Georgia 2023-2024 Regular Session

Georgia Senate Bill SB473 Compare Versions

Old version: 24 LC 36 5879S
The House Committee on Technology and Infrastructure Innovation offers the following substitute to SB 473:

New version: 24 LC 36 5787S (SCS)
Senate Bill 473
By: Senators Albers of the 56th, Robertson of the 29th, Anavitarte of the 31st, Strickland of the 17th, Goodman of the 8th and others
AS PASSED SENATE

The bill text that follows is the House substitute version (LC 36 5879S).
A BILL TO BE ENTITLED
AN ACT

To amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, so as to enact the "Georgia Consumer Privacy Protection Act"; to protect the privacy of consumer personal data in this state; to provide for definitions; to provide for applicability; to provide for exemptions for certain entities, data, and uses of data; to provide for consumer rights regarding personal data; to provide for a consumer to exercise such rights by submitting a request to a controller; to provide for a controller to promptly respond to such requests; to provide for exemptions; to provide for responsibilities of processors and controllers; to provide for notice and disclosure; to provide for security practices to protect consumer personal data; to allow a controller to offer different goods or services under certain conditions; to provide for limitations; to provide for statutory construction; to provide for enforcement and penalties; to provide an affirmative defense; to prohibit the disclosure of personal data of consumers to local governments unless pursuant to a subpoena or court order; to provide for preemption of local regulation; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:

S. B. 473 (SUB) - 1 - 24 LC 36 5879S

SECTION 1.
Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, is amended by adding a new article to Chapter 1, relating to selling and other trade practices, to read as follows:

"ARTICLE 37
10-1-960.
This article shall be known and may be cited as the 'Georgia Consumer Privacy Protection Act.'
10-1-961.
As used in this article, the term:
(1) 'Affiliate' means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For purposes of this paragraph, the term 'control' or 'controlled' means:
(A) Ownership of, or the power to vote, more than 50 percent of the outstanding shares of a class of voting security of an entity;
(B) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions relative to an entity; or
(C) The power to exercise controlling influence over the management of an entity.
(2) 'Authenticate' means to verify using reasonable means that a consumer who is entitled to exercise the rights in Code Section 10-1-963, is the same consumer who is exercising such consumer rights with respect to the personal information at issue.
(3)(A) 'Biometric data' means data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual.
(B) Such term shall not include:
(i) A physical or digital photograph, video recording, or audio recording or data generated from a photograph or video or audio recording;
(ii) Information captured and converted to a mathematical representation, including a numeric string or similar configuration, that cannot be used to recreate data generated by automatic measurement of an individual's biological patterns or characteristics used to identify the specific individual; or
(iii) Information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
(4) 'Business associate' shall have the same meaning as provided by HIPAA.
(5) 'Consent' means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer. Such term may include a written statement, including a statement written by electronic means, or an unambiguous affirmative action.
(6) 'Consumer' means an individual who is a resident of this state acting only in a personal context. Such term shall not include an individual acting in a commercial or employment context.
(7) 'Controller' means the person that, alone or jointly with others, determines the purpose and means of processing personal information.
(8) 'Covered entity' shall have the same meaning as provided by HIPAA.
(9) 'Decisions that produce legal or similarly significant effects concerning the consumer' means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to basic necessities, such as food and water.
(10) 'De-identified data' means data that cannot reasonably be linked to an identified or identifiable individual, or any device linked to such natural person.
(11) 'Health record' means a written, printed, or electronically recorded material that:
(A) In the course of providing healthcare services to an individual was created or is maintained by a healthcare facility described in or licensed pursuant to Title 31; and
(B) Concerns the individual and the healthcare services provided.
Such term includes the substance of a communication made by an individual to a healthcare facility described in or licensed pursuant to Title 31 in confidence during or in connection with the provision of healthcare services or information otherwise acquired by the healthcare entity about an individual in confidence and in connection with the provision of healthcare services to the individual.
(12) 'HIPAA' means the federal Health Insurance Portability and Accountability Act of 1996, as amended, 42 U.S.C. Section 1320d et seq.
(13) 'Identified or identifiable individual' means a natural person who can be readily identified, whether directly or indirectly.
(14) 'Institution of higher education' means a public or private college or university in this state.
(15) 'Known child' means an individual who the controller has actual knowledge is under 13 years of age.
(16) 'NIST' means the National Institute of Standards and Technology privacy framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management Version 1.0' or any subsequent version thereof.
(17) 'Nonprofit organization' means an organization exempt from taxation under the Internal Revenue Code, codified in 26 U.S.C. Sections 501-530.
(18) 'Person' means any individual or entity.
(19)(A) 'Personal information' means information that is linked or reasonably linkable to an identified or identifiable individual.
(B) Such term shall not include information that:
(i) Is publicly available information;
(ii) Does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used alone or in combination with other information to identify an individual; or
(iii) Is de-identified using a method no less secure than methods provided under HIPAA.
(20)(A) 'Precise geolocation data' means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.
(B) Such term shall not include:
(i) The content of communications; or
(ii) Data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(21) 'Process' or 'processing' means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
(22) 'Processor' means a person that processes personal information on behalf of a controller.
