Which privacy laws apply to your business in North Carolina?
There is no comprehensive North Carolina consumer-privacy law. The operative state statute is the Identity Theft Protection Act, an Article of Chapter 75 that governs breach notification, Social Security numbers, record disposal, and credit-report security freezes rather than data handling generally. Its breach-notice duty reaches any business that owns or licenses personal information of North Carolina residents, or that conducts business in North Carolina and owns or licenses personal information in any form — computerized, paper, or otherwise — with no revenue or consumer-volume threshold.
North Carolina residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of its sale, and businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties. What the state has instead is the Identity Theft Protection Act (ITPA), N.C. Gen. Stat. §§ 75-60 through 75-66, plus a handful of sector-specific statutes: school-technology operators may not target advertising based on school-use information or sell or rent student data, and health insurers may not refuse coverage, raise group premium rates, or charge higher premiums because of genetic information.
The rest of a North Carolina privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. None of those is a North Carolina statute, but together with the ITPA they are what actually shapes a compliant North Carolina-facing program today.
Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review. A program built to the ITPA and the federal overlay would upgrade rather than restart if North Carolina later adopted an omnibus privacy statute.
Sources for this answer
Primary law
A.1 N.C. Gen. Stat. § 75-60
North Carolina's operative privacy statute is Article 2A of Chapter 75, formally titled the Identity Theft Protection Act.
This Article shall be known and may be cited as the "Identity Theft Protection Act".
See N.C. Gen. Stat. § 75-60.
Primary law
A.2 N.C. Gen. Stat. § 75-65
The breach-notification duty applies to any business that owns or licenses personal information of North Carolina residents, or that conducts business in North Carolina and owns or licenses personal information in any form, including paper records.
Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach.
See N.C. Gen. Stat. § 75-65(a).
Primary law
A.3 N.C. Gen. Stat. § 115C-401.2
Operators of websites, services, and applications used primarily for K-12 school purposes may not engage in targeted advertising based on information acquired through the school-use service.
Engage in targeted advertising on the operator's site, service, or application, or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes.
See N.C. Gen. Stat. § 115C-401.2(b)(1).
Primary law
A.4 N.C. Gen. Stat. § 115C-401.2
Operators of websites, services, and applications used primarily for K-12 school purposes may not sell or rent student information.
Sell or rent a student's information, including covered information.
See N.C. Gen. Stat. § 115C-401.2(b)(3).
Primary law
A.5 N.C. Gen. Stat. § 58-3-215
North Carolina insurance law forbids health insurers from raising group premium rates, refusing to issue or deliver a health benefit plan, or charging a higher premium because of genetic information.
No insurer shall: (1) Raise the premium or contribution rates paid by a group for a group health benefit plan on the basis of genetic information obtained about an individual member of the group. (2) Refuse to issue or deliver a health benefit plan because of genetic information obtained about any person to be insured by the health benefit plan. (3) Charge a higher premium rate or charge for a health benefit plan because of genetic information obtained about any person to be insured by the health benefit plan.
See N.C. Gen. Stat. § 58-3-215(c).
Can a consumer sue your business over a data breach in North Carolina?
Yes, if the consumer was injured and the violated section supplies the bridge. The breach-notification section itself says a violation is a violation of the state's unfair-trade-practices act, and an injured individual may bring a private action. Once a Chapter 75 violation injures a person, the damages remedy is not discretionary: judgment shall be rendered for treble the amount fixed by the verdict. A prevailing party may also recover a reasonable attorney fee in the court's discretion on a finding of willfulness and an unwarranted refusal to resolve the matter.
This three-statute chain is the defining feature of the ITPA sections that expressly use it. Breach notification, Social Security number protection, consumer security freezes, protected-consumer freezes, and record disposal each declare that a violation is a violation of N.C. Gen. Stat. § 75-1.1, the section declaring unfair or deceptive acts or practices in or affecting commerce unlawful. Section 75-16 then supplies the private action and its mandatory trebling. The practical consequence: a plaintiff who proves one of those bridged violations does not need to separately establish that the conduct was unfair or deceptive — the statute does that work — and a court that assesses damages has no discretion to decline trebling.
Two limits keep the bridge from being a strict-liability lottery. First, injury is an element: § 75-65 says no private action may be brought unless the individual is injured as a result of the violation, so a breach with no resulting harm does not by itself support a suit. Second, causes of action under the Article may not be assigned, which cuts against claim aggregation by third parties. Neither limit changes the headline for businesses: a notification failure after a breach converts directly into treble-damages exposure to every injured resident.
