Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Georgia (US) - Sectoral Privacy Overview
Back

Georgia (US) - Sectoral Privacy Overview

August 2024

1. Right To Privacy/Constitutional Protection 

Article I, Section I, Paragraph I of the Constitution of the State of Georgia (the Constitution) reads: 'No person shall be deprived of life, liberty, or property except by a due process of law.'

The Supreme Court of Georgia (the Supreme Court) has long held that Georgia citizens have a 'liberty of privacy' founded in ‘ancient law’ and preserved by this Constitutional provision (see, e.g., Pavesich v. New England Life Ins., 122 Ga. 190, 50 S.E. 68 (1905); Powell v. State, 270 Ga. 327, 510 S.E.2d 18 (1998)).

Four common law privacy torts

Georgia courts recognize four torts based upon the right to privacy:  intrusion upon seclusion; public disclosure of private facts; false light; and appropriation of likeness.

  • Intrusion upon seclusion:
    • This tort involves an unreasonable and highly offensive intrusion upon another's seclusion. Georgia courts have long recognized forms of invasion consisting of intrusion upon physical solitude, or seclusion analogous to a trespass in plaintiff's home or other quarters, such as a hotel room. Georgia courts now extend the principle beyond physical intrusion to include prying and intrusions into private concerns. Anderson v. Mergenhagen, 283 Ga. App. 546, 642 S.E.2d 105 (2007), citing Summers v. Bailey, 55 F.3d 1564, 1566 (11th Cir.1995).
  • Public disclosure of private facts:
    • Public disclosure of private facts requires a plaintiff to prove: (1) the disclosure of private facts was a public disclosure; (2) the facts disclosed to the public must be private, secluded or secret facts, and not public ones; and (3) the matter made public was offensive and objectionable to a reasonable person of ordinary sensibilities under the circumstances. Haughton v. Canning, 287 Ga. App. 28, 650 S.E.2d 718 (2007).
  • False light:
    • To establish a false light invasion of privacy claim, a plaintiff must show the existence of false publicity depicting her as something or someone which she is not, and must demonstrate that the false light in which she was placed would be highly offensive to a reasonable person. Torrance v. Morris Pub. Grp. LLC, 281 Ga. App. 563, 565, 636 S.E.2d 740, 742 (2006).
  • Appropriation of likeness:
    • Unlike a claim based on intrusion upon seclusion, public disclosure of private facts, or false light, an appropriation of likeness claim does not require the invasion of something secret, secluded or private pertaining to a plaintiff, nor does it involve falsity; instead, the tort consists of the appropriation, for a defendant's benefits, uses, or advantages, of a plaintiff's name or likeness. Bullard v. MRA Holding, LLC, 292 Ga. 748, 740 S.E.2d 622 (2013).

2. Key Privacy Laws 

Georgia, like the US as a whole, has many privacy laws but most are industry specific. Three key generally applicable privacy laws are discussed below.

Georgia's Personal Identity Protection Act (PIPA) under §10-1-911 et seq. of the Official Code of Georgia Annotated (Ga. Code Ann.) requires any individual or business to notify consumers when a data breach occurs (Ga. Code Ann. §10-1-911 to §10-1-912). PIPA defines 'breach of the security of a system' and details when such a breach would require notification to consumers. The statute also defines 'personal information' as (Ga. Code Ann. §10-1-911(6)):

  • 'an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
    • social security number;
    • driver's license number or state identification card number;
    • account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
    • account passwords or personal identification numbers or other access codes; or
    • any of the items contained in subparagraphs above when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.'

Note that 'personal information' does not include publicly available information lawfully made available to the general public from federal, state, or local government records (Ga. Code Ann. §10-1-911(6)). PIPA also provides rights to consumers who wish to place a security freeze on their credit report (Ga. Code Ann. §§10-1-913 - 914.1).

PIPA became effective in 2005 and the Office of the Attorney General (OAG) enforces it, although there is no requirement for companies to notify the Attorney General (AG) of a breach affecting Georgia residents. For telecommunications companies, there are separate notification procedures in the event of a breach involving telephone records concerning Georgia residents, namely the Telephone Records Privacy Protection Act under Ga. Code Ann. §46-5-210 et seq.

