High Stakes: North Carolina Consumer Privacy Bill Sees Virginia’s CDPA and Raises a Private Right of Action with Automatic Treble Damages

Since California enacted the CCPA in 2018, legislatures in other states throughout the country have sought to pass their own comprehensive privacy laws. So far, only Virginia has succeeded.

Not to be outdone by its neighbor to the north, North Carolina got into the comprehensive privacy legislation game last week. On April 7, state Senators DeAndrea Salvador (D), Ben Clark (D), and Joyce Waddell (D) introduced Senate Bill 569, which would enact the “Consumer Privacy Act of North Carolina.” Because we can’t bear another bad privacy law acronym (CPANC? NCCPA? ConPrANC?), we’ll just refer to it here as “the Act.”

The Act would comprehensively regulate the collection, use, and disclosure of the personal data of North Carolina consumers by businesses that fall within its scope. Fortunately, many of its requirements mirror those of Virginia’s law and comprehensive privacy legislation pending in some other states. But as we’ll also discuss, the Act would create a potent private right of action that could spawn a wave of privacy and data breach litigation here in the state.

We’ve seen this one before

The good news for companies (or their lawyers, at least) is that the Act is, in substance, largely a carbon copy of the Virginia CDPA, which we covered here. To that end, the Act includes:

  • The same scope, insofar as it would apply to persons that “conduct business in the State or produce products or services that are targeted to residents of this State and that either (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data”;
  • The same helpful exemptions and exceptions, which include entity-level exemptions for GLBA-covered financial institutions and HIPAA covered entities and business associates, as well as a broad exception for the processing of personal data of individuals acting in a commercial or employment context;
  • The same baseline obligations for controllers, which include notice and transparency obligations and affirmative data security responsibilities (more on this below);
  • The same rights for consumers, which include a right to opt out of the use of personal data for targeted advertising, sales of personal data, and certain profiling decisions about the individual, and to opt in to the processing of “sensitive data”; and
  • The same effective date of January 1, 2023.

The only material differences between the Act and the CDPA when it comes to substantive requirements arise with respect to data protection impact assessments. Like the CDPA, the Act would require controllers to conduct these assessments for certain kinds of processing activities. But unlike the CDPA, the Act would require controllers to conduct these assessments “at least annually,” and would specifically require the assessments to include “[a] cybersecurity analysis, including established processes to identify potential risks to the security of personal information and an action plan to remedy deficiencies.”

Now for the bad news . . .

The Act departs from the CDPA, however, when it comes to enforcement. And the departure is decidedly bad for businesses that would be subject to the law.

First, like the CDPA, the Act provides for enforcement by the state’s Attorney General. But unlike the CDPA, the Act does not require the Attorney General to give the controller or processor 30 days’ notice of any alleged violation and a chance to cure before an enforcement action is launched. Instead, the Act merely provides that the Attorney General “may” provide those benefits.

Second, the Act gives rise, indirectly, to a private right of action that allows consumers to sue controllers and processors for violations of both the privacy and the security-related requirements of the Act. And here, it’s a private right of action on steroids: the Act makes any violation of its requirements a per se violation of N.C. Gen. Stat. § 75-1.1, North Carolina’s unfair and deceptive trade practices statute. That’s significant because plaintiffs who prove violations of Section 75-1.1 are automatically entitled to treble damages under Section 75-16, and can recover attorney fees upon a showing that the defendant’s conduct was willful under Section 75-16.1.

The potential impact of the Act’s private right of action

Giving consumers a private right of action under Section 75-1.1 for violations of the Act’s privacy-related requirements—those relating to notice and individual rights, and its restrictions on uses and disclosures of personal data—could lead to an uptick in privacy litigation against companies that do business in North Carolina. For comparison, another state privacy law that includes a private right of action (but also statutory damages), Illinois’ Biometric Information Privacy Act, has led to a wave of class action litigation, including a case against Facebook that recently settled for $650 million. Although the Act doesn’t provide for statutory damages, it does allow plaintiffs damaged by a violation of the Act to seek injunctive relief against future actions that would violate the Act, and to recover reasonable attorneys’ fees if successful.

The Act could also have a major impact on the data breach litigation landscape in the state. Under the Act, controllers would have an affirmative obligation to “[e]stablish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data” that are “appropriate to the volume and nature of the personal data at issue.” Thus, if a company subject to the Act suffers a data breach involving personal data covered by the Act, that breach could give rise to claims by affected individuals under Section 75-1.1, on the theory that the breach arose from the controller’s failure to comply with the Act’s affirmative data security obligation. And Section 75-1.1’s remedies—automatic treble damages and the chance to recover attorney fees—will give those individuals (not to mention the plaintiffs’ class action bar) strong incentives to pursue those claims.

Looking ahead

At this point, the Act’s prospects for passage are unclear, especially given that its sponsors do not currently include any Republicans. After it was introduced, the bill was referred to the Senate’s Rules and Operations of the Senate Committee, where it currently remains. But given the stakes, companies that do business in North Carolina will want to keep a close eye on its progress.

Whether or not the Act passes, companies should assume that they’ll need to deal with its requirements—or similar requirements—sooner or later. The CDPA will come online in January 2023, and several other states, including Florida, Connecticut, and Illinois, are actively considering their own comprehensive privacy legislation. And many other state legislatures have introduced their own comprehensive privacy bills. As a result, the days of being able to ignore state consumer privacy requirements, or to narrowly tailor compliance programs based on geographic considerations alone, are likely numbered.

If you’d like to discuss strategies to prepare for this not-too-distant future, please feel free to contact any member of our team.