In today’s digital age, data protection and privacy are a priority, as evidenced by the comprehensive data protection and privacy laws that have taken effect in many states across the US.
Although North Carolina does not yet have a comprehensive legislative framework for data privacy and protection, it is bound by several sectoral and issue-specific protections at the state and federal levels. To stay updated on the progress of privacy-related bills across the US, visit our US State Privacy Laws Tracker.
The following guide provides an overview of the state’s current data protection landscape and outlines the primary considerations for businesses to ensure compliance with existing privacy standards.
The Current State of the Data Protection Laws in North Carolina
Businesses operating in North Carolina must comply with the following requirements at the state level:
- Identity Theft Protection Act (G.S. 75, Art. 2A): North Carolina’s Identity Theft Protection Act includes:
- Secure Disposal (G.S. 75-64): “Reasonable measures” to destroy personal information on paper and electronic media, including written policies and oversight of disposal vendors.
- Breach Notification (G.S. 75-65): Notice to affected residents without unreasonable delay (subject to law-enforcement needs), with required content and permitted methods (including substitute notice). When notifying residents, businesses must also notify the NC Attorney General’s Consumer Protection Division; if more than 1,000 residents are notified, notice to the nationwide consumer reporting agencies is also required. The AG provides an online reporting portal.
- Insurance Information and Privacy (G.S. 58, Art. 39): North Carolina regulates the collection, use, and disclosure of information in connection with insurance transactions (distinct from a comprehensive consumer privacy law).
- Unfair or Deceptive Acts and Practices (G.S. 75-1.1): Misleading privacy statements or unfair data practices may be enforced under North Carolina’s Unfair and Deceptive Acts and Practices (UDAP) statute.
Applicable Federal Laws
The following laws may apply depending on the specific industry:
-
-
- Health Insurance Portability and Accountability Act (HIPAA) for protected health information handled by covered entities and business associates.
- Children's Online Privacy Protection Act (COPPA) for online data about children under 13 (in addition to North Carolina’s student-privacy rules).
- Gramm-Leach-Bliley Act (GLBA) for financial institutions’ customer data.
Best Practices for Businesses
Businesses operating in North Carolina are encouraged to implement safe data protection and privacy measures that help foster customer trust and build compliance over the long term. The following best practices may be considered:
-
-
- Enabling data-flow mapping by understanding personal data movement across systems to support quality, lineage, and lifecycle governance.
- Implementing robust security controls by deploying adequate administrative, technical, and physical safeguards.
- Ensuring the publication of clear and accessible privacy notices which offer appropriate choices for obtaining consent where required.
- Establishing rights-handling workflows to authenticate and fulfill access, correction, or deletion requests where required by sectoral or contractual obligations.
Conclusion
Organizations can efficiently navigate the complex privacy legal landscape by adhering to best practices and investing resources in understanding applicable laws. North Carolina’s Identity Theft Protection Act, insurance privacy rules, and UDAP enforcement create real obligations today while the state continues to consider broader privacy legislation.
