An Overview of the North Carolina Consumer Privacy Act – Senate Bill 525

I. Introduction

The North Carolina Consumer Privacy Act (NCCPA) came into effect on January 1, 2024. It represents a significant legislative development in the realm of digital privacy and consumer rights within the state of North Carolina.

The NCCPA empowers North Carolina residents with control over their personal data and imposes obligations on organizations engaged in processing the personal data of North Carolina residents, positioning North Carolina at the forefront of state-level privacy legislation in the United States.

This guide delves into NCCPA’s key provisions, implications for organizations, and the broader impact of the Act on privacy practices and regulatory compliance in the digital age.

II. Who Needs to Comply with NCCPA

The law applies to any controller or processor that:

• Conducts business in North Carolina or produces a product or service that is targeted to consumers who are North Carolina residents; and
• Has an annual revenue exceeding twenty-five million dollars ($25,000,000), and
• Meets either of the following criteria:

(i) Controls or processes personal data of 100,000 or more consumers in a calendar year, or

(ii) Controls or processes the personal data of 25,000 or more consumers and derives over 50% of the entity’s gross revenue from the sale of personal data.

The law does not apply to the following entities:

• A governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity.
• A tribe.
• An institution of higher education.
• A nonprofit corporation.
• A covered entity as defined in 45 C.F.R. Sec.160.103.
• A business associate, as defined in 45 C.F.R. Sec.160.103.

The law does not apply to the following information:

• Any health information, records, data, and documents protected and covered under HIPAA, other federal or state medical laws, including patient information, identifiable private information for purposes of the Federal Policy for the protection of Human Subjects, patient safety work product, de-identified medical data, and medical data for public health use or medical research under HIPAA or any other medical law or policy, information maintained by a healthcare facility/provider, or information used only for public health activities and purposes;
• Protection of Human Subjects, patient safety work product, de-identified medical data, and medical data for public health use or medical research under HIPAA or any other medical law or policy, information maintained by a healthcare facility/provider, or information used only for public health activities and purposes;
• Activities subject to FCRA, 15 11 U.S.C. § 1681 et seq;
• A financial institution or an affiliate of a financial institution or personal data collected, processed, sold, or disclosed in accordance with Title V of the Gramm-Leach-Bliley Act and related regulations.
• Personal data collected, processed, sold, or disclosed in accordance with the federal Driver's Privacy Protection Act of 1994;
• Personal data regulated by the federal Family Education Rights and Privacy Act and related regulations;
• Personal data collected, processed, sold, or disclosed in accordance with the federal Farm Credit Act of 1971;
• Data used for the purpose of employment, emergency contact, or administering benefits;
• An individual's processing of personal data for purely personal or household purposes.

III. Definitions of Key Terms

A. Aggregated Data

Information that relates to a group or category of consumers from which individual consumer identities have been removed and that is not linked or reasonably linkable to any consumer.

B. Biometric Data

Data generated by automatic measurements of an individual's unique biological characteristics. The term includes an individual's fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic that is used to identify a specific individual. Biometric data does not include any of the following:

1. A physical or digital photograph.
2. A video or audio recording.
3. Data generated from physical or a digital photograph or a video or audio recording.
4. Information captured from a patient in a healthcare setting.
5. Information collected, used, or stored for treatment, payment, or health care operations as those terms are defined in 45 C.F.R. Parts 160, 162, and 164.

C. Child

An individual younger than 13 years old.

D. Consent

An affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer.

E. Consumer

An individual who is a resident of North Carolina acting in an individual or household context. The term consumer does not include an individual acting in a commercial or employment context.

F. Controller

A person doing business in North Carolina who determines the purposes for which, and the means by which, personal data are processed, regardless of whether the person makes the determination alone or with others that, alone or jointly with others, determines the purpose and means of processing personal data

G. Personal Data

Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. Personal data does not include information that is a public record under Chapter 132 of the General Statutes or information made available to the general public lawfully and intentionally.

H. Sensitive Data

Personal data that reveals any of the following:

1. An individual's (i) racial or ethnic origin, (ii) religious beliefs, (iii) sexual orientation, (iv) citizenship or immigration status, or (v) information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional. The term does not include personal data that reveals an individual's racial or ethnic origin if the personal data are processed by a video communication service. If the personal data are processed by a person licensed to provide health care under State or federal law, information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional, then the personal data is not sensitive data.
2. The processing of genetic or biometric data if the processing is for the purpose of identifying a specific individual.
3. Specific geolocation data.

