A Guide to North Carolina’s Proposed Data Privacy Law

Following the lead of other states, the North Carolina General Assembly has introduced a broad consumer privacy bill: the Consumer Privacy Act (CPA) of North Carolina. Here's what to expect from the bill if it is passed into law.

Applicability

The law applies to your business if it conducts business in North Carolina, or produces products or services targeted to North Carolina residents, and if one of the following conditions is met:

  • Your business controls or processes the personal data of at least 100,000 consumers

  • Your business controls or processes the personal data of at least 25,000 consumers and derives over 50 percent of its gross revenue from selling personal data

As usual, "personal data" means data that can be reasonably linked to a specific person. This does not include de-identified data or publicly available information. In the case of de-identified data, the controller must take reasonable measures to ensure that the data cannot be associated with an individual, must not attempt to re-identify the data, and must contractually obligate any recipients of the data to comply with CPA.

Certain entities may meet CPA’s criteria but would still be exempt from compliance, including:

  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act

  • Entities covered by the privacy, security, and breach notification rules established pursuant to HIPAA

  • North Carolina political subdivisions

  • Nonprofit organizations

  • Higher education institutions

  • Public school units

Similarly, certain types of data are exempt from coverage. These include:

  • Certain health information and records, such as those protected under HIPAA, patient-identifying information, and information collected for pharmaceutical research

  • Data used to assess a consumer’s creditworthiness for a consumer report, as authorized under the Fair Credit Reporting Act

  • Data processed and maintained in the context of a business relationship between an individual and an organization, such as emergency contact information for employees

The regulation comes with some limitations as well. No attempt to comply with CPA should impede an organization’s ability to:

  • Comply with any other laws

  • Comply with legal inquiries or investigations

  • Cooperate with law enforcement

  • Investigate, establish, exercise, prepare for, or defend legal claims

  • Provide a product or service requested by the consumer, including fulfilling a contractual obligation with the consumer

  • Protect the life or physical safety of an individual

  • Deal with any illegal activity, such as security incidents, identity theft or fraud

  • Engage with certain research where the benefits of the research outweigh the privacy risks of the data activity

  • Assist another entity with any of these obligations

Moreover, none of these obligations can restrict an entity's ability to conduct internal research to develop or improve its products, identify or repair technical errors in its products, or effectuate a product recall. The controller bears the burden of demonstrating that it qualifies for any of these exemptions.

Consumer Rights

Much like previous state privacy bills, the bill establishes a handful of consumer privacy rights. If this bill passes, consumers will have the right to:

  • Know if a controller is processing their personal data

  • Access any personal data a controller has processed from them

  • Correct inaccuracies in their data

  • Delete any data provided by or obtained about them

  • Obtain a portable copy of their data in a usable format that they can transmit to other controllers without hindrance

  • Opt out of the processing of their data for the purposes of targeted advertising, sale, or profiling in furtherance of decisions that affect the consumer

Any of these rights can be exercised through a request by the consumer, or by the consumer's parent or legal guardian if the consumer is younger than 13. Once the request is authenticated, the controller or processor must comply. Consumers have the right to two free requests per year and may not be required to create an account in order to submit a request.

Upon receiving a request, the controller must act on it without undue delay. All requests must be responded to within 45 days, unless the complexity or volume of consumer requests makes it impossible to do so. In that case, the controller can extend the response period by another 45 days, as long as it informs the consumer of the reason for the extension within the initial 45-day window.

If the controller has grounds to deny the request, it must inform the consumer within 45 days of the request being made. This notice must include the reason for the denial and how the consumer can appeal. If an appeal is made, the controller must inform the consumer of its decision within 60 days, and if the appeal is denied, must provide a clear online mechanism through which the consumer can submit a complaint to the Attorney General.

Consumers cannot be discriminated against for exercising any of their rights. This means that organizations cannot refuse service to such consumers, or offer them a different price or quality of goods, unless the data activity in question is necessary to provide the good or service. This does not prohibit loyalty programs or discounts granted to consumers who voluntarily provide their data.

Transparency

The bill also establishes a set of principles that controllers and processors should adhere to, dedicating an entire section to transparency.

Controllers must provide consumers with a privacy notice that includes:

  • The categories of personal data processed or shared with third parties

  • The purpose for the processing

  • The categories of third parties with whom the data is shared

  • One or more methods consumers can use to exercise their rights

  • How consumers can appeal a denied request

  • Whether the controller sells personal data to third parties or uses it for targeted advertising

In short, controllers must disclose the purposes of their data activity to consumers, and cannot collect data beyond what is necessary for those purposes without the consumer's consent.

Internal Measures

Controllers are obligated to implement “administrative, technical, and physical” data security practices in order to protect consumer data.

The bill requires controllers to conduct “data protection assessments” at least once a year for any processing activity for the purposes of targeted advertising, sale or profiling.

Such assessments must also be conducted for any activity that presents “a heightened risk of harm to consumers” or involves sensitive data, such as biometric or genetic data, geolocation data, or data revealing the subject’s race, ethnicity, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status.

In order to comply, these assessments must identify the benefits of the activity to the controller, the consumer, and other stakeholders, as well as the risks the activity poses to consumer rights and the safeguards put in place to mitigate them. The risk analysis must include a cybersecurity analysis covering any threats to the security of the data and an action plan to remedy them.

In addition, the assessment should include an analysis of the use of de-identified data in the processing. This aspect of the report should specifically address the extent to which de-identified data can be used in place of personal data.

Upon request, the controller must make these assessments available to the Attorney General, who will evaluate them for compliance. A single assessment may cover a set of similar data activities.

Controller-Processor Relationships

The bill outlines the processor’s obligation to assist controllers in the efforts to comply, including cooperation with consumer rights requests, breach notifications, and data protection assessments.

For any processing activity, a binding contract must be in place between the controller and the processor establishing the instructions for the processing, the purpose and duration of the activity, and the type of data involved. Specifically, the contract must require that the processor:

  • Ensures every individual who processes personal data adheres to a duty of confidentiality

  • Deletes or returns data to the controller upon request

  • Demonstrates its compliance with CPA to the controller upon request

  • Cooperates with the controller during data assessments

  • Contractually requires any subcontractor to comply with CPA when using personal data

Enforcement

CPA includes a private right of action: consumers injured by a violation may bring a civil action to enjoin and restrain future violations. If the consumer prevails, the violating entity may have to pay the consumer's attorney fees. Consumers have three years from the date of a violation to initiate an action.

Otherwise, the Attorney General is responsible for enforcing CPA. Upon receiving notice of a violation, the violator has 30 days to cure it; if the violation is cured within that period, no penalty applies. If the violation continues, the Attorney General may seek an injunction and civil penalties of up to $5,000 per violation, plus reimbursement of the expenses incurred in the investigation.

If passed, the act will become effective January 1, 2023.
