Georgia 2023-2024 Regular Session

Georgia Senate Bill SB473 Engrossed / Bill

Filed 02/27/2024

                    24 LC 36 5787S (SCS)
Senate Bill 473
By: Senators Albers of the 56th, Robertson of the 29th, Anavitarte of the 31st, Strickland of
the 17th, Goodman of the 8th and others 
AS PASSED SENATE
A BILL TO BE ENTITLED
AN ACT
To amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, so as to enact the "Georgia Consumer Privacy Protection Act"; to protect the privacy of consumer personal data in this state; to provide for definitions; to provide for applicability; to provide for exemptions for certain entities, data, and uses of data; to provide for consumer rights regarding personal data; to provide for a consumer to exercise such rights by submitting a request to a controller; to provide for a controller to promptly respond to such requests; to provide for exemptions; to provide for responsibilities of processors and controllers; to provide for notice and disclosure; to provide for security practices to protect consumer personal data; to allow a controller to offer different goods or services under certain conditions; to provide for limitations; to provide for statutory construction; to provide for enforcement and penalties; to provide an affirmative defense; to prohibit the disclosure of personal data of consumers to local governments unless pursuant to a subpoena or court order; to provide for preemption of local regulation; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
S. B. 473
- 1 - 24 LC 36 5787S (SCS)
SECTION 1.
Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, is amended by adding a new article to Chapter 1, relating to selling and other trade practices, to read as follows:
"ARTICLE 37
10-1-960.
This article shall be known and may be cited as the 'Georgia Consumer Privacy Protection Act.'
10-1-961.
As used in this article, the term:
(1) 'Affiliate' means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For purposes of this paragraph, the term 'control' or 'controlled' means:
(A) Ownership of, or the power to vote, more than 50 percent of the outstanding shares of a class of voting security of an entity;
(B) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions relative to an entity; or
(C) The power to exercise controlling influence over the management of an entity.
(2) 'Authenticate' means to verify using reasonable means that a consumer who is entitled to exercise the rights in Code Section 10-1-963, is the same consumer who is exercising such consumer rights with respect to the personal information at issue.
(3)(A) 'Biometric data' means data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris,
or other unique biological patterns or characteristics that are used to identify a specific individual.
(B) Such term shall not include:
(i) A physical or digital photograph, video recording, or audio recording or data generated from a photograph or video or audio recording; or
(ii) Information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
(4) 'Consent' means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer. Such term may include a written statement, including a statement written by electronic means, or an unambiguous affirmative action.
(5) 'Consumer' means an individual who is a resident of this state acting only in a personal context. Such term shall not include an individual acting in a commercial or employment context.
(6) 'Controller' means the person that, alone or jointly with others, determines the purpose and means of processing personal information.
(7) 'Decisions that produce legal or similarly significant effects concerning the consumer' means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to basic necessities, such as food and water;
(8) 'De-identified data' means data that cannot reasonably be linked to an identified or identifiable individual, or any device linked to such natural person;
(9) 'Health record' means a written, printed, or electronically recorded material that:
(A) In the course of providing healthcare services to an individual was created or is maintained by a healthcare facility described in or licensed pursuant to Title 31; and
(B) Concerns the individual and the healthcare services provided.
Such term includes the substance of a communication made by an individual to a healthcare facility described in or licensed pursuant to Title 31 in confidence during or in connection with the provision of healthcare services or information otherwise acquired by the healthcare entity about an individual in confidence and in connection with the provision of healthcare services to the individual.
(10) 'HIPAA' means the federal Health Insurance Portability and Accountability Act of 1996, as amended, 42 U.S.C. Section 1320d et seq.
(11) 'Identified or identifiable individual' means a natural person who can be readily identified, whether directly or indirectly.
(12) 'Known child' means an individual who the controller has actual knowledge is under 13 years of age.
(13) 'NIST' means the National Institute of Standards and Technology privacy framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.'
(14) 'Person' means any individual or entity.
(15)(A) 'Personal information' means information that is linked or reasonably linkable to an identified or identifiable individual.
(B) Such term shall not include information that:
(i) Is publicly available information;
(ii) Does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used alone or in combination with other information to identify an individual; or
(iii) Is de-identified using a method no less secure than methods provided under HIPAA.