I. Targeted Advertising

Displaying an advertisement to a consumer where the consumer is selected based upon personal data obtained from the consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences and interests. The term does not include any advertising:

1. Based upon a consumer's activities within the controller's website or online application or any affiliated website or online application.
2. Based on the context of a consumer's current search query or visit to a website or online application.
3. Directed to a consumer in response to the consumer's request for information, product, service, or feedback.
4. Processing personal data solely to measure or report advertising performance, reach, or frequency.

IV. Obligations for Organizations Under NCCPA

A. Consent Requirements

The law does not require opt-in consent to process a consumer’s sensitive data. But rather it lays down mandatory notice requirements, outlining that in case of processing sensitive data collected from a consumer, it should first present the consumer with a clear notice along with a method and opportunity to opt-out of processing of its sensitive data.

Moreover, in the case of the processing of personal data concerning a known child, the consumer should process the data in accordance with the federal Children's Online Privacy Protection Act (COPPA) and the Act's implementing regulations and exemptions.

Controllers are not obligated to provide products or services if the provision of these services is contingent upon processing specific personal data that the consumer does not provide or allow to be processed.

B. Non-Discrimination Requirements

A controller must not discriminate against a consumer for exercising a right by refusing them a good or service, charging them a different price or rate, or offering them a different quality of good or service.

However, if the consumer has opted out of targeted advertising or the offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program, then the controller may offer a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for free or at a discount.

C. Privacy Notice Requirements

A controller must provide consumers with a clear, understandable, and reasonably accessible privacy notice that contains the following information:

1. Personal data categories that the controller processes.
2. The purpose of processing the categories of personal data.
3. How consumers may exercise their consumer rights.
4. The categories of personal data that the controller shares with third parties, if any.
5. The categories of third parties, if any, with whom the controller shares personal data.

If personal data is sold or used for targeted advertising, there must be a conspicuous disclosure of how consumers can opt-out of such practices.

D. Security Requirements

A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to safeguard the integrity and confidentiality of personal data and minimize the reasonably foreseeable risks that processing it may pose to consumers. The data security procedures must be implemented, taking into account the scope and category of personal data in question and accounting for the businesses’ size, scope, and nature.

E.  Non-Waiver of Consumer Rights

Under the law, any provision of a contract that purports to waive or limit a consumer's right is also void.

F. Processing De-identified Data or Pseudonymous Data

The law does not require a controller or processor to reidentify de-identified data or pseudonymous data or obtain, maintain, or access data in identifiable form for the purpose of allowing the controller or processor to associate a consumer request with personal data. The controller is also not required to comply with an authenticated consumer request to exercise a right under the law if:

• Either the controller does not have the reasonable capacity to associate the request with the personal data, or it would be unreasonably burdensome for it to associate the request with the personal data;
• personal data is not being used by the controller to recognize or respond to the consumer who is the subject of the personal data; and
• personal data is not being sold or disclosed to any third party other than a processor.

Moreover, data subject rights do not apply to pseudonymous data.

G. Processor/ Service Provider Agreements

A processor must comply with the controller's instructions and, insofar as it is reasonably practical, assist the controller in fulfilling its obligations, including those pertaining to the security of processing personal data and notifying others of a security system breach, and by implementing the appropriate organizational and technical measures.

Prior to a processor processing data on behalf of a controller, a contract must be established that:

1. Clearly lays out how personal data is processed, what kind of data is processed, why it's being processed, how long it will take to process it, and what rights and duties each party has.
2. Requires that the processor ensure that everyone processing personal data ensures its confidentiality.
3. Requires that the processor only use subcontractors who have signed a written contract containing the same requirements for processing personal data as the processor.

Moreover, any subcontractor pursuant to a written contract engaged by a processor is also bound by the same obligations. Processors must follow the controller's instructions and assist the controller in fulfilling his or her obligations, including those relating to the security of personal data processing and security breach notifications.

V. Data Subject Rights

A. Right to Confirm and Access Information

A consumer has the right to confirm whether a controller is processing their personal data and accessing that information.

B. Right to Delete

A consumer has the right to request that the controller delete the personal data that they provided to the controller.

C. Right to Portability

When processing is carried out using automated means, a consumer has the right to obtain a copy of the personal data they previously gave to the controller in a format that is, as far as is technically feasible, readily usable and enables them to transfer the data to another controller without difficulty.

D. Right to Opt-Out

A consumer has the right to opt-out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.

Exercising Consumer Rights

A consumer can exercise their rights by submitting a request to the controller, using the methods prescribed by the controller, specifying the rights they want to exercise.

When processing a known child's personal data, their parent or legal guardian may exercise a right on the child's behalf. When processing a consumer's personal information under guardianship, the guardian of the consumer may act on the consumer's behalf.

Controllers’ Response to DSRs

A controller must respond to a consumer’s request and inform the consumer of the subsequent action within 45 days of the receipt of the request. However, the controller may extend the response period by another 45 days, considering the complexity and volume of the requests received.

In the event that a controller decides to extend the initial time, the controller must notify the consumer of the extension, specify its duration, and provide justification for why it is reasonably required before the expiry of the initial 45 days. However, The 45-day period does not apply if the controller suspects fraud and cannot authenticate the request in time. The controller must inform the consumer of the reasons for not taking action within the initial 45 days. If the controller decides not to take any action on the consumer’s request, it shall convey the same to the consumer within 45 days of the receipt of the request.

Charging Fee for Excessive Requests

When a controller responds to a consumer request, it cannot charge a fee unless it is the consumer's second or subsequent request in the same 12-month period. Nonetheless, a controller has the right to refuse to act upon a request or to impose a reasonable price to cover the administrative expenses of complying with it if:

1. The request is excessive, repetitive, technically infeasible, or manifestly unfounded;
2. The controller has a reasonable belief that the request was submitted primarily for a motive other than to exercise a right; or
3. The request harasses, interferes with, or places an excessive load on the controller's business resources, either alone or in conjunction with other requests.

A controller is not obligated to comply with a consumer's request to exercise a right if the controller is unable to authenticate the request using commercially reasonable efforts. Instead, the controller may ask the consumer to give any additional information that is reasonably needed to authenticate the request.

VI. Regulatory Authority

The NCCPA is enforced by the Attorney General. Upon referral from the Division, the Attorney General may bring an enforcement action against a controller or processor for a violation.

The Attorney General must provide the controller or processor the following information at least 45 days prior to the day on which the Attorney General files an enforcement action against them:

• A written notice outlining each NCCPA’s requirements that the Attorney General claims the processor or controller has violated or is currently violating.
• An explanation of the evidence supporting each accusation.

The Attorney General may not initiate an action if the controller or processor:

• Resolves the violation within 45 days from the day since it received the written notification.
• Gives the Attorney General a written notice stating that the violation has been resolved and that it won't happen again.

Limitations

The law does not apply if a controller is processing personal data to comply with any of the following:

1. Comply with the State, Federal, or local laws.
2. Comply with a criminal, civil, or regulatory investigation, inquiry, subpoena, or summons by a federal, state, local, or other government entity.
3. Cooperate with law enforcement agencies in good faith.
4. Investigate, or prepare a legal claim.
5. Provide products or services requested by a consumer, parent, or legal guardian of a child.
6. Perform contractual obligation of a contract to whom a child is a party.
7. Take essential steps to save the life or physical safety of a consumer or another individual.
8. Respond to a security incident.
9. Preserve the integrity or security of systems.
10. Engage in public interest matters that comply with all other applicable ethics and privacy laws.
11. Assist another person to fulfill obligations prescribed under the law.
12. Conduct internal research, identify and repair technical errors, or effectuate a product recall.

VII. Penalties for Non-Compliance

The Attorney General has the authority to initiate an action against the controller who fails to cure the violations within the 45-day notice period or, after curing the violations, again indulges in violations of the law. The attorney general may recover the actual damages to the consumer and an amount not to exceed seven thousand five hundred dollars ($7,500) for each violation. The law does not provide a private right of action.

VIII. How Can an Organization Operationalize the NCCPA

Organizations can operationalize the North Carolina Consumer Privacy Act (NCCPA) by:

• Establishing clearly defined policies and procedures for processing data in compliance with NCCPA’s provisions;
• Developing clear and accessible understandable privacy notices that comply with NCCPA’s requirements;
• Obtaining explicit consent from users before processing their personal data;
• Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
• Train employees who handle the consumers’ data on the organization's policies and procedures, as well as the requirements of the NCCPA.

IX. How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with the North Carolina Consumer Privacy Act (NCCPA) by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.