Sources for this answer
Primary law
B.1 N.C. Gen. Stat. § 75-65
A breach-notification violation is per se a § 75-1.1 unfair-trade-practice violation, and an injured individual — but only an injured one — may sue privately.
A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.
See N.C. Gen. Stat. § 75-65(i).
Primary law
B.4 N.C. Gen. Stat. § 75-62
A violation of the Social Security number protection section is a violation of § 75-1.1.
A violation of this section is a violation of G.S. 75-1.1.
See N.C. Gen. Stat. § 75-62(d).
Primary law
B.5 N.C. Gen. Stat. § 75-63
A violation of the consumer security-freeze section is a violation of § 75-1.1.
A violation of this section is a violation of G.S. 75-1.1.
See N.C. Gen. Stat. § 75-63(g).
Primary law
B.6 N.C. Gen. Stat. § 75-63.1
A violation of the protected-consumer security-freeze section is a violation of § 75-1.1.
A violation of this section is a violation of G.S. 75-1.1.
See N.C. Gen. Stat. § 75-63.1(g).
Primary law
B.7 N.C. Gen. Stat. § 75-64
A disposal violation is a § 75-1.1 violation, with a special limit on trebling for certain nonmanagerial employee acts or omissions.
A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees.
See N.C. Gen. Stat. § 75-64(f).
Primary law
B.2 N.C. Gen. Stat. § 75-16
A person injured by a Chapter 75 violation has a private right of action, and damages assessed must be trebled — the statute makes trebling mandatory, not discretionary.
If any person shall be injured or the business of any person, firm or corporation shall be broken up, destroyed or injured by reason of any act or thing done by any other person, firm or corporation in violation of the provisions of this Chapter, such person, firm or corporation so injured shall have a right of action on account of such injury done, and if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict.
See N.C. Gen. Stat. § 75-16.
Primary law
B.8 N.C. Gen. Stat. § 75-1.1
Section 75-1.1 is North Carolina's general unfair-and-deceptive-practices statute, the section into which Identity Theft Protection Act violations are channeled.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful.
See N.C. Gen. Stat. § 75-1.1(a).
Primary law
B.3 N.C. Gen. Stat. § 75-16.1
In a § 75-1.1 suit the judge may, in his discretion, award a reasonable attorney fee to the prevailing party's counsel, taxed as court costs against the losing party.
In any suit instituted by a person who alleges that the defendant violated G.S. 75-1.1, the presiding judge may, in his discretion, allow a reasonable attorney fee to the duly licensed attorney representing the prevailing party, such attorney fee to be taxed as a part of the court costs and payable by the losing party, upon a finding by the presiding judge that: (1) The party charged with the violation has willfully engaged in the act or practice, and there was an unwarranted refusal by such party to fully resolve the matter which constitutes the basis of such suit
See N.C. Gen. Stat. § 75-16.1.
Primary law
B.9 N.C. Gen. Stat. § 75-65
Causes of action arising under the Identity Theft Protection Act may not be assigned.
Causes of action arising under this Article may not be assigned.
See N.C. Gen. Stat. § 75-65(j).
What must your North Carolina privacy policy contain?
No North Carolina statute requires a general consumer privacy policy or fixes what it must say. The binding rule is that whatever you publish has to be true: a materially misleading policy statement can support a deception claim under § 75-1.1 and under Section 5 of the FTC Act, if the required elements are met. In North Carolina that truthfulness rule has unusual teeth for injured consumers, because damages assessed in a private Chapter 75 action are trebled.
The drafting question in North Carolina is therefore less what must be included and more whether the policy matches actual practice. Where a sectoral regime applies, that regime supplies the contents: a financial institution may not share nonpublic personal information with nonaffiliated third parties without first giving the consumer a GLBA privacy notice; a HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties; and an operator of a child-directed service must post notice of what it collects from children, how it uses it, and its disclosure practices.
For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it. Because trebling under § 75-16 is automatic once damages are assessed, an inaccurate privacy policy is structurally more dangerous in North Carolina than in states where multiplied damages are left to the court's discretion: every material promise in the policy can become part of a deception theory for an injured reader if the statement is misleading and damages requirements are met.
Sources for this answer
Primary law
C.1 N.C. Gen. Stat. § 75-1.1
Section 75-1.1 declares unfair or deceptive acts or practices in or affecting commerce unlawful; a materially misleading privacy-policy statement can support a deception theory if the required elements are met.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful.
