The Georgia Senate recently introduced an omnibus privacy bill modeled after (but significantly broader than) California’s Consumer Privacy Act (“CCPA”), titled the Georgia Computer Data Privacy Act (“GCDPA”). The introduction of the GCDPA is surprising in a number of ways, including its sponsorship by Republican leadership. It is also notable in the burdens it seeks to impose on businesses, surpassing even those in the CCPA and other recently enacted state privacy laws. However, given that the leadership of the controlling party in the Georgia legislature supports it, it is likely to pass, though perhaps not in its current form.
Some of the most notable provisions of the GCDPA include:
-
Consumer consent required for collection of personal information. The GCDPA prohibits businesses from collecting personal information unless they have provided a notice and obtained the consumer’s consent. This is more onerous than the CCPA, which generally permits businesses to collect personal information as long as they provide a sufficient notice at or before the point of collection.
-
Consumers must opt in to “sales” of personal information. The GCDPA prohibits businesses from “selling” data unless the consumer first opts in to the sale, which opt-in mechanism must be offered by a “clear and conspicuous link” on the business’s website. Note that the definition of “sale” is the same as the CCPA’s; i.e., a transfer for “money or other valuable consideration.” In addition, a business that sells personal information must provide a notice on its website that identifies the specific “persons” to whom data will be sold, and that discloses “the pro rata value of the consumer’s personal information.”
-
Very plaintiff-friendly private right of action. Unlike existing state privacy laws, the GCDPA expressly provides for a private right of action pursuant to which consumers may seek statutory damages. Under most federal and state statutes that provide for statutory damages, a consumer can seek to recover their actual damages or a specified amount of statutory damages, whichever is higher. However, the GCDPA provides that consumers can recover their actual damages and statutory damages of up to $2,500 for each violation, or $7,500 for each intentional violation. As with the other provisions described above, this is stricter than the CCPA, which only provides for a private right of action for certain types of data events—which could turn Georgia into the next jurisdiction focused on by the plaintiffs’ privacy bar.
-
No exemption for employee or business contact information. Unlike the CCPA and the privacy statutes enacted in Colorado and Virginia, the GCDPA does not contain a general exemption employee data or business contact information.