North Carolina

North Carolina Data Privacy Laws: Consumer Rights & Protections (2026)

By Recording Law Editorial TeamPublished March 21, 2026Reviewed May 20, 202623 min read

North Carolina does not have a comprehensive consumer data privacy law as of May 2026. The state's personal data protections come from a patchwork of sector-specific statutes: the Identity Theft Protection Act (N.C. Gen. Stat. Chapter 75, Article 2A) is the foundation, covering breach notification, Social Security number handling, credit freezes, and data disposal. Separate laws address student privacy, insurance information, public records, and health data. Three bills introduced in the 2025-2026 legislative session would change that picture, but none has been enacted.

In 2025, North Carolina businesses and government agencies reported 2,349 data breaches to the Department of Justice, a record high, exposing the personal information of approximately 9.3 million North Carolinians. Attorney General Jeff Jackson, who took office in January 2025, has pursued aggressive enforcement using existing breach-notification authority, launching investigations into PowerSchool and 23andMe and securing a court order blocking unlawful federal data-sharing with DOGE.

This guide covers every major North Carolina data privacy statute in force, the status of pending comprehensive privacy legislation, what rights North Carolina residents currently hold, what obligations businesses must meet, and how the Attorney General enforces these laws.

Overview of North Carolina's Data Privacy Framework

North Carolina takes a sector-specific approach to data privacy rather than relying on a single comprehensive consumer privacy law. Unlike California, Virginia, Colorado, and more than a dozen other states that have enacted omnibus consumer data protection statutes, North Carolina's protections are spread across targeted statutes that address identity theft, data breaches, Social Security number safeguards, student privacy, insurance data security, and public records confidentiality.

The most significant of these statutes is the Identity Theft Protection Act (N.C. Gen. Stat. Chapter 75, Article 2A), enacted in 2005 and last substantively amended in 2021. It remains the cornerstone of the state's data protection framework.

data privacy - data protection and privacy

The North Carolina Department of Information Technology (NCDIT) maintains the state's privacy program and has adopted the Fair Information Practice Principles (FIPPs) as a framework guiding how state agencies collect, use, and protect personal information. The Office of Privacy and Data Protection within NCDIT provides guidance, model policies, and technical assistance to state agencies.

North Carolina's data privacy framework covers these distinct areas through separate statutes:

Data breach notification: G.S. 75-65
Social Security number protections: G.S. 75-62
Data disposal requirements: G.S. 75-64
Student privacy protections: G.S. 115C-401.2 and G.S. 115C-402.5
Insurance data security: G.S. Chapter 58, Article 39
State employee personnel records: G.S. Chapter 126, Article 7
Social Security numbers in government records: G.S. 132-1.10

Three bills introduced in the 2025-2026 legislative session would establish the state's first comprehensive consumer privacy law, but all remained in committee as of May 2026.

Identity Theft Protection Act (N.C. Gen. Stat. 75-60 through 75-66)

The Identity Theft Protection Act is North Carolina's most comprehensive data protection statute. It addresses multiple aspects of personal information protection: definitions of covered data, SSN restrictions, credit freezes, data disposal obligations, breach notification, and publication restrictions.

What Qualifies as Personal Information

Under G.S. 75-61, personal information means a person's first name or first initial and last name combined with any of the following: Social Security numbers, driver's license numbers, state identification card numbers, passport numbers, checking or savings account numbers, credit card or debit card numbers, Personal Identification (PIN) codes, electronic identification numbers or routing codes, digital signatures, biometric data, and fingerprints.

Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated, such as name, address, and telephone number. It also excludes information lawfully available to the general public from federal, state, or local government records.

data privacy - breach notification correspondence

G.S. 75-62 places specific restrictions on how businesses handle Social Security numbers. Businesses operating in North Carolina may not intentionally communicate or make available an individual's Social Security number to the general public. Additional prohibitions include:

Printing or embedding a Social Security number on any card required for accessing products or services
Requiring individuals to transmit their Social Security number over the internet unless the connection is secure or the number is encrypted
Requiring use of a Social Security number to access a website unless a password or unique personal identification number is also required
Printing Social Security numbers on materials mailed to individuals, unless state or federal law requires it
Selling, leasing, loaning, trading, renting, or otherwise intentionally disclosing a Social Security number to a third party without written consent when the disclosing party knows or should reasonably know the third party lacks a legitimate purpose

Exceptions apply when Social Security numbers are included in applications or enrollment documents, or when they are used to establish, amend, or terminate an account, contract, or policy.