(16)(A) 'Precise geolocation data' means information derived from technology, including, but not limited to, global positioning system level latitude and longitude
coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.
(B) Such term shall not include:
(i) The content of communications; or
(ii) Data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(17) 'Process' or 'processing' means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
(18) 'Processor' means a person that processes personal information on behalf of a controller.
(19) 'Profiling' means a form of automated processing performed on personal information solely to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(20) 'Pseudonymous data' means personal information that cannot be attributed to a specific individual without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable individual.
(21) 'Publicly available information' means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to which the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
(22)(A) 'Sale of personal information' means the exchange of personal information for monetary or other valuable consideration by the controller to a third party.
(B) Such term shall not include:
(i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
(ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
(iii) The disclosure or transfer of personal information to an affiliate of the controller;
(iv) The disclosure of information that the consumer:
(I) Intentionally made available to the general public via a channel of mass media; and
(II) Did not restrict to a specific audience; or
(v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
(23) 'Sensitive data' means a category of personal information that includes:
(A) Personal information revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
(B) The processing of genetic data, data that contains 'nudity' or 'sexual conduct' as defined in subsection (b) of Code Section 16-12-181, or biometric data for the purpose of uniquely identifying an individual;
(C) The personal information collected from a known child; or
(D) Precise geolocation data.
(24)(A) 'Targeted advertising' means displaying to a consumer an advertisement that is selected based on personal information obtained from such consumer's activities over time and across nonaffiliated public websites or online applications to predict the consumer's preferences or interests.
(B) Such term shall not include:
(i) Advertisements based on activities within a controller's own public websites or online applications;
(ii) Advertisements based on the context of a consumer's current search query, visit to a public website, or online application;
(iii) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
(iv) Personal information processed solely for measuring or reporting advertising performance, reach, or frequency.
(25) 'Third party' means a person other than the consumer, controller, processor, or an affiliate of the controller or processor.
10-1-962.
This article shall apply to a person that conducts business in this state by producing products or services targeted to consumers of this state that exceeds $25 million in revenue and that:
(1) Controls or processes personal information of at least 25,000 consumers and derives more than 50 percent of gross revenue from the sale of personal information; or
(2) During a calendar year, controls or processes personal information of at least 175,000 consumers.
10-1-963.
(a)(1) A consumer may invoke the consumer rights authorized pursuant to paragraph (2) of this subsection at any time by submitting, using a means substantially equivalent to that used by the controller to obtain the consent of the consumer for initial use of the personal information, a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke the
consumer rights authorized pursuant to paragraph (2) of this subsection on behalf of such known child regarding processing personal information belonging to the known child.
(2) A controller shall comply with an authenticated consumer request to exercise the right to:
(A) Confirm whether a controller is processing the consumer's personal information and to access such personal information;
(B) Correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of such consumer's personal information;
(C) Delete personal information provided by or obtained about the consumer. A controller shall not be required to delete information that it maintains or uses as aggregate or de-identified data; provided, that such data in the possession of the controller is not linked to a specific consumer. A controller that obtained personal information about a consumer from a source other than the consumer shall be in compliance with a consumer's request to delete such personal information by retaining a record of the deletion request and the minimum information necessary for the purpose of ensuring that the consumer's personal information remains deleted from the controller's records and by not using such retained personal information for any purpose prohibited under this article;
(D) Obtain a copy of the consumer's personal information that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit such personal information to another controller without hindrance, where the processing is carried out by automated means; or
(E) Opt out of a controller's processing of personal information for purposes of:
(i) Selling personal information about the consumer;
(ii) Targeted advertising; or
(iii) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
(b) Except as otherwise provided in this article, a controller shall comply with an authenticated request by a consumer to exercise the consumer rights authorized pursuant to paragraph (2) of subsection (a) of this Code section as follows:
(1) A controller shall respond to the consumer without undue delay, but in all cases within 45 days of receipt of a request submitted pursuant to subsection (a) of this Code section. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial 45 day response period, together with the reason for the extension;
(2) If a controller declines to take action regarding the consumer's request, then the controller shall inform the consumer without undue delay, but in all cases within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision pursuant to subsection (c) of this Code section;
(3) Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, technically infeasible, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request; and
(4) If a controller is unable to authenticate the request using commercially reasonable efforts, then the controller shall not be required to comply with a request to initiate an action under subsection (a) of this Code section and may request that the consumer
provide additional information reasonably necessary to authenticate the consumer and the consumer's request.
