Georgia Privacy Laws Explained: Everything You Need to Know

      All About Georgia Privacy Laws

      Georgia takes the privacy of its residents very seriously. While it lacks a comprehensive suite of privacy regulations, Georgia does have strong data security requirements for private and public entities that handle individual personal information. Georgia is also part of a select group of states that impose obligations around the media’s use of personal information for commercial purposes. Any individuals, companies, or practitioners who interact with Georgia residents and their personal information should familiarize themselves with these key laws, as violations can lead to severe civil penalties.

      Privacy Laws Governing Georgia

      When navigating the complex landscape of privacy laws, Georgia stands out as a state with particular regulations that impact businesses and consumers alike. The Georgia Personal Identity Protection Act (GPIPA) and the Georgia Fair Business Practices Act (FBPA) are the two major state law components governing privacy. Concurrently, various federal privacy laws also have significant influence in the state.
      The Georgia Personal Identity Protection Act (GPIPA)
      Enacted in 2007 in response to growing identity theft concerns, GPIPA sets a baseline for how companies should handle consumer data. While the Act lays out a general requirement that businesses should take "reasonable measures" to protect unencrypted electronic records containing personal information, it is intentionally vague as to what "reasonable" means. This lack of specificity has left it open to interpretation by businesses, consumers, courts, and legislators alike. The unclear standard is both a blessing and a curse—an enigma that fosters creativity in business implementation but leaves consumers with uncertainty as to what rights and protections are ultimately afforded to them.
      Key terms in the Act include the following: Under GPIPA, businesses that own or license records including personal information of Georgia residents have an affirmative duty to disclose any breach of security involving the unauthorized acquisition of such information. The Accreditations Council for Pharmacy Education (ACPE) has recommended that pharmacy policy be amended to include a provision requiring the reporting of security breaches to the person whose information was compromised. GPIPA imposes fines between $50-$500 per violation per year.
      Enforcement of GPIPA is limited to the Georgia Attorney General, district attorneys, and the consumer (someone who has suffered injury due to a violation of the Act). GPIPA is not a private cause of action. Successful plaintiffs may be awarded treble damages.
      Georgia Fair Business Practices Act
      More aggressive than GPIPA, the FBPA can only be brought by the Georgia Attorney General, district attorneys, or a private citizen who has suffered a loss due to a violation of the Act. A defendant found liable under the FBPA may be ordered, among other things, to pay restitution to the injured party, publicize the judgment, and to pay damages for harm suffered, up to $5,000 per violation for a maximum of $25,000 per day.
      Technology and Federal Laws
      Technology inspires creativity in companies, as well as concerns about individual privacy. Federal laws more generally restrict privacy in the workplace and with respect to video recordings and telecommunications by restricting interception and recording. Notably, Georgia recognizes the "one-party consent" standard, which is a threshold for recording phone conversations without notice to or permission from the other party.

      Rules on Data Protection in Georgia

      Businesses must adhere to a range of data protection guidelines to comply with the privacy and security laws in Georgia. Understanding these requirements is crucial for companies that collect, maintain, or disseminate personal information in the state.
      One legal requirement for businesses in Georgia is to provide clear and conspicuous notice on their websites if they use "plug-ins" from third parties to track users. According to the state’s privacy and security regulations, a "plug-in" is a button that enables consumers to obtain and disclose their personal information to third parties without the need for websites to display a separate privacy policy. Additionally, if a business has a social networking site, it is required to post a privacy policy on that site that is accessible to users.
      This disclosure requirement also extends to mobile applications, which cannot track an individual unless there is prior consent from the user. Consent is achieved when a business communicates the terms in writing and the user "expressly accepts" them.
      For businesses collecting the personal information of individuals under the age of 13, general rules and federal regulations state that there must be written permission from the parent or legal guardian of the minor before collecting and disseminating that data. The same is true if a company wants to share the information of clients in the healthcare sector or details of individuals who have succumbed to their injuries.
      General rules and federal laws further state that a Georgia business cannot provide its customers with the opportunity to opt-in or opt-out of receiving disclosure of their personal information to third parties. If a business chooses to share information with third parties, then it must enable customers to opt out.
      Testimony about these regulations was added to the House bill to amend Title 10 called the "Georgia Protection of Personal Information Act of 2018." The amendments were then enacted by the Georgia General Assembly and signed by Governor Nathan Deal.
      Under the changes, if there are amendments to the Fair Credit Reporting Act, the Official Code of Georgia Annotated regarding criminal records and child abuse investigations, or the Fair and Accurate Credit Transactions Act (FACTA), then they will have to comply with Georgia’s pre-existing statutory privacy requirements.
      To improve upon its protections, Georgia will also be adopting the NIST Cybersecurity Framework for improving critical infrastructure cybersecurity.

      The Rights of Consumers Under Georgia Privacy Laws

      Consumer rights under Georgia privacy laws are limited, but a few privacy protections have been enacted in legislation at both the public and private levels. While a number of state privacy laws exist that protect the privacy of personal information, such as education or driver’s information, only a few laws apply generally to personal data. Georgia law does not require a merchant to notify individuals of a security breach with regard to "unencrypted" personal data, unless the breach exposes "sensitive personally identifiable information." Sensitive personally identifiable information is defined as an individual’s first initial and last name in combination, along with their social security number, driver’s license number or financial institution account number or card number with their personal access code or password.
      Georgia is one of the few states that has not enacted a "data destruction" law. To date, 24 states have passed laws requiring businesses to properly dispose of personal data once it is no longer needed. Georgia does not have a law promoting transparency with regard to privacy policies. Privacy and security policies are covered by laws such as the Children’s Online Privacy Protection Act (COPPA) and state laws relating to educational privacy. By contrast, privacy and security policies are not required under the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act.
      Georgia does not have a state consumer bill of rights that addresses the privacy of personal data. However, consumer protection rights are protected under the Federal Trade Commission Act, which is applied to Georgia. Violators of the Georgia Fair Business Practices Act (FBPA) can be fined up to $1,000 per violation, provided that any fine does not exceed $25,000 for any related series of violations.
      Georgia residents do have a right to access, obtain and correct information held by "consumer reporting agencies," commonly known as credit bureaus. Requesting personal information also includes the right to request the nature and source of such information and to dispute the accuracy of such information.

      Technology’s Role in the Future of Georgia Privacy Laws

      The rapid advancement of technology is a double-edged sword in the context of data privacy and laws governing the handling of personal data in Georgia. On the one hand, technological growth has greatly enhanced corporate capabilities, creating new and more complex forms of data, for example, by improving the ability of companies to collect, retain, and analyze customer and employee data. On the other hand, the cutting-edge uses of data that were once only the stuff of movies have become a reality, fueling the need for data privacy laws to protect consumers more than ever.
      Technological advancements in recent decades have led to increased interconnectivity between businesses and consumers and to more robust exchange of personal information, often without the consumer’s knowledge. Businesses can now quickly and easily share personal information amongst themselves and with third parties. This builds a large network of interdependent operations, often to the consumer’s detriment.
      Because of this interdependence, when a breach occurs, all connected businesses may suffer losses. In addition to legal consequences, these risks can undermine customer trust, which can be particularly devastating for small to mid-sized businesses whose customers are often private individuals and other small businesses. This dynamic bears out in actual numbers; the Data Breach Investigations Report shows that nearly 78% of data breaches published in 2015 targeted small businesses.
      These factors have contributed to a noticeable uptick in state-level data privacy legislation across the U.S. Over the past several years, Georgia has introduced numerous bills to expand data privacy protections for the benefit of consumers. Though many of those bills were ultimately unsuccessful, the fact that these bills were introduced points to the need for stronger consumer privacy protection in the digital age. Though many have yet to succeed in making their way into law, some have survived repeated introduction through multiple legislative sessions, and have garnered considerable bipartisan support. One such example is the creation of the Georgia Cyber Crime Center: both houses of the Georgia General Assembly unanimously passed SB 315, a bill to establish the Georgia Cyber Crime Center and to create an annual Cyber Crime Conference and Technology Day.
      Safety in numbers applies not only to the potential harm to a company in the event of a breach; it also applies to the breadth and depth of current knowledge. In order to adequately protect the privacy of consumers, businesses must operate within a framework that accounts for both state and federal laws. In the U.S., 2016 saw the enactment of new data privacy laws in California, Illinois, New York, South Carolina, Connecticut, and North Carolina, among other states. To account for these types of issues, the Georgia Legislature introduced several bills to streamline the process of responding to a data breach, and to help equip consumers and businesses to handle the threat of a data breach. Even if most of these bills fail, the introduction of so many bills on this issue will undoubtedly continue to push this issue to the forefront in 2019.

      What’s Coming in Georgia Privacy Laws

      While the Georgia Legislature has introduced some notable legislation regarding privacy and electronic surveillance, past sessions have hinted at further comprehensive regulations on the horizon for privacy issues in Georgia. For example, the Equal Rights for Privacy in the Workplace Act of 2012 sought to impose strict employee privacy protections. Although the bill did not pass, its introduction signals that lawmakers are interested in advancing privacy rights for employees in 2019. Similar legislation is pending this year.
      Although there are a host of hot privacy issues under consideration in other jurisdictions, such as biometric privacy, autonomous vehicles, and facial recognition technology, these issues have not yet captured the attention of Georgia lawmakers. Individual device privacy, where devices that track user location have proliferated, may be ripe for legislative protection, as this issue may very well come to a head when courts eventually examine the merits of whether cell phones and smart watches can be remotely accessed without probable cause. How the U.S. Supreme Court decides the Carpenter v. United States case later this term will directly impact the issue in Georgia.
      Additionally, as more and more courts begin to address wiretap issues both in the workplace and with virtual assistants like Amazon’s Alexa, legislators may address the warrant requirements and monitoring provisions for employers and national technology companies.
      One factor that may hinder privacy protection expansion is the current Republican majority in the Georgia Legislature. If Democrats reclaim a majority in the Georgia General Assembly in November, privacy legislation could be an area in which progressive lawmakers focus their efforts.

      Georgia Privacy Law Requirements

      There are a number of resources and guidelines provided by government agencies and industry groups that can help both individuals and businesses stay informed about, and in compliance with, Georgia privacy laws.
      Websites such as the Georgia Department of Law’s Privacy Program page provide information and educational materials on issues relating to personal information privacy. These materials include a sample privacy policy and a "Do Not Mail/Call" checklist that assists consumers in reducing junk mail and phone solicitations.
      The United States Federal Trade Commission provides information on privacy and identity protection which is relevant in Georgia as well as around the country. This federal agency has published numerous guidance documents and policy recommendations that affect various aspects of privacy laws and compliance.
      Industry groups also provide guidance on privacy and data protection. For example, the Direct Marketing Association (DMA), an organization aimed at increasing trust and transparency in the world of direct marketing, provides many educational resources on privacy issues as they relate to this industry.
      Besides these resources, individuals and businesses may want to consider enlisting the help of legal counsel in navigating the increasingly complicated privacy landscape. Third party providers also offer some online privacy and data protection solutions.
