24 LC 36 5726
Senate Bill 473
By: Senators Albers of the 56th, Robertson of the 29th, Anavitarte of the 31st, Strickland of
the 17th, Goodman of the 8th and others
A BILL TO BE ENTITLED
AN ACT
To amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and
1
trade, so as to enact the "Georgia Consumer Privacy Protection Act"; to protect the privacy2
of consumer personal data in this state; to provide for definitions; to provide for applicability;3
to provide for exemptions for certain entities, data, and uses of data; to provide for consumer4
rights regarding personal data; to provide for a consumer to exercise such rights by5
submitting a request to a controller; to provide for a controller to promptly respond to such6
requests; to provide for exemptions; to provide for responsibilities of processors and7
controllers; to provide for notice and disclosure; to provide for security practices to protect8
consumer personal data; to allow a controller to offer different goods or services under9
certain conditions; to provide for limitations; to provide for enforcement and penalties; to10
provide an affirmative defense; to prohibit the disclosure of personal data of consumers to11
local governments unless pursuant to a subpoena or court order; to provide for preemption12
of local regulation; to provide for related matters; to repeal conflicting laws; and for other13
purposes.14
BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:15
S. B. 473
- 1 - 24 LC 36 5726
SECTION 1.
16
Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, is17
amended by adding a new article to Chapter 1, relating to selling and other trade practices,18
to read as follows:19
"ARTICLE 37
20
10-1-960.21
This article shall be known and may be cited as the 'Georgia Consumer Privacy Protection22
Act.'23
10-1-961.24
As used in this article, the term:25
(1) 'Affiliate' means a legal entity that controls, is controlled by, or is under common26
control with another legal entity or shares common branding with another legal entity. 27
For purposes of this paragraph, the term 'control' or 'controlled' means:28
(A) Ownership of, or the power to vote, more than 50 percent of the outstanding shares29
of a class of voting security of an entity;30
(B) Control in any manner over the election of a majority of the directors or of31
individuals exercising similar functions relative to an entity; or32
(C) The power to exercise controlling influence over the management of an entity.33
(2) 'Authenticate' means to verify using reasonable means that a consumer who is34
entitled to exercise the rights in Code Section 10-1-963, is the same consumer who is35
exercising such consumer rights with respect to the personal information at issue.36
(3)(A) 'Biometric data' means data generated by automatic measurement of an37
individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris,38
S. B. 473
- 2 - 24 LC 36 5726
or other unique biological patterns or characteristics that are used to identify a specific39
individual.40
(B) Such term shall not include:41
(i) A physical or digital photograph, video recording, or audio recording or data42
generated from a photograph or video or audio recording; or43
(ii) Information collected, used, or stored for healthcare treatment, payment, or44
operations under HIPAA.45
(4) 'Business associate' shall have the same meaning as provided by HIPAA.46
(5) 'Consent' means a clear affirmative act signifying a consumer's freely given, specific,47
informed, and unambiguous agreement to process personal information relating to the48
consumer. Such term may include a written statement, including a statement written by49
electronic means, or an unambiguous affirmative action.50
(6) 'Consumer' means an individual who is a resident of this state acting only in a51
personal context. Such term shall not include an individual acting in a commercial or52
employment context.53
(7) 'Controller' means the person that, alone or jointly with others, determines the54
purpose and means of processing personal information.55
(8) 'Covered entity' shall have the same meaning as provided by HIPAA.56
(9) 'Decisions that produce legal or similarly significant effects concerning the consumer'57
means decisions made by the controller that result in the provision or denial by the58
controller of financial or lending services, housing, insurance, education enrollment or59
opportunity, criminal justice, employment opportunities, healthcare services, or access60
to basic necessities, such as food and water;61
(10) 'De-identified data' means data that cannot reasonably be linked to an identified or62
identifiable individual, or any device linked to such natural person;63
(11) 'Health record' means a written, printed, or electronically recorded material that:64
S. B. 473
- 3 - 24 LC 36 5726
(A) In the course of providing healthcare services to an individual was created or is65
maintained by a healthcare facility described in or licensed pursuant to Title 31; and66
(B) Concerns the individual and the healthcare services provided.67
Such term includes the substance of a communication made by an individual to a68
healthcare facility described in or licensed pursuant to Title 31 in confidence during or69
in connection with the provision of healthcare services or information otherwise acquired70
by the healthcare entity about an individual in confidence and in connection with the71
provision of healthcare services to the individual.72
(12) 'HIPAA' means the federal Health Insurance Portability and Accountability Act of73
1996, as amended, 42 U.S.C. Section 1320d et seq.74
(13) 'Identified or identifiable individual' means a natural person who can be readily75
identified, whether directly or indirectly.76
(14) 'Institution of higher education' means a public or private college or university in77
this state;78
(15) 'Known child' means an individual who is under 13 years of age.79
(16) 'NIST' means the National Institute of Standards and Technology privacy80
framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management81
Version 1.0.'82
(17) 'Nonprofit organization' means:83