See N.C. Gen. Stat. § 75-1.1(a).
Primary law
C.2 FTC Act § 5
Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful; a materially misleading privacy-policy statement can support an FTC deception theory if the required elements are met.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Primary law
C.3 N.C. Gen. Stat. § 75-16
Damages assessed in a private Chapter 75 action are trebled as a matter of statutory command, which raises the stakes of a deceptive privacy policy.
if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict
See N.C. Gen. Stat. § 75-16.
Primary law
C.4 GLBA § 502
A financial institution may not disclose nonpublic personal information to nonaffiliated third parties unless it has given the consumer the required GLBA privacy notice.
Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.
See 15 U.S.C. § 6802(a).
Primary law
C.5 HIPAA Notice of Privacy Practices
A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520.
Primary law
C.6 COPPA
An operator of a child-directed website or online service must post notice of what information it collects from children, how it uses that information, and its disclosure practices.
to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information
See 15 U.S.C. § 6502(b)(1)(A)(i).
What must your contracts with vendors say?
North Carolina has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The state does impose a disposal duty: covered businesses must take reasonable measures against unauthorized access to or use of personal information in connection with or after disposal. For paper and electronic media, those measures must include monitored policies for shredding, burning, pulverizing, destroying, or erasing records so the information cannot practicably be read or reconstructed.
The vendor contract the state addresses directly is an implementation option for that disposal duty: a business may, after due diligence, enter into a written contract with — and monitor compliance by — a record-destruction vendor to destroy personal information consistently with the disposal statute. The disposal statute is worth taking seriously because it has its own express § 75-1.1 bridge, with one employee-specific softening: damages caused by nonmanagerial employees are not trebled unless the business was negligent in training, supervising, or monitoring them. Due diligence on a destruction vendor should ordinarily include reviewing an independent audit, checking references or third-party certification, or evaluating the vendor's information-security policies — the statute lists those routes itself.
Data-hosting and service-provider relationships are touched only on the breach side: a business that maintains or possesses records containing personal information it does not own or license must notify the owner or licensee immediately following discovery of a security breach. That allocation — the vendor tells you, you tell your customers — is a reason to put breach-notice timing, cooperation, and cost terms into every vendor agreement even though no North Carolina statute requires them. Where a federal regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers and bind them by contract to maintain safeguards, and HIPAA requires a business-associate agreement with required use limits, safeguards, breach reporting, and subcontractor flow-down terms. Outside those verticals, carrying the same protections forward — processing limited to instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion at the end of the engagement — is best practice rather than state-law compulsion.
Sources for this answer
Primary law
D.1 N.C. Gen. Stat. § 75-64
A business conducting business in North Carolina or possessing a North Carolina resident's personal information must take reasonable measures against unauthorized access or use in connection with or after disposal.
Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.
See N.C. Gen. Stat. § 75-64(a).
Primary law
D.2 N.C. Gen. Stat. § 75-64
Reasonable disposal measures include monitored policies for destroying paper and electronic media so personal information cannot practicably be read or reconstructed.
The reasonable measures must include: (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed. (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.
See N.C. Gen. Stat. § 75-64(b)(1)-(2).
Primary law
D.3 N.C. Gen. Stat. § 75-64
A business may discharge its disposal duty through a written contract with a record-destruction vendor, entered after due diligence and subject to compliance monitoring.
A business may, after due diligence, enter into a written contract with, and monitor compliance by, another party engaged in the business of record destruction to destroy personal information in a manner consistent with this section.
See N.C. Gen. Stat. § 75-64(c).
Primary law
D.4 N.C. Gen. Stat. § 75-64
A disposal violation is a per se § 75-1.1 violation, but damages caused by nonmanagerial employees are not trebled unless the business was negligent in training, supervising, or monitoring them.
A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees.
See N.C. Gen. Stat. § 75-64(f).
Primary law
D.5 N.C. Gen. Stat. § 75-65
A business holding personal information it does not own or license must notify the owner or licensee immediately upon discovering a security breach.
Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.
See N.C. Gen. Stat. § 75-65(b).
Primary law
D.6 GLBA Safeguards Rule
The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.
Requiring your service providers by contract to implement and maintain such safeguards
See 16 C.F.R. § 314.4(f)(2).
Primary law
D.7 HIPAA Business Associate Contracts
HIPAA requires a written business-associate contract with permitted-use terms, safeguards, breach reporting, and subcontractor flow-down obligations.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information
See 45 C.F.R. § 164.504(e)(2).
