North Carolina Data Privacy Laws: Consumer Rights & Protections (2026)

North Carolina takes a sector-specific approach to data privacy rather than relying on a single comprehensive consumer privacy law. The state's protections are spread across several statutes that address identity theft, data breaches, social security number safeguards, student privacy, insurance data security, and public records confidentiality.
This guide covers every major North Carolina data privacy statute currently in effect, the proposed comprehensive privacy legislation, your rights as a consumer or resident, what obligations businesses must meet, and the penalties for noncompliance.
Overview of North Carolina's Data Privacy Framework
Unlike states such as California, Virginia, and Colorado that have enacted comprehensive consumer data privacy laws, North Carolina relies on a patchwork of targeted statutes to protect personal information. The most significant of these is the Identity Theft Protection Act (N.C. Gen. Stat. Chapter 75, Article 2A), which was enacted in 2005 and remains the cornerstone of the state's data protection framework.

North Carolina's approach covers several key areas through separate laws. Data breach notification falls under G.S. 75-65. Social security number protections are addressed in G.S. 75-62. Data disposal requirements are specified in G.S. 75-64. Student privacy protections are codified in G.S. 115C-401.2. Insurance data security is governed by G.S. Chapter 58, Article 39. Employee personnel records privacy is protected under G.S. Chapter 126, Article 7.
The North Carolina Department of Information Technology (NCDIT) maintains the state's privacy program and adopted the Fair Information Practice Principles (FIPPs) in 2022 as a framework guiding how state agencies collect, use, and protect personal information.
Identity Theft Protection Act (N.C. Gen. Stat. 75-60 through 75-66)
The Identity Theft Protection Act is North Carolina's most comprehensive data protection statute. Enacted as Senate Bill 1048 in 2005, it addresses multiple aspects of personal information protection.
What Qualifies as Personal Information
Under G.S. 75-61, personal information means a person's first name or first initial and last name combined with identifying information as defined in G.S. 14-113.20(b). This includes Social Security numbers, driver's license numbers, state identification card numbers, passport numbers, checking or savings account numbers, credit card or debit card numbers, Personal Identification (PIN) codes, electronic identification numbers or routing codes, digital signatures, biometric data, and fingerprints.
Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated, such as name, address, and telephone number. It also does not include information lawfully available to the general public from federal, state, or local government records.
Social Security Number Protections
G.S. 75-62 places specific restrictions on how businesses handle Social Security numbers. Businesses operating in North Carolina may not intentionally communicate or make available an individual's Social Security number to the general public.
Additional prohibitions include printing or embedding a Social Security number on any card required for accessing products or services. Businesses cannot require individuals to transmit their Social Security number over the internet unless the connection is secure or the number is encrypted. They cannot require use of a Social Security number to access a website unless a password or unique personal identification number is also required.
The law also prohibits printing Social Security numbers on materials mailed to individuals, unless state or federal law requires it. Businesses cannot sell, lease, loan, trade, rent, or otherwise intentionally disclose a Social Security number to a third party without written consent when the disclosing party knows or should reasonably know the third party lacks a legitimate purpose for obtaining it.
Exceptions apply when Social Security numbers are included in applications or enrollment documents, or when they are used to establish, amend, or terminate an account, contract, or policy, or to confirm accuracy for obtaining a credit report.
Security Freeze Rights
Under G.S. 75-63, North Carolina consumers have the right to place a security freeze on their credit report. When a freeze is in place, a consumer reporting agency may not release credit report information to a third party without the consumer's prior express authorization.
A security freeze can be requested in writing by first-class mail, by telephone, or electronically. Consumer reporting agencies must remove a security freeze within 15 minutes of receiving an electronic removal request, or within three business days of receiving a written or telephonic request.
