FILED SENATE Apr 6, 2021, S.B. 569, PRINCIPAL CLERK
GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2021
SENATE BILL DRS15222-LR-88A
Short Title: Consumer Privacy Act. (Public)
Sponsors: Senators Salvador, Clark, and Waddell (Primary Sponsors).
Referred to:
A BILL TO BE ENTITLED
AN ACT TO PROTECT CONSUMERS BY ENACTING THE CONSUMER PRIVACY ACT OF NORTH CAROLINA.
The General Assembly of North Carolina enacts:
SECTION 1. This act shall be known and may be cited as the "Consumer Privacy Act of North Carolina."
SECTION 2. Chapter 75 of the General Statutes is amended by adding a new Article to read:
"Article 2B.
"Consumer Privacy Act.
"§ 75-70. Definitions; scope; exemptions.
(a) Definitions. – The following definitions apply in this Article:
(1) Affiliate. – A legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, "control" or "controlled" means (i) ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a company; (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise controlling influence over the management of a company.
(2) Authenticate. – Verifying through reasonable means that the consumer entitled to exercise his consumer rights in G.S. 75-71 is the same consumer exercising such consumer rights with respect to the personal data at issue.
(3) Biometric data. – Data generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. "Biometric data" does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
(4) Business associate. – The same meaning as the term established by HIPAA.
(5) Child. – Any natural person younger than 13 years of age.
(6) Consent. – A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
(7) Consumer. – A natural person who is a resident of this State acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
(8) Controller. – The natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
(9) Covered entity. – The same as the term established by HIPAA.
(10) Decisions that produce legal or similarly significant effects concerning a consumer. – A decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.
(11) De-identified data. – Data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. A controller that possesses "de-identified data" shall comply with the requirements of subsection (a) of G.S. 74-75.
(12) Fund. – The Consumer Privacy Fund established in this Article.
(13) Health record. – Any written, printed, or electronically recorded material maintained by a health care entity in the course of providing health services to an individual concerning the individual and the services provided. "Health record" also includes the substance of any communication made by an individual to a health care entity in confidence during or in connection with the provision of health services or information otherwise acquired by the health care entity about an individual in confidence and in connection with the provision of health services to the individual.
(14) Health care provider. – Includes the following persons licensed, certified, or otherwise permitted to conduct business or practice in this State: (i) a hospital, (ii) a nursing home or nursing facility, (iii) any person practicing medicine, osteopathy, or dentistry, or (iv) any person furnishing health care policies or plans.
(15) HIPAA. – The federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d, et seq.).
(16) Identified or identifiable natural person. – A person who can be readily identified, directly or indirectly.
(17) Institution of higher education. – A public or private college or university.
(18) Nonprofit organization. – Any corporation exempt from taxation under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code.
(19) Personal data. – Any information that is linked or reasonably linkable to an identified or identifiable natural person. The term does not include de-identified data or publicly available information.
(20) Precise geolocation data. – Information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms that directly identify the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(21) Process or processing. – Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(22) Processor. – A natural or legal entity that processes personal data on behalf of a controller.
(23) Profiling. – Any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(24) Protected health information. – The same as the term established by HIPAA.
(25) Pseudonymous data. – Personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
(26) Publicly available information. – Information that is lawfully made available through federal, State, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
(27) Sale of personal data. – The exchange of personal data for monetary consideration by the controller to a third party. "Sale of personal data" does not include any of the following:
    a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
    b. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.
    c. The disclosure or transfer of personal data to an affiliate of the controller.
    d. The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience.
    e. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
(28) Sensitive data. – A category of personal data that includes the following:
    a. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
    b. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
    c. The personal data collected from a known child.
    d. Precise geolocation data.
(29) State agency. – A State agency, board, bureau, council, department, institution, or other instrumentality of State government in the executive branch. The term also includes county human services agencies; local departments of social services; county health departments; district health departments; local emergency management agencies; and area mental health, developmental disabilities, and substance abuse authorities.
(30) Targeted advertising. – Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. "Targeted advertising" does not include any of the following:
    a. Advertisements based on activities within a controller's own websites or online applications.
    b. Advertisements based on the context of a consumer's current search query, visit to a website, or online application.
    c. Advertisements directed to a consumer in response to the consumer's request for information or feedback.
    d. Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.
(31) Third party. – A natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
(b) Scope. – This Article applies to persons that conduct business in the State or produce products or services that are targeted to residents of this State and that either (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.
(c) Coverage Exemptions. – This Article does not apply to any of the following:
(1) Political subdivisions of the State.
(2) Financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.
(3) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act, P.L. 111-5.
(4) A nonprofit organization.
(5) An institution of higher education.
(6) A public school unit, as defined in G.S. 115C-5(7a).
(7) Controller or processor that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. section 6501, et seq., but only to the extent that the controller or processor shall be deemed compliant with any obligation to obtain parental consent under this Article.
(d) Data Exemption. – The following information and data are exempt from this Article:
(1) Protected health information under HIPAA.
(2) Health records for the purpose of carrying out the duties and responsibilities of the North Carolina Department of Health and Human Services.
(3) Patient identifying information for purposes of 42 U.S.C. § 290dd-2.
(4) Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this Article, or other research conducted in accordance with applicable law.
(5) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101, et seq.
(6) Patient safety work products for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. § 299b-21, et seq.
(7) Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.
(8) Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that