(c) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to paragraph (2) of subsection (b) of this Code section. The appeal process shall be:
(1) Made available to the consumer in a conspicuous manner;
(2) Available at no cost to the consumer; and
(3) Similar to the process for submitting requests to initiate action pursuant to subsection (a) of this Code section.
Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing of action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall then also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
10-1-964.
(a) A controller shall:
(1) Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
(2) Except as otherwise provided in this article, not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
(3) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as described in Code Section 10-1-973, to protect the
confidentiality, integrity, and accessibility of personal information. The data security practices shall be appropriate to the volume and nature of the personal information at issue;
(4) Not be required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer;
(5) Not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising the consumer rights contained in this article, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, this paragraph shall not require a controller to provide a product or service that requires the personal information of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the right to opt out pursuant to subparagraph (E) of paragraph (2) of subsection (a) of Code Section 10-1-963 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and
(6) Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act, as amended, 15 U.S.C. Section 6501 et seq., and its implementing regulations.
(b) A provision of a contract or agreement that purports to waive or limit the consumer rights described in Code Section 10-1-963 is contrary to public policy and is void and unenforceable.
(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice that includes:
(1) The categories of personal information processed by the controller;
(2) The purpose for processing personal information;
(3) How consumers may exercise their consumer rights pursuant to Code Section 10-1-963, including how a consumer may appeal a controller's decision with regard to the consumer's request;
(4) The categories of personal information that the controller sells to third parties, if any; and
(5) The categories of third parties, if any, to whom the controller sells personal information.
(d) If a controller sells personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
(e)(1) A controller shall provide, and shall describe in a privacy notice, one or more secure and reliable means for a consumer to submit a request to exercise the consumer rights described in Code Section 10-1-963. Such means shall take into account the:
(A) Ways in which a consumer normally interacts with the controller;
(B) Need for secure and reliable communication of such requests; and
(C) Ability of a controller to authenticate the identity of the consumer making the request.
(2) A controller shall not require a consumer to create a new account in order to exercise the consumer rights described in Code Section 10-1-963, but may require a consumer to use an existing account.
10-1-965.
(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under this article. The assistance provided by the processor shall include:
(1) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to Code Section 10-1-963; and
(2) Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to Code Section 10-1-966.
(b) A contract between a controller and a processor governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:
(1) Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
(2) At the controller's direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
(3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this article;
(4) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and
technical and organizational measures in support of the obligations under this article using an appropriate and accepted control standard or framework and assessment procedure for the assessments. The processor shall provide a report of each assessment to the controller upon request; and
(5) Engage a subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal information.
(c) Nothing in this Code section shall relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as described in subsection (b) of this Code section.
(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal information is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal information remains a processor.
10-1-966.
(a) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal information:
(1) The processing of personal information for purposes of targeted advertising;
(2) The sale of personal information;
(3) The processing of personal information for purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
(A) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(B) Financial, physical, or reputational injury to consumers;
(C) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
(D) Other substantial injury to consumers;
(4) The processing of sensitive data; and
(5) Processing activities involving personal information that present a heightened risk of harm to consumers.
(b) Data protection assessments conducted pursuant to subsection (a) of this Code section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal information will be processed, shall be factored into this assessment by the controller.
(c) The Attorney General may request pursuant to a civil investigative demand that a controller disclose a data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General shall evaluate the data protection assessment for compliance with the responsibilities set forth in Code Section 10-1-964. The disclosure of a data protection assessment pursuant to a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and information contained in the assessment. Such data protection assessments shall be confidential and shall not be open to public inspection and copying under Article 4 of Chapter 18 of Title 50, relating to open records.
(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(e) A data protection assessment conducted by a controller for the purpose of compliance with other laws, rules, or regulations may comply with this Code section if such data protection assessment has a reasonably comparable scope and effect.