(A) A corporation organized under Chapter 3 of Title 14, the 'Georgia Nonprofit84
Corporation Code';85
(B) An organization exempt from taxation under the Internal Revenue Code, codified86
in 26 U.S.C. Sections 501-530;87
(C) A public utility organized under the laws of this state; or88
(D) An entity owned or controlled by a nonprofit organization.89
(18) 'Person' means any individual or entity.90
S. B. 473
- 4 - 24 LC 36 5726
(19)(A) 'Personal information' means information that is linked or reasonably linkable91
to an identified or identifiable individual.92
(B) Such term shall not include information that:93
(i) Is publicly available information;94
(ii) Does not identify an individual and with respect to which there is no reasonable95
basis to believe that the information can be used alone or in combination with other96
information to identify an individual; or97
(iii) Is de-identified using a method no less secure than methods provided under98
HIPPA.99
(20)(A) 'Precise geolocation data' means information derived from technology,100
including, but not limited to, global positioning system level latitude and longitude101
coordinates or other mechanisms, that directly identifies the specific location of a102
natural person with precision and accuracy within a radius of 1,750 feet.103
(B) Such term shall not include:104
(i) The content of communications; or105
(ii) Data generated by or connected to advanced utility metering infrastructure106
systems or equipment for use by a utility.107
(21) 'Process' or 'processing' means an operation or set of operations performed, whether108
by manual or automated means, on personal information or on sets of personal109
information, such as the collection, use, storage, disclosure, analysis, deletion, or110
modification of personal information.111
(22) 'Processor' means a person that processes personal information on behalf of a112
controller.113
(23) 'Profiling' means a form of automated processing performed on personal114
information solely to evaluate, analyze, or predict personal aspects related to an identified115
or identifiable individual's economic situation, health, personal preferences, interests,116
reliability, behavior, location, or movements.117
S. B. 473
- 5 - 24 LC 36 5726
(24) 'Protected health information' shall have the same meaning as provided by HIPAA.118
(25) 'Pseudonymous data' means personal information that cannot be attributed to a119
specific individual without the use of additional information, so long as the additional120
information is kept separately and is subject to appropriate technical and organizational121
measures to ensure that the personal information is not attributed to an identified or122
identifiable individual.123
(26) 'Publicly available information' means information that is lawfully made available124
through federal, state, or local government records, or information that a business has a125
reasonable basis to believe is lawfully made available to the general public through126
widely distributed media, by the consumer, or by a person to which the consumer has127
disclosed the information, unless the consumer has restricted the information to a specific128
audience.129
(27)(A) 'Sale of personal information' means the exchange of personal information for130
monetary or other valuable consideration by the controller to a third party.131
(B) Such term shall not include:132
(i) The disclosure of personal information to a processor that processes the personal133
information on behalf of the controller;134
(ii) The disclosure of personal information to a third party for purposes of providing135
a product or service requested by the consumer;136
(iii) The disclosure or transfer of personal information to an affiliate of the controller;137
(iv) The disclosure of information that the consumer:138
(I) Intentionally made available to the general public via a channel of mass media;139
and140
(II) Did not restrict to a specific audience; or141
(v) The disclosure or transfer of personal information to a third party as an asset that142
is part of a merger, acquisition, bankruptcy, or other transaction in which the third143
party assumes control of all or part of the controller's assets.144
S. B. 473
- 6 - 24 LC 36 5726
(28) 'Sensitive data' means a category of personal information that includes:145
(A) Personal information revealing racial or ethnic origin, religious beliefs, mental or146
physical health diagnosis, sexual orientation, or citizenship or immigration status;147
(B) The processing of genetic or biometric data for the purpose of uniquely identifying148
an individual;149
(C) The personal information collected from a known child; or150
(D) Precise geolocation data.151
(29) 'State agency' means an agency, institution, board, bureau, commission, council, or152
instrumentality of the executive branch of state government of this state.153
(30)(A) 'Targeted advertising' means displaying to a consumer an advertisement that154
is selected based on personal information obtained from such consumer's activities over155
time and across nonaffiliated public websites or online applications to predict the156
consumer's preferences or interests.157
(B) Such term shall not include:158
(i) Advertisements based on activities within a controller's own public websites or159
online applications;160
(ii) Advertisements based on the context of a consumer's current search query, visit161
to a public website, or online application;162
(iii) Advertisements directed to a consumer in response to the consumer's request for163
information or feedback; or164
(iv) Personal information processed solely for measuring or reporting advertising165
performance, reach, or frequency.166
(31) 'Third party' means a person other than the consumer, controller, processor, or an167
affiliate of the controller or processor.168
(32) 'Trade secret' means information, without regard to form, including, but not limited169
to, technical, nontechnical, or financial data or a formula, pattern, compilation, program,170
device, method, technique, plan, or process, that:171
S. B. 473
- 7 - 24 LC 36 5726