Security Freeze Rights (G.S. 75-63)

Under G.S. 75-63, North Carolina consumers have the right to place a security freeze on their credit report. When a freeze is in place, a consumer reporting agency may not release credit report information to a third party without the consumer's prior express authorization.

A security freeze can be requested in writing by first-class mail, by telephone, or electronically. Consumer reporting agencies must remove a security freeze within 15 minutes of receiving an electronic removal request, or within three business days of receiving a written or telephonic request.

If a freeze is requested by telephone or mail, the consumer reporting agency may charge a fee not exceeding three dollars. No fee may be charged to consumers over the age of 62, to identity theft victims who have filed a report with law enforcement, or to the spouse of a qualifying identity theft victim. No additional fee may be charged for temporarily lifting, reinstating, or removing a freeze. Federal law under the Economic Growth, Regulatory Relief, and Consumer Protection Act also guarantees free credit freezes nationwide through the three major consumer reporting agencies.

Data Disposal Requirements (G.S. 75-64)

G.S. 75-64 requires any business that conducts business in North Carolina and maintains personal information of North Carolina residents to take reasonable measures to protect against unauthorized access to or use of that information in connection with or after its disposal.

Reasonable measures must include implementing and monitoring compliance with policies and procedures requiring the burning, pulverizing, or shredding of papers containing personal information. For electronic media, businesses must ensure the destruction or erasure of the media so that information cannot be practicably read or reconstructed. Businesses must also describe these disposal procedures as official policy in their written records.

A business may contract with a third party for record destruction after conducting due diligence. Due diligence should ordinarily include reviewing an independent audit of the disposal company's operations, obtaining references or requiring certification by a recognized trade association, or reviewing the disposal company's information security policies.

Data Breach Notification Requirements (G.S. 75-65)

North Carolina's data breach notification law under G.S. 75-65 establishes mandatory notification requirements when personal information is compromised. In 2025, the scope of this law was tested by a record-breaking year: the Attorney General's office received 2,349 breach reports affecting 9.3 million North Carolinians, the most since the law took effect in 2006.

Who Must Comply

Any business that owns or licenses personal information of North Carolina residents, or any business that conducts business in North Carolina and owns or licenses personal information in any form, whether computerized, paper, or otherwise, must comply with the breach notification law.

What Triggers Notification

A security breach is the unauthorized access to or acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur, or that creates a material risk of harm to the affected person.

Notification Timeline

Notification must be made without unreasonable delay. The law permits delay consistent with the legitimate needs of law enforcement and any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.

North Carolina does not specify a fixed number of days for notification, unlike some states that impose 30-day or 60-day deadlines. The "without unreasonable delay" standard gives businesses some flexibility but also exposes them to enforcement action if the Attorney General determines the delay was unreasonable.

Attorney General Reporting

Businesses must notify the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and the timing, distribution, and content of the consumer notice.

Large-Scale Breaches

When a business provides notice to more than 1,000 persons at one time, it must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in 15 U.S.C. 1681a(p)) of the timing, distribution, and content of the notice.

Third-Party Data Holders

Any business that maintains or possesses records or data containing personal information of North Carolina residents but does not own or license that information must notify the owner or licensee of the information immediately following discovery of the breach.

Publication of Personal Information (G.S. 75-66)

G.S. 75-66 provides additional restrictions on the use and disclosure of sensitive personal information, including Social Security numbers, employer taxpayer identification numbers, driver's license numbers, state identification card numbers, and passport numbers.

The law does not apply to the collection, use, or release of personal information for a purpose permitted, authorized, or required by any federal, state, or local law, regulation, or ordinance. Any person whose property or person is injured by a violation of this section may sue for civil damages under G.S. 1-539.2C.

Identity Theft Criminal Penalties (G.S. 14-113.20)

North Carolina criminalizes identity theft under G.S. 14-113.20. A person who knowingly obtains, possesses, or uses identifying information of another person, living or dead, with the intent to fraudulently represent themselves as that person for financial or credit transactions, to obtain anything of value, or to avoid legal consequences is guilty of a felony.

