North Carolina’s Personal Privacy Protection Act (SL 2025-79), effective December 1, 2025, introduces new obligations for how organizations collect, store, access, and destroy personal information in their records.

As a North Carolina based records management provider, we see this law as a turning point for how businesses approach privacy focused records management, secure document storage, and defensible destruction.

Key Takeaways

Question	Answer
What is the Personal Privacy Protection Act (SL 2025-79)?	It is a North Carolina law that strengthens protections around the collection, storage, use, and disclosure of personal information in business and organizational records, effective December 1, 2025.
Who must comply with SL 2025-79?	Most organizations that handle identifiable information about North Carolina residents, including healthcare, financial institutions, schools, government entities, law firms, manufacturers, non‑profits, and small businesses. A structured records management audit is the best starting point.
How does it affect physical records and offsite files?	The Act expects organizations to secure physical files, track access, respect retention limits, and ensure confidential destruction. Partnering with a trusted provider of secure document storage helps meet these obligations.
What changes for digital conversion and scanning?	Scanning programs must ensure privacy safeguards across the full lifecycle. Professional document scanning services can digitize records while maintaining chain of custody and compliant retention.
How should businesses handle destruction of records under the Act?	Destruction must be secure, documented, and aligned with retention rules. Using certified secure document shredding and offsite shredding services with Certificates of Destruction supports compliance.
Where can organizations get help preparing for SL 2025-79?	North Carolina organizations can engage FileVault’s business records management services to design end‑to‑end storage, scanning, and shredding programs that support privacy and regulatory compliance.
How do I begin aligning my program before December 1, 2025?	We recommend requesting a tailored assessment and quote through our request a quote page to evaluate your current records environment and action steps.

1. Overview of the Personal Privacy Protection Act (SL 2025-79)

The Personal Privacy Protection Act (SL 2025-79) reflects North Carolina’s commitment to strengthening privacy rights and imposing clearer duties on organizations that control personal data.

From December 1, 2025, businesses will face stricter expectations around how they collect, classify, store, access, and destroy records that contain personal information.

Scope and intent of SL 2025-79

The law focuses on minimizing unnecessary collection of personal data, limiting access to that data, and ensuring secure lifecycle controls, particularly for records that can be linked to identifiable individuals.

For records managers, this means privacy is no longer only an IT or legal issue, but a core requirement embedded in everyday handling of paper and digital files.

Covered entities and records

Although the detailed regulatory text specifies exact thresholds and exclusions, most organizations that maintain personally identifiable information on North Carolina residents should plan for compliance.

This includes customer files, employee records, patient charts, student records, legal case files, financial account information, and vendor or donor information, whether stored on paper or in digital systems.

2. Key privacy and records obligations under SL 2025-79

While each organization should review the specific statutory language with counsel, the core obligations of SL 2025-79 map naturally to the information lifecycle.

Collection, classification, storage, access, retention, and destruction must all incorporate privacy by design and privacy by default principles.

Core duties that impact records management

Limit collection of personal information to what is necessary for a defined business or legal purpose.
Maintain clear inventories of where personal information resides, including offsite boxes and digital archives.
Restrict access to personal records based on job role and documented need to know.
Apply retention schedules that reflect both legal requirements and privacy expectations.
Ensure that destruction of personal information is secure, documented, and irreversible.

Each of these requirements intersects directly with how your boxes are labeled, how your files are indexed, how retrieval works, and which destruction methods you use.

A mature records management program can convert these regulatory obligations into repeatable, low risk workflows instead of ad hoc decisions.

3. How SL 2025-79 impacts business records management in North Carolina

For many organizations, SL 2025-79 will expose gaps in legacy filing rooms, storage closets, and unmanaged offsite storage rooms.

Untracked boxes, unlabeled media, and informal shredding practices will no longer align with the privacy expectations embedded in the Act.

From ad hoc storage to governed records management

We recommend that businesses shift from informal storage to governed business records management that treats information as a regulated asset.

That means creating a clear inventory of boxes and record series, applying retention rules, and using barcoded tracking for every movement of a file or box.

Organizations that already have strong records governance will find it much easier to demonstrate compliance with SL 2025-79 during audits, investigations, or incident reviews.