(A) Derives independent economic value, actual or potential, from not being generally172
known to, and not being readily ascertainable by proper means by, other persons that173
can obtain economic value from the information's disclosure or use; and174
(B) Is the subject of efforts that are reasonable under the circumstances to maintain the175
information's secrecy.176
10-1-962.177
This article shall apply to a person that conducts business in this state by producing178
products or services targeted to consumers of this state that exceeds $25 million in revenue179
and that:180
(1) Controls or processes personal information of at least 25,000 consumers and derives181
more than 50 percent of gross revenue from the sale of personal information; or182
(2) During a calendar year, controls or processes personal information of at least 175,000183
consumers.184
10-1-963.185
(a)(1) A consumer may invoke the consumer rights authorized pursuant to paragraph (2)186
of this subsection at any time by submitting a request to a controller specifying the187
consumer rights the consumer wishes to invoke. A known child's parent or legal guardian188
may invoke the consumer rights authorized pursuant to paragraph (2) of this subsection189
on behalf of the such known child regarding processing personal information belonging190
to the known child.191
(2) A controller shall comply with an authenticated consumer request to exercise the192
right to:193
(A) Confirm whether a controller is processing the consumer's personal information194
and to access such personal information;195
S. B. 473
- 8 - 24 LC 36 5726
(B) Correct inaccuracies in the consumer's personal information, taking into account196
the nature of the personal information and the purposes of the processing of such197
consumer's personal information;198
(C) Delete personal information provided by or obtained about the consumer. A199
controller shall not be required to delete information that it maintains or uses as200
aggregate or de-identified data; provided, that such data in the possession of the201
controller is not linked to a specific consumer. A controller that obtained personal202
information about a consumer from a source other than the consumer shall be in203
compliance with a consumer's request to delete such personal information by retaining204
a record of the deletion request and the minimum information necessary for the purpose205
of ensuring that the consumer's personal information remains deleted from the206
controller's records and by not using such retained personal information for any purpose207
prohibited under this article;208
(D) Obtain a copy of the consumer's personal information that the consumer previously209
provided to the controller in a portable and, to the extent technically feasible, readily210
usable format that allows the consumer to transmit such personal information to another211
controller without hindrance, where the processing is carried out by automated means;212
or213
(E) Opt out of a controller's processing of personal information for purposes of:214
(i) Selling personal information about the consumer;215
(ii) Targeted advertising; or216
(iii) Profiling in furtherance of decisions that produce legal or similarly significant217
effects concerning the consumer.218
(b) Except as otherwise provided in this article, a controller shall comply with an219
authenticated request by a consumer to exercise the consumer rights authorized pursuant220
to paragraph (2) of subsection (a) of this Code section as follows:221
S. B. 473
- 9 - 24 LC 36 5726
(1) A controller shall respond to the consumer without undue delay, but in all cases222
within 45 days of receipt of a request submitted pursuant to subsection (a) of this Code223
section. The response period may be extended once by 45 additional days when224
reasonably necessary, taking into account the complexity and number of the consumer's225
requests, so long as the controller informs the consumer of the extension within the initial226
45 day response period, together with the reason for the extension;227
(2) If a controller declines to take action regarding the consumer's request, then the228
controller shall inform the consumer without undue delay, but in all cases within 45 days229
of receipt of the request, of the justification for declining to take action and instructions230
for how to appeal the decision pursuant to subsection (c) of this Code section;231
(3) Information provided in response to a consumer request shall be provided by a232
controller free of charge, up to twice annually per consumer. If requests from a consumer233
are manifestly unfounded, technically infeasible, excessive, or repetitive, then the234
controller may charge the consumer a reasonable fee to cover the administrative costs of235
complying with the request or decline to act on the request. The controller bears the236
burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or237
repetitive nature of the request; and238
(4) If a controller is unable to authenticate the request using commercially reasonable239
efforts, then the controller shall not be required to comply with a request to initiate an240
action under subsection (a) of this Code section and may request that the consumer241
provide additional information reasonably necessary to authenticate the consumer and the242
consumer's request.243
(c) A controller shall establish a process for a consumer to appeal the controller's refusal244
to take action on a request within a reasonable period of time after the consumer's receipt245
of the decision pursuant to paragraph (2) of subsection (b) of this Code section. The appeal246
process shall be:247
(1) Made available to the consumer in a conspicuous manner;248
S. B. 473
- 10 - 24 LC 36 5726
(2) Available at no cost to the consumer; and249
(3) Similar to the process for submitting requests to initiate action pursuant to250
subsection (a) of this Code section.251
Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing252
of action taken or not taken in response to the appeal, including a written explanation of253
