Regulon — NC-HB-860 · NC HB 860 (Social Media Control in IT Act)

WHAT THIS BILL REGULATES · 3 REQUIREMENT TYPES

How Is This Bill Enforced

Enforcement Authority

Attorney General enforcement. The Attorney General shall monitor social media platforms for compliance and may bring a civil action when the interests of North Carolina residents are threatened. Platform users may file complaints with the Attorney General. Minors have a private right of action through parens patriae jurisdiction via private action attorneys. Violations constitute unfair or deceptive acts under G.S. 75-1.1.

Private Right of Action

may bring a civil action when the interests of North Carolina residents are threatened.

Penalties

Compensatory damages, punitive damages, injunctive relief, declaratory relief, and reasonable attorneys' fees and litigation costs. No statutory minimum or maximum specified. Violations also constitute unfair or deceptive acts under G.S. 75-1.1, which provides its own remedies including treble damages.

Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.

Statutory Text

Analysis & Obligations

G.S. § 75-70

Title and definitions

(a) This Article shall be known and may be cited as the "Social Media Control in Information Technology Act."

(b) Definitions. – The following definitions apply in this Article: (1) Accessible mechanism. – A user-friendly, clear, easy-to-use, readily available, and technologically feasible method that allows individuals to exercise their data privacy rights without undue burden. The mechanism must be designed to accommodate diverse user needs, including those with disabilities, and should be available across commonly used platforms. The mechanism should provide clear instructions, function without excessive complexity, and be free of unreasonable barriers such as length procedures, hidden settings, or excessive delays. (2) Algorithmic recommendation system. – A computational process that uses machine learning, natural language processing, artificial intelligence techniques, generative artificial intelligence, or other computational processing techniques that makes a decision or facilitates human decision making with respect to user-related data to rank, order, promote, recommend, suggest, amplify, or similarly determine the delivery or display of information to an individual. (3) Collects, collected, or collection. – Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a user by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior. (4) Consent. – Any freely given, specific, informed, and unambiguous indication of a user's wishes by which the consumer, or the consumer's legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose. None of the following constitutes consent: a. Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information. b. Hovering over, muting, pausing, or closing a given piece of content. c. Agreement obtained through use of dark patterns. (5) Default settings. – The predetermined options, values, and configurations that a program is initially set to whenever it is installed and initially accessed. (6) Minor. – An individual who is under 18 years of age. (7) Operator. – Defined in section 1302 of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. § 6501. (8) Opt-in mechanism. – An accessible mechanism separate from any other notifications, disclosures, or consents, such as a privacy policy or terms of service, that allows the user to consent to the platform engaging in a specific, narrow, and well-defined practice. The Division of Health Service regulations has the authority to specify requirements for the notification and consent process, including specific language and disclosures that may include a warning on the harmful effects of manipulative algorithms, the length of time for which the notification must appear before the user has the option to consent, and the process that the user must follow to consent. (9) Personal information. – Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. (10) Platform user. – An individual who resides in North Carolina who uses a social media platform. (11) Social media platform, covered platform, or platform. – An electronic medium with more than 1,000,000 monthly active users in the United States that functions as a social media service. (12) Third-party data. – Personal data from another person, company, data broker, and/or platform that is not the user to whom the data pertains and is not the platform. (13) Usage data. – Any information that is gathered about a user's interactions, behaviors, preferences, and usage patterns on a platform.

This section establishes the short title of the Act — the Social Media Control in Information Technology Act — and defines thirteen terms used throughout the Article. Key definitions include social media platform (electronic medium with more than 1,000,000 monthly active U.S. users, with carve-outs for common carriers, email, search engines, ISPs, SMS, video games, e-commerce, and non-user-generated streaming), operator (incorporated by reference to COPPA), personal information (broadly defined to include 15 enumerated categories plus inferences), and algorithmic recommendation system (any ML/AI/NLP computational process that ranks, promotes, or determines content delivery using user data).

This section creates no independent compliance obligations — all operative duties are in §§ 75-71 through 75-73.

G.S. § 75-71

User data privacy; targeting minors prohibited; registry

Deployer

(a)(1)(a) 1 A disclosure in a clear, easy-to-read, and accessible format when a user first initializes their use of a platform for the first time, or after a period of inactivity greater than or equal to six months, about how the platform collects personal information, what personal information the platform collects, how the personal information is used by the platform for every use case, and how the user can exercise their rights and choices on the platform. This disclosure must be provided in no more than 500 words, and the platform must obtain a user's consent before the platform collects any user-related data on the user.