A standard violation is punishable as a Class G felony under North Carolina's structured sentencing guidelines. The offense is elevated to a Class F felony if the victim suffers arrest, detention, or conviction as a proximate result of the offense, or if the person possesses identifying information pertaining to three or more separate persons.

Under G.S. 14-113.20A, trafficking in stolen identities carries additional penalties. Courts may order convicted offenders to pay restitution for financial losses, including actual losses, lost wages, attorneys' fees, and costs incurred by the victim in correcting credit history or in connection with any criminal, civil, or administrative proceeding brought against the victim.

Student Data Privacy Protections

North Carolina has enacted multiple statutes protecting student data, reflecting a strong commitment to safeguarding children's information in educational settings.

data privacy - children and student data privacy

Student Online Privacy Protection (G.S. 115C-401.2)

The Student Online Privacy Protection Act (G.S. 115C-401.2) regulates how operators of educational technology platforms handle student information. An operator is defined as the operator of a website, online service, online application, or mobile application with actual knowledge that it is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.

Covered information includes a broad range of personally identifiable data: first and last name, home address, telephone number, email address, discipline records, test results, special education data, juvenile dependency records, medical and health records, Social Security numbers, biometric information, socioeconomic information, food purchases, political affiliations, religious information, text messages, student identifiers, search activity, voice recordings, and geolocation information.

Operators are prohibited from engaging in targeted advertising based on information acquired through use of their platform for K-12 school purposes. They cannot use information gathered through their platform to amass a profile about a student except in furtherance of K-12 school purposes. They cannot sell or rent a student's information.

Student Data System Security (G.S. 115C-402.5)

G.S. 115C-402.5 establishes security requirements for student data systems and prohibits collection of certain categories of information. The following data about a student or student's family may not be collected in or reported as part of the student data system: biometric information, political affiliation, and voting history.

Protect Our Students Act (SB 49 / Session Law 2023-106)

The Protect Our Students Act, enacted in 2023, strengthened parental rights regarding student data. Schools must provide parents with information about their rights under state and federal law regarding student records, including opt-out opportunities for directory information disclosure under FERPA. The law restricts collection of data about students' political affiliations, beliefs, sex behavior or attitudes, and illegal or demeaning behavior.

The relevance of these statutes was demonstrated in December 2024, when PowerSchool, a company that sells software products used by schools across the country, was hacked. The breach potentially exposed Social Security numbers, addresses, and medical and disciplinary information of approximately 4 million North Carolinians. Attorney General Jeff Jackson opened a formal investigation and issued a Civil Investigative Demand to PowerSchool in early 2025.

Insurance Data Security (G.S. Chapter 58, Article 39)

North Carolina regulates the handling of personal information by insurance companies through the Consumer and Customer Information Privacy Act (G.S. Chapter 58, Article 39). This article contains two key components.

Insurance Information and Privacy Protection Act

Insurance institutions, agents, and insurance-support organizations may not disclose personal or privileged information collected in connection with an insurance transaction unless the disclosure is authorized by law or regulation.

Under G.S. 58-39-25, insurance institutions must provide a notice of information practices to all applicants or policyholders. For policyholders, this notice must be provided at least once in any period of 12 consecutive months during which the policy is in effect.

Customer Information Safeguards Act

The Customer Information Safeguards Act requires insurance companies to maintain policies that protect the confidentiality and security of nonpublic personal information and safeguard that information from unauthorized access.

Public Records and Government Data Protection

G.S. 132-1.10 protects Social Security numbers and other personal identifying information in government records. Identifying information is confidential and not considered a public record under Chapter 132. A record with identifying information removed or redacted remains a public record.

Government agencies may not fail to segregate Social Security numbers on a separate page from the rest of the record when collecting them. Upon request, they must provide a statement of the purpose for which the Social Security number is being collected and used. Records of the register of deeds, the Department of the Secretary of State, or the courts may not include any person's Social Security number unless expressly required by law or court order.

State Employee Personnel Records (G.S. Chapter 126, Article 7)

G.S. Chapter 126, Article 7 protects the privacy of state employee personnel records. Under G.S. 126-22, personnel files are not subject to general public inspection.

Health Information Privacy

North Carolina aligns its health information privacy protections with federal HIPAA standards while maintaining additional state-specific provisions. G.S. 143-518 addresses confidentiality of patient information for medical records maintained by state hospitals and the Department of Health and Human Services.