If a freeze is requested by telephone or mail, the consumer reporting agency may charge a fee not exceeding three dollars. However, no fee may be charged to consumers over the age of 62, to identity theft victims who have filed a report with law enforcement, or to the spouse of a qualifying identity theft victim. No additional fee may be charged for temporarily lifting, reinstating, or removing a freeze.
Data Disposal Requirements
G.S. 75-64 requires any business that conducts business in North Carolina and maintains personal information of North Carolina residents to take reasonable measures to protect against unauthorized access to or use of that information in connection with or after its disposal.
Reasonable measures must include implementing and monitoring compliance with policies and procedures requiring the burning, pulverizing, or shredding of papers containing personal information so that the information cannot be practicably read or reconstructed. For electronic and nonpaper media, businesses must ensure the destruction or erasure of the media so that information cannot be practicably read or reconstructed. Businesses must also describe these disposal procedures as official policy in their written records.
A business may contract with a third party for record destruction after conducting due diligence. Due diligence should ordinarily include reviewing an independent audit of the disposal company's operations, obtaining references or requiring certification by a recognized trade association, or reviewing the disposal company's information security policies.
Data Breach Notification Requirements (G.S. 75-65)
North Carolina's data breach notification law under G.S. 75-65 is one of the most important provisions of the Identity Theft Protection Act. It establishes mandatory notification requirements when personal information is compromised.
Who Must Comply
Any business that owns or licenses personal information of North Carolina residents, or any business that conducts business in North Carolina and owns or licenses personal information in any form, whether computerized, paper, or otherwise, must comply with the breach notification law.
What Triggers a Notification
A security breach is defined as the unauthorized access to or acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur, or that creates a material risk of harm to the affected person.
Notification Timeline
Notification must be made without unreasonable delay. The law permits delay consistent with the legitimate needs of law enforcement and any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.
North Carolina does not specify a fixed number of days for notification, unlike some states that impose 30-day or 60-day deadlines. The "without unreasonable delay" standard gives businesses some flexibility but also exposes them to enforcement action if the Attorney General determines the delay was unreasonable.
Content of Notification
Notification to affected persons must be clear and conspicuous. The law does not prescribe a specific format, but the notice should describe the nature of the breach, the types of personal information involved, and steps the affected person can take to protect themselves.
Attorney General Reporting
Businesses must notify the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and the timing, distribution, and content of the consumer notice.
Large-Scale Breaches
When a business provides notice to more than 1,000 persons at one time, it must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in 15 U.S.C. 1681a(p)) of the timing, distribution, and content of the notice.
Third-Party Data Holders
Any business that maintains or possesses records or data containing personal information of North Carolina residents but does not own or license that information must notify the owner or licensee of the information immediately following discovery of the breach.
Publication of Personal Information (G.S. 75-66)
G.S. 75-66 provides additional restrictions on the use and disclosure of sensitive personal information. The statute restricts the use of Social Security numbers, employer taxpayer identification numbers, driver's license numbers, state identification card numbers, and passport numbers.
The law does not apply to the collection, use, or release of personal information for a purpose permitted, authorized, or required by any federal, state, or local law, regulation, or ordinance. Any person whose property or person is injured by a violation of this section may sue for civil damages under G.S. 1-539.2C.
Identity Theft Criminal Penalties (G.S. 14-113.20)
North Carolina criminalizes identity theft under G.S. 14-113.20. A person who knowingly obtains, possesses, or uses identifying information of another person, living or dead, with the intent to fraudulently represent themselves as that person for financial or credit transactions, to obtain anything of value, or to avoid legal consequences is guilty of a felony.
Penalties
A standard violation is punishable as a Class G felony under North Carolina's structured sentencing guidelines. The offense is elevated to a Class F felony if the victim suffers arrest, detention, or conviction as a proximate result of the offense, or if the person possesses identifying information pertaining to three or more separate persons.
Under G.S. 14-113.20A, trafficking in stolen identities carries additional penalties.
