USA – GEORGIA Trends and Developments Contributed by: Rose J Hunter Jones and Meredith Perlman, Hilgers Graben PLLC
was passed by the Senate on 27 February 2024, favourably reported from House Committee on 20 March 2024, and is ready for floor considera - tion in the 2025–2026 Regular Session. The Act, effective 1 July 2026 if adopted, aims to bal - ance consumer rights with business obligations but faces scrutiny for its broad exemptions and delayed implementation. Businesses operating in Georgia must prepare to navigate the com - plexities of determining compliance obligations under this new law while addressing the growing demands for enhanced data privacy protections from consumers and regulators alike. The Georgia Consumer Privacy Protection Act is designed to safeguard the personal data of state residents. Modeled after existing privacy laws like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA), SB 473 outlines the responsibilities of businesses (controllers and processors) while affording consumers greater control over their personal information. Under the Act, businesses must adhere to standards for transparency, data security, and consumer rights. It applies to companies con - ducting business in Georgia that exceed USD25 million in annual revenue and that either: • control or process the personal data of at least 25,000 consumers, deriving more than 50% of their gross revenue from the sale of personal information; or • process personal data for at least 175,000 consumers annually. One of the notable challenges posed by the Georgia Consumer Privacy Protection Act is navigating the numerous exemptions it estab - lishes, which create ambiguity around which entities must comply. The Act excludes a wide
range of organisations and data types, including financial institutions governed by the Gramm- Leach-Bliley Act, healthcare entities covered under HIPAA, non-profit organisations, and insti - tutions of higher education. Additionally, data regulated under federal laws like the Family Edu - cational Rights and Privacy Act (FERPA) and the Fair Credit Reporting Act (FCRA) is also exempt. Determining whether an entity qualifies for these exemptions, particularly when operations span multiple jurisdictions or involve diverse data types, will require detailed legal and operational analysis. For businesses, understanding wheth - er they fall within the Act’s scope will necessi - tate close examination of their data processing activities, the nature of their business, and their regulatory landscape, further underscoring the need for clear guidance and compliance strate - gies. The Act provides Georgia residents with a suite of rights over their personal information, empow - ering them to: • confirm whether their data is being pro - cessed; • access and correct inaccuracies in their per - sonal data; • request the deletion of personal information; • obtain a copy of their data in a portable for - mat; and • opt out of the sale of their personal informa - tion, targeted advertising, and profiling activi - ties. Controllers are required to respond to authenti - cated consumer requests within 45 days, with a possible 45-day extension for complex inquiries. Businesses must also offer an appeals process for denied requests, with further recourse to the Georgia Attorney General if necessary.
552 CHAMBERS.COM
Powered by FlippingBook