Who is affected by North Carolina data privacy laws?
The Identity Theft Protection Act creates obligations for any company that owns or licenses the personal information of North Carolina residents, and for any business that conducts business in North Carolina and owns or licenses that information in any form.
If passed, the Consumer Privacy Act of North Carolina (CPA) would apply to businesses that target their services to North Carolina residents. It requires compliance from any company that controls or processes the personal data of:
- At least 100,000 consumers on an annual basis; or
- At least 25,000 consumers, while deriving over 50 percent of its revenue from the sale of personal data.
North Carolina privacy laws
The Identity Theft Protection Act (ITPA) primarily focuses on data breaches. The CPA expands on the ITPA by focusing on personal consumer data, giving consumers more control over how their data is used.
Key differences include:
- Right of knowledge and access: Consumers can confirm whether their data is being collected and processed. They may also request a copy of that data.
- Right to correction or deletion: Consumers can correct their personal data or ask that the controller delete the data.
- Right to opt out: Consumers are entitled to opt out of personal data processing for targeted purposes.
- Private right of action: The attorney general has the right to enforce the CPA, if passed, but individuals also have a right to civil action.
- Responses to consumer requests: Data controllers are required to comply with any of the requests above, typically within 45 days.
- Disclosure obligation: Controllers must tell consumers why they’re collecting data.
- Limitations on data collection: Controllers need to limit data collection to “adequate, relevant, and reasonably necessary” data for the disclosed purposes above. Furthermore, if the controller has obtained a consumer’s sensitive data without consent, they may not process it. This includes data relating to race, ethnicity, health diagnoses, citizenship or immigration status, religion, biometric or genetic data, and precise geolocation data.
- Privacy notices: Data controllers need to provide consumers with a privacy notice, including what kind of data is being processed, for which purpose, how to exercise consumer rights, and whether the information is shared with third parties.
- Data processor contracts: Controllers must ensure their contracts with processors comply with CPA procedures and requirements.
- Assessments: Controllers must conduct and document a data protection assessment on an annual basis.
If passed, the law will go into effect in January 2023.
Our software pairs technology with real legal expertise to deliver compliant North Carolina privacy policies and notices in record time. Simply answer a series of questions, download the generated document, and have your lawyer review. It’s the easiest way to stay compliant and avoid incurring penalties—all while saving money on legal fees.