The North Carolina Health Information Exchange Authority ensures that privacy and security safeguards for health data exchanged electronically meet or exceed federal, state, and local requirements, including the HIPAA Privacy Rule, HIPAA Security Rule, and HITECH Act. The NC Department of Public Instruction maintains separate data privacy and policy guidance for the K-12 education context.

Federal Privacy Laws Covering North Carolina Residents

Because North Carolina lacks a comprehensive state consumer privacy law, federal statutes provide significant baseline protection for North Carolina residents.

data privacy - health data and HIPAA

TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025). This federal law criminalizes the nonconsensual publication of intimate images, including AI-generated deepfakes (nonconsensual intimate images, or NCII). Criminal prohibitions took effect immediately upon signing. Covered online platforms were required to establish notice-and-removal processes by May 19, 2026, with FTC enforcement beginning on that date. North Carolina residents who are victims of NCII have both a federal criminal remedy and can report to the FTC.

Health Insurance Portability and Accountability Act (HIPAA). HIPAA governs how healthcare providers, insurers, and their business associates handle protected health information. The HIPAA Privacy Rule and Security Rule apply to covered entities in North Carolina regardless of whether state law imposes additional requirements.

Gramm-Leach-Bliley Act (GLBA). GLBA requires financial institutions to explain their information-sharing practices and safeguard sensitive data. North Carolina financial institutions operating under federal charters or state licenses must comply with GLBA's privacy notices and data security requirements.

Fair Credit Reporting Act (FCRA) and FACTA. FCRA regulates how consumer reporting agencies collect, access, use, and distribute credit information. FACTA's disposal rule requires businesses to dispose of consumer report information securely. North Carolina's G.S. 75-64 parallels the FACTA disposal rule for personal information generally.

Children's Online Privacy Protection Act (COPPA). COPPA restricts the collection of personal information from children under 13 by website operators. Operators serving North Carolina children must obtain verifiable parental consent before collecting, using, or disclosing personal information.

FTC Act Section 5. The Federal Trade Commission's authority to prevent unfair or deceptive acts or practices in commerce extends to data security failures. The FTC has taken enforcement action against companies that made material misrepresentations about their data security or failed to maintain reasonable safeguards, without a state comprehensive privacy law being required.

American Privacy Rights Act (APRA). A bipartisan federal comprehensive privacy bill, APRA, was introduced in the 118th Congress in 2024 but did not pass. The bill expired when the 118th Congress ended in January 2025 and has not been re-enacted as of May 2026. No federal comprehensive consumer privacy law is currently in effect.

Pending Legislation: North Carolina's Path to Comprehensive Privacy Law

Three bills introduced in the 2025-2026 legislative session would create North Carolina's first comprehensive consumer data privacy protections. None had been enacted as of May 2026.

stack of official legal documents with decorative embossed seal on a marble surface, fountain pen alongside

House Bill 462, introduced in the 2025-2026 session, contains two substantive parts. Part I would enact the North Carolina Personal Data Privacy Act, creating a new Chapter 75F of the General Statutes. Part II would enact the Social Media Safety Act, requiring social media platforms to use commercial age-verification systems before allowing North Carolina minors to open accounts.

Consumer rights under Part I. The bill would grant North Carolina consumers six key rights: the right to confirm whether a controller is processing their personal data and to access that data; the right to correct inaccuracies; the right to delete personal data; the right to obtain a portable copy of their data; the right to opt out of targeted advertising, data sales, and profiling; and the right to have an authorized agent exercise these rights on their behalf.

Scope thresholds. The bill would apply to entities that conduct business in North Carolina or target products or services to North Carolina residents and either control or process the personal data of at least 35,000 consumers (excluding data processed solely for payment transactions), or control or process the personal data of at least 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

Enforcement. Exclusive enforcement authority would reside with the North Carolina Attorney General, with a 60-day cure period before initiating an enforcement action.

Status. As of May 2026, HB 462 was re-referred to the Committee on Commerce and Economic Development on April 29, 2025. It has not advanced to a floor vote.

Senate Bill 757: Consumer Privacy Act

Senate Bill 757, introduced March 2025, is a separate comprehensive consumer privacy bill in the Senate. The bill would establish the Consumer Privacy Act and provide residents with rights to access, correct, delete, and opt out of sales and targeted advertising. SB 757 remained in committee as of May 2026.