As a records management company in Charlotte, we see this law driving demand for centralized North Carolina based records management services that integrate storage, scanning, and destruction with clear privacy controls.

This is particularly important for organizations coordinating multiple offices across the state and needing consistent controls from Asheville to Wilmington.

Infographic of 5 key provisions of North Carolina's Personal Privacy Protection Act (SL 2025-79), effective Dec 1, 2025.

This infographic outlines the five key provisions of North Carolina’s Personal Privacy Protection Act (SL 2025-79), effective December 1, 2025.

4. Personal data, paper files, and secure document storage in Charlotte

SL 2025-79 does not distinguish between sensitive data in a server and the same data on paper in a banker’s box.

For organizations that rely on physical files, especially in sectors like healthcare, legal, insurance, and financial services, secure document storage in Charlotte and across North Carolina becomes central to compliance.

Why offsite secure document storage supports privacy compliance

Moving personal information from open office shelves to a controlled, monitored facility reduces physical risks, including theft, loss, and unauthorized browsing.

Our climate controlled, access controlled facilities use barcodes, scanning, and chain of custody logs to record each time a box or file is handled or delivered.

Controlled facility access with role based permissions.
24/7 monitoring and environmental controls.
System based tracking of box locations and retrievals.
Documented procedures for handling and delivery to your staff.

For organizations seeking HIPAA compliant document storage or financial records storage under GLBA and similar frameworks, SL 2025-79 aligns closely with the same expectations around privacy and security.

Centralizing personal information in a secure offsite archive allows you to apply one consistent set of privacy standards rather than leaving each department to manage on its own.

5. Document scanning services, digitization, and privacy by design

SL 2025-79 encourages organizations to better control who can see personal information, and when, through appropriate access and minimization.

For many North Carolina businesses, that means expanding document scanning services to convert legacy paper into structured, permission controlled digital repositories.

Scanning as a privacy control, not just a convenience

Digitization, when executed under strict chain of custody, helps ensure that only appropriate staff can access sensitive data and that access can be logged and reviewed.

Our document scanning services integrate indexing, quality control, and secure delivery of digital files into your preferred system or portal.

Secure pickup and transport of paper records to our facility.
High resolution imaging and indexing aligned to your field structure.
Optional redaction workflows for highly sensitive fields.
Secure return, offsite storage, or shredding of paper originals based on your policy and retention rules.

This approach supports both privacy and operational goals, so your teams have faster, controlled access to information without compromising SL 2025-79 requirements.

Combined with strong retention rules, digital conversion also makes it easier to identify and securely delete personal data once it is no longer required.

6. Secure document shredding and defensible disposition under SL 2025-79

The Act expects that personal information is not kept longer than necessary and is destroyed using methods that prevent reconstruction or unauthorized access.

This pushes organizations to formalize secure document shredding processes, replacing informal in office shredders and “to be shredded later” piles.

Why certified shredding matters for privacy compliance

Professional shredding services provide more than just destruction, they offer proof that destruction occurred, which is critical under SL 2025-79 if privacy questions arise.

Our secure document shredding and offsite shredding services include Certificates of Destruction, documented chain of custody, and industrial grade cross cut shredding that renders records unreadable.

Locked collection containers at your site for day to day disposal.
Scheduled or one time purge pickups handled by security screened staff.
Secure transport to our shredding facility with vehicle tracking.
Certificates of Destruction that align with audit and legal needs.

When combined with accurate retention schedules, this level of destruction control demonstrates that your organization respects data minimization and privacy expectations embedded in the Act.

It also reduces the volume of legacy files you must review if a data subject or regulator requests evidence of your compliance posture.

7. Industry specific impacts across North Carolina organizations

Different sectors face different combinations of state, federal, and industry regulations, and SL 2025-79 adds another layer of expectations around personal data.

We work with organizations across healthcare, finance, education, legal, government, and other sectors in North Carolina, and we see common themes in how they must prepare.

Examples of industry specific considerations

Healthcare: Alignment of HIPAA compliant document storage with SL 2025-79 expectations for privacy, including access limitations and secure destruction of PHI once retention periods expire.
Financial and banking: Coordinating GLBA driven protections with the Act’s expectations for minimizing the spread of personal financial information across unmanaged locations.
Education: Managing student records, disciplinary files, and special education documentation with stronger privacy controls across paper and digital formats.
Government: Balancing public records obligations with privacy protections for sensitive personal details.
Legal and insurance: Handling case files, claims records, and discovery materials in a way that records history while still destroying information no longer necessary.