the reasons for the decision. If the appeal is denied, the controller shall then also provide254
the consumer with an online mechanism, if available, or other method through which the255
consumer may contact the Attorney General to submit a complaint.256
10-1-964.257
(a) A controller shall:258
(1) Limit the collection of personal information to what is adequate, relevant, and259
reasonably necessary in relation to the purposes for which the data is processed, as260
disclosed to the consumer;261
(2) Except as otherwise provided in this article, not process personal information for262
purposes that are beyond what is reasonably necessary to and compatible with the263
disclosed purposes for which the personal information is processed, as disclosed to the264
consumer, unless the controller obtains the consumer's consent;265
(3) Establish, implement, and maintain reasonable administrative, technical, and physical266
data security practices, as described in Code Section 10-1-973, to protect the267
confidentiality, integrity, and accessibility of personal information. The data security268
practices shall be appropriate to the volume and nature of the personal information at269
issue;270
(4) Not be required to delete information that it maintains or uses as aggregate or271
de-identified data, provided that such data in the possession of the business is not linked272
to a specific consumer;273
S. B. 473
- 11 - 24 LC 36 5726
(5) Not process personal information in violation of state and federal laws that prohibit274
unlawful discrimination against consumers. A controller shall not discriminate against275
a consumer for exercising the consumer rights contained in this article, including denying276
goods or services, charging different prices or rates for goods or services, or providing277
a different level of quality of goods and services to the consumer. However, this278
paragraph shall not require a controller to provide a product or service that requires the279
personal information of a consumer that the controller does not collect or maintain, or280
prohibit a controller from offering a different price, rate, level, quality, or selection of281
goods or services to a consumer, including offering goods or services for no fee, if the282
consumer has exercised the right to opt out pursuant to subparagraph (E) of paragraph (2)283
of subsection (a) of Code Section 10-1-963 or the offer is related to a consumer's284
voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or285
club card program; and286
(6) Not process sensitive data concerning a consumer without obtaining the consumer's287
consent, or, in the case of the processing of sensitive data concerning a known child,288
without processing the data in accordance with the federal Children's Online Privacy289
Protection Act, as amended, 15 U.S.C. Section 6501 et seq., and its implementing290
regulations.291
(b) A provision of a contract or agreement that purports to waive or limit the consumer292
rights described in Code Section 10-1-963 is contrary to public policy and is void and293
unenforceable.294
(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice295
that includes:296
(1) The categories of personal information processed by the controller;297
(2) The purpose for processing personal information;298
S. B. 473
- 12 - 24 LC 36 5726
(3) How consumers may exercise their consumer rights pursuant to Code299
Section 9-1-963, including how a consumer may appeal a controller's decision with300
regard to the consumer's request;301
(4) The categories of personal information that the controller sells to third parties, if any;302
and303
(5) The categories of third parties, if any, to whom the controller sells personal304
information.305
(d) If a controller sells personal information to third parties or processes personal306
information for targeted advertising, then the controller shall clearly and conspicuously307
disclose the processing, as well as the manner in which a consumer may exercise the right308
to opt out of the processing.309
(e)(1) A controller shall provide, and shall describe in a privacy notice, one or more310
secure and reliable means for a consumer to submit a request to exercise the consumer311
rights described in Code Section 10-1-963. Such means shall take into account the:312
(A) Ways in which a consumer normally interacts with the controller;313
(B) Need for secure and reliable communication of such requests; and314
(C) Ability of a controller to authenticate the identity of the consumer making the315
request.316
(2) A controller shall not require a consumer to create a new account in order to exercise317
the consumer rights described in Code Section 10-1-963, but may require a consumer to318
use an existing account.319
10-1-965.320
(a) A processor shall adhere to the instructions of a controller and shall assist the controller321
in meeting its obligations under this article. The assistance provided by the processor shall322
include:323
S. B. 473
- 13 - 24 LC 36 5726
(1) Taking into account the nature of processing and the information available to the324
processor, by appropriate technical and organizational measures, insofar as reasonably325
practicable, to fulfill the controller's obligation to respond to consumer rights requests326
pursuant to Code Section 10-1-963; and327
(2) Providing necessary information to enable the controller to conduct and document328
data protection assessments pursuant to Code Section 10-1-966.329
(b) A contract between a controller and a processor governs the processor's data processing330
procedures with respect to processing performed on behalf of the controller. The contract331
shall be binding and shall clearly set forth instructions for processing data, the nature and332
purpose of processing, the type of data subject to processing, the duration of processing,333
and the rights and obligations of both parties. The contract shall also include requirements334
that the processor shall:335
(1) Ensure that each person processing personal information is subject to a duty of336
confidentiality with respect to the data;337