Senate Bill 963: AI Chatbots Safety and Privacy

Senate Bill 963 addresses privacy and safety obligations specific to AI chatbot operators, including age-verification, disclosure, and data-handling requirements. The bill remained in committee as of May 2026.

Tracking pending legislation. North Carolina residents and businesses should monitor ncleg.gov for updates on all three bills. The 2025-2026 session is a long session; legislation can move quickly once a bill reaches the floor.

Attorney General Enforcement

The North Carolina Attorney General's Consumer Protection Division plays a central role in enforcing data privacy protections. Attorney General Jeff Jackson took office in January 2025 and has made data privacy enforcement a priority from his first months in office.

2025 Record Breach Statistics

The 2025 North Carolina Data Breach Report recorded 2,349 data breaches reported to the Department of Justice, the highest total since reporting began in 2006, exposing approximately 9.3 million North Carolinians. Hacking-related incidents caused 77 percent of all reported breaches. Since 2006, businesses have reported 19,318 total breaches impacting over 40 million people in all.

PowerSchool Investigation (2025)

In December 2024, PowerSchool, a company that sells software products used by schools across the country, was hacked, potentially exposing Social Security numbers, addresses, and medical and disciplinary information of 62.4 million current and former students and teachers nationally, including nearly 4 million people in North Carolina. Attorney General Jackson issued a Civil Investigative Demand to PowerSchool to obtain detailed information about the cause of the breach and the company's data security practices. The investigation was ongoing as of the publication date.

23andMe Genetic Data Lawsuit

Attorney General Jackson filed a lawsuit in 2025 against 23andMe in bankruptcy court to prevent the sale of North Carolinians' sensitive genetic information without their knowledge or consent. Jackson secured a consent order appointing a consumer privacy ombudsman to advocate for customers' privacy and security interests throughout the sale process. The case raised questions about the adequacy of North Carolina's existing privacy framework for protecting genetic and health-adjacent data outside of HIPAA.

In February 2025, a federal judge blocked the federal government from sharing North Carolinians' financial data with the Department of Government Efficiency (DOGE) following a lawsuit brought by Attorney General Jackson. The court held that the planned data-sharing raised serious concerns about the lawful use of sensitive personal and financial information.

AI Task Force

In 2025, Attorney General Jackson formed a bipartisan, nationwide AI task force alongside Utah Attorney General Derek Brown. The task force collaborates with leading AI developers, including OpenAI and Microsoft, to identify emerging privacy risks from AI-enabled misuse, promote responsible innovation, and develop consumer protection safeguards.

Major Prior Enforcement Settlements

Two significant multistate settlements from the prior administration remain precedent for North Carolina's data breach enforcement posture. A $52 million settlement with Marriott International resolved investigations into a multi-year data breach that affected hundreds of millions of guests, with North Carolina receiving $2,059,176. A $49.5 million settlement with Blackbaud addressed deficient data security practices and the company's response to a 2020 ransomware attack that exposed personal information of millions of nonprofit donors and healthcare organizations.

Unfair and Deceptive Trade Practices

The Attorney General can pursue data privacy violations under North Carolina's Unfair and Deceptive Trade Practices Act (G.S. Chapter 75, Article 1), which prohibits unfair or deceptive acts in commerce. A business that misrepresents its data security practices or fails to protect consumer data may face enforcement under this statute independent of a specific breach notification violation.

Practical Steps for North Carolina Residents

North Carolina residents can take several steps to protect their personal information under existing law.

You have the right to place a free or low-cost security freeze on your credit report with each of the three major credit bureaus. No fee may be charged if you are over age 62 or an identity theft victim who has filed a law enforcement report. Monitor your credit reports for unauthorized accounts or new account openings.

If you are a victim of identity theft, file a report with your local law enforcement agency and the NC Attorney General's office. The AG's office provides a breach reporting portal and identity theft resources at ncdoj.gov.

Parents of K-12 students should review their school's data privacy policies and exercise opt-out rights for directory information. Request information about which educational technology vendors have access to your child's data. The 2025 PowerSchool breach, which exposed 4 million North Carolinians' student records, underscores that school software vendors are a significant attack surface.

If you receive a data breach notification, take it seriously. Change passwords for affected accounts, monitor financial statements, and consider placing a fraud alert or security freeze on your credit file. If the breach involved genetic or medical data (similar to the 23andMe situation), contact the Attorney General's office to report any suspected misuse.

