North Carolina Biometric Privacy Laws: Collection, Consent & Penalties (2026)

North Carolina takes a different approach to biometric privacy than states like Illinois or Texas. Rather than enacting a dedicated biometric privacy statute, the state folds biometric data into its existing breach notification and consumer protection framework.
The result is a system where businesses face no up-front consent requirements for collecting biometric data, but they face serious consequences if that data is compromised in a breach. Those consequences include mandatory treble damages under the state's Unfair and Deceptive Trade Practices (UDTP) statute.
For an overview of North Carolina's broader privacy framework, see the parent guide to North Carolina Data Privacy Laws.
How North Carolina Law Defines Biometric Data
North Carolina's breach notification law at N.C. Gen. Stat. 75-65 defines "personal information" by reference to the identity theft statute at N.C. Gen. Stat. 14-113.20(b). That statute lists "identifying information" that includes:
- Biometric data
- Fingerprints
- Digital signatures
- Passwords
- Social Security numbers
- Driver's license numbers
- Financial account numbers

The statute lists "biometric data" and "fingerprints" as separate categories (items 11 and 12 in the list), which means the law covers both general biometric identifiers and fingerprints specifically.
Notably, North Carolina law does not further define what "biometric data" includes. Unlike states with dedicated biometric privacy laws, there is no statutory language specifying whether the term covers voiceprints, iris scans, facial geometry, or other biological measurements. This lack of specificity could create ambiguity in enforcement.
Breach Notification Requirements for Biometric Data
The Identity Theft Protection Act at N.C. Gen. Stat. 75-65 establishes breach notification obligations that apply when biometric data is compromised.
Who must comply. Any business that owns, licenses, or maintains personal information of North Carolina residents must provide notice following a security breach. This applies regardless of whether the business is located in North Carolina.
What triggers notification. A "security breach" is the unauthorized access to and acquisition of unencrypted and unredacted records containing personal information where illegal use has occurred or is reasonably likely, or where the breach creates a material risk of harm. If a breach exposes biometric data in combination with an individual's first name (or initial) and last name, notification is required.
Timing. Businesses must notify affected individuals "without unreasonable delay." North Carolina does not set a specific day count for consumer notification, but businesses must notify the NC Attorney General's Consumer Protection Division without unreasonable delay after providing notice to affected persons.
Notice content. The notification must include:
- A general description of the incident
- The type of personal information exposed
- Steps the business is taking to prevent further unauthorized access
- A contact telephone number
- Advice to monitor account statements and credit reports
- Contact information for major credit reporting agencies
- Contact information for the FTC and the NC Attorney General's Office
Large breaches. When a breach affects more than 1,000 people, the business must also notify all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

The UDTP Connection: Treble Damages and Private Right of Action
This is where North Carolina's approach becomes uniquely powerful for consumers. Section 75-65(i) explicitly states that a violation of the breach notification law is a violation of N.C. Gen. Stat. 75-1.1, the state's Unfair and Deceptive Trade Practices Act.
This connection triggers two significant remedies:
Treble damages. Under N.C. Gen. Stat. 75-16, any person injured by a UDTP violation can recover treble (triple) the actual damages. If a court finds $10,000 in damages from a biometric data breach, the judgment becomes $30,000.
Attorney fees. Under N.C. Gen. Stat. 75-16.1, the court may award reasonable attorney fees to the prevailing party when the violation was willful and there was an unwarranted refusal to resolve the matter.
Injury requirement. There is an important limitation. Section 75-65(i) provides that no private right of action may be brought unless the individual "is injured as a result of the violation." This means a consumer must show actual harm from the breach, not merely that the breach occurred.
No waiver. Any attempt to waive the protections of the Identity Theft Protection Act is void and unenforceable under Section 75-65(g). A business cannot require consumers to sign away their breach notification rights.
Attorney General Enforcement
The North Carolina Attorney General's Office plays a central role in biometric data protection through breach oversight.
Businesses must report security breaches involving biometric data to the Consumer Protection Division. The report must include:
- The nature of the breach
- The number of consumers affected
- Steps taken to investigate
- Steps taken to prevent future breaches
- Timing, distribution, and content of the consumer notice
The Attorney General can also bring enforcement actions under the UDTP statute for breach notification failures. In 2023, North Carolina received reports of over 2,033 data breaches affecting more than 4.9 million residents, demonstrating the scale of the state's breach notification enforcement activity.

