Georgia Consumer Privacy Law

Primary law

Georgia's breach-notification duty applies to an information broker or data collector that maintains computerized data including personal information of individuals.

Any information broker or data collector that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

See O.C.G.A. § 10-1-912(a).

Primary law

The Georgia FBPA declares unfair or deceptive acts or practices in consumer transactions and consumer acts or practices in trade or commerce unlawful.

Unfair or deceptive acts or practices in the conduct of consumer transactions and consumer acts or practices in trade or commerce are declared unlawful.

See O.C.G.A. § 10-1-393(a).

Primary law

Georgia defines a data collector as a state or local government agency or subdivision, and an information broker as a fee-based business furnishing personal information to nonaffiliated third parties.

“Information broker” means any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties

See O.C.G.A. § 10-1-911(2)-(3).

Primary law

A vendor maintaining covered computerized data it does not own must notify the information broker or data collector within 24 hours after discovering a breach involving unauthorized acquisition or reasonably believed acquisition.

Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery

See O.C.G.A. § 10-1-912(b).

Primary law

The FBPA is intended to protect consumers and legitimate businesses from unfair or deceptive practices and is construed consistently with federal-court interpretations of FTC Act § 5.

The purpose of this part shall be to protect consumers and legitimate business enterprises from unfair or deceptive practices in the conduct of any trade or commerce in part or wholly in the state.

See O.C.G.A. § 10-1-391(a)-(b).

Primary law

The FBPA declares unfair or deceptive acts or practices in consumer transactions and consumer acts or practices in trade or commerce unlawful.

Unfair or deceptive acts or practices in the conduct of consumer transactions and consumer acts or practices in trade or commerce are declared unlawful.

See O.C.G.A. § 10-1-393(a).

Primary law

Georgia directs the FBPA to be interpreted consistently with federal-court interpretations of FTC Act § 5.

It is the intent of the General Assembly that this part be interpreted and construed consistently with interpretations given by the Federal Trade Commission in the federal courts pursuant to Section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. Section 45(a)(1)), as from time to time amended.

See O.C.G.A. § 10-1-391(b).

Primary law

A GLBA financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided the consumer a compliant privacy notice.

a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.

See 15 U.S.C. § 6802(a).

Primary law

A HIPAA covered entity must give individuals a notice describing uses and disclosures of protected health information, individual rights, and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520(a)(1).

Primary law

COPPA prohibits covered operators from collecting children's personal information in violation of the FTC's notice and parental-consent regulations.

It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).

See 15 U.S.C. § 6502(a)(1).

Primary law

A vendor maintaining covered computerized data it does not own must notify the information broker or data collector within 24 hours after discovering a breach involving unauthorized acquisition or reasonably believed acquisition.

Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

See O.C.G.A. § 10-1-912(b).

Primary law

The GLBA Safeguards Rule requires a financial institution to oversee its service providers — selecting capable providers, requiring safeguards by contract, and periodically assessing them.

Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

See 16 C.F.R. § 314.4(f).

Primary law

HIPAA requires a written business-associate contract that establishes the permitted and required uses and disclosures of protected health information by the business associate.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate.

See 45 C.F.R. § 164.504(e)(2).

Primary law

A covered information broker or data collector must notify affected Georgia residents in the most expedient time possible and without unreasonable delay after discovery or notification of a breach involving unencrypted personal information.

The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

See O.C.G.A. § 10-1-912(a).

Primary law

A vendor maintaining covered computerized data it does not own must notify the information broker or data collector within 24 hours after discovering a breach involving unauthorized acquisition or reasonably believed acquisition.

Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery

See O.C.G.A. § 10-1-912(b).

Primary law

Georgia defines breach of security as unauthorized acquisition of electronic data that compromises personal information, with a good-faith employee or agent exception if the information is not used or further disclosed without authorization.

“Breach of the security of the system” means unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker or data collector.

See O.C.G.A. § 10-1-911(1).

Primary law

Georgia personal information includes a name linked to unencrypted or unredacted Social Security number, driver's license or state ID number, account or payment-card number usable without more, account passwords, PINs, or access codes.

“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted

See O.C.G.A. § 10-1-911(6)(A)-(D).

Primary law

Georgia also treats the listed identity-theft-enabling elements as personal information without a name if the compromised information would be sufficient to perform or attempt identity theft.

Any of the items contained in subparagraphs (A) through (D) of this paragraph when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

See O.C.G.A. § 10-1-911(6)(E).

Primary law

Georgia permits written, telephone, electronic, or substitute notice; substitute notice is available when cost exceeds $50,000, the affected class exceeds 100,000, or contact information is insufficient, and requires email where available, website posting where available, and major statewide media.

Substitute notice, if the information broker or data collector demonstrates that the cost of providing notice would exceed $50,000.00, that the affected class of individuals to be notified exceeds 100,000, or that the information broker or data collector does not have sufficient contact information to provide written or electronic notice to such individuals.

See O.C.G.A. § 10-1-911(4).

Primary law

When notice is required for more than 10,000 Georgia residents at one time, the information broker or data collector must also notify nationwide consumer reporting agencies without unreasonable delay.

In the event that an information broker or data collector discovers circumstances requiring notification pursuant to this Code section of more than 10,000 residents of this state at one time, the information broker or data collector shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nation-wide basis

See O.C.G.A. § 10-1-912(d).

Primary law

The FBPA authorizes an injured person to bring an individual, but not representative, action for equitable injunctive relief and general and exemplary damages.

any person who suffers injury or damages as a result of a violation of Chapter 5B of this title, as a result of consumer acts or practices in violation of this part, as a result of office supply transactions in violation of this part or whose business or property has been injured or damaged as a result of such violations may bring an action individually, but not in a representative capacity

See O.C.G.A. § 10-1-399(a).

Primary law

A claimant generally must deliver a written demand for relief at least 30 days before filing an FBPA action.

At least 30 days prior to the filing of any such action, a written demand for relief, identifying the claimant and reasonably describing the unfair or deceptive act or practice relied upon and the injury suffered, shall be delivered to any prospective respondent.

See O.C.G.A. § 10-1-399(b).

Primary law

Subject to the demand-and-tender subsection, a court must award three times actual damages for an intentional FBPA violation.

Subject to subsection (b) of this Code section, a court shall award three times actual damages for an intentional violation.

See O.C.G.A. § 10-1-399(c).

Primary law

If the court finds an FBPA violation, the injured person receives reasonable attorney's fees and litigation expenses, subject to the statute's settlement and bad-faith limitations.

If the court finds in any action that there has been a violation of this part, the person injured by such violation shall, in addition to other relief provided for in this Code section and irrespective of the amount in controversy, be awarded reasonable attorneys’ fees and expenses of litigation incurred in connection with said action

See O.C.G.A. § 10-1-399(d).

Primary law

The Attorney General must be served with the initial complaint and amended complaints in an FBPA action within 20 days after filing and is entitled to be heard.

In any action brought under this Code section the Attorney General shall be served by certified or registered mail or statutory overnight delivery with a copy of the initial complaint and any amended complaint within 20 days of the filing of such complaint.

See O.C.G.A. § 10-1-399(g).

Primary law

The FBPA's underlying prohibition is limited to unfair or deceptive practices in consumer transactions and consumer acts or practices in trade or commerce.

Unfair or deceptive acts or practices in the conduct of consumer transactions and consumer acts or practices in trade or commerce are declared unlawful.

See O.C.G.A. § 10-1-393(a).