Practical Steps for Businesses Operating in North Carolina

data privacy - data protection compliance

Businesses that collect personal information from North Carolina residents have several legal obligations under current law, regardless of whether a comprehensive privacy statute is enacted.

Develop and implement a written data disposal policy that includes shredding paper records and destroying electronic media in accordance with G.S. 75-64. Establish a breach response plan that includes notifying affected consumers and the Attorney General without unreasonable delay under G.S. 75-65.

Review your handling of Social Security numbers to ensure compliance with G.S. 75-62. Never transmit Social Security numbers over unsecured internet connections. Do not print them on mailed materials unless required by law.

If you use educational technology platforms in K-12 settings, ensure your vendors comply with G.S. 115C-401.2 restrictions on targeted advertising, profiling, and data sales. Maintain written contracts with vendors that address breach notification obligations.

Monitor the status of HB 462, SB 757, and SB 963 in the 2025-2026 legislative session. If any of these bills passes, businesses meeting the applicable thresholds will need to implement consumer rights processes, data processing agreements, data protection assessments, and privacy notices before the effective date.

If you are an insurance company or insurance-related entity, review your obligations under G.S. Chapter 58, Article 39 regarding privacy notices and customer information safeguards.

Consider whether the federal TAKE IT DOWN Act (Pub. L. 119-12) affects your platform. If you operate an interactive online service that allows users to post content, FTC enforcement of platform takedown obligations began May 19, 2026.

More North Carolina Laws

Frequently Asked Questions

Does North Carolina have a comprehensive consumer data privacy law?

No. As of May 2026, North Carolina does not have a comprehensive consumer data privacy law comparable to California's CCPA or Virginia's VCDPA. The state relies on a patchwork of targeted statutes, primarily the Identity Theft Protection Act (G.S. 75-60 through 75-66). Three bills introduced in the 2025-2026 session would change that: House Bill 462 (NC Personal Data Privacy Act plus Social Media Safety Act), Senate Bill 757 (Consumer Privacy Act), and Senate Bill 963 (AI chatbot safety and privacy). None had been enacted as of May 2026.

How quickly must businesses notify North Carolina residents of a data breach?

North Carolina law requires notification 'without unreasonable delay' under G.S. 75-65 but does not set a specific number of days. Delays are permitted for law enforcement needs and to determine the scope of the breach. Businesses must also report breach details to the Attorney General's Consumer Protection Division. For breaches affecting more than 1,000 people, the three major consumer reporting agencies must also be notified.

What are the penalties for identity theft in North Carolina?

Identity theft is a Class G felony under G.S. 14-113.20. If the victim suffers arrest, detention, or conviction as a result, or if the offender possesses identifying information of three or more people, the offense is elevated to a Class F felony. Trafficking in stolen identities carries additional penalties under G.S. 14-113.20A. Courts may also order restitution for financial losses, attorneys' fees, and costs of correcting credit history.

Can I place a security freeze on my credit report in North Carolina for free?

If you request a freeze by telephone or mail, the consumer reporting agency may charge up to $3.00. However, no fee may be charged to consumers over age 62, identity theft victims who have filed a law enforcement report, or their spouses. Electronic freeze requests and any requests to temporarily lift, reinstate, or remove a freeze are free of charge. Federal law under the Economic Growth, Regulatory Relief, and Consumer Protection Act also guarantees free credit freezes through the major reporting agencies.

How does North Carolina protect student data privacy?

North Carolina has multiple student data privacy protections. G.S. 115C-401.2 prohibits operators of educational technology platforms from targeted advertising based on student data, building non-educational profiles on students, or selling student information. G.S. 115C-402.5 bans collection of biometric data, political affiliations, and voting history in student data systems. The 2023 Protect Our Students Act (SB 49) strengthened parental rights to inspect records and opt out of directory information disclosure.

What has Attorney General Jeff Jackson done on data privacy since taking office in January 2025?

Attorney General Jeff Jackson has pursued several significant data privacy enforcement actions. He investigated PowerSchool over a breach that exposed records of 4 million North Carolinians. He filed a lawsuit to prevent 23andMe from selling North Carolinians' genetic data in bankruptcy, securing a consent order appointing a privacy ombudsman. He won a temporary restraining order blocking DOGE from accessing North Carolinians' financial data. He also formed a bipartisan AI task force with Utah's AG to address AI-enabled privacy risks. In 2025, his office reported a record 2,349 data breaches affecting 9.3 million North Carolinians.