(23) 'Profiling' means a form of automated processing performed on personal information solely to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(24) 'Protected health information' shall have the same meaning as provided by HIPAA.
(25) 'Pseudonymous data' means personal information that cannot be attributed to a specific individual without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable individual.
(26) 'Publicly available information' means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to which the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
(27)(A) 'Sale of personal information' or 'sell personal information' means the exchange of personal information for monetary or other valuable consideration by the controller to a third party.
(B) Such term shall not include:
(i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
(ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
(iii) The disclosure or transfer of personal information to an affiliate of the controller;
(iv) The disclosure of information that the consumer:
(I) Intentionally made available to the general public via a channel of mass media; and
(II) Did not restrict to a specific audience; or
(v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
(28) 'Sensitive data' means a category of personal information that includes:
(A) Personal information revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
(B) The processing of genetic data or biometric data for the purpose of uniquely identifying an individual;
(C) The personal information collected from a known child; or
(D) Precise geolocation data.
(29) 'State agency' means an agency, institution, board, bureau, commission, council, or instrumentality of the executive branch of state government of this state.
(30)(A) 'Targeted advertising' means displaying to a consumer an advertisement that is selected based on personal information obtained from such consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.
(B) Such term shall not include:
(i) Advertisements based on activities within a controller's own websites or online applications;
(ii) Advertisements based on the context of a consumer's current search query, visit to a website, or online application;
(iii) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
(iv) Personal information processed solely for measuring or reporting advertising performance, reach, or frequency.
(31) 'Third party' means a person other than the consumer, controller, processor, or an affiliate of the controller or processor.
10-1-962.
(a) This article shall apply to a person that conducts business in this state by producing products or services targeted to consumers of this state that exceeds $25 million in revenue and that:
(1) Controls or processes personal information of at least 25,000 consumers and derives more than 50 percent of gross revenue from the sale of personal information; or
(2) During a calendar year, controls or processes personal information of at least 175,000 consumers.
(b) This article shall not apply to:
(1) A person that is:
(A) A financial institution or an affiliate of a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C. Section 6801 et seq.;
(B) Licensed in this state under Title 33 as an insurance company and transacts insurance business;
(C) Licensed in this state under Title 33 as an insurance producer;
(D) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the federal Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);
(E) An air carrier regulated by the secretary of transportation under 49 U.S.C. Section 41712 and exempt from state regulations under 49 U.S.C. Section 41713(b)(1); or
(F) An entity subject to 42 U.S.C. Section 290dd-2;
(2) Data or personal information that is:
(A) Subject to Title V of the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C. Section 6801 et seq.;
(B) Protected health information under HIPAA;
(C) Considered a health record for purposes of Title 31;
(D) Considered patient identifying information for purposes of 42 U.S.C. Section 290dd-2;
(E) Processed for purposes of:
(i) Research conducted in accordance with the federal policy for the protection of human subjects under 45 C.F.R. Part 46;
(ii) Human subjects research conducted in accordance with good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; or
(iii) Research conducted in accordance with the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56;
(F) Created for purposes of the federal Health Care Quality Improvement Act of 1986, as amended, 42 U.S.C. Section 11101 et seq.;
(G) Considered patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, as amended, 42 U.S.C. Section 299b-21 et seq.;
(H) Derived from the healthcare related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
(I) Included in a limited data set as described in 45 C.F.R. 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified in 45 C.F.R. 164.514(e);
(J) Originated from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;
(K) Used only for public health activities and purposes as authorized by HIPAA;
(L) Impacted a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, as amended, 15 U.S.C. Section 1681 et seq.;
(M) Collected, processed, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, as amended, 18 U.S.C. Section 2721 et seq.;
(N) Regulated by the federal Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. Section 1232g et seq.;
(O) Collected, processed, or disclosed in compliance with the federal Farm Credit Act, as amended, 12 U.S.C. Section 2001 et seq.; or
(P) Maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act, as amended, 21 U.S.C. Section 830;
(3) A nonprofit organization;
(4) Any state agency, the judicial branch, the legislative branch, or any local government of this state;
(5) Any institution of higher education that does not engage in the sale of personal information;
(6) Any electric supplier as defined in Code Section 46-3-3 that does not engage in the sale of personal information; or
(7) Data processed or maintained:
(A) In the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
(B) As the emergency contact information of an individual employed by or acting as an agent or independent contractor of a controller, processor, or third party for use as emergency contact purposes with the consent of such individual; or
(C) As necessary to retain to administer benefits for an individual who qualifies for benefits as part of the benefits provided to an individual employed by or acting as an agent or independent contractor of a controller, processor, or third party.
(c) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (COPPA), as amended, 15 U.S.C. Section 6501 et seq., shall be deemed compliant with an obligation to obtain parental consent under this article.
(d) Nothing in this article shall require a controller, processor, third party, or consumer to disclose trade secrets.
10-1-963.
(a)(1) A consumer may invoke the consumer rights authorized pursuant to paragraph (2) of this subsection at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke the consumer rights authorized pursuant to paragraph (2) of this subsection on behalf of such known child regarding processing personal information belonging to the known child.
