Data privacy legislation has picked up steam across the nation in recent years. California, Colorado, and Virginia are among many states that have recently passed data privacy laws. Many other states, including North Carolina, have pending or proposed bills that are at various stages of the legislative process. Much of the new legislation imposes a duty on businesses to safeguard and to disclose to consumers the personal information that is collected from them. This is a rapidly evolving area and other states are passing new privacy legislation as we write this, so there is more to come.

Recently Enacted Privacy Laws

The California Consumer Privacy Act, which passed in 2018 and took effect in 2020, was a prominent early example of legislation addressing data privacy. CCPA gives consumers the right to request that a business that collects their personal information disclose the categories and specific pieces of personal information collected. The Act also states the business is to inform the consumer of the purpose for which the personal information collected shall be used. The Act imposes a duty on businesses that collect personal information to disclose the information to be collected and gives the consumer the right to request deletion of the consumer’s personal information and to correct any inaccurate information.

The Colorado Privacy Act gives consumers rights similar to the California law and imposes a duty on companies to safeguard consumer personal information and strengthen data protection practices. The Act also empowers the State’s Attorney General to evaluate a company’s data protection assessment and impose penalties on companies where violations occur.

The Virginia Consumer Act, which will take effect on January 1, 2023, provides much of the same personal data rights. The act imposes similar duties on businesses that collect personal data and requires businesses to create data protection programs to safeguard consumer information and reduce the risk of mismanagement.

The Proposed North Carolina Bill

In 2021,legislation was proposed in North Carolina entitled The Consumer Privacy Act of North Carolina (CPA). CPA is almost identical to the Virginia Consumer Act. CPA passed its first reading and was referred to the rules and operations committee on April 7, 2021. If CPA passes, it would become effective on January 1, 2023.

Scope

CPA would generally apply to businesses that operate in North Carolina or target their products or services to North Carolina residents and (i) control or process personal data of at least 100,000 consumers per year or (ii) control or process personal data of at least 5,000 consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

However, there are numerous entities that would be exempt from CPA. There are also several types of data that would be exempt, which mostly includes data protected by federal laws such as HIPAA.

 Rights and protections that would be provided by CPA

If passed into law, CPA invokes similar consumer privacy rights as seen in other legislation across the country including allowing parents of minor children to invoke such rights on behalf of the child.

CPA will also require businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

CPA would provide six substantive rights to consumers:

1. Rights of Knowledge and Access – Consumers may confirm whether or not a business is processing the consumer’s personal data and may access such data.
2. Right of Correction – Consumers may correct inaccuracies in the consumer’s personal data.
3. Right of Deletion – Consumers may demand that their personal data be deleted.
4. Right to Obtain a Copy – Consumers may obtain a copy of their personal data.
5. Right to Opt Out – Consumers may opt out of the processing of their personal data for the purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
6. Private Right of Action – An individual consumer may institute a civil action to enjoin and restrain future violations of CPA and reasonable attorneys’ fees may be awarded to the prevailing party.

What does this mean for businesses in North Carolina?

Similar to the other existing data privacy regulations mentioned above, the EU’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), CPA would regulate how businesses handle, process, and use consumers’ personal data.

The major compliance requirements for businesses would include:

1. Responding to Consumer Requests – Businesses will be required to comply with CPA requests without undue delay and within 45 days. A business may get one 45-day extension when reasonably necessary, so long as the business gives notice to the consumer within the initial 45-day response period and gives the reason for the extension. If the business declines a consumer’s request, it must do so within 45 days, provide justification for the declining to act, and provide instructions for how to appeal as provided within CPA.
2. Disclose – Businesses must disclose to the consumer the purposes for which consumer personal data is collected.
3. Limit Data Collection – Businesses must limit the collection of personal data to only what is “adequate, relevant and reasonably necessary” in relation to the disclosed purposes for personal data and may not exceed the disclosed purpose without consent from the consumer.
4. Obtain Consent for Sensitive Data – Businesses may not process sensitive data[1] concerning the consumer without obtaining consent.
5. Privacy Notice – Businesses must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes (1) the categories of personal data being processed, (2) the purposes of such processing, (3) how consumers may exercise their rights under CPA, (3) the categories of personal data that the business shares with third parties, and (4) the categories third parties, if any, with whom the business shares personal data.
6. Enter into Contracts – Businesses must enter into contracts with their data processors that include processing procedures with respect to the processing performed by the processor on behalf of the business and include specific requirements as by CPA.
7. Conduct Data Protection Assessments – Businesses must, at least annually, conduct and document data protection assessments.

Penalties for violating CPA

The CPA allows a private right of action for injured consumers, and lets the prevailing party recover attorneys’ fees. It also changes the law about where a consumer’s lawsuit would be filed (the venue for an action) from the current requirements.

In addition to civil actions by injured consumers, the Attorney General may initiate an action seeking an injunction and civil penalties up to $5,000 for each violation of CPA. The Attorney General may also recover reasonable expenses incurred in investigating and preparing the case, including attorney fees. A violation of CPA would also be a violation of North Carolina’s Unfair and Deceptive Trade Practices Act which mandates treble damages (triple the actual damages) and includes the potential for recovery of attorneys’ fees for the injured party.

If passed, the CPA would dramatically change privacy law in North Carolina. Stay tuned for more updates on the progress of this legislation and other privacy laws at the General Assembly.

Article written with assistance from Cranfill Sumner LLP clerk Devin Honbarger.

[1] Sensitive data. – A category of personal data that includes the following:

1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
3. The personal data collected from a known child.
4. Precise geolocation data.