(a)(1)(b) 2 A disclosure in a clear, easy-to-read, and accessible format that details (i) the categories of information the platform has collected about the user, (ii) the categories of sources from which the information is collected, (iii) the business or commercial purpose for collecting, selling, or sharing personal information, (iv) the categories of third parties to whom the business discloses personal information, and (v) the specific pieces of personal information it has collected about that user. Such information must be available upon receipt of a verifiable consumer request made through an accessible mechanism on the platform.

(a)(2) 3 Personal information may be used in algorithmic recommendations only when both of the following requirements are met: a. The platform reasonably determines the user is not a minor from personal information collected by and available to the covered platform in its ordinary course of business. b. The user has been notified and expressly consents to the use of their own data in this manner by consenting in an opt-in mechanism.

(a)(3) 4 Through an accessible mechanism, users must be given the capacity to alter, change, and delete what categories of personal information are used in a platform's algorithmic recommendation system or systems. This selection shall be modifiable at any time. If a user indicates that they intend a certain category of personal information not to be used in an algorithmic recommendation system, then the platform must not include said category or categories within an algorithmic recommendation system. A covered platform shall not discriminate against a user because the user exercised any of the rights under this Article in the provision of functionality or features of the covered platform, unless the use of user-related data in an algorithmic recommendation system is reasonably necessary to the feature or functionality.

(b) 5 Targeting Minors Prohibited. – A covered platform must establish comprehensive and effective controls to ensure that a minor's personal information is not used in any algorithmic recommendation system.

(c) 5 Exceptions. – Subsection (b) of this section does not apply to any of the following: (1) Recommending or presenting content from accounts that a user follows in reverse chronological order or a similar method of recommending or presenting content. (2) A user's explicit search for content or request for information for the sole purpose of providing immediate results to the search, and without retention or use of the user-related data from the search or request for purposes other than providing results to the search or request. (3) A covered platform's action, voluntarily taken in good faith to restrict access to or availability of material as described in section 230(c)(2)(A) of the Communications Act of 1934 (47 U.S.C. § 230(c)(2)(A)), is not subject to this subsection, and nothing in this section otherwise limits or otherwise affects the provisions of section 230 of the Communications Act of 1934, except as otherwise provided in this Article.

(d) The operator of a social media platform may be held liable for violating subsection (a) of this section if the user was given algorithmic content recommendations without a proper opt-in mechanism or affirmation from the user from the opt-in process. The operator of a social media platform may be held liable for violating subsection (b) of this section if the operator of the social media platform knew or had reason to know that the user was a minor. The operator of a social media platform that has made an estimation of a user's age based upon the user's self-attestation is not liable if the user was a minor who falsely attested to not being a minor.

Section 75-71 imposes the Act's core data privacy and algorithmic-recommendation obligations on social media platform operators. Subsection (a) requires platforms to disclose data collection practices to users in a concise format (500 words maximum) at first use or after six months of inactivity, and to obtain consent before collecting user data. It also requires platforms to provide detailed data category disclosures upon verifiable consumer request. Personal information may only be used in algorithmic recommendations when the platform reasonably determines the user is not a minor and the user has provided express opt-in consent through a standalone mechanism. Users must also have the ability to alter or delete the categories of personal information used in algorithmic recommendations, and platforms may not discriminate against users who exercise these rights.

Subsection (b) categorically prohibits the use of any minor's personal information in algorithmic recommendation systems. Subsection (c) provides narrow exceptions for chronological feeds, explicit search results, and good-faith content moderation under Section 230(c)(2)(A). Subsection (d) establishes the knowledge standard for liability: operators are liable for subsection (b) violations only if they knew or had reason to know the user was a minor, with a safe harbor when the operator relied on the user's self-attestation of age.

Compliance actions 5 items

Operators must provide a clear, accessible disclosure of no more than 500 words at a user's first use of the platform (or after six months of inactivity) explaining how the platform collects personal information, what personal information is collected, how it is used for every use case, and how users can exercise their rights, and must obtain consent before collecting any user data.

D-01.1

Operators must, upon receipt of a verifiable consumer request through an accessible mechanism, provide a detailed disclosure of (1) categories of information collected, (2) sources of collection, (3) business or commercial purposes for collecting, selling, or sharing the information, (4) categories of third parties receiving disclosures, and (5) the specific pieces of personal information collected about the user.

D-01.1

Operators must not use personal information in algorithmic recommendations unless (1) the platform reasonably determines the user is not a minor and (2) the user has been notified and expressly consents through a standalone opt-in mechanism.

D-01.3

Operators must provide users with an accessible mechanism to alter, change, and delete categories of personal information used in the platform's algorithmic recommendation system at any time, must honor user selections by excluding deselected categories from recommendations, and must not discriminate against users for exercising these rights unless the data use is reasonably necessary for the feature or functionality.