Restitution
Courts may order convicted offenders to pay restitution for financial losses caused by the violation. Restitution may include actual losses, lost wages, attorneys' fees, and other costs incurred by the victim in correcting credit history or credit rating, or in connection with any criminal, civil, or administrative proceeding brought against the victim.
Student Data Privacy Protections
North Carolina has enacted multiple statutes protecting student data, reflecting a strong commitment to safeguarding children's information in educational settings.
Student Online Privacy Protection (G.S. 115C-401.2)
The Student Online Privacy Protection Act (G.S. 115C-401.2) regulates how operators of educational technology platforms handle student information. An operator is defined as the operator of a website, online service, online application, or mobile application with actual knowledge that it is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.
Covered information under this statute includes a broad range of personally identifiable data. This encompasses first and last name, home address, telephone number, email address, discipline records, test results, special education data, juvenile dependency records, medical and health records, Social Security numbers, biometric information, socioeconomic information, food purchases, political affiliations, religious information, text messages, student identifiers, search activity, voice recordings, and geolocation information.
Operators are prohibited from engaging in targeted advertising based on information acquired through use of their platform for K-12 school purposes. They cannot use information gathered through their platform to amass a profile about a student except in furtherance of K-12 school purposes. They cannot sell or rent a student's information, including covered information.
Student Data System Security (G.S. 115C-402.5)
G.S. 115C-402.5 establishes security requirements for student data systems and prohibits the collection of certain categories of information. The following data about a student or student's family may not be collected in or reported as part of the student data system: biometric information, political affiliation, and voting history.
Protect Our Students Act (SB 49 / Session Law 2023-106)
The Protect Our Students Act, enacted in 2023, strengthened parental rights regarding student data. Schools must provide parents with information about their rights under state and federal law regarding student records, including opt-out opportunities for directory information disclosure under FERPA. Parents have the right to inspect and review education records and to seek amendments to inaccurate records. The law restricts collection of data about students' political affiliations, beliefs, sex behavior or attitudes, and illegal or demeaning behavior.
Insurance Data Security (G.S. Chapter 58, Article 39)
North Carolina regulates the handling of personal information by insurance companies through the Consumer and Customer Information Privacy Act (G.S. Chapter 58, Article 39). This article has two key components.
Insurance Information and Privacy Protection Act
Insurance institutions, agents, and insurance-support organizations may not disclose personal or privileged information collected in connection with an insurance transaction unless the disclosure is authorized by law or regulation.
Under G.S. 58-39-25, insurance institutions must provide a notice of information practices to all applicants or policyholders. For policyholders, this notice must be provided at least annually, meaning at least once in any period of 12 consecutive months during which the policy is in effect.
Customer Information Safeguards Act
The Customer Information Safeguards Act requires insurance companies to maintain policies that protect the confidentiality and security of nonpublic personal information and safeguard the nonpublic personal information of consumers from unauthorized access.
Public Records and Government Data Protection
Social Security Numbers in Public Records (G.S. 132-1.10)
G.S. 132-1.10 protects Social Security numbers and other personal identifying information in government records. Identifying information is confidential and not considered a public record under Chapter 132. A record with identifying information removed or redacted remains a public record.
When collecting Social Security numbers, government agencies must segregate them on a separate page from the rest of the record. Upon request, they must provide a statement of the purpose for which the Social Security number is being collected and used. They may not use the Social Security number for any purpose other than the stated purpose, and they may not intentionally communicate or make available a person's Social Security number to the general public.
Records of the register of deeds, the Department of the Secretary of State, or the courts may not include any person's Social Security number unless expressly required by law or court order. When responding to public records requests, agencies must redact identifying information before providing the record.
State Employee Personnel Records (G.S. Chapter 126, Article 7)
G.S. Chapter 126, Article 7 protects the privacy of state employee personnel records. Under G.S. 126-22, personnel files are not subject to general public inspection. The information contained in a personnel file is confidential and may only be accessed by specific persons designated by law.