(f) The data protection assessment requirements in this article shall apply only to processing activities created or generated on or after July 1, 2026.
10-1-967.
(a) A controller in possession of de-identified data shall:
(1) Take reasonable measures to ensure that the data cannot be associated with a natural person;
(2) Publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and
(3) Contractually obligate recipients of the de-identified data to comply with this article.
(b) Nothing in this Code section shall require a controller or processor to:
(1) Reidentify de-identified data or pseudonymous data;
(2) Maintain data in identifiable form, or collect, obtain, retain, or access data or technology, in order to be capable of associating an authenticated consumer request with personal information; or
(3) Comply with an authenticated consumer rights request, pursuant to Code Section 10-1-963, if:
(A) The controller is not reasonably capable of associating the request with the personal information or it would be unreasonably burdensome for the controller to associate the request with the personal information;
(B) The controller does not use the personal information to recognize or respond to the specific consumer who is the subject of the personal information, or associate the
personal information with other personal information about the same specific consumer; and
(C) The controller does not sell the personal information to a third party or otherwise voluntarily disclose the personal information to a third party other than a processor, except as otherwise permitted in this Code section.
(c) The consumer rights described in Code Sections 10-1-963 and 10-1-964 shall not apply to pseudonymous data in cases where the controller is able to demonstrate information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing that information.
(d) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address breaches of those contractual commitments.
10-1-968.
(a) Nothing in this article shall restrict a controller's or processor's ability to:
(1) Comply with federal, state, or local laws, rules, or regulations;
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
(4) Investigate, establish, exercise, prepare for, or defend legal claims;
(5) Provide a product or service specifically requested by a consumer or the parent or legal guardian of a known child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract;
S. B. 473
- 17 - 24 LC 36 5787S (SCS)
(6)  Take immediate steps to protect an interest that is essential for the life or physical432
safety of the consumer or of another natural person, and where the processing cannot be433
manifestly based on another legal basis;434
(7)  Prevent, detect, protect against, or respond to security incidents, identity theft, fraud,435
harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or436
security of systems; or investigate, report, or prosecute those responsible for such action;437
(8)  Engage in public reviewed or peer reviewed scientific or statistical research in the438
public interest that adheres to all other applicable ethics and privacy laws and is439
approved, monitored, and governed by an institutional review board, or similar440
independent oversight entity that determines whether:441
(A)  Deletion of the information is likely to provide substantial benefits that do not442
exclusively accrue to the controller;443
(B)  The expected benefits of the research outweigh the privacy risks; and444
(C)  The controller has implemented reasonable safeguards to mitigate privacy risks445
associated with research, including risks associated with reidentification; or446
(9)  Assist another controller, processor, or third party with the obligations under this447
article.448
(b)  The obligations imposed on controllers or processors under this article shall not restrict a controller's or processor's ability to collect, use, or retain data to:
(1)  Conduct internal research to develop, improve, or repair products, services, or technology;
(2)  Effectuate a product recall;
(3)  Identify and repair technical errors that impair existing or intended functionality; or
(4)  Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(c)  The obligations imposed on controllers or processors under this article shall not apply where compliance with this article by the controller or processor would violate an evidentiary privilege under the laws of this state.  Nothing in this article shall prevent a controller or processor from providing personal information concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.
(d)(1)  A controller or processor that discloses personal information to a third-party controller or processor, in compliance with the requirements of this article, shall not be in violation of this article if:
(A)  The third-party controller or processor that receives and processes the personal information is in violation of this article; and
(B)  At the time of disclosing the personal information, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.
(2)  A third-party controller or processor receiving personal information from a controller or processor in compliance with the requirements of this article is likewise not in violation of this article for the violations of the controller or processor from which it receives such personal information.
(e)  This article shall not impose an obligation on controllers and processors that adversely affects the rights or freedoms of a person, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or that applies to the processing of personal information by a person in the course of a purely personal activity.
(f)  A controller shall not process personal information for purposes other than those expressly listed in this Code section unless otherwise allowed by this article.  Personal information processed by a controller pursuant to this Code section may be processed to the extent that the processing is:
(1)  Reasonably necessary and proportionate to the purposes listed in this section; and
(2)  Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.  Personal information collected, used, or retained pursuant to subsection (b) of this Code section shall, where applicable, take into account the nature and purpose or purposes of the collection, use, or retention.  The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal information and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal information.
