summary
Introduced
02/05/2025
02/05/2025
In Committee
03/27/2025
03/27/2025
Crossed Over
03/03/2025
03/03/2025
Passed
Dead
Introduced Session
2025-2026 Regular Session
Bill Summary
AN ACT To amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, so as to enact the "Georgia Consumer Privacy Protection Act"; to protect the privacy of consumer personal data in this state; to provide for definitions; to provide for applicability; to provide for exemptions for certain entities, data, and uses of data; to provide for consumer rights regarding personal data; to provide for a consumer to exercise such rights by submitting a request to a controller; to provide for a controller to promptly respond to such requests; to provide for exemptions; to provide for responsibilities of processors and controllers; to provide for notice and disclosure; to provide for security practices to protect consumer personal data; to allow a controller to offer different goods or services under certain conditions; to provide for limitations; to provide for statutory construction; to provide for enforcement and penalties; to provide an affirmative defense; to prohibit the disclosure of personal data of consumers to local governments unless pursuant to a subpoena or court order; to provide for preemption of local regulation; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.
AI Summary
This bill enacts the Georgia Consumer Privacy Protection Act, a comprehensive data privacy law that establishes new rights for consumers and obligations for businesses handling personal information. The law applies to businesses that conduct business in Georgia, have over $25 million in revenue, and either process personal information of at least 25,000 consumers (with over 50% of revenue from selling personal information) or process information of at least 175,000 consumers. Consumers are granted several key rights, including the ability to confirm what personal information a company has, access that information, correct inaccuracies, delete their personal information, obtain a copy of their data, and opt out of data sales, targeted advertising, and certain types of profiling. Companies must provide clear privacy notices, obtain consent for processing sensitive data, and implement reasonable data security practices. The law includes extensive exemptions for certain types of entities and data, such as healthcare providers, financial institutions, and government agencies. Enforcement is exclusively handled by the Attorney General, who must provide a 60-day cure period before taking action, with potential civil penalties of up to $7,500 per violation. The law does not create a private right of action for consumers, meaning individuals cannot sue companies directly for violations. The act will become effective on July 1, 2026, and preempts local privacy regulations in Georgia.
Committee Categories
Business and Industry, Justice
Sponsors (8)
John Albers (R)*,
Max Burns (R)*,
Chuck Payne (R)*,
Sheikh Rahman (D)*,
Randy Robertson (R)*,
Ed Setzler (R)*,
Shawn Still (R)*,
Brad Thomas (R),
Last Action
House Judiciary (upon Adjournment) (13:00:00 3/28/2025 132 CAP) (on 03/28/2025)
Official Document
bill text
bill summary
Loading...
bill summary
Loading...
bill summary
| Document Type | Source Location |
|---|---|
| State Bill Page | https://www.legis.ga.gov/legislation/69990 |
| BillText | https://www.legis.ga.gov/api/legislation/document/20252026/235009 |
| BillText | https://www.legis.ga.gov/api/legislation/document/20252026/231441 |
Loading...