What is the TAKE IT DOWN Act and how does it affect North Carolina residents?

The TAKE IT DOWN Act (Pub. L. 119-12) is a federal law signed on May 19, 2025, that criminalizes the nonconsensual publication of intimate images, including AI-generated deepfakes. Criminal prohibitions took effect immediately upon signing. Online platforms were required to establish notice-and-removal processes by May 19, 2026, with FTC enforcement beginning on that date. North Carolina residents who are victims of nonconsensual intimate image publication can report violations to the FTC and may have criminal remedies available at the federal level.

Does North Carolina have a biometric data privacy law?

North Carolina does not have a standalone biometric data privacy law comparable to Illinois' BIPA. However, biometric data is included in the definition of personal information under G.S. 75-61, meaning unauthorized acquisition of biometric data can trigger breach notification obligations under G.S. 75-65. The student data statutes (G.S. 115C-402.5) expressly prohibit collection of biometric information in the student data system. If HB 462 or SB 757 passes, sensitive data definitions in those bills would likely include biometric data with heightened protections.

Sources and References

North Carolina Identity Theft Protection Act (G.S. Chapter 75, Article 2A)(ncleg.gov).gov
G.S. 75-65: Protection from Security Breaches(ncleg.gov).gov
G.S. 75-62: Social Security Number Protection(ncleg.gov).gov
G.S. 75-61: Definitions(ncleg.gov).gov
G.S. 75-63: Security Freeze(ncleg.gov).gov
G.S. 75-64: Destruction of Personal Information Records(ncleg.gov).gov
G.S. 75-66: Publication of Personal Information(ncleg.gov).gov
G.S. 14-113.20: Identity Theft(ncleg.gov).gov
G.S. 14-113.20A: Trafficking in Stolen Identities(ncleg.gov).gov
G.S. 115C-401.2: Student Online Privacy Protection(ncleg.gov).gov
G.S. 115C-402.5: Student Data System Security(ncleg.gov).gov
Protect Our Students Act (SB 49 / SL 2023-106)(ncleg.gov).gov
G.S. Chapter 58, Article 39: Insurance Data Privacy(ncleg.gov).gov
G.S. 58-39-25: Notice of Insurance Information Practices(ncleg.gov).gov
G.S. 132-1.10: Social Security Numbers in Public Records(ncleg.gov).gov
G.S. Chapter 126, Article 7: State Employee Personnel Records(ncleg.gov).gov
NC Attorney General: Security Breach Information(ncdoj.gov).gov
NC Attorney General: Report a Security Breach(ncdoj.gov).gov
Attorney General Marriott Settlement ($52M)(ncdoj.gov).gov
Attorney General Blackbaud Settlement ($49.5M)(ncdoj.gov).gov
NCDIT: Privacy Laws, Policies & Guidance(it.nc.gov).gov
NCDIT: Office of Privacy & Data Protection(it.nc.gov).gov
House Bill 462: NC Personal Data Privacy Act (2025-2026)(ncleg.gov).gov
G.S. 143-518: Confidentiality of Patient Information(ncleg.gov).gov
NC Health Information Exchange Authority: Privacy & Security(hiea.nc.gov).gov
NC DPI: Data Privacy and Policy(dpi.nc.gov).gov
NC Attorney General: 2025 Data Breach Report (Record 2,349 Breaches)(ncdoj.gov).gov
AG Jeff Jackson Investigates PowerSchool Data Breach (4M North Carolinians)(ncdoj.gov).gov
AG Jeff Jackson Sues 23andMe Over Genetic Data Sale(ncdoj.gov).gov
AG Jeff Jackson Wins TRO Blocking DOGE Data Access(ncdoj.gov).gov
Senate Bill 757: Consumer Privacy Act (2025-2026)(ncleg.gov).gov
Senate Bill 963: AI Chatbots Safety and Privacy (2025-2026)(ncleg.gov).gov
TAKE IT DOWN Act, Pub. L. 119-12 (signed May 19, 2025)(congress.gov).gov
FTC: TAKE IT DOWN Act Enforcement Begins May 19, 2026(ftc.gov).gov
15 U.S.C. 1681a: FCRA Definitions(law.cornell.edu)

Data Privacy Laws

North Carolina Laws