The Court of Appeals of Georgia has determined, and the Supreme Court has affirmed, that PIPA does not create a duty to safeguard and protect the personal information of others. Instead, PIPA merely creates a duty to notify affected persons of a data breach. McConnell v. Dep't of Labor, 345 Ga. App. 669, 679, 814 S.E.2d 790, 799 (2018), cert. granted (Nov. 15, 2018), aff'd, 305 Ga. 812, 828 S.E.2d 352 (2019); see also Collins v. Athens Orthopedic Clinic, P.A., 307 Ga. 555, 562, 837 S.E.2d 310, 315–16 (2019) (reversing Court of Appeals and allowing negligence claim against the breached entity to proceed because the plaintiff breach victims had shown injury in the form of increased risk of identity theft, but that this 'easier showing of injury may well be offset by a more difficult showing of breach of duty').

Following Collins, the 11th Circuit has applied Georgia's traditional negligence law in assessing whether a breached party failed in its duty to notify affected customers. See, e.g., Ramirez v. Paradies Shops, LLC, 69 F.4th 1213, 1219 (11th Cir. 2023).

Freedom of Information

As a general rule, all public records in Georgia are open for personal inspection and copying by any person (see Georgia Open Records Act (the Open Records Act) under Ga. Code Ann. §50-18-71(a)). A 'public record' is defined as 'all documents, papers, letters, maps, books, tapes, photographs, computer based or generated information, data, data fields, or similar material prepared and maintained or received by an agency or by a private person or entity in the performance of a service or function for or on behalf of an agency or when such documents have been transferred to a private person or entity by an agency for storage or future governmental use' (Ga. Code Ann. §50-18-70(b)(2)).

There are, however, numerous exceptions to this general rule. These exceptions are found in §50-18-72 of the Open Records Act. For instance, that statute sets out that public disclosure shall not be required for records that are medical, 'the disclosure of which would be an invasion of personal privacy' (Ga. Code Ann. §50-18-72(a)(2)). Additionally, records related to confidential evaluations prepared in connection with the appointment or hiring of a public officer or employee are protected from disclosure (Ga. Code Ann. §50-18-72(a)(7)). In contrast, records 'consisting of material obtained in investigations related to the suspension, firing, or investigation of complaints against public officers or employees' are only protected for disclosure until ten days after those materials have been 'presented to the agency or an officer for action or the investigation is otherwise concluded or terminated' (Ga. Code Ann. §50-18-72(a)(8)).

Identity Fraud

Identity fraud is a criminal felony in Georgia, and can also subject an individual to civil penalties. A person commits identity fraud when they willfully and fraudulently (Ga. Code Ann. §16-9-121(a)):

  • without authorization or consent, uses or possesses with intent to fraudulently use identifying information concerning a person;
  • uses identifying information of an individual under 18 years old over whom they exercise custodial authority;
  • uses or possesses with intent to fraudulently use identifying information concerning a deceased individual;
  • creates, uses, or possesses with intent to fraudulently use any counterfeit or fictitious identifying information concerning a fictitious person with the intent to use such counterfeit or fictitious identification information for the purpose of committing or facilitating the commission of a crime or fraud on another person; or
  • without authorization or consent, creates, uses, or possesses with intent to fraudulently use any counterfeit or fictitious identifying information concerning a real person with the intent to use such counterfeit or fictitious identification information for the purpose of committing or facilitating the commission of a crime or fraud on another person.

'Identifying information' is broadly defined and includes, but is not limited to, the following (Ga. Code Ann. §16-9-120(5)):

  • current or former names;
  • social security numbers;
  • driver's license numbers;
  • checking account numbers;
  • savings account numbers;
  • credit and other financial transaction card numbers;
  • debit card numbers;
  • personal identification numbers;
  • electronic identification numbers;
  • digital or electronic signatures;
  • medical identification numbers;
  • birth dates;
  • mother's maiden name;
  • selected personal identification numbers;
  • tax identification numbers;
  • state identification card numbers issued by state departments;
  • veteran and military medical identification numbers; and
  • any other numbers or information which can be used to access a person's or entity's resources or health care records.

