North Carolina Privacy Policy
North Carolina privacy laws help protect residents’ personal information in certain contexts, especially after data breaches and in the handling of specific categories of data. However, North Carolina does not currently have a comprehensive consumer privacy law that gives residents broad rights to access, delete, correct, or opt out of the sale or processing of personal data. Instead, the state’s protections are found in narrower statutes, including the Identity Theft Protection Act and related laws governing Social Security numbers, medical records, and breach notification. To better understand your rights as a North Carolina resident, reach out to Class Action U today.
- April 10, 2026
Overview of Key North Carolina Privacy Statutes
North Carolina Identity Theft Protection Act
The North Carolina Identity Theft Protection Act (ITPA) imposes obligations on businesses and other entities that handle residents’ personal information. In practice, the law focuses on protecting certain personal data through requirements such as proper disposal, limits on the use and display of Social Security numbers, and notice duties when a qualifying security breach occurs. These steps typically include administrative, technical, and physical security measures designed to prevent data breaches.
North Carolina Security Breach Notification Law
Under North Carolina law, businesses that own or license personal information of North Carolina residents must notify affected individuals after discovering a qualifying security breach involving personal information. The statute generally defines a security breach as unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information when illegal use has occurred or is reasonably likely to occur, or when the incident creates a material risk of harm to a consumer. Notice must be given without unreasonable delay, subject to the needs of law enforcement and measures necessary to determine the scope of the breach and restore the integrity of the system.
Businesses must adhere to the following reporting timeline:
- Notify affected individuals without unreasonable delay after discovery of a qualifying breach, subject to lawful delay and reasonable investigation needs.
- Notify the Consumer Protection Division of the North Carolina Attorney General’s Office without unreasonable delay if notice is provided to affected individuals.
- Notify nationwide consumer reporting agencies without unreasonable delay if the business notifies more than 1,000 persons at one time.
Other Relevant Data Protection Laws in North Carolina
Social Security Number Protection
North Carolina law places specific restrictions on the use, display, and disposal of Social Security numbers. For example, covered entities generally may not intentionally communicate or otherwise make an individual’s Social Security number available to the general public, print it on cards required for accessing products or services in certain ways, or require transmission of an SSN over the internet unless the connection is secure or the number is encrypted. The statute also includes requirements related to the secure disposal of records containing personal information.
Healthcare Data Protection (HIPAA Compliance)
North Carolina does not have a standalone general health-data privacy statute equivalent to HIPAA, but state law does regulate medical records in important ways. For example, North Carolina law recognizes that records maintained electronically are subject to the same legal rights and responsibilities as paper medical records with respect to security, confidentiality, integrity, and access. Healthcare providers and other covered entities in North Carolina may also be subject to federal HIPAA requirements, depending on the circumstances.
Financial Data Protection Laws in North Carolina
How North Carolina’s Privacy Laws Compare To Other States
North Carolina’s privacy laws are more limited than those of states with more comprehensive consumer privacy frameworks. For instance, unlike California or Virginia, North Carolina residents do not have broad rights to access, delete, or control their personal data. North Carolina law mostly responds to problems, addressing breaches and misuse after they occur. In contrast, California and Virginia allow consumers to take a more active role in controlling how their data is collected and used.
Your Rights Under the North Carolina Privacy Act
North Carolina does not currently have a comprehensive consumer privacy law that gives residents broad rights to access, correct, delete, or opt out of the sale or processing of personal data, though legislation has been proposed as of early 2026. Instead, North Carolina law focuses mainly on specific protections, including restrictions on the use of Social Security numbers, secure disposal of certain personal information, and notification duties after a qualifying security breach. If a business violates the state’s breach-notification law and a consumer is injured as a result, remedies may be available under North Carolina law.
How To File a Data Privacy Claim
If your personal information was exposed in a data breach, it is important to document what happened and preserve any related records. The steps to do so may include:
- Document the breach and any personal, financial, or identity-related harm you suffered.
- Gather evidence such as breach notices, emails, account statements, fraud alerts, or records of unauthorized activity.
- Submit complaints to appropriate agencies or pursue available legal remedies where supported by the facts and applicable law.
Because North Carolina does not provide a blanket private right of action for every data-privacy issue, and because available remedies may depend on the specific statutory violation and whether you suffered injury, it is wise to consult a lawyer before filing a claim.
New cases and investigations, settlement deadlines, and news straight to your inbox.
Contact a Data Privacy Lawyer in North Carolina
The privacy laws that North Carolina has put in place are designed to protect residents’ personal information from data breaches and fraud. Businesses are required to secure data and report breaches when they occur. If you or your loved one believes that your information has been compromised, get in touch with Class Action U today. Our team can help you understand your rights and connect you with an experienced legal advocate.
New cases and investigations, settlement deadlines, and news straight to your inbox.