What rights do North Carolina consumers have over their personal data?
Not the comprehensive-statute set. North Carolina law gives consumers no general rights to access, delete, correct, or port their personal data, no right to opt out of its sale or of targeted advertising, and no requirement that businesses honor universal opt-out signals such as Global Privacy Control. The rights that do exist are narrower and identity-theft-shaped: any consumer may place a security freeze on their credit report, a business may not sell or intentionally disclose a Social Security number to a third party without written consent where it has reason to believe the recipient lacks a legitimate purpose, and a person who has objected to disclosure can sue anyone who knowingly publishes their personal information anyway.
The security freeze is the most operationally complete right. A freeze prohibits a consumer reporting agency from releasing the consumer's credit report or any information in it without the consumer's express authorization, and electronic placement, lifting, and removal must be free. A parallel mechanism protects children under 16 and incapacitated adults: a consumer reporting agency must place a protected-consumer security freeze within 30 days of a qualifying request by the protected consumer's representative.
The publication right under § 75-66 is narrow but carries its own civil action: any person whose property or person is injured by a violation may sue for civil damages. Its definition of personal information is broader than the breach statute's, sweeping in biometric data, fingerprints, and passwords. Beyond those, North Carolina consumers rely on sector-specific protections — student data, genetic information in insurance, and the federal regimes — rather than on a general data-rights statute. Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review.
Sources for this answer
Primary law
E.4 N.C. Gen. Stat. § 75-63
A security freeze prohibits a consumer reporting agency from releasing a consumer's credit report or information from it without express authorization, subject to statutory exceptions.
A security freeze shall prohibit, subject to exceptions in subsection (l) of this section, the consumer reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer.
See N.C. Gen. Stat. § 75-63(a).
Primary law
E.1 N.C. Gen. Stat. § 75-63
Any North Carolina consumer may place a security freeze on their credit report by request to a consumer reporting agency.
A consumer may place a security freeze on the consumer's credit report by making a request to a consumer reporting agency in accordance with this subsection.
See N.C. Gen. Stat. § 75-63(a).
Primary law
E.5 N.C. Gen. Stat. § 75-63
Consumer reporting agencies may not charge for placing, lifting, or removing a security freeze when the request is made electronically.
A consumer reporting agency shall not charge a fee to put a security freeze in place, remove a freeze, or lift a freeze pursuant to subsection (d) or (j) of this section, provided that any such request is made electronically.
See N.C. Gen. Stat. § 75-63(o).
Primary law
E.6 N.C. Gen. Stat. § 75-61
A protected consumer includes an individual under age 16 when a security-freeze request is made and an incapacitated individual or one with a guardian or guardian ad litem.
An individual (i) who is under the age of 16 at the time a request for the placement of a security freeze is made pursuant to G.S. 75-63.1 or (ii) who is incapacitated or for whom a guardian or guardian ad litem has been appointed.
See N.C. Gen. Stat. § 75-61(11a).
Primary law
E.7 N.C. Gen. Stat. § 75-63.1
A consumer reporting agency must place a protected-consumer security freeze — covering minors under 16 and incapacitated adults — within 30 days of a qualifying request by the protected consumer's representative.
A consumer reporting agency shall place a protected consumer security freeze on the protected consumer's credit report or on the protected consumer's file in accordance with subsection (b) of this section within 30 days of all of the following conditions being satisfied
See N.C. Gen. Stat. § 75-63.1(a).
Primary law
E.2 N.C. Gen. Stat. § 75-62
A business may not sell, lease, trade, rent, or otherwise intentionally disclose an individual's Social Security number to a third party without written consent where it has reason to believe the third party lacks a legitimate purpose.
Sell, lease, loan, trade, rent, or otherwise intentionally disclose an individual's social security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number.
See N.C. Gen. Stat. § 75-62(a)(6).
Primary law
E.3 N.C. Gen. Stat. § 75-66
Knowingly broadcasting or publishing a person's personal information after that person has objected to disclosure violates § 75-66.
It shall be a violation of this section for any person to knowingly broadcast or publish to the public on radio, television, cable television, in a writing of any kind, or on the internet, the personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to any such disclosure.
See N.C. Gen. Stat. § 75-66(a).
Primary law
E.8 N.C. Gen. Stat. § 75-66
A person injured by an unlawful publication of personal information may sue for civil damages.
Any person whose property or person is injured by reason of a violation of this section may sue for civil damages pursuant to the provisions of G.S. 1-539.2C.
See N.C. Gen. Stat. § 75-66(e).