With respect to civil liability for identity fraud, the OAG can initiate proceedings to prosecute identity fraud, and businesses and consumers can bring civil suits to obtain equitable relief and recover general and punitive damages (Ga. Code Ann. §§16-9-127, 16-9-129, 16-9-130(a)). A consumer can bring a suit in their individual capacity or as a class action and can obtain treble damages and punitive damages if the violation was intentional (Ga. Code Ann. §16-9-130(a), (b)). Once the complaint is filed, the plaintiff must serve the AG with a copy of the initial complaint (and any amended complaint) within 20 days of filing (Ga. Code Ann. §16-9-130(e)).

3. Health Data

Georgia has several statutes addressing the confidentiality of medical records and the circumstances in which those records can be protected from subpoena. Those statutes are found in Ga. Code Ann. §§24-12-1 and 2. Notably, confidential raw medical research data is generally not subject to subpoena in Georgia (Ga. Code Ann. §24-12-2(c)).

Patients/residents of long-term-care facilities in Georgia have a specific, statutory right to privacy detailed in Ga. Code Ann. §31-8-114, within the 'Bill of Rights for Residents of Long-Term Care Facilities,' including the 'right to receive confidential treatment of the resident's personal and medical records.'

Health insurers who obtain medical records are subject to statutory restrictions on releasing that information without the patient's consent (Ga. Code Ann. §33-24-59.4).

In 2019, Georgia created the Georgia Data Analytics Center (GDAC) as a warehouse of information about people receiving services from state agencies, including healthcare services. The GDAC is required to adopt and publish policies and procedures regarding privacy and data security that comply with federal and state privacy and security statutes and regulations, including the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

4. Financial Data

Georgia has a privacy law affecting financial institutions’ disclosure of customer records, O.C.G.A. §7-1-360.

This law prohibits a financial institution from disclosing a customer’s financial records except in the following instances O.C.G.A. §7-1-360(a)(1-4) (2022):

  • where the financial institution itself is a proper or necessary party to a proceeding in a court of competent jurisdiction;
  • where the records of accounts or other customer records are requested through a subpoena or other administrative process issued by a state, federal, or local administrative agency having competent jurisdiction over the depositor or other customer or where such records are requested pursuant to Georgia or federal law governing civil practice or procedure in conjunction with an ongoing civil action in a Georgia state or federal court of competent jurisdiction;
  • where the records of accounts or other customer records are requested in conjunction with an ongoing criminal or tax investigation of the depositor or other customer by a state or federal grand jury, taxing authority, or law enforcement agency; or

where the records of accounts or other customer records are requested by any state or federal regulatory agency having jurisdiction over the financial institution. Where records are sought by a discovery request or subpoena in a civil case, Georgia's privacy law requires the requestor to notify the customer of the request. The customer may file a written motion asking that the subpoena or discovery request be limited in some manner or be nullified in whole ('quashed'). If a customer receives notice of the subpoena or discovery request but does not file a motion with the court prior to the deadline for the financial institution to comply, the customer legally consents to the bank’s production of the requested documents under Georgia law.

5. Employment Data

Georgia does not have any laws that provide statutory protections regarding data collected by private companies during the employment process. Notably, there is the Employment Security Law (ESL) under Ga. Code Ann. §34-8-1 et seq. Within the ESL, the Department of Labor has defined a 'right to privacy and confidentiality' regarding employment records maintained by that agency, specifically as that right is in tension with the public's right to free access to public records (as discussed above (Ga. Code Ann. §34-8-120(b)).

6. Online Privacy

Georgia does not have any key laws in effect that regulate online privacy and online behavioral advertising across industries.

The Student Data Privacy, Accessibility, and Transparency Act (SDPAT), however, protects and regulates access to K-12 and postsecondary student data (Ga. Code Ann. §20-2-660 et seq.).

The SDPAT defines 'operator' as any entity other than the department, local boards of education, the Georgia Student Finance Commission, or schools to the extent that the entity (Ga. Code Ann. §20-2-662(8)):

  • operates an internet website, online service, online application, or mobile application with actual knowledge that the website, service, or application is used for K-12 school purposes and was designed and marketed for K-12 school purposes to the extent that it is operating in that capacity; and
  • collects, maintains, or uses student personally identifiable information in a digital or electronic format.