No General Consent Requirement for Biometric Collection
Unlike Illinois (which requires written informed consent before collecting biometric data) or Texas (which requires notice and consent), North Carolina currently has no law requiring businesses to obtain consent before collecting, using, or storing biometric data.
This means:
- An employer can require fingerprint scans for timekeeping without specific notice or consent
- A retailer can use facial recognition technology without informing customers
- A business can store biometric data indefinitely with no retention limits
- There is no requirement to publish a biometric data policy
The only obligation arises if that biometric data is later compromised in a breach. At that point, the breach notification and UDTP frameworks activate.
Employer Use of Biometric Data
North Carolina does not have a law specifically regulating employer collection or use of biometric data. Employers routinely collect biometric information for several purposes:
Fingerprint-based background checks. North Carolina law authorizes fingerprint collection for criminal history record checks through the NC State Bureau of Investigation. Certain positions, particularly those involving work with children, require fingerprint-based background checks under state law.
Biometric timekeeping. Many North Carolina employers use fingerprint or hand-geometry scanners for employee time and attendance tracking. No state law requires consent for this practice.
Facility access. Fingerprint scanners, iris readers, and facial recognition systems used for building access are not regulated under any NC biometric-specific statute.
While state law does not impose consent requirements, employers should be aware that biometric data collected in the workplace is still subject to breach notification requirements if compromised. The treble damages available under the UDTP statute create a strong incentive for employers to secure biometric data properly.
Pending Legislation: The NC Personal Data Privacy Act (HB 462)
North Carolina legislators have been working on comprehensive privacy legislation. House Bill 462, introduced in the 2025 session, would create the NC Personal Data Privacy Act under a new Chapter 75F of the General Statutes.
If enacted, HB 462 would significantly change the biometric privacy landscape in North Carolina:
Biometric data definition. The bill defines biometric data as information generated by automatic measurements of an individual's unique biological characteristics, including fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns used to identify or authenticate a specific individual. Photographs, video, and audio recordings would be excluded unless used to identify someone.
Sensitive data classification. Biometric data processed for identification would be classified as "sensitive data," the highest protection tier under the proposed law.
Opt-in consent. Businesses would need to obtain affirmative consent before processing biometric data for identification purposes.
Consumer rights. North Carolinians would gain the right to access, correct, delete, and obtain portable copies of their biometric data.
AG enforcement only. The bill does not include a private right of action. The Attorney General would have exclusive enforcement authority.
As of early 2026, HB 462 remains in committee and has not been enacted. A companion bill, Senate Bill 757, contains similar provisions.
How North Carolina Compares to Other States
North Carolina's approach to biometric privacy sits in the lower-middle tier of state protections:
Stronger than states with no protections. North Carolina's inclusion of biometric data in its breach notification law and the availability of treble damages through the UDTP statute provide more protection than states like Alabama or Mississippi, which have minimal biometric data protections.
Weaker than dedicated biometric privacy states. States with standalone biometric privacy laws, including Illinois, Texas, and Washington, require consent before collection, mandate retention and destruction policies, and (in Illinois's case) provide a private right of action that has generated billions in settlements.
Weaker than comprehensive privacy law states. States like Virginia, Colorado, and Kentucky have enacted comprehensive consumer privacy laws that classify biometric data as sensitive data requiring opt-in consent. North Carolina has not yet joined this group.
Notable strength: treble damages. One area where North Carolina stands out is the automatic treble damages available through the UDTP statute. Most states with comprehensive privacy laws cap penalties per violation and exclude private lawsuits entirely. North Carolina's approach allows individual consumers to sue and potentially recover three times their actual damages, plus attorney fees.
Sources and References
This article references North Carolina statutes and official state government publications. For the full text of the Identity Theft Protection Act, visit the NC General Assembly website. To report a data breach or file a complaint, contact the NC Attorney General's Consumer Protection Division.
This article provides general legal information about North Carolina biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official North Carolina government sources.
- N.C. Gen. Stat. 75-65 - Protection from security breaches (ncleg.gov)
- N.C. Gen. Stat. 14-113.20 - Identity theft identifying information definitions (ncleg.gov)
- N.C. Gen. Stat. 75-1.1 - Unfair and Deceptive Trade Practices Act (ncleg.gov)
- N.C. Gen. Stat. 75-16 - Treble damages provision (ncleg.gov)
- N.C. Gen. Stat. 75-16.1 - Attorney fee provision (ncleg.gov)
- NC DOJ Security Breach Information (ncdoj.gov)
- NC Attorney General 2023 Data Breach Report (ncdoj.gov)
- NC SBI Fingerprinting (ncsbi.gov)
- House Bill 462 - NC Personal Data Privacy Act (ncleg.gov)
- Senate Bill 757 - Consumer Privacy Act (ncleg.gov)
- N.C. Gen. Stat. 75-61 - Article 2A Definitions (ncleg.gov)