In every industry, consistent records management services that span intake, storage, scanning, and destruction are key to making SL 2025-79 compliance practical rather than burdensome.

Central governance backed by an experienced records management company in Charlotte allows organizations to adapt the same framework to multiple locations and departments.

8. Conducting a records management audit before December 1, 2025

With a fixed effective date, organizations should not wait until late 2025 to start adapting their records controls to SL 2025-79.

A structured records management audit provides a baseline view of where personal information resides, how it is controlled, and where risks exist.

What a privacy focused records audit should cover

Inventory of physical records by location, department, and record type.
Review of existing retention schedules and destruction practices.
Assessment of access controls for storage rooms, file rooms, and digital repositories.
Evaluation of current document scanning, imaging, and indexing practices.
Analysis of existing contracts with storage and shredding vendors for privacy protections.

By identifying unmanaged storage, inconsistent retention, or informal destruction, your organization can prioritize remediation efforts ahead of the December 1, 2025 deadline.

This also supports internal communication, so leadership and stakeholders understand both the regulatory drivers and the operational benefits of improved records governance.

9. Building a compliant records lifecycle program in North Carolina

Aligning with SL 2025-79 is easier when you think in terms of the full lifecycle of records rather than isolated tasks.

A comprehensive program integrates intake, indexing, offsite storage, document scanning, and secure shredding under one consistent set of privacy controls.

Key components of a compliant lifecycle

Lifecycle Stage	Privacy Focus	Operational Example
Capture & Intake	Collect only necessary personal data and label records accurately.	Standardized box labels by record series and retention category.
Storage	Control physical and system access, track movement and access history.	Barcode tracked boxes in secure document storage facilities.
Use & Access	Role based access, logging of retrievals, and time bound access rights.	Authenticated requests for file pulls, with reporting on request history.
Digitization	Secure scanning, controlled metadata, and privacy focused indexing.	Document scanning services with chain of custody and QA checks.
Disposition	Timely destruction when no longer needed, proof of destruction retained.	Scheduled secure shredding with Certificates of Destruction.

Working with a single North Carolina partner for these functions allows you to maintain a consistent, documented chain of custody from initial storage through final destruction.

This approach also simplifies internal reporting and supports audits related to SL 2025-79, HIPAA, GLBA, and other applicable frameworks.

10. Practical next steps to prepare for the December 1, 2025 effective date

With the countdown to SL 2025-79 underway, North Carolina organizations should take concrete steps to ready their records environments.

Preparation does not need to be overwhelming if approached methodically and supported by experienced records management professionals.

Action plan for the next 6 to 18 months

Engage stakeholders. Involve legal, compliance, IT, operations, and key business units in understanding the Act and your current state.
Perform a gap focused records assessment. Identify high risk storage locations, unmanaged boxes, and inconsistent destruction practices.
Prioritize high sensitivity data. Start with records containing health, financial, or identity related information, and records of minors.
Update policies and retention schedules. Align your policies with both SL 2025-79 and existing federal or industry regulations.
Consolidate vendors where possible. Reduce complexity by working with a single North Carolina provider for offsite storage, scanning, and shredding.
Document procedures and train staff. Ensure front line staff understand new privacy expectations and how to use the services available to them.

Taking these steps now positions your organization to meet the law’s requirements, avoid last minute scrambling, and strengthen overall information governance.

It also reduces long term risk by eliminating unmanaged records and implementing consistent controls across your facilities and departments.

Conclusion

North Carolina’s Personal Privacy Protection Act (SL 2025-79), effective December 1, 2025, raises the bar for how organizations manage personal information across both paper and digital records.

For businesses across the state, the most practical way to respond is to strengthen business records management, centralize secure document storage, expand privacy aware document scanning services, and adopt certified secure document shredding supported by clear policies and auditable processes.

As a records management company in Charlotte serving clients throughout North Carolina, we help organizations design and operate compliant, efficient records programs that support privacy, security, and operational needs.

Contact Us to learn more about how we can help your organization prepare for SL 2025-79 with a comprehensive, compliant records lifecycle solution.