'Student data' includes data descriptive of a student, such as first and last name and date of birth, as well as 'emails, text messages, documents, search activity, photos, voice recordings, and geolocation information' (Ga. Code Ann. §20-2-662(12)(A)(i), (v), (xiv)). 'Targeted advertising' means 'presenting advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's online behavior, usage of applications, or student data,' but does not include advertising to a student at an online location based upon that student's current visit to that location or single search query without collection and retention of a student's online activities over time (Ga. Code Ann. §20-2-662(14)).

Among other restrictions, operators are precluded from engaging in the following activities without explicit written consent from a student's parent or guardian or, where the student is an 'eligible student' (meaning they have reached 18 years of age or is attending a postsecondary institution), the student themselves (Ga. Code Ann. §20-2-666(a)(1)-(4)):

  • use student data to engage in behaviorally targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any student data and state-assigned student identifiers or other persistent unique identifiers that the operator has acquired because of the use of such operator's site, service, or application;
  • use information, including state-assigned student identifiers or other persistent unique identifiers, created, or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes. For purposes of Ga. Code Ann. §20-2-666(a), 'amass a profile' does not include collection and retention of account records or information that remains under the control of the student, parent, or local board of education;
  • sell a student's data; this prohibition does not apply to the purchase, merger, or another type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of Ga. Code Ann. §20-2-666(a) with respect to previously acquired student data that is subject to Ga. Code Ann. §20-2-666; or
  • disclose student personally identifiable data without explicit written or electronic consent from a student over the age of 13 or a student's parent or guardian, given in response to clear and conspicuous notice of the activity, unless the disclosure is made:
    • in furtherance of the K-12 school purposes of the site, service, or application; provided, however, that the recipient of the student data disclosed:
      • shall not further disclose the student data unless done to allow or improve the operability and functionality within that student's classroom or school; and
      • is legally required to comply with the requirements of this article and not use the student information in violation of this article;
    • to ensure legal or regulatory compliance or protect against liability;
    • to respond to or participate in judicial process;
    • to protect the security or integrity of the entity's website, service, or application;
    • to protect the safety of users or others or security of the site;
    • to a service provider, provided that the operator contractually:
      • prohibits the service provider from using any student data for any purpose other than providing the contracted service to, or on behalf of, the operator;
      • requires the service provider to implement and maintain reasonable security procedures and practices as provided in Ga. Code Ann. §20-2-666(b); or
      • requires such service provider to impose the same restrictions as in this paragraph on its own service providers; and
    • for an educational, public health, or employment purpose requested by the student's parent or guardian, provided that the information is not used or further disclosed for any purpose.

Moreover, operators must implement and maintain reasonable security procedures and practices to protect student data from unauthorized access, destruction, use, modification, or disclosure (Ga. Code Ann. §20-2-666(b)(1)). Operators must also delete student data within a reasonable timeframe, not to exceed 45 days, if the school or local board of education requests the deletion of data under the control of the school or local board of education (Ga. Code Ann. §20-2-666(b)(2)).

7. Unsolicited Commercial Communications

Georgia's Fair Business Practices Act (FBPA) generally prohibits all unfair acts and practices by businesses but specifically regulates telemarketing in two sections: Ga. Code Ann. §§10-1-393.5 and 10-1-393.6.

Ga. Code Ann. §10-1-393.5 prohibits any person engaged in 'telemarketing', 'activity involving or using a computer or home network', or 'home repair work or home improvement work' from (Ga. Code Ann. §10-1-393.5(b)):

  • employing any device, scheme, or artifice to defraud a person, organization, or entity;
  • engaging in any act, practice, or course of business that operates or would operate as a fraud or deceit upon a person, organization, or entity; or
  • committing any offense involving theft as defined in Ga. Code Ann.