(g)  If a controller processes personal information pursuant to an exemption in this Code section, then the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with subsection (f) of this Code section.
(h)  Processing personal information for the purposes expressly identified in any of the paragraphs (1) through (9) of subsection (a) of this Code section shall not solely make an entity a controller with respect to the processing.
10-1-969.
Nothing in this article shall be construed to conflict with the specific requirements:
(1)  Related to the management of health records under Title 31; or
(2)  Mandated by any provision of federal law.
10-1-970.
(a)  A provision of a contract or agreement that waives or limits a consumer's rights or cause of action under this article, including, but not limited to, a right to a remedy or means of enforcement, is contrary to public policy, void, and unenforceable.
(b)  Nothing in this article shall prevent a consumer from declining to request information from a controller, declining to opt out of a controller's sale of the consumer's personal information, or authorizing a controller to sell the consumer's personal information after previously opting out.
(c)  This article shall apply to contracts entered into, amended, or renewed on or after July 1, 2026.
10-1-971.
If the Attorney General has reasonable cause to believe that an individual, controller, or processor has engaged in, is engaging in, or is about to engage in a violation of this article, then the Attorney General may issue a civil investigative demand.
10-1-972.
(a)  The Attorney General may develop reasonable cause to believe that a controller or processor is in violation of this article, based on the Attorney General's own inquiry or on consumer or public complaints.  Prior to initiating an action under this article, the Attorney General shall provide a controller or processor 60 days' written notice identifying the specific provisions of this article the Attorney General alleges have been or are being violated.  If within the 60 day period, the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no such further violations shall occur, then the Attorney General shall not initiate an action against the controller or processor.
(b)  If a controller or processor continues to violate this article following the cure period provided for in subsection (a) of this Code section or breaches an express written statement provided to the Attorney General under subsection (a) of this Code section, then the Attorney General may bring an action in a court of competent jurisdiction seeking any of the following relief:
(1)  Declaratory judgment that the act or practice violates this article;
(2)  Injunctive relief, including preliminary and permanent injunctions, to prevent an additional violation of and compel compliance with this article;
(3)  Civil penalties, as described in subsection (c) of this Code section;
(4)  Reasonable attorney's fees and investigative costs; or
(5)  Other relief the court determines appropriate.
(c)(1)  A court may impose a civil penalty of up to $7,500.00 for each violation of this article.
(2)  If the court finds the controller or processor willfully or knowingly violated this article, then the court may, in its discretion, award treble damages.
(d)  The Attorney General may recover reasonable expenses incurred in investigating and preparing a case, including attorney's fees, in an action initiated under this article.
10-1-973.
(a)  A controller or processor shall have an affirmative defense to a cause of action for a violation of this article if the controller or processor creates, maintains, and complies with a written privacy policy that:
(1)(A)  Reasonably conforms to the NIST procedures designed to safeguard consumer privacy; and
(B)  Is updated to reasonably conform with a subsequent revision to the NIST within two years of the publication date stated in the most recent revision to the NIST; and
(2)  Provides a person with the substantive rights required by this article.
(b)  The scale and scope of a controller or processor's privacy program under subsection (a) of this Code section shall be appropriate if it is based on all of the following factors:
(1)  The size and complexity of the controller or processor's business;
(2)  The nature and scope of the activities of the controller or processor;
(3)  The sensitivity of the personal information processed;
(4)  The cost and availability of tools to improve privacy protections and data governance; and
(5)  Compliance with a comparable state or federal law.
10-1-974.
(a)  A municipality, county, or consolidated government shall not require a controller or processor to disclose personal data of consumers, unless pursuant to a subpoena or court order.
(b)  This article shall supersede and preempt any conflicting provisions of any ordinances, resolutions, regulations, or the equivalent adopted by any municipality, county, or consolidated government regarding the processing of personal data by controllers or processors."
SECTION 2.
This Act shall become effective on July 1, 2026.
SECTION 3.
All laws and parts of laws in conflict with this Act are repealed.