When must you notify people of a data breach in North Carolina?
Without unreasonable delay, once you discover or are notified of a security breach. The notification may be paced only by the legitimate needs of law enforcement and by measures necessary to determine contact information, determine the scope of the breach, and restore the integrity, security, and confidentiality of the data system. A security breach is an incident of unauthorized access to and acquisition of unencrypted and unredacted records containing personal information where illegal use has occurred, is reasonably likely to occur, or creates a material risk of harm to a consumer; encrypted records count if the confidential process or key is also acquired. Every consumer-noticed breach also triggers a report to the Attorney General's Consumer Protection Division — there is no headcount floor.
This is where North Carolina imposes its hardest operational duties, and the statutory text quoted here reflects the section as amended in 2025 by S.L. 2025-25, § 29. Personal information means a person's first name or initial and last name combined with identifying information as defined in the State's identity-theft law; for breach purposes, the statute excludes electronic identification numbers, email names or addresses, internet account numbers, internet identification names, a parent's legal surname before marriage, and passwords unless that information would permit access to a person's financial account or resources. Encryption and redaction are built into the trigger, and the harm element (illegal use occurred, is reasonably likely, or material risk of harm) gives the statute a risk threshold many state breach laws lack.
The notice itself has fixed contents: a general description of the incident, the type of personal information involved, the business's protective acts, a contact number, advice to remain vigilant, and the contact details for the consumer reporting agencies, the FTC, and the North Carolina Attorney General's Office. Written, electronic, and direct telephonic notice are all permitted, with substitute notice available above a 500,000-person or 250,000-dollar threshold or where contact information, consent, or affected-person identification is lacking. When notice goes to more than 1,000 persons at one time, the business must also notify the nationwide consumer reporting agencies of the timing, distribution, and content of the notice.
The Attorney General report is not a formality: the statutory report must describe the nature of the breach, the number of affected consumers, investigation and prevention steps, and the timing, distribution, and content of the consumer notice. Assume a North Carolina breach notice may draw regulatory attention, and remember from the private-lawsuit discussion above that a notification failure is per se a § 75-1.1 violation carrying treble-damages exposure to injured residents.
Sources for this answer
Primary law
F.1 N.C. Gen. Stat. § 75-65: Breach notification must be made without unreasonable delay, qualified only by law-enforcement needs and the measures necessary to scope the breach and restore the system.
The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
See N.C. Gen. Stat. § 75-65(a).
Primary law
F.2 N.C. Gen. Stat. § 75-61: A security breach is unauthorized access to and acquisition of unencrypted, unredacted personal information where illegal use has occurred, is reasonably likely, or creates a material risk of harm to a consumer; encrypted records also trigger the definition if the confidential process or key is acquired.
An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.
See N.C. Gen. Stat. § 75-61(14).
Primary law
F.4 N.C. Gen. Stat. § 75-61: Personal information under the ITPA means a person's first name or first initial and last name combined with identifying information as defined in G.S. 14-113.20(b), excluding certain public information.
A person's first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b). Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.
See N.C. Gen. Stat. § 75-61(10).
Primary law
F.5 N.C. Gen. Stat. § 75-65: For breach-notification purposes, certain electronic identifiers, email information, account names, prior surnames, and passwords are excluded unless they would permit access to financial accounts or resources.
For the purposes of this section, personal information shall not include electronic identification numbers, email names or addresses, internet account numbers, internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.
See N.C. Gen. Stat. § 75-65(a).
Primary law
F.6 N.C. Gen. Stat. § 75-61: Encryption means using an algorithmic process to render data unreadable or unusable without a confidential process or key.
The use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
See N.C. Gen. Stat. § 75-61(8).
Primary law
F.7 N.C. Gen. Stat. § 75-61: Redaction means rendering data unreadable or truncating it so no more than the last four digits of the identification number are accessible.
The rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number is accessible as part of the data.
See N.C. Gen. Stat. § 75-61(13).
Primary law
F.3 N.C. Gen. Stat. § 75-65: Whenever a business notifies any affected person of a breach, it must also notify the Attorney General's Consumer Protection Division — the duty attaches to every consumer-noticed breach with no headcount floor.
In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
See N.C. Gen. Stat. § 75-65(e1).
Primary law
F.8 N.C. Gen. Stat. § 75-65: North Carolina breach notices must be clear and conspicuous and include seven categories of information about the incident, data involved, protective measures, contact information, vigilance advice, consumer reporting agencies, the FTC, and the North Carolina Attorney General.