Ga. Code Ann. §10-1-393.6 prohibits any person from requesting certain fee advances and payments, including (Ga. Code Ann. §10-1-393.6(b)):

  • in connection with a telemarketing transaction, request a fee in advance to remove derogatory information from or improve a person's credit history or credit record;
  • request or receive payment in advance from a person to recover, or otherwise aid in the return of, money or any other item lost by the consumer in a prior telemarketing transaction; provided, however, that Ga. Code Ann. §10-1-393.6(b)) shall not apply to goods or services provided to a person by a licensed attorney; or
  • in connection with a telemarketing transaction, procure the services of any professional delivery, courier, or another pickup service to obtain immediate receipt or possession of a consumer's payment, unless the goods are delivered with the opportunity to inspect before any payment is collected.

In both sections above, 'telemarketing' has the same definition as used in the Federal Trade Commission's Telemarketing Sales Rule (TSR), except the Georgia statutes include intrastate as well as interstate commerce (Ga. Code Ann. §§10-1-393.5(a) and 10-1-393.6(a)).

The FBPA also prohibits any telemarketer from using 'any part of an electronic record to attempt to induce payment or attempt collection of any payment that the seller or telemarketer claims is due and owing to it pursuant to a telephone conversation or series of telephone conversations with a residential subscriber.' (see Ga. Code Ann. §10-1-393(b)(31)(A)).

The FBPA is enforced by the OAG but it contains a private right of action as well. Only consumers (as opposed to businesses) may file an individual action (as opposed to a class action) under the FBPA, and only where the consumer is alleging a breach of a duty owed to the public in general as opposed to a deceptive or unfair act or practice that occurs in an essentially private transaction (Goodwyn v. Capital One, N.A., 127 F. Supp. 3d 1367, 1377 (M.D. Ga. 2015)).

Prior to filing an individual action under the FBPA, the individual must make a written demand for relief on the prospective defendant 30 days prior to filing the complaint (Ga. Code Ann. §10-1-399(b)). After filing the complaint, the individual must serve the AG with the initial complaint and any amendments within 20 days of filing the complaint (Ga. Code Ann. §10-1-399(g)).

Telephone solicitations

The FBPA also regulates telephone solicitations made on 'ADAD equipment,' which is defined as 'any device or system of devices which is used, whether alone or in conjunction with other equipment, for the purpose of automatically selecting or dialling telephone numbers and disseminating pre-recorded messages to the numbers so selected or dialed' (see Ga. Code Ann. § 10-1-393.13(a)(1)). A 'telephone solicitation' is defined as (Ga. Code Ann. §10-1-393.13(6)):

  • 'any voice communication from a live operator, through the use of ADAD equipment or by other means, over a telephone line or computer network for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services or donation to any organization, but shall not include communications:
    • to any subscriber with that subscriber's prior express invitation or permission;
    • by or on behalf of any person or entity with whom a subscriber has a prior or current business or personal relationship; or
    • which convey a political message.'

In connection with telephone solicitations (as defined above), at the beginning of the call, the person or entity making the call must state clearly the identity of the person or entity initiating the call; the telephone number displayed on the caller identification service must be a working telephone number capable of receiving incoming calls at the time the call is placed; and the identity of the caller displayed on the caller identification service must accurately reflect the identity of the caller (Ga. Code Ann. §10-1-393.13(b)(1), (3), and (4)). Further, no person or entity making a telephone solicitation 'to the telephone line of a subscriber in this state shall knowingly utilize any method to block or otherwise circumvent such subscriber's use of a caller identification service.' (see Ga. Code Ann. §10-1-393(b)(2)).

Interestingly, this provision is an exception to the FBPA's rule prohibiting class action lawsuits. Claims under Ga. Code Ann. §10-1-393.13 may be brought in a representative capacity, and damages shall be the greater of actual damages or $10 per violation (Ga. Code Ann. §10-1-393.13(c)).

8. Privacy Policies 

Georgia does not have any statutes addressing the implementation of online privacy policies for private businesses.

9. Data Disposal/Cybersecurity/Data Security

As discussed above, Georgia's SDPAT requires certain vendors and website operators to implement and maintain reasonable security procedures and practices to protect student data from unauthorized access, destruction, use, modification, or disclosure (Ga. Code Ann. § 20-2-666(b)(1)). Those operators must also delete student data within a reasonable timeframe, not to exceed 45 days, if the school or local board of education requests the deletion of data under the control of the school or local board of education (Ga. Code Ann. §20-2-666(b)(2)).