Health Information Privacy
North Carolina aligns its health information privacy protections with federal HIPAA standards while maintaining additional state-specific provisions. G.S. 143-518 addresses confidentiality of patient information for medical records compiled and maintained by state hospitals and the Department of Health and Human Services.
The North Carolina Health Information Exchange Authority ensures that privacy and security safeguards for health data exchanged electronically meet or exceed federal, state, and local requirements, including the HIPAA Privacy Rule, HIPAA Security Rule, and HITECH Act. State law requires reporting of certain conditions, such as child abuse and neglect, which involves the controlled release of otherwise confidential medical information under specific statutory authority.
Federal Privacy Laws Covering North Carolina Residents
Because North Carolina lacks a comprehensive state consumer privacy law, federal laws play a significant role in protecting residents' personal information.
The Health Insurance Portability and Accountability Act (HIPAA) governs how healthcare providers, insurers, and their business associates handle protected health information. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices and safeguard sensitive data. The Fair Credit Reporting Act (FCRA) regulates how consumer reporting agencies collect, access, use, and distribute credit information. The Children's Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under 13 by website operators. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records at institutions receiving federal funding.
These federal laws provide a baseline of protection, but they are limited to specific sectors and do not cover all types of personal data collection and processing by private businesses.
Proposed Legislation: NC Personal Data Privacy Act (HB 462)
The most significant pending data privacy legislation in North Carolina is House Bill 462, introduced in the 2025-2026 legislative session. If enacted, this would establish the North Carolina Personal Data Privacy Act, the state's first comprehensive consumer data protection law.
Consumer Rights Under HB 462
The bill would grant North Carolina consumers six key rights: the right to confirm whether a controller is processing their personal data and to access that data; the right to correct inaccuracies; the right to delete personal data; the right to obtain a copy of their data in a portable format; the right to opt out of the processing of personal data for targeted advertising, sale, or profiling; and the right to have an authorized agent exercise these rights on their behalf.
Who Would Be Covered
The bill would apply to entities that conduct business in North Carolina or target products or services to North Carolina residents and either control or process the personal data of at least 35,000 consumers (excluding data processed solely for payment transactions), or control or process the personal data of at least 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.
Controller and Processor Obligations
The bill defines a controller as a person that, alone or jointly with others, determines the purpose and means of processing personal data. A processor is a person that processes personal data on behalf of a controller. Both would have specific obligations regarding data handling and consumer rights.
Enforcement
The bill grants exclusive enforcement authority to the North Carolina Attorney General and permits a 60-day cure period before initiating an enforcement action.
Current Status
HB 462 was re-referred to the Committee on Commerce and Economic Development on April 29, 2025, and as of early 2026 it has not been enacted. North Carolina residents should monitor ncleg.gov for updates on this legislation.
Attorney General Enforcement
The North Carolina Attorney General's Consumer Protection Division plays a central role in enforcing data privacy protections.
Breach Reporting
Once a business or agency discovers a security breach, it must provide notice to affected people and report to the Attorney General. The Attorney General's office tracks these breaches and uses the data to pursue enforcement actions and inform the public. In 2021, the office logged a record 2,009 data breaches affecting more than 2.4 million North Carolinians.
Major Enforcement Actions
The Attorney General has participated in significant multistate enforcement actions. A $52 million settlement with Marriott International resolved investigations into a multi-year data breach, with North Carolina receiving $2,059,176. Marriott agreed to strengthen its data security practices. A $49.5 million settlement with Blackbaud addressed deficient data security practices and the company's response to a 2020 ransomware attack that exposed personal information of millions of people.
Unfair and Deceptive Practices
The Attorney General can also pursue data privacy violations under North Carolina's broader Unfair and Deceptive Trade Practices Act (G.S. Chapter 75, Article 1), which prohibits unfair or deceptive acts in commerce. A business that misrepresents its data security practices or fails to protect consumer data adequately may face enforcement under this statute.
