

Note: The provided materials include only the initial portions (primarily definitions and structural provisions). Provisions commonly found in consumer privacy laws (specific consumer rights such as access, deletion, correction, data portability, opt‑out of targeted advertising; controller obligations like data minimization, purpose limitation, security; thresholds/exemptions; private right of action; civil penalties) are not visible in the truncated excerpt and may be in later sections or added in committee.

Who would be affected

  • Consumers: North Carolina residents (individuals acting in individual/household contexts) whose personal data are processed.
  • Businesses: Any person or entity “doing business in this State” that acts as a controller (i.e., determines processing purposes/means) would be subject to obligations under the Chapter; processors acting on behalf of controllers are also defined and likely regulated by contracting and compliance duties.
  • Regulated sectors: The draft explicitly preserves a number of health‑care related definitions/exemptions; other sectoral exemptions (financial, education, government) may appear elsewhere in the bill.

Enforcement & administration

  • The bill designates the Consumer Protection Division (and a Director) as the administering/enforcing authority for the Chapter. Specific enforcement mechanisms, remedies, penalties, and procedures are not contained in the excerpt provided.

Procedural/ timeline notes

  • Introduced Feb 21, 2025; passed first reading March 26, 2025 and referred to committee(s).
  • This is an early version (S‑757, First Edition). The bill text is truncated in available documents and is likely to be amended in committee. Interested parties should monitor committee reports and later drafts for the operative consumer rights, compliance requirements, exemptions, and enforcement details.

Potential impacts (high level)

  • If enacted in substantially similar form, SB 757 would create a statewide compliance regime for businesses processing resident data — prompting policy updates (privacy notices, contracts with processors, data governance, security measures) — and would give consumers a statutory framework governing how their personal data are handled.
  • The final economic and administrative impacts will depend on thresholds, exemptions, enforcement approach, and remedies that are included in sections beyond the provided draft.

For a complete, actionable compliance assessment, review the full bill text (complete Chapter 75F) and subsequent committee amendments once published. If you’d like, I can monitor and provide an updated summary when the bill advances or when newer versions are released.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.