(2) At the controller's direction, delete or return all personal information to the controller338
as requested at the end of the provision of services, unless retention of the personal339
information is required by law;340
(3) Upon the reasonable request of the controller, make available to the controller all341
information in its possession necessary to demonstrate the processor's compliance with342
the obligations in this article;343
(4) Allow, and cooperate with, reasonable assessments by the controller or the344
controller's designated assessor; alternatively, the processor may arrange for a qualified345
and independent assessor to conduct an assessment of the processor's policies and346
technical and organizational measures in support of the obligations under this article347
using an appropriate and accepted control standard or framework and assessment348
procedure for the assessments. The processor shall provide a report of each assessment349
to the controller upon request; and350
S. B. 473
- 14 - 24 LC 36 5726
(5) Engage a subcontractor pursuant to a written contract in that requires the351
subcontractor to meet the obligations of the processor with respect to the personal352
information.353
(c) Nothing in this Code section shall relieve a controller or a processor from the liabilities354
imposed on it by virtue of its role in the processing relationship as described in355
subsection (b) of this Code section.356
(d) Determining whether a person is acting as a controller or processor with respect to a357
specific processing of data is a fact based determination that depends upon the context in358
which personal information is to be processed. A processor that continues to adhere to a359
controller's instructions with respect to a specific processing of personal information360
remains a processor.361
10-1-966.362
(a) A controller shall conduct and document a data protection assessment of each of the363
following processing activities involving personal information:364
(1) The processing of personal information for purposes of targeted advertising;365
(2) The sale of personal information;366
(3) The processing of personal information for purposes of profiling, where the profiling367
presents a reasonably foreseeable risk of:368
(A) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;369
(B) Financial, physical, or reputational injury to consumers;370
(C) A physical or other intrusion upon the solitude or seclusion, or the private affairs371
or concerns, of consumers, where the intrusion would be offensive to a reasonable372
person; or373
(D) Other substantial injury to consumers;374
(4) The processing of sensitive data; and375
S. B. 473
- 15 - 24 LC 36 5726
(5) Processing activities involving personal information that present a heightened risk376
of harm to consumers.377
(b) Data protection assessments conducted pursuant to subsection (a) of this Code section378
shall identify and weigh the benefits that may flow, directly and indirectly, from the379
processing to the controller, the consumer, other stakeholders, and the public against the380
potential risks to the rights of the consumer associated with the processing, as mitigated by381
safeguards that can be employed by the controller to reduce the risks. The use of382
de-identified data and the reasonable expectations of consumers, as well as the context of383
the processing and the relationship between the controller and the consumer whose384
personal information will be processed, shall be factored into this assessment by the385
controller.386
(c) The Attorney General may request pursuant to a civil investigative demand that a387
controller disclose a data protection assessment that is relevant to an investigation388
conducted by the Attorney General, and the controller shall make the data protection389
assessment available to the Attorney General. The Attorney General shall evaluate the data390
protection assessment for compliance with the responsibilities set forth in Code391
Section 10-1-964. The disclosure of a data protection assessment pursuant to a request392
from the Attorney General shall not constitute a waiver of attorney-client privilege or work393
product protection with respect to the assessment and information contained in the394
assessment. Such data protection assessments shall be confidential and shall not be open395
to public inspection and copying under Article 4 of Chapter 18 of Title 50, relating to open396
records.397
(d) A single data protection assessment may address a comparable set of processing398
operations that include similar activities.399
(e) A data protection assessment conducted by a controller for the purpose of compliance400
with other laws, rules, or regulations may comply with this Code section if such data401
protection assessment have a reasonably comparable scope and effect.402
S. B. 473
- 16 - 24 LC 36 5726
(f) The data protection assessment requirements in this article shall apply only to403
processing activities created or generated on or after July 1, 2024.404
10-1-967.405
(a) A controller in possession of de-identified data shall:406
(1) Take reasonable measures to ensure that the data cannot be associated with a natural407
person;408
(2) Publicly commit to maintaining and using de-identified data without attempting to409
reidentify the data; and410
(3) Contractually obligate recipients of the de-identified data to comply with this article.411
(b) Nothing in this Code section shall require a controller or processor to:412
(1) Reidentify de-identified data or pseudonymous data;413
(2) Maintain data in identifiable form, or collect, obtain, retain, or access data or414
technology, in order to be capable of associating an authenticated consumer request with415
personal information; or416
(3) Comply with an authenticated consumer rights request, pursuant to Code417
Section 10-1-963, if:418
(A) The controller is not reasonably capable of associating the request with the419
personal information or it would be unreasonably burdensome for the controller to420
associate the request with the personal information;421
(B) The controller does not use the personal information to recognize or respond to the422