D-01.2

Operators must establish comprehensive and effective controls to ensure that no minor's personal information is used in any algorithmic recommendation system. Exceptions apply for chronological feeds from followed accounts, explicit search results without data retention, and good-faith Section 230(c)(2)(A) content moderation. Operators are liable only if they knew or had reason to know the user was a minor; reliance on the user's self-attestation of age provides a safe harbor.

MN-01.7

G.S. § 75-72

Design features and digital rights of users

Deployer

(a) 6 Protective Default Settings for Minors. – A covered platform shall configure all privacy settings provided to any user by the online service, product, or feature be both available to minors and, by default, set to preferences that offer the highest level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interest of minors. These settings must include all of the following: (1) Notifications must be turned off by default. (2) The visibility of reaction or interaction counts on all content, including content generated by a minor and content seen by a minor generated from others, must be turned off by default. (3) The ability of other users, not added by the user to a list of approved contacts, to communicate with the minor must be turned off by default. (4) The ability of other users, whether registered or not, and not added by the user to a list of approved contacts, to view the minor's user-related data collected by or shared on the platform must be disabled by default. (5) The ability of other users to see the geolocation of a minor must be disabled by default. (6) Features that increase, sustain, or extend the use of the covered platform by a minor, such as automatic playing of media and rewards for time spent on the platform, must be disabled by default.

(b)(1) 7 An accessible mechanism to request the correction of any inaccurate personal information about the user, taking into account the nature of the personal information and the purposes of the personal information. A platform that receives a verifiable request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the user. A covered platform shall maintain a record of all requests.

(b)(2) 8 An accessible mechanism to request the deletion of personal information about the user, taking into account the nature of the personal information and the purposes of the personal information. If the personal information is reasonably necessary for the platform to complete a transaction, to ensure the security and integrity of the user's personal information, to debug or identify and repair errors in the platform, to exercise free speech and ensure the user's right to exercise free speech, to comply with existing federal and State regulations, to engage in public or peer-reviewed scientific research, or to enable solely internal uses reasonably aligned with a consumer's expectations, then the covered platform is not required to comply with the user's request. Otherwise, the covered platform is required to complete the request. A covered platform shall maintain a confidential record of all requests.

(c)(1) 9 Right to protection from manipulative design. – Every minor has the right to be protected from manipulative design techniques which exploit psychological vulnerability or have been shown by the preponderance of the evidence to create addiction or dependency.

(c)(2) 10 Right to transparency. – Every minor has the right to understand the nature of their digital experiences. Platforms and services should provide clear and accessible explanations of the platform features as well as how covered platforms can negatively affect their well-being.

(c)(3) 11 Right to protection from personalized recommendation systems. – Every minor has the right to be protected from algorithmic recommendation systems.

Section 75-72 imposes two categories of obligations: protective default settings for minors and data correction/deletion rights for all users. Subsection (a) requires covered platforms to set all privacy settings to the highest available level by default for minors, with six enumerated design requirements — disabling notifications, hiding reaction counts, blocking unsolicited contact, hiding user data from non-approved contacts, disabling geolocation visibility, and disabling engagement-extending features such as autoplay and time-based rewards. These defaults may be overridden only if the platform can demonstrate a compelling reason the different setting is in the minor's best interest.

Subsection (b) grants all users the right to request correction and deletion of personal information through accessible mechanisms. Deletion requests are subject to enumerated exceptions (transaction completion, security, debugging, free speech, legal compliance, scientific research, and internal uses aligned with consumer expectations). Subsection (c) enumerates three affirmative digital rights for minors: protection from manipulative design, transparency about digital experiences, and protection from personalized recommendation systems.

Compliance actions 6 items

Operators must configure all privacy settings for minor users to the highest level of privacy by default, including (1) disabling notifications, (2) hiding reaction and interaction counts, (3) blocking unsolicited contact from non-approved users, (4) disabling visibility of the minor's data to non-approved users, (5) disabling geolocation sharing, and (6) disabling engagement-extending features such as autoplay and time-based rewards. A different default is permitted only if the platform demonstrates a compelling reason it is in the minor's best interest.

MN-01.4

Operators must provide all users with an accessible mechanism to request correction of inaccurate personal information, must use commercially reasonable efforts to correct the information as directed, and must maintain a record of all correction requests.

D-01.2

Operators must provide all users with an accessible mechanism to request deletion of personal information, must complete deletion requests unless the data falls within enumerated exceptions (transaction completion, security, debugging, free speech, legal compliance, scientific research, or aligned internal uses), and must maintain a confidential record of all deletion requests.

