11 May North Carolina Introduces Consumer Privacy Act
Written by: Charles R. Langhorne IV, Esq.
On April 7, 2021, North Carolina joined the race to enact state privacy law, by introducing the North Carolina Consumer Privacy Act (the “Act”). The Act was introduced by Senators DeAndrea Salvador (D), Ben Clark (D), and Joyce Waddell (D). Notably, all of the sponsoring senators are Democrats, which could present some hurdles when it comes time to vote.
The Act is essentially a mirror image of Virginia’s Consumer Data Protection Act, with startling penalties for noncompliance. Most importantly, the Act includes a private right of action that could lead to treble damages.
To Whom Does It Apply?
The Act applies to any business who meets both requirements below.
- Conducting business in North Carolina; or
- Any business producing products or services targeted to residents of North Carolina;
- Controls or processes the personal data of at least 100,000 North Carolina residents in a calendar year; or
- Controls or processes personal data of 25,000 North Carolina residents and derives 50% of its gross revenue from the sale of personal data.
Rights of North Carolina Residents
North Carolina residents have the following rights:
- Right to access the personal data.
- Right to correct inaccuracies in personal data.
- Right to have their personal data deleted.
- Right to obtain a copy of their personal data.
- Right to opt-out of further processing of their personal data.
Any business subject to Act must maintain a website privacy notice that contains the following information:
- The categories of personal data being processed;
- The purpose for processing personal data;
- How North Carolina residents may exercise their rights under the Act;
- The categories of personal data shared with third parties; and
- The categories of third parties with whom personal data is shared.
The Act requires data controllers to enter into a written data processing agreement with its processors (read: subcontractors).
Violations & Enforcement
The Act does provide a private right of action for businesses that violate the statute. The North Carolina Attorney General is provided the opportunity to investigate violations and “may” provide a business 30 days to cure an alleged violation, but is not required to provide a right to cure.
Most importantly, a violation of the Act is a violation of North Carolina’s Unfair and Deceptive Trade Practices Act which carries treble damages (3x the actual damages).
Violations found to be in breach of the Act alone will cost a data controller up to $5,000 per violation.
When is it Effective?
The Act becomes effective on January 1, 2023.