The notice shall be clear and conspicuous. The notice shall include all of the following: (1) A description of the incident in general terms. (2) A description of the type of personal information that was subject to the unauthorized access and acquisition. (3) A description of the general acts of the business to protect the personal information from further unauthorized access. (4) A telephone number for the business that the person may call for further information and assistance, if one exists. (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports. (6) The toll-free numbers and addresses for the major consumer reporting agencies. (7) The toll-free numbers, addresses, and website addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
See N.C. Gen. Stat. § 75-65(d).
Primary law
F.9 N.C. Gen. Stat. § 75-65: Substitute notice is available if notice would cost more than $250,000, the affected class exceeds 500,000, or the business lacks enough contact information, consent, or ability to identify particular affected persons.
Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons.
See N.C. Gen. Stat. § 75-65(e)(4).
Primary law
F.10 N.C. Gen. Stat. § 75-65: A breach notice to more than 1,000 persons at one time also requires notice to the nationwide consumer reporting agencies.
In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
See N.C. Gen. Stat. § 75-65(f).
Primary law
F.11 N.C. Gen. Stat. § 75-65: A breach-notification violation is per se a § 75-1.1 unfair-trade-practice violation, privately actionable by an injured individual.
A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.
See N.C. Gen. Stat. § 75-65(i).
How is privacy law enforced in North Carolina?
For injured consumers, enforcement turns on the specific ITPA sections that expressly bridge into § 75-1.1 and on Chapter 75's civil action. The breach-notification section says a violation is a § 75-1.1 violation and allows a private action only for an injured individual; § 75-16 then gives an injured person a right of action and requires trebling when damages are assessed. There is no cure period, no right-to-fix window, and no contracting around the Article: any waiver of its provisions is contrary to public policy and is void and unenforceable.
The absence of a cure period is a structural point, not an oversight — North Carolina has no comprehensive privacy act of the kind that typically grants one, so enforcement follows the state's existing unfair-and-deceptive-practices framework for bridged claims. The Attorney General's Consumer Protection Division is the operative privacy regulator for breach reporting because every consumer-noticed breach report must be sent there, with the nature of the breach, affected-consumer count, investigation steps, prevention steps, and notice details.
Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review. The durable planning assumption is the current one: injured-consumer treble-damages suits where a section expressly bridges to § 75-1.1, Attorney General breach-report intake under § 75-65(e1), and sector regulators (the FTC, federal banking agencies, HHS) layered on top for businesses inside the federal regimes. For the student-privacy statute the Attorney General is also the named enforcer — it may bring a civil action for injunctive and other equitable relief, and that section creates no private right of action.
Sources for this answer
Primary law
G.1 N.C. Gen. Stat. § 75-65: A breach-notification violation is a § 75-1.1 violation, and an individual may bring a private action only if injured by the violation.
A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.
See N.C. Gen. Stat. § 75-65(i).
Primary law
G.2 N.C. Gen. Stat. § 75-16: A person injured by a Chapter 75 violation has a private right of action, and damages assessed must be trebled.
If any person shall be injured or the business of any person, firm or corporation shall be broken up, destroyed or injured by reason of any act or thing done by any other person, firm or corporation in violation of the provisions of this Chapter, such person, firm or corporation so injured shall have a right of action on account of such injury done, and if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict.
See N.C. Gen. Stat. § 75-16.
Primary law
G.4 N.C. Gen. Stat. § 75-1.1: Section 75-1.1 declares unfair or deceptive acts or practices in or affecting commerce unlawful.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful.
See N.C. Gen. Stat. § 75-1.1(a).
Primary law
G.5 N.C. Gen. Stat. § 75-65: Whenever a business provides breach notice to an affected person, it must notify the Attorney General's Consumer Protection Division without unreasonable delay and provide specified breach-report details.
In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
See N.C. Gen. Stat. § 75-65(e1).
Primary law
G.3 N.C. Gen. Stat. § 75-65: The Identity Theft Protection Act cannot be waived by contract — any waiver of the Article's provisions is void and unenforceable.
Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable.
See N.C. Gen. Stat. § 75-65(g).
Primary law
G.6 N.C. Gen. Stat. § 115C-401.2: The student online privacy statute is enforced by the Attorney General through civil actions for injunctive and equitable relief and creates no private right of action.
The Attorney General, upon ascertaining that an operator has violated this section, may bring a civil action seeking injunctive and other equitable relief.
See N.C. Gen. Stat. § 115C-401.2(g).