SixFifty has created state-specific privacy tools to automatically generate privacy notices and policies. Read on to learn about Georgia’s proposed privacy rules, and how we make it simple and easy to stay in compliance, no matter how the law changes.
Who is affected by Georgia data privacy laws?
In January 2022, the Georgia General Assembly introduced the Georgia Computer Data Privacy Act (GCPDA). If the bill passes and is signed into law, it will affect any business collecting, storing, processing, or selling data from Georgia residents and consumers. This isn’t limited to companies doing business online, either: the way the law is written could affect brick-and-mortar businesses collecting consumer information to process credit card payments, for example.
What’s the difference between privacy policies and privacy notices?
Georgia privacy law
The GCDPA is an omnibus privacy statue modeled after the California Consumer Privacy Act. The proposed law is actually stricter than California’s privacy laws, which are currently the strictest in the nation.
The bill is stricter in several key areas:
- Consumer consent is needed to collect data: The law requires affirmative consent before collecting any consumer data, so businesses cannot simply provide an “opt out” option. Because websites and apps collect personal information as soon as someone visits a website, this could affect companies operating online in Georgia. Furthermore, they may need to collect consumer consent before processing credit card or similar transactions in person.
- Sales definition: “Sales” are defined as the disclosure of consumer data to a third party for any valuable consideration. Therefore, if a company needs to share data to receive or provide a service, it could be classified as a “sale.”
- Selling data: If passed, the GCDPA would ban companies from “selling” data (including the definition above) unless the consumer affirmatively opts in. This could affect digital marketing. Moreover, the “we sell data” notice requires more detail than California’s laws, including to whom the data might be sold and the pro rata value of that information.
- Right of deletion and right to be forgotten: Consumers would have the right to ask a company to delete their data—but in addition, if they’ve made the data public, they have to take “reasonable steps” to remove that data from public access.
- Corporate research and anonymized data: If a company uses personal consumer information, the data must be anonymized first. Furthermore, that anonymized data can’t be “reidentified” without the consumer’s consent or authorization.
- No exceptions for employee or B2B data: Companies would be subject to employee requests to provide, stop selling, or delete their consumer data.
- Enforcement and private right of action: Finally, the attorney general does not have exclusive right to enforcement—other agencies may be entitled to do the same. The GCDPA also allows consumers a private right of action against companies who violate the law, including class actions.
Our software pairs technology with real legal expertise, to deliver custom, compliant Georgia privacy policies and notices in record time. Simply answer a series of questions, download the generated document, and have your lawyer review. It’s the easiest way to stay compliant and avoid incurring penalties—all while saving money.