D-01.4

Operators must protect minors from manipulative design techniques that exploit psychological vulnerability or that have been shown by a preponderance of the evidence to create addiction or dependency.

CP-01.1

Operators must provide minors with clear and accessible explanations of platform features and how covered platforms can negatively affect their well-being.

CP-01.3

Operators must protect every minor user from algorithmic recommendation systems.

MN-01.7

G.S. § 75-73

Investigation; enforcement; private right of action

(a) Violations. – Effective January 1, 2026, a platform's violation of this Article is an unfair or deceptive act or practice under G.S. 75-1.1.

(b) Investigations. – The Attorney General shall monitor social media platforms for compliance with this Article.

(c) Complaints. – A platform user may make a complaint to the Attorney General alleging that a social media platform has failed to comply with the requirements of this Article. The Attorney General may bring a civil action in any case in which the Attorney General has reason to believe that the interest of the residents of this State has been or is threatened due to noncompliance with this Article.

(d) Private Right of Action. – Minors can file suit if they are affected by any covered platform found to be in violation of this Article through mechanisms involved in parens patriae jurisdiction by the following: (1) Civil suit brought through private action attorneys. (2) Relief. – In a civil action brought under subsection (c) of this section or this subsection in which a plaintiff prevails, the court may award the plaintiff any one or more of the following: a. An amount equal to the sum of any compensatory damages. b. Punitive damages. c. Injunctive relief. d. Declaratory relief. e. Reasonable attorneys' fees and litigation costs.

Section 75-73 establishes the enforcement framework. Violations of the Article constitute unfair or deceptive acts under G.S. 75-1.1, effective January 1, 2026. The Attorney General is charged with monitoring social media platforms for compliance and may bring civil actions when residents' interests are threatened. Platform users may file complaints with the Attorney General. Minors have a private right of action through parens patriae jurisdiction, brought through private action attorneys. Prevailing plaintiffs in AG or private actions may recover compensatory damages, punitive damages, injunctive relief, declaratory relief, and reasonable attorneys' fees and litigation costs.

G.S. § 75-74

North Carolina Data Privacy Task Force

Government

(a)–(c) There is created the North Carolina Data Privacy Task Force (Task Force) within the Department of Justice for budgetary purposes only. The Task Force shall be composed of 21 members. The ex officio members listed in subdivisions (1) through (6) of this subsection may designate representatives from their particular departments, divisions, or offices to represent them on the Task Force. In making appointments or designating representatives, appointing authorities and ex officio members shall use best efforts to select members or representatives with sufficient knowledge and experience to effectively contribute to the issues examined by the Task Force and, to the extent possible, to reflect the geographical, political, gender, and racial diversity of this State.

(d) 12 Beginning March 15, 2026, and then annually thereafter, the Task Force shall report to the General Assembly on its work, with a special focus on mental health issues related to social media, along with findings, recommendations, and any legislative proposals.

Section 75-74 creates a 21-member North Carolina Data Privacy Task Force within the Department of Justice. The Task Force includes the Attorney General, the State CIO, senior DHHS officials, the SBI Director, child advocacy representatives, medical professionals, legislators, educators, social workers, youth representatives, and public members. Members serve two-year terms and elect their own chair. Beginning March 15, 2026, and annually thereafter, the Task Force must report to the General Assembly on its work, with a special focus on mental health issues related to social media, including findings, recommendations, and legislative proposals.

Compliance actions 1 item

The North Carolina Data Privacy Task Force must report annually to the General Assembly, beginning March 15, 2026, on its work with a special focus on mental health issues related to social media, including findings, recommendations, and legislative proposals.

—

Minor Safety Parental consent · controls · termination workflows

3 items

MN-01.7

MN-01.4

MN-01.7

Operators must protect every minor user from algorithmic recommendation systems.

Data Controls Data sale restrictions · deidentification

6 items

D-01.1

D-01.3

D-01.2

D-01.4

Deceptive Conduct AI-generated likeness · consent requirements

2 items

CP-01.1

CP-01.3

Operators must provide minors with clear and accessible explanations of platform features and how covered platforms can negatively affect their well-being.

—

Other

1 item

—

Passage Likelihood

Failed

Status Failed

Final action Re-ref Com On Appropriations

Legislative History

2025-04-09 Filed

2025-04-10 Passed 1st Reading

2025-04-10 Ref to the Com on Commerce and Economic Development, if favorable, Appropriations, if favorable, Rules, Calendar, and Operations of the House

2025-06-17 Reptd Fav Com Substitute

2025-06-17 Re-ref Com On Appropriations

Sources

Full Text ↗

Entry Last Reviewed

2026-05-20

AI generated