Consumer Privacy Act.
NC creates Chapter 75F, the Consumer Privacy Act, to protect residents' personal data and set duties for controllers/processors, with AG's Consumer Protection Division enforcing.
NC creates Chapter 75F, the Consumer Privacy Act, to protect residents' personal data and set duties for controllers/processors, with AG's Consumer Protection Division enforcing.
Status and timing
- Bill number: SB 525 — “Consumer Privacy Act.”
- Introduced: February 20, 2025.
- Current status (as provided): Passed first reading.
Purpose and intent
- Establish a statewide consumer privacy statute (Chapter 75F) to protect personal data of North Carolina residents by creating clear definitions, rights for consumers, and obligations for entities that collect, process, or disclose personal data. The bill sets up a regulatory framework to govern how businesses and other organizations handle consumers’ personal data.
Key provisions and structure (based on bill text excerpts)
- New Chapter: Adds Chapter 75F, titled the “Consumer Privacy Act.”
- Definitions: Provides detailed statutory definitions for core terms used throughout the law, including:
- Consumer (a resident acting in an individual/household context), Controller, Processor, Personal data, Sensitive categories (e.g., biometric data), De‑identified and Aggregated data, Pseudonymous data, Affiliate, and more.
- Health‑related terms and scope — “covered entity,” “protected health information,” health care provider/facility — are defined with reference to federal law (HIPAA) and related regulations.
- Administrative structure: Establishes the “Division” as the Consumer Protection Division of the North Carolina Department of Justice (or another unit within the Attorney General’s office) and provides for a Director to oversee implementation and enforcement activities. The bill also references a “Consumer Privacy Restricted Account” (G.S. 75F‑14).
- Data scope and exclusions: Personal data is defined broadly but explicitly excludes information that is a public record under Chapter 132 or otherwise lawfully made available to the general public; health‑care data and covered entities are treated consistent with federal HIPAA definitions.
- Consent and children: The bill defines “consent” and “child” (under age 13), signaling special protections or requirements for minors’ data and affirmative consumer consent for certain processing.
- Enforcement/implementation mechanisms: By creating the Division and Director roles and a restricted account, the bill indicates enforcement and administrative funding/accounting mechanisms will be centralized in the Attorney General’s consumer protection apparatus.
Who would be affected
- Consumers: North Carolina residents acting in personal or household contexts would receive statutory protections for their personal data.
- Businesses and organizations: Any person or entity acting as a controller or processor doing business in the State (or determining purposes/means of processing personal data of NC residents) would be subject to new duties and possible enforcement.
- Health care entities: Entities already regulated as “covered entities” under HIPAA are treated specially in the definitions; the bill appears to carve out or coordinate with existing federal health‑data rules.
- State enforcement: The Attorney General’s Consumer Protection Division would have a central role in administration and enforcement.
Potential impacts and considerations
- Compliance burden: Businesses that collect or process data on North Carolina residents may need to inventory data, update privacy policies, implement new consent and consumer‑rights procedures, and negotiate processing agreements with vendors/affiliates.
- Interplay with federal law: The bill expressly references HIPAA definitions and other federal standards for some categories (health care, business associates), suggesting coordination or partial exemption for federally regulated health data.
- Consumer remedies and enforcement: The bill establishes an enforcement structure (Division, Director), but the excerpt does not provide detail here on private rights of action, penalties, or specific consumer remedies — those details would determine enforcement intensity and fiscal impacts.
Procedural notes
- The bill creates a new statutory chapter (75F) and contains extensive definitional material as the foundation for subsequent rights, obligations, and enforcement provisions. Further committee hearings, amendments, and votes will determine the final scope (consumer rights, penalties, compliance timelines, exemptions).
If you want, I can:
- Produce a side‑by‑side comparison between this draft and other recent state consumer‑privacy laws (e.g., California, Virginia) to highlight likely rights and obligations; or
- Track subsequent amendments and committee actions and provide an updated summary when new text is posted.
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.