(2) A controller shall comply with an authenticated consumer request to exercise the right to:
(A) Confirm whether a controller is processing the consumer's personal information and to access such personal information;
(B) Correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of such consumer's personal information;
(C) Delete personal information provided by or obtained about the consumer. A controller shall not be required to delete information that it maintains or uses as aggregate or de-identified data; provided, that such data in the possession of the controller is not linked to a specific consumer. A controller that obtained personal information about a consumer from a source other than the consumer shall be in compliance with a consumer's request to delete such personal information by retaining a record of the deletion request and the minimum information necessary for the purpose of ensuring that the consumer's personal information remains deleted from the controller's records and by not using such retained personal information for any purpose prohibited under this article;
(D) Obtain a copy of the consumer's personal information that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit such personal information to another controller without hindrance, where the processing is carried out by automated means; or
(E) Opt out of a controller's processing of personal information for purposes of:
(i) Engaging in the sale of personal information about the consumer;
(ii) Targeted advertising; or
(iii) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
(b) Except as otherwise provided in this article, a controller shall comply with an authenticated request by a consumer to exercise the consumer rights authorized pursuant to paragraph (2) of subsection (a) of this Code section as follows:
(1) A controller shall respond to the consumer without undue delay, but in all cases within 45 days of receipt of a request submitted pursuant to subsection (a) of this Code section. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial 45 day response period, together with the reason for the extension;
(2) If a controller declines to take action regarding the consumer's request, then the controller shall inform the consumer without undue delay, but in all cases within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision pursuant to subsection (c) of this Code section;
(3) Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, technically infeasible, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request; and
(4) If a controller is unable to authenticate the request using commercially reasonable efforts, then the controller shall not be required to comply with a request to initiate an action under subsection (a) of this Code section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.
(c) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to paragraph (2) of subsection (b) of this Code section. The appeal process shall be:
(1) Made available to the consumer in a conspicuous manner;
(2) Available at no cost to the consumer; and
(3) Similar to the process for submitting requests to initiate action pursuant to subsection (a) of this Code section.
Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing of action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall then also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
10-1-964.
(a) A controller shall:
(1) Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
(2) Except as otherwise provided in this article, not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
(3) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as described in Code Section 10-1-973, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices shall be appropriate to the volume and nature of the personal information at issue;
(4) Not be required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer;
(5) Not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising the consumer rights contained in this article, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, this paragraph shall not require a controller to provide a product or service that requires the personal information of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the right to opt out pursuant to subparagraph (E) of paragraph (2) of subsection (a) of Code Section 10-1-963 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and
(6) Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act, as amended, 15 U.S.C. Section 6501 et seq., and its implementing regulations.
(b) A provision of a contract or agreement that purports to waive or limit the consumer rights described in Code Section 10-1-963 is contrary to public policy and is void and unenforceable.
(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice that includes:
(1) The categories of personal information processed by the controller;
(2) The purpose for processing personal information;
(3) How consumers may exercise their consumer rights pursuant to Code Section 10-1-963, including how a consumer may appeal a controller's decision with regard to the consumer's request;
(4) The categories of personal information that the controller sells to third parties, if any; and
(5) The categories of third parties, if any, with whom the controller engages in the sale of personal information.
(d) If a controller engages in the sale of personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
(e)(1) A controller shall provide, and shall describe in a privacy notice, one or more secure and reliable means for a consumer to submit a request to exercise the consumer rights described in Code Section 10-1-963. Such means shall take into account the:
(A) Ways in which a consumer normally interacts with the controller;
(B) Need for secure and reliable communication of such requests; and
(C) Ability of a controller to authenticate the identity of the consumer making the request.
(2) A controller shall not require a consumer to create a new account in order to exercise the consumer rights described in Code Section 10-1-963, but may require a consumer to use an existing account.
430-10-1-965.395
431-(a) A processor shall adhere to the instructions of a controller and shall assist the controller396
432-in meeting its obligations under this article. The assistance provided by the processor shall397
433-include:398
434-(1) Taking into account the nature of processing and the information available to the399
435-processor, by appropriate technical and organizational measures, insofar as reasonably400
436-practicable, to fulfill the controller's obligation to respond to consumer rights requests401
437-pursuant to Code Section 10-1-963; and402
438-(2) Providing necessary information to enable the controller to conduct and document403
439-data protection assessments pursuant to Code Section 10-1-966.404
440-(b) A contract between a controller and a processor governs the processor's data processing405
441-procedures with respect to processing performed on behalf of the controller. The contract406