Additionally, each state agency has a duty to submit to the Division of Archives and History of the University System of Georgia a 'recommended retention schedule for each record series in its custody' and 'cause to be made and preserved records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the government and of persons directly affected by the agency's activities (Ga. Code Ann. §50-18-94(5), (1)). Further, '[a]ny records designated confidential by law shall be so treated by the division in the maintenance, storage, and disposition of such confidential records. These records shall be destroyed in such a manner that they cannot be read, interpreted, or reconstructed.' (see Ga. Code Ann. §50-18-95(b)).

The Motor Vehicle Dealer's Day in Court Act (GDDCA), which regulates the relationship between automobile franchisors and their franchise dealers, was amended in 2019 to require franchisors to protect consumer data acquired in motor vehicle sales or lease transactions (Ga. Code Ann. §10-1-632). Franchisors 'shall provide a written statement to the dealer upon request describing the established procedures adopted by such franchisor, manufacturer, distributor, or a third party acting on behalf of the franchisor, manufacturer, or distributor that meet or exceed any federal or state requirements to safeguard the consumer data, including, but not limited to, those established in the Gramm-Leach-Bliley Act of 1999 (see Ga. Code Ann. §10-1-632(a)(2)).

10. Other Specific Jurisdictional Requirements 

Telecommunications companies are prohibited from releasing the telephone records of any end-user with a Georgia address without the express consent of the user, with some exceptions such as law enforcement or some Public Service Commission agreements (Ga. Code Ann. §46-5-211).

The FBPA contains a restriction on an individual's and a business's ability to display, transmit, and use social security numbers (Ga. Code Ann. §10-1-393.8).

There are other statutes establishing the Georgia Public Service Commission's rules surrounding the use of 'ADAD equipment' (see Ga. Code. Ann. §§46-5-23, 24). Specifically, it is prohibited to use ADAD equipment in connection with 'advertising, offering for sale, lease, rental, or as a gift any goods, services or property' or 'for the purpose of conducting polls or soliciting information where' (Ga. Code Ann. §46-5-23(a)(2)):

  • consent is not received prior to the initiation of the calls, as specified in (Ga. Code Ann. §46-5-23(a)(3));
  • such use is other than between the hours of 8:00 A.M. and 9:00 P.M.;
  • the ADAD equipment will operate unattended or is not so designed and equipped with an automatic clock and calendar device that it will not operate unattended, even in the event of power failures;
  • such use involves either the random or sequential dialing of telephone numbers;
  • the telephone number required to be stated in Ga. Code Ann. §46-5-23(a)(2))(G) is not one which during normal business hours is promptly answered in person by a person who is an agent of the person on whose behalf the automatic calls are made and who is willing and able to provide information concerning the automatic calls;
  • the automatic dialing and recorded message player does not automatically and immediately terminate its connection with any telephone call within ten seconds after the person called fails to give consent for the playing of a recorded message or hangs up their telephone;
  • the recorded message fails to state clearly the name and telephone number of the person or organization initiating the call within the first 25 seconds of the call and at the conclusion of the call; or
  • such use involves calls to telephone numbers that at the request of the customer have been omitted from the telephone directory published by the local exchange company serving the customer or involves calls to hospitals, nursing homes, fire protection agencies, or law enforcement agencies.

In February 2024, the Georgia Consumer Privacy Protection Act (GPCPPA) (SB 473) was introduced in the Georgia state senate. The GCPPA aims to protect the privacy of consumer personal data by granting Georgia consumers certain rights including:

  •  the right to know what personal information companies have collected about them;
  •  the right to access, correct, and delete that information; and
  •  the right to stop disclosure of certain information to third parties.

Consumer advocacy groups like the ACLU of Georgia and Consumer Reports oppose the bill in its current form, arguing it does not provide sufficient privacy protections and favors companies over consumers. The GCPPA would impose a lesser burden on holders of data than the Georgia Computer Data Privacy Act, a 2022 proposed bill that stalled in committee. The 2022 bill would have prohibited businesses from collecting personal information unless they have provided a notice and obtained the consumer’s consent. The GPCPPA, on the other hand, imposes no such front-end prohibition. As of June 2024, whether the GPCPPA will survive through a vote by the Georgia legislature remains to be seen.