The Peach State Takes a Bite at Privacy Law

BakerHostetler

The Georgia Senate voted to pass the Georgia Consumer Privacy Protection Act (SB 473) on Feb. 27th. Although the bill is similar to many other comprehensive state privacy laws, there are some notable distinctions.

The law would apply to entities that conduct business in Georgia, exceed $25 million in revenue and either (1) process the personal information of at least 175,000 Georgia consumers or (2) control or process the personal information of at least 25,000 Georgia consumers and derive more than 50 percent of their gross revenue from the sale of personal information. The law would also provide exemptions similar to those of other comprehensive state privacy laws, including exemptions for nonprofit organizations and entity- and data-level exemptions for institutions that comply with the Gramm-Leach-Bliley Act and the Health Information Portability and Accountability Act. Unlike the California Consumer Privacy Act, the definition of “consumer” does not include individuals acting in a commercial or employment context such as job applicants, employees, independent contractors or commercial business-to-business entities.

The law would provide consumers with rights similar to those provided by other comprehensive privacy laws, including the right to access, delete and correct information; the right to obtain a copy of the consumer’s personal information in a portable format; and the right to opt out of sales, targeted advertising and profiling. Additionally, covered entities would be required to obtain consent prior to processing sensitive data such as race, ethnic origin, sex life or orientation, physical or mental health condition and precise geolocation data.

Covered entities would also be required to provide consumers with a reasonably accessible privacy notice, engage processors pursuant to a written contract, and conduct and document data protection assessments for various processing activities, including targeted advertising, selling of personal information and certain types of profiling.

Covered entities would be able to make an affirmative defense to violations of the law if the covered entity maintains a written privacy program that conforms to National Institute of Standards and Technology or other comparable privacy frameworks. Additionally, the attorney general must provide covered entities with written notice of any violation and an opportunity to cure such violations within 60 days prior to initiating any action. Although there isn’t a private right of action, courts may impose a civil penalty of $7,500 for each violation.

The Georgia General Assembly’s 2024 legislative session is scheduled to conclude at the end of March.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