Practical Steps for North Carolina Residents
North Carolina residents can take several steps to protect their personal information under existing state law. You have the right to place a free or low-cost security freeze on your credit report with each of the three major credit bureaus. You should monitor your credit reports for unauthorized accounts. If you are a victim of identity theft, file a report with your local law enforcement agency and the NC Attorney General's office.
Parents of K-12 students should review their school's data privacy policies and exercise opt-out rights for directory information. Request information about which educational technology vendors have access to your child's data.
If you receive a data breach notification, take it seriously. Change passwords for affected accounts, monitor financial statements, and consider placing a fraud alert or security freeze on your credit file.
Practical Steps for Businesses Operating in North Carolina
Businesses that collect personal information from North Carolina residents have several legal obligations. Develop and implement a written data disposal policy that includes shredding paper records and destroying electronic media. Establish a breach response plan that includes notifying affected consumers and the Attorney General without unreasonable delay.
Review your handling of Social Security numbers to ensure compliance with G.S. 75-62. Never transmit Social Security numbers over unsecured internet connections. Do not print them on mailed materials unless required by law.
If you contract with third-party data processors or record destruction companies, conduct due diligence and maintain written contracts. Monitor compliance with your data security policies on an ongoing basis.
If you use educational technology platforms in K-12 settings, ensure your vendors comply with G.S. 115C-401.2 restrictions on targeted advertising, profiling, and data sales.
Sources and References
- North Carolina Identity Theft Protection Act (G.S. Chapter 75, Article 2A) (ncleg.gov) - Full text of the ITPA
- G.S. 75-61: Definitions (ncleg.gov)
- G.S. 75-62: Social Security Number Protection (ncleg.gov) - SSN handling restrictions
- G.S. 75-63: Security Freeze (ncleg.gov)
- G.S. 75-64: Destruction of Personal Information Records (ncleg.gov)
- G.S. 75-65: Protection from Security Breaches (ncleg.gov) - Breach notification requirements
- G.S. 75-66: Publication of Personal Information (ncleg.gov)
- G.S. 14-113.20: Identity Theft (ncleg.gov) - Criminal identity theft statute
- G.S. 14-113.20A: Trafficking in Stolen Identities (ncleg.gov)
- G.S. 115C-401.2: Student Online Privacy Protection (ncleg.gov) - Student data protections
- G.S. 115C-402.5: Student Data System Security (ncleg.gov)
- Protect Our Students Act (SB 49 / SL 2023-106) (ncleg.gov) - Student privacy legislation
- G.S. Chapter 58, Article 39: Insurance Data Privacy (ncleg.gov) - Insurance information protections
- G.S. 58-39-25: Notice of Insurance Information Practices (ncleg.gov)
- G.S. 132-1.10: Social Security Numbers in Public Records (ncleg.gov) - Government records protections
- G.S. Chapter 126, Article 7: State Employee Personnel Records (ncleg.gov) - Employee records privacy
- G.S. 143-518: Confidentiality of Patient Information (ncleg.gov)
- House Bill 462 (2025-2026 Session) (ncleg.gov) - Proposed NC Personal Data Privacy Act
- NC Attorney General: Security Breach Information (ncdoj.gov) - Breach reporting and enforcement
- NC Attorney General: Report a Security Breach (ncdoj.gov) - Business breach reporting portal
- Attorney General Marriott Settlement ($52M) (ncdoj.gov)
- Attorney General Blackbaud Settlement ($49.5M) (ncdoj.gov)
- NCDIT: Privacy Laws, Policies & Guidance (it.nc.gov) - State privacy framework overview
- NCDIT: Office of Privacy & Data Protection (it.nc.gov)
- NC Health Information Exchange Authority: Privacy & Security (hiea.nc.gov)
- NC DPI: Data Privacy and Policy (dpi.nc.gov)