442-shall be binding and shall clearly set forth instructions for processing data, the nature and407
443-purpose of processing, the type of data subject to processing, the duration of processing,408
446-and the rights and obligations of both parties. The contract shall also include requirements409
447-that the processor shall:410
448-(1) Ensure that each person processing personal information is subject to a duty of411
449-confidentiality with respect to the data;412
450-(2) At the controller's direction, delete or return all personal information to the controller413
451-as requested at the end of the provision of services, unless retention of the personal414
452-information is required by law;415
453-(3) Upon the reasonable request of the controller, make available to the controller all416
454-information in its possession necessary to demonstrate the processor's compliance with417
455-the obligations in this article;418
456-(4) Allow, and cooperate with, reasonable assessments by the controller or the419
457-controller's designated assessor; alternatively, the processor may arrange for a qualified420
458-and independent assessor to conduct an assessment of the processor's policies and421
459-technical and organizational measures in support of the obligations under this article422
460-using an appropriate and accepted control standard or framework and assessment423
461-procedure for the assessments. The processor shall provide a report of each assessment424
462-to the controller upon request; and425
463-(5) Engage a subcontractor pursuant to a written contract that requires the426
464-subcontractor to meet the obligations of the processor with respect to the personal427
465-information.428
466-(c) Nothing in this Code section shall relieve a controller or a processor from the liabilities429
467-imposed on it by virtue of its role in the processing relationship as described in430
468-subsection (b) of this Code section.431
469-(d) Determining whether a person is acting as a controller or processor with respect to a432
470-specific processing of data is a fact-based determination that depends upon the context in433
471-which personal information is to be processed. A processor that continues to adhere to a434
474-controller's instructions with respect to a specific processing of personal information435
475-remains a processor.436
476-10-1-966.437
477-(a) A controller shall conduct and document a data protection assessment of each of the438
478-following processing activities involving personal information:439
479-(1) The processing of personal information for purposes of targeted advertising;440
480-(2) The sale of personal information;441
481-(3) The processing of personal information for purposes of profiling, where the profiling442
482-presents a reasonably foreseeable risk of:443
483-(A) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;444
484-(B) Financial, physical, or reputational injury to consumers;445
485-(C) A physical or other intrusion upon the solitude or seclusion, or the private affairs446
486-or concerns, of consumers, where the intrusion would be offensive to a reasonable447
487-person; or448
488-(D) Other substantial injury to consumers;449
489-(4) The processing of sensitive data; and450
490-(5) Processing activities involving personal information that present a heightened risk451
491-of harm to consumers.452
492-(b) Data protection assessments conducted pursuant to subsection (a) of this Code section453
493-shall identify and weigh the benefits that may flow, directly and indirectly, from the454
494-processing to the controller, the consumer, other stakeholders, and the public against the455
495-potential risks to the rights of the consumer associated with the processing, as mitigated by456
496-safeguards that can be employed by the controller to reduce the risks. The use of457
497-de-identified data and the reasonable expectations of consumers, as well as the context of458
498-the processing and the relationship between the controller and the consumer whose459
501-personal information will be processed, shall be factored into this assessment by the460
502-controller.461
503-(c) The Attorney General may request pursuant to a civil investigative demand that a462
504-controller disclose a data protection assessment that is relevant to an investigation463
505-conducted by the Attorney General, and the controller shall make the data protection464
506-assessment available to the Attorney General. The Attorney General shall evaluate the data465
507-protection assessment for compliance with the responsibilities set forth in Code466
508-Section 10-1-964. The disclosure of a data protection assessment pursuant to a request467
509-from the Attorney General shall not constitute a waiver of attorney-client privilege or work468
510-product protection with respect to the assessment and information contained in the469
511-assessment. Such data protection assessments shall be confidential and shall not be open470
512-to public inspection and copying under Article 4 of Chapter 18 of Title 50, relating to open471
513-records.472
514-(d) A single data protection assessment may address a comparable set of processing473
515-operations that include similar activities.474
516-(e) A data protection assessment conducted by a controller for the purpose of compliance475
517-with other laws, rules, or regulations may comply with this Code section if such data476
518-protection assessment has a reasonably comparable scope and effect.477
519-(f) The data protection assessment requirements in this article shall apply only to478
520-processing activities created or generated on or after July 1, 2026.479
521-10-1-967.480
522-(a) A controller in possession of de-identified data shall:481
523-(1) Take reasonable measures to ensure that the data cannot be associated with a natural482
524-person;483
525-(2) Publicly commit to maintaining and using de-identified data without attempting to484
526-reidentify the data; and485
529-(3) Contractually obligate recipients of the de-identified data to comply with this article.486
530-(b) Nothing in this Code section shall require a controller or processor to:487
531-(1) Reidentify de-identified data or pseudonymous data;488
532-(2) Maintain data in identifiable form, or collect, obtain, retain, or access data or489
533-technology, in order to be capable of associating an authenticated consumer request with490
534-personal information; or491
535-(3) Comply with an authenticated consumer rights request, pursuant to Code492
536-Section 10-1-963, if:493
537-(A) The controller is not reasonably capable of associating the request with the494
538-personal information or it would be unreasonably burdensome for the controller to495
539-associate the request with the personal information;496
540-(B) The controller does not use the personal information to recognize or respond to the497
541-specific consumer who is the subject of the personal information, or associate the498