specific consumer who is the subject of the personal information, or associate the423
personal information with other personal information about the same specific424
consumer; and425
(C) The controller does not sell the personal information to a third party or otherwise426
voluntarily disclose the personal information to a third party other than a processor,427
except as otherwise permitted in this Code section.428
S. B. 473
- 17 - 24 LC 36 5726
(c) The consumer rights described in Code Sections 10-1-963 and 10-1-964 shall not apply429
to pseudonymous data in cases where the controller is able to demonstrate information430
necessary to identify the consumer is kept separately and is subject to effective technical431
and organizational controls that prevent the controller from accessing that information.432
(d) A controller that discloses pseudonymous data or de-identified data shall exercise433
reasonable oversight to monitor compliance with contractual commitments to which the434
pseudonymous data or de-identified data is subject and shall take appropriate steps to435
address breaches of those contractual commitments.436
10-1-968.437
(a) Nothing in this article shall restrict a controller's or processor's ability to:438
(1) Comply with federal, state, or local laws, rules, or regulations;439
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or440
summons by federal, state, local, or other governmental authorities;441
(3) Cooperate with law enforcement agencies concerning conduct or activity that the442
controller or processor reasonably and in good faith believes may violate federal, state,443
or local laws, rules, or regulations;444
(4) Investigate, establish, exercise, prepare for, or defend legal claims;445
(5) Provide a product or service specifically requested by a consumer or the parent or446
legal guardian of a known child, perform a contract to which the consumer is a party,447
including fulfilling the terms of a written warranty, or take steps at the request of the448
consumer prior to entering into a contract;449
(6) Take immediate steps to protect an interest that is essential for the life or physical450
safety of the consumer or of another natural person, and where the processing cannot be451
manifestly based on another legal basis;452
S. B. 473
- 18 - 24 LC 36 5726
(7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud,453
harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or454
security of systems; or investigate, report, or prosecute those responsible for such action;455
(8) Engage in public reviewed or peer reviewed scientific or statistical research in the456
public interest that adheres to all other applicable ethics and privacy laws and is457
approved, monitored, and governed by an institutional review board, or similar458
independent oversight entity that determines whether:459
(A) Deletion of the information is likely to provide substantial benefits that do not460
exclusively accrue to the controller;461
(B) The expected benefits of the research outweigh the privacy risks; and462
(C) The controller has implemented reasonable safeguards to mitigate privacy risks463
associated with research, including risks associated with reidentification; or464
(9) Assist another controller, processor, or third party with the obligations under this465
article.466
(b) The obligations imposed on controllers or processors under this article shall not restrict467
a controller's or processor's ability to collect, use, or retain data to:468
(1) Conduct internal research to develop, improve, or repair products, services, or469
technology;470
(2) Effectuate a product recall;471
(3) Identify and repair technical errors that impair existing or intended functionality; or472
(4) Perform internal operations that are reasonably aligned with the expectations of the473
consumer or reasonably anticipated based on the consumer's existing relationship with474
the controller or are otherwise compatible with processing data in furtherance of the475
provision of a product or service specifically requested by a consumer or the performance476
of a contract to which the consumer is a party.477
(c) The obligations imposed on controllers or processors under this article shall not apply478
where compliance with this article by the controller or processor would violate an479
S. B. 473
- 19 - 24 LC 36 5726
evidentiary privilege under the laws of this state. Nothing in this article shall prevent a480
controller or processor from providing personal information concerning a consumer to a481
person covered by an evidentiary privilege under the laws of this state as part of a482
privileged communication.483
(d)(1) A controller or processor that discloses personal information to a third-party484
controller or processor, in compliance with the requirements of this article, shall not be485
in violation of this article if:486
(A) The third-party controller or processor that receives and processes the personal487
information is in violation of this article; and488
(B) At the time of disclosing the personal information, the disclosing controller or489
processor did not have actual knowledge that the recipient intended to commit a490
violation.491
(2) A third-party controller or processor receiving personal information from a controller492
or processor in compliance with the requirements of this article is likewise not in493
violation of this article for the violations of the controller or processor from which it494
receives such personal information.495
(e) This article shall not impose an obligation on controllers and processors that adversely496
affects the rights or freedoms of a person, such as exercising the right of free speech497
pursuant to the First Amendment to the United States Constitution, or that applies to the498
processing of personal information by a person in the course of a purely personal activity.499
(f) A controller shall not process personal information for purposes other than those500
expressly listed in this Code section unless otherwise allowed by this article. Personal501
information processed by a controller pursuant to this Code section may be processed to502
the extent that the processing is:503
(1) Reasonably necessary and proportionate to the purposes listed in this section; and504
(2) Adequate, relevant, and limited to what is necessary in relation to the specific505
purposes listed in this section. Personal information collected, used, or retained pursuant506
S. B. 473
- 20 - 24 LC 36 5726
to subsection (b) of this Code section shall, where applicable, take into account the nature507
and purpose or purposes of the collection, use, or retention. The data shall be subject to508
reasonable administrative, technical, and physical measures to protect the confidentiality,509
integrity, and accessibility of the personal information and to reduce reasonably510
foreseeable risks of harm to consumers relating to the collection, use, or retention of511
personal information.512
(g) If a controller processes personal information pursuant to an exemption in this Code513
section, then the controller bears the burden of demonstrating that the processing qualifies514
for the exemption and complies with subsection (f) of this Code section.515
(h) Processing personal information for the purposes expressly identified in any of the516
paragraphs (1) through (9) of subsection of (a) of this Code Section shall not solely make517
an entity a controller with respect to the processing.518
10-1-969.519
If the Attorney General has reasonable cause to believe that an individual, controller, or520
processor has engaged in, is engaging in, or is about to engage in a violation of this article,521
then the Attorney General may issue a civil investigative demand.522
10-1-970.523
(a) This article shall not apply to:524
(1) Any state agency, the judicial branch, the legislative branch, or any local government525
of this state;526
(2) A financial institution, an affiliate of a financial institution, or data subject to Title V527
of the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C. Section 6801 et seq.;528
(3) A person that is licensed in this state under Title 33 as an insurance company and529
transacts insurance business;530
S. B. 473
- 21 - 24 LC 36 5726
(4) A covered entity or business associate governed by the privacy, security, and breach531
notification rules issued by the United States Department of Health and Human Services,532
45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the federal Health533
Information Technology for Economic and Clinical Health Act (P.L. 111-5);534
(5) A nonprofit organization;535
(6) An institution of higher education;536
(7) Protected health information under HIPAA;537
(8) Health records for purposes of Title 31;538
(9) Patient identifying information for purposes of 42 U.S.C. Section 290dd-2;539
(10) Personal information that is:540
(A) Processed for purposes of:541
(i) Research conducted in accordance with the federal policy for the protection of542
human subjects under 45 C.F.R. Part 46;543
(ii) Human subjects research conducted in accordance with good clinical practice544
guidelines issued by the International Council for Harmonization of Technical545
Requirements for Pharmaceuticals for Human Use; or546
(iii) Research conducted in accordance with the protection of human subjects under547
21 C.F.R. Parts 6, 50, and 56; or548
(B) Processed or sold in connection with research conducted in accordance with the549
requirements set forth in this article, or other research conducted in accordance with550
applicable law;551
(11) Information and documents created for purposes of the federal Health Care Quality552
Improvement Act of 1986, as amended, 42 U.S.C. Section 11101 et seq.;553
(12) Patient safety work product for purposes of the federal Patient Safety and Quality554
Improvement Act, as amended, 42 U.S.C. Section 299b-21 et seq.;555
(13) Information that is:556
S. B. 473
- 22 - 24 LC 36 5726
(A) Derived from the healthcare related information listed in this subsection that is557
de-identified in accordance with the requirements for de-identification pursuant to558
HIPAA; or559
(B) Included in a limited data set as described in 45 C.F.R. 164.514(e), to the extent560
that the information is used, disclosed, and maintained in the manner specified in 45561
C.F.R. 164.514(e);562
(14) Information originating from, and intermingled to be indistinguishable with, or563
information treated in the same manner as, information exempt under this subsection that564
is maintained by a covered entity or business associate as defined by HIPAA or a565
program or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;566
(15) Information used only for public health activities and purposes as authorized by567
HIPAA;568
(16) The collection, maintenance, disclosure, sale, communication, or use of personal569
information bearing on a consumer's credit worthiness, credit standing, credit capacity,570
character, general reputation, personal characteristics, or mode of living by a consumer571
reporting agency or furnisher that provides information for use in a consumer report, and572
by a user of a consumer report, but only to the extent that such activity is regulated by573
and authorized under the federal Fair Credit Reporting Act, as amended, 15 U.S.C.574
Section 1681 et seq.;575
(17) Personal information collected, processed, sold, or disclosed in compliance with the576
federal Driver's Privacy Protection Act of 1994, as amended, 18 U.S.C. Section 2721 et577
seq.;578
(18) Personal information or educational information regulated by the federal Family579
Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. Section 1232g et580
seq.;581
(19) Personal information collected, processed, sold, or disclosed in compliance with the582
federal Farm Credit Act, as amended, 12 U.S.C. Section 2001 et seq.;583
S. B. 473
- 23 - 24 LC 36 5726
(20) Data processed or maintained:584
(A) In the course of an individual applying to, being employed by, or acting as an agent585
or independent contractor of a controller, processor, or third party, to the extent that the586
data is collected and used within the context of that role;587
(B) As the emergency contact information of an individual under this article used for588
emergency contact purposes; or589
(C) That is necessary to retain to administer benefits for another individual relating to590
the individual under subparagraph (A) of this paragraph and used for the purposes of591
administering those benefits;592
(21) Information collected as part of public reviewed or peer reviewed scientific or593
statistical research in the public interest;594
(22) An insurance producer licensed under Title 33; or595
(23) Personal information maintained or used for purposes of compliance with the596
regulation of listed chemicals under the federal Controlled Substances Act, as amended,597
21 U.S.C. Section 830.598
(b) Controllers and processors that comply with the verifiable parental consent599
requirements of the federal Children's Online Privacy Protection Act, as amended, 15600
U.S.C. Section 6501 et seq., are deemed compliant with an obligation to obtain parental601
consent under this article.602
(c) Nothing in this article shall require a controller, processor, third party, or consumer to603
disclose trade secrets.604
10-1-971.605
(a) A provision of a contract or agreement that waives or limits a consumer's rights under606
this article, including, but not limited to, a right to a remedy or means of enforcement, is607
contrary to public policy, void, and unenforceable.608
S. B. 473
- 24 - 24 LC 36 5726
(b) Nothing in this article shall prevent a consumer from declining to request information609
from a controller, declining to opt out of a controller's sale of the consumer's personal610
information, or authorizing a controller to sell the consumer's personal information after611
previously opting out.612
(c) This article shall apply to contracts entered into, amended, or renewed on or after July613
1, 2024.614
10-1-972.615
(a) The Attorney General has exclusive authority to enforce this article.616
(b) The Attorney General may develop reasonable cause to believe that a controller or617
processor is in violation of this article, based on the Attorney General's own inquiry or on618
consumer or public complaints. Prior to initiating an action under this article, the Attorney619
General shall provide a controller or processor 60 days' written notice identifying the620
specific provisions of this article the Attorney General alleges have been or are being621
violated. If within the 60 day period, the controller or processor cures the noticed violation622
and provides the Attorney General an express written statement that the alleged violations623
have been cured and that no such further violations shall occur, then the Attorney General624
shall not initiate an action against the controller or processor.625
(c) If a controller or processor continues to violate this article following the cure period626
provided for in subsection (b) of this Code section or breaches an express written statement627
provided to the Attorney General under subsection (b) of this Code section, then the628
Attorney General may bring an action in a court of competent jurisdiction seeking any of629
the following relief:630
(1) Declaratory judgment that the act or practice violates this article;631
(2) Injunctive relief, including preliminary and permanent injunctions, to prevent an632
additional violation of and compel compliance with this article;633
(3) Civil penalties, as described in subsection (d) of this Code section;634
S. B. 473
- 25 - 24 LC 36 5726
(4) Reasonable attorney's fees and investigative costs; or635
(5) Other relief the court determines appropriate.636
(d)(1) A court may impose a civil penalty of up to $7,500.00 for each violation of this637
article.638
(2) If the court finds the controller or processor willfully or knowingly violated this639
article, then the court may, in its discretion, award treble damages.640
(e) A violation of this article shall not serve as the basis for, or be subject to, a private right641
of action, including a class action lawsuit, under this article or any other law.642
(f) The Attorney General may recover reasonable expenses incurred in investigating and643
preparing a case, including attorney's fees, in an action initiated under this article.644
10-1-973.645
(a) A controller or processor shall have an affirmative defense to a cause of action for a646
violation of this article if the controller or processor creates, maintains, and complies with647
a written privacy policy that:648
(1)(A) Reasonably conforms to the NIST or other documented policies, standards, and649
procedures designed to safeguard consumer privacy; and650
(B) Is updated to reasonably conform with a subsequent revision to the NIST or651
comparable privacy framework within two years of the publication date stated in the652
most recent revision to the NIST or comparable privacy framework; and653
(2) Provides a person with the substantive rights required by this article.654
(b) The scale and scope of a controller or processor's privacy program under subsection (a)655
of this Code section shall be appropriate if it is based on all of the following factors:656
(1) The size and complexity of the controller or processor's business;657
(2) The nature and scope of the activities of the controller or processor;658
(3) The sensitivity of the personal information processed;659
S. B. 473
- 26 - 24 LC 36 5726
(4) The cost and availability of tools to improve privacy protections and data660
governance; and661
(5) Compliance with a comparable state or federal law.662
10-1-974.663
(a) No municipality, county, or consolidated government shall not require a controller or664
processor to disclose personal data of consumers, unless pursuant to a subpoena or court665
order.666
(b) This article shall supersede and preempt any conflicting provisions of any ordinances,667
resolutions, regulations, or the equivalent adopted by any municipality, county, or668
consolidated government regarding the processing of personal data by controllers or669
processors."670
SECTION 2.671
All laws and parts of laws in conflict with this Act are repealed.672
S. B. 473
- 27 -