542-personal information with other personal information about the same specific499
543-consumer; and500
544-(C) The controller does not engage in the sale of personal information to a third party501
545-or otherwise voluntarily disclose the personal information to a third party other than a502
546-processor, except as otherwise permitted in this Code section.503
547-(c) The consumer rights described in Code Sections 10-1-963 and 10-1-964 shall not apply504
548-to pseudonymous data in cases where the controller is able to demonstrate information505
549-necessary to identify the consumer is kept separately and is subject to effective technical506
550-and organizational controls that prevent the controller from accessing that information.507
551-(d) A controller that discloses pseudonymous data or de-identified data shall exercise508
552-reasonable oversight to monitor compliance with contractual commitments to which the509
553-pseudonymous data or de-identified data is subject and shall take appropriate steps to510
554-address breaches of those contractual commitments.511
557-10-1-968.512
558-(a) Nothing in this article shall restrict a controller's or processor's ability to:513
559-(1) Comply with federal, state, or local laws, rules, or regulations;514
560-(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or515
561-summons by federal, state, local, or other governmental authorities;516
562-(3) Cooperate with law enforcement agencies concerning conduct or activity that the517
563-controller or processor reasonably and in good faith believes may violate federal, state,518
564-or local laws, rules, or regulations;519
565-(4) Investigate, establish, exercise, prepare for, or defend legal claims;520
566-(5) Provide a product or service specifically requested by a consumer or the parent or521
567-legal guardian of a known child, perform a contract to which the consumer is a party,522
568-including fulfilling the terms of a written warranty, or take steps at the request of the523
569-consumer prior to entering into a contract;524
570-(6) Take immediate steps to protect an interest that is essential for the life or physical525
571-safety of the consumer or of another natural person, and where the processing cannot be526
572-manifestly based on another legal basis;527
573-(7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud,528
574-harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or529
575-security of systems; or investigate, report, or prosecute those responsible for such action;530
576-(8) Engage in publicly reviewed or peer reviewed scientific or statistical research in the531
577-public interest that adheres to all other applicable ethics and privacy laws and is532
578-approved, monitored, and governed by an institutional review board, or similar533
579-independent oversight entity that determines whether:534
580-(A) Deletion of the information is likely to provide substantial benefits that do not535
581-exclusively accrue to the controller;536
582-(B) The expected benefits of the research outweigh the privacy risks; and537
585-(C) The controller has implemented reasonable safeguards to mitigate privacy risks538
586-associated with research, including risks associated with reidentification; or539
587-(9) Assist another controller, processor, or third party with the obligations under this540
57+generated from a photograph or video or audio recording; or43
58+(ii) Information collected, used, or stored for healthcare treatment, payment, or44
59+operations under HIPAA.45
60+(4) 'Consent' means a clear affirmative act signifying a consumer's freely given, specific,46
61+informed, and unambiguous agreement to process personal information relating to the47
62+consumer. Such term may include a written statement, including a statement written by48
63+electronic means, or an unambiguous affirmative action.49
64+(5) 'Consumer' means an individual who is a resident of this state acting only in a50
65+personal context. Such term shall not include an individual acting in a commercial or51
66+employment context.52
67+(6) 'Controller' means the person that, alone or jointly with others, determines the53
68+purpose and means of processing personal information.54
69+(7) 'Decisions that produce legal or similarly significant effects concerning the consumer'55
70+means decisions made by the controller that result in the provision or denial by the56
71+controller of financial or lending services, housing, insurance, education enrollment or57
72+opportunity, criminal justice, employment opportunities, healthcare services, or access58
73+to basic necessities, such as food and water.59
74+(8) 'De-identified data' means data that cannot reasonably be linked to an identified or60
75+identifiable individual, or any device linked to such natural person.61
76+(9) 'Health record' means a written, printed, or electronically recorded material that:62
77+(A) In the course of providing healthcare services to an individual was created or is63
78+maintained by a healthcare facility described in or licensed pursuant to Title 31; and64
79+(B) Concerns the individual and the healthcare services provided.65
82+Such term includes the substance of a communication made by an individual to a66
83+healthcare facility described in or licensed pursuant to Title 31 in confidence during or67
84+in connection with the provision of healthcare services or information otherwise acquired68
85+by the healthcare entity about an individual in confidence and in connection with the69
86+provision of healthcare services to the individual.70
87+(10) 'HIPAA' means the federal Health Insurance Portability and Accountability Act of71
88+1996, as amended, 42 U.S.C. Section 1320d et seq.72
89+(11) 'Identified or identifiable individual' means a natural person who can be readily73
90+identified, whether directly or indirectly.74
91+(12) 'Known child' means an individual who the controller has actual knowledge is under75
92+13 years of age.76
93+(13) 'NIST' means the National Institute of Standards and Technology privacy77
94+framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management78
95+Version 1.0.'79
96+(14) 'Person' means any individual or entity.80
97+(15)(A) 'Personal information' means information that is linked or reasonably linkable81
98+to an identified or identifiable individual.82
99+(B) Such term shall not include information that:83
100+(i) Is publicly available information;84
101+(ii) Does not identify an individual and with respect to which there is no reasonable85
102+basis to believe that the information can be used alone or in combination with other86
103+information to identify an individual; or87
104+(iii) Is de-identified using a method no less secure than methods provided under88
105+HIPAA.89
106+(16)(A) 'Precise geolocation data' means information derived from technology,90
107+including, but not limited to, global positioning system level latitude and longitude91
110+coordinates or other mechanisms, that directly identifies the specific location of a92
111+natural person with precision and accuracy within a radius of 1,750 feet.93
112+(B) Such term shall not include:94
113+(i) The content of communications; or95
114+(ii) Data generated by or connected to advanced utility metering infrastructure96
115+systems or equipment for use by a utility.97
116+(17) 'Process' or 'processing' means an operation or set of operations performed, whether98
117+by manual or automated means, on personal information or on sets of personal99
118+information, such as the collection, use, storage, disclosure, analysis, deletion, or100
119+modification of personal information.101
120+(18) 'Processor' means a person that processes personal information on behalf of a102
121+controller.103
122+(19) 'Profiling' means a form of automated processing performed on personal104
123+information solely to evaluate, analyze, or predict personal aspects related to an identified105
124+or identifiable individual's economic situation, health, personal preferences, interests,106
125+reliability, behavior, location, or movements.107
126+(20) 'Pseudonymous data' means personal information that cannot be attributed to a108
127+specific individual without the use of additional information, so long as the additional109
128+information is kept separately and is subject to appropriate technical and organizational110
129+measures to ensure that the personal information is not attributed to an identified or111
130+identifiable individual.112
131+(21) 'Publicly available information' means information that is lawfully made available113
132+through federal, state, or local government records, or information that a business has a114
133+reasonable basis to believe is lawfully made available to the general public through115
134+widely distributed media, by the consumer, or by a person to which the consumer has116
135+disclosed the information, unless the consumer has restricted the information to a specific117
136+audience.118
139+(22)(A) 'Sale of personal information' means the exchange of personal information for119
140+monetary or other valuable consideration by the controller to a third party.120
141+(B) Such term shall not include:121
142+(i) The disclosure of personal information to a processor that processes the personal122
143+information on behalf of the controller;123
144+(ii) The disclosure of personal information to a third party for purposes of providing124
145+a product or service requested by the consumer;125
146+(iii) The disclosure or transfer of personal information to an affiliate of the controller;126
147+(iv) The disclosure of information that the consumer:127
148+(I) Intentionally made available to the general public via a channel of mass media;128
149+and129
150+(II) Did not restrict to a specific audience; or130
151+(v) The disclosure or transfer of personal information to a third party as an asset that131
152+is part of a merger, acquisition, bankruptcy, or other transaction in which the third132
153+party assumes control of all or part of the controller's assets.133
154+(23) 'Sensitive data' means a category of personal information that includes:134
155+(A) Personal information revealing racial or ethnic origin, religious belief, mental or135
156+physical health diagnosis, sexual orientation, or citizenship or immigration status;136
157+(B) The processing of genetic data, data that contains 'nudity' or 'sexual conduct' as137
158+defined in subsection (b) of Code Section 16-12-181, or biometric data for the purpose138
159+of uniquely identifying an individual;139
160+(C) The personal information collected from a known child; or140
161+(D) Precise geolocation data.141
162+(24)(A) 'Targeted advertising' means displaying to a consumer an advertisement that142
163+is selected based on personal information obtained from such consumer's activities over143
164+time and across nonaffiliated public websites or online applications to predict the144
165+consumer's preferences or interests.145
168+(B) Such term shall not include:146
169+(i) Advertisements based on activities within a controller's own public websites or147
170+online applications;148
171+(ii) Advertisements based on the context of a consumer's current search query, visit149
172+to a public website, or online application;150
173+(iii) Advertisements directed to a consumer in response to the consumer's request for151
174+information or feedback; or152
175+(iv) Personal information processed solely for measuring or reporting advertising153
176+performance, reach, or frequency.154
177+(25) 'Third party' means a person other than the consumer, controller, processor, or an155
178+affiliate of the controller or processor.156
179+10-1-962.157
180+This article shall apply to a person that conducts business in this state by producing158
181+products or services targeted to consumers of this state that exceeds $25 million in revenue159
182+and that:160
183+(1) Controls or processes personal information of at least 25,000 consumers and derives161
184+more than 50 percent of gross revenue from the sale of personal information; or162
185+(2) During a calendar year, controls or processes personal information of at least 175,000163
186+consumers.164
187+10-1-963.165
188+(a)(1) A consumer may invoke the consumer rights authorized pursuant to paragraph (2)166
189+of this subsection at any time by submitting, using a means substantially equivalent to167
190+that used by the controller to obtain the consent of the consumer for initial use of the168
191+personal information, a request to a controller specifying the consumer rights the169
192+consumer wishes to invoke. A known child's parent or legal guardian may invoke the170
195+consumer rights authorized pursuant to paragraph (2) of this subsection on behalf of171
196+such known child regarding processing personal information belonging to the known172
197+child.173
198+(2) A controller shall comply with an authenticated consumer request to exercise the174
199+right to:175
200+(A) Confirm whether a controller is processing the consumer's personal information176
201+and to access such personal information;177
202+(B) Correct inaccuracies in the consumer's personal information, taking into account178
203+the nature of the personal information and the purposes of the processing of such179
204+consumer's personal information;180
205+(C) Delete personal information provided by or obtained about the consumer. A181
206+controller shall not be required to delete information that it maintains or uses as182
207+aggregate or de-identified data; provided, that such data in the possession of the183
208+controller is not linked to a specific consumer. A controller that obtained personal184
209+information about a consumer from a source other than the consumer shall be in185
210+compliance with a consumer's request to delete such personal information by retaining186
211+a record of the deletion request and the minimum information necessary for the purpose187
212+of ensuring that the consumer's personal information remains deleted from the188
213+controller's records and by not using such retained personal information for any purpose189
214+prohibited under this article;190
215+(D) Obtain a copy of the consumer's personal information that the consumer previously191
216+provided to the controller in a portable and, to the extent technically feasible, readily192
217+usable format that allows the consumer to transmit such personal information to another193
218+controller without hindrance, where the processing is carried out by automated means;194
219+or195
220+(E) Opt out of a controller's processing of personal information for purposes of:196
221+(i) Selling personal information about the consumer;197
224+(ii) Targeted advertising; or198
225+(iii) Profiling in furtherance of decisions that produce legal or similarly significant199
226+effects concerning the consumer.200
227+(b) Except as otherwise provided in this article, a controller shall comply with an201
228+authenticated request by a consumer to exercise the consumer rights authorized pursuant202
229+to paragraph (2) of subsection (a) of this Code section as follows:203
230+(1) A controller shall respond to the consumer without undue delay, but in all cases204
231+within 45 days of receipt of a request submitted pursuant to subsection (a) of this Code205
232+section. The response period may be extended once by 45 additional days when206
233+reasonably necessary, taking into account the complexity and number of the consumer's207
234+requests, so long as the controller informs the consumer of the extension within the initial208
235+45-day response period, together with the reason for the extension;209
236+(2) If a controller declines to take action regarding the consumer's request, then the210
237+controller shall inform the consumer without undue delay, but in all cases within 45 days211
238+of receipt of the request, of the justification for declining to take action and instructions212
239+for how to appeal the decision pursuant to subsection (c) of this Code section;213
240+(3) Information provided in response to a consumer request shall be provided by a214
241+controller free of charge, up to twice annually per consumer. If requests from a consumer215
242+are manifestly unfounded, technically infeasible, excessive, or repetitive, then the216
243+controller may charge the consumer a reasonable fee to cover the administrative costs of217
244+complying with the request or decline to act on the request. The controller bears the218
245+burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or219
246+repetitive nature of the request; and220
247+(4) If a controller is unable to authenticate the request using commercially reasonable221
248+efforts, then the controller shall not be required to comply with a request to initiate an222
249+action under subsection (a) of this Code section and may request that the consumer223
252+provide additional information reasonably necessary to authenticate the consumer and the224
253+consumer's request.225
254+(c) A controller shall establish a process for a consumer to appeal the controller's refusal226
255+to take action on a request within a reasonable period of time after the consumer's receipt227
256+of the decision pursuant to paragraph (2) of subsection (b) of this Code section. The appeal228
257+process shall be:229
258+(1) Made available to the consumer in a conspicuous manner;230
259+(2) Available at no cost to the consumer; and231
260+(3) Similar to the process for submitting requests to initiate action pursuant to232
261+subsection (a) of this Code section.233
262+Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing234
263+of action taken or not taken in response to the appeal, including a written explanation of235
264+the reasons for the decision. If the appeal is denied, the controller shall then also provide236
265+the consumer with an online mechanism, if available, or other method through which the237
266+consumer may contact the Attorney General to submit a complaint.238
267+10-1-964.239
268+(a) A controller shall:240
269+(1) Limit the collection of personal information to what is adequate, relevant, and241
270+reasonably necessary in relation to the purposes for which the data is processed, as242
271+disclosed to the consumer;243
272+(2) Except as otherwise provided in this article, not process personal information for244
273+purposes that are beyond what is reasonably necessary to and compatible with the245
274+disclosed purposes for which the personal information is processed, as disclosed to the246
275+consumer, unless the controller obtains the consumer's consent;247
276+(3) Establish, implement, and maintain reasonable administrative, technical, and physical248
277+data security practices, as described in Code Section 10-1-973, to protect the249
280+confidentiality, integrity, and accessibility of personal information. The data security250
281+practices shall be appropriate to the volume and nature of the personal information at251
282+issue;252
283+(4) Not be required to delete information that it maintains or uses as aggregate or253
284+de-identified data, provided that such data in the possession of the business is not linked254
285+to a specific consumer;255
286+(5) Not process personal information in violation of state and federal laws that prohibit256
287+unlawful discrimination against consumers. A controller shall not discriminate against257
288+a consumer for exercising the consumer rights contained in this article, including denying258
289+goods or services, charging different prices or rates for goods or services, or providing259
290+a different level of quality of goods and services to the consumer. However, this260
291+paragraph shall not require a controller to provide a product or service that requires the261
292+personal information of a consumer that the controller does not collect or maintain, or262
293+prohibit a controller from offering a different price, rate, level, quality, or selection of263
294+goods or services to a consumer, including offering goods or services for no fee, if the264
295+consumer has exercised the right to opt out pursuant to subparagraph (E) of paragraph (2)265
296+of subsection (a) of Code Section 10-1-963 or the offer is related to a consumer's266
297+voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or267
298+club card program; and268
299+(6) Not process sensitive data concerning a consumer without obtaining the consumer's269
300+consent, or, in the case of the processing of sensitive data concerning a known child,270
301+without processing the data in accordance with the federal Children's Online Privacy271
302+Protection Act, as amended, 15 U.S.C. Section 6501 et seq., and its implementing272
303+regulations.273
304+(b) A provision of a contract or agreement that purports to waive or limit the consumer274
305+rights described in Code Section 10-1-963 is contrary to public policy and is void and275
306+unenforceable.276
309+(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice277
310+that includes:278
311+(1) The categories of personal information processed by the controller;279
312+(2) The purpose for processing personal information;280
313+(3) How consumers may exercise their consumer rights pursuant to Code281
314+Section 10-1-963, including how a consumer may appeal a controller's decision with282
315+regard to the consumer's request;283
316+(4) The categories of personal information that the controller sells to third parties, if any;284
317+and285
318+(5) The categories of third parties, if any, to whom the controller sells personal286
319+information.287
320+(d) If a controller sells personal information to third parties or processes personal288
321+information for targeted advertising, then the controller shall clearly and conspicuously289
322+disclose the processing, as well as the manner in which a consumer may exercise the right290
323+to opt out of the processing.291
324+(e)(1) A controller shall provide, and shall describe in a privacy notice, one or more292
325+secure and reliable means for a consumer to submit a request to exercise the consumer293
326+rights described in Code Section 10-1-963. Such means shall take into account the:294
327+(A) Ways in which a consumer normally interacts with the controller;295
328+(B) Need for secure and reliable communication of such requests; and296
329+(C) Ability of a controller to authenticate the identity of the consumer making the297
330+request.298
331+(2) A controller shall not require a consumer to create a new account in order to exercise299
332+the consumer rights described in Code Section 10-1-963, but may require a consumer to300
333+use an existing account.301
336+10-1-965.302
337+(a) A processor shall adhere to the instructions of a controller and shall assist the controller303
338+in meeting its obligations under this article. The assistance provided by the processor shall304
339+include:305
340+(1) Taking into account the nature of processing and the information available to the306
341+processor, by appropriate technical and organizational measures, insofar as reasonably307
342+practicable, to fulfill the controller's obligation to respond to consumer rights requests308
343+pursuant to Code Section 10-1-963; and309
344+(2) Providing necessary information to enable the controller to conduct and document310
345+data protection assessments pursuant to Code Section 10-1-966.311
346+(b) A contract between a controller and a processor governs the processor's data processing312
347+procedures with respect to processing performed on behalf of the controller. The contract313
348+shall be binding and shall clearly set forth instructions for processing data, the nature and314
349+purpose of processing, the type of data subject to processing, the duration of processing,315
350+and the rights and obligations of both parties. The contract shall also include requirements316
351+that the processor shall:317
352+(1) Ensure that each person processing personal information is subject to a duty of318
353+confidentiality with respect to the data;319
354+(2) At the controller's direction, delete or return all personal information to the controller320
355+as requested at the end of the provision of services, unless retention of the personal321
356+information is required by law;322
357+(3) Upon the reasonable request of the controller, make available to the controller all323
358+information in its possession necessary to demonstrate the processor's compliance with324
359+the obligations in this article;325
360+(4) Allow, and cooperate with, reasonable assessments by the controller or the326
361+controller's designated assessor; alternatively, the processor may arrange for a qualified327
362+and independent assessor to conduct an assessment of the processor's policies and328
365+technical and organizational measures in support of the obligations under this article329
366+using an appropriate and accepted control standard or framework and assessment330
367+procedure for the assessments. The processor shall provide a report of each assessment331
368+to the controller upon request; and332
369+(5) Engage a subcontractor pursuant to a written contract that requires the333
370+subcontractor to meet the obligations of the processor with respect to the personal334
371+information.335
372+(c) Nothing in this Code section shall relieve a controller or a processor from the liabilities336
373+imposed on it by virtue of its role in the processing relationship as described in337
374+subsection (b) of this Code section.338
375+(d) Determining whether a person is acting as a controller or processor with respect to a339
376+specific processing of data is a fact-based determination that depends upon the context in340
377+which personal information is to be processed. A processor that continues to adhere to a341
378+controller's instructions with respect to a specific processing of personal information342
379+remains a processor.343
380+10-1-966.344
381+(a) A controller shall conduct and document a data protection assessment of each of the345
382+following processing activities involving personal information:346
383+(1) The processing of personal information for purposes of targeted advertising;347
384+(2) The sale of personal information;348
385+(3) The processing of personal information for purposes of profiling, where the profiling349
386+presents a reasonably foreseeable risk of:350
387+(A) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;351
388+(B) Financial, physical, or reputational injury to consumers;352
391+(C) A physical or other intrusion upon the solitude or seclusion, or the private affairs353
392+or concerns, of consumers, where the intrusion would be offensive to a reasonable354
393+person; or355
394+(D) Other substantial injury to consumers;356
395+(4) The processing of sensitive data; and357
396+(5) Processing activities involving personal information that present a heightened risk358
397+of harm to consumers.359
398+(b) Data protection assessments conducted pursuant to subsection (a) of this Code section360
399+shall identify and weigh the benefits that may flow, directly and indirectly, from the361
400+processing to the controller, the consumer, other stakeholders, and the public against the362
401+potential risks to the rights of the consumer associated with the processing, as mitigated by363
402+safeguards that can be employed by the controller to reduce the risks. The use of364
403+de-identified data and the reasonable expectations of consumers, as well as the context of365
404+the processing and the relationship between the controller and the consumer whose366
405+personal information will be processed, shall be factored into this assessment by the367
406+controller.368
407+(c) The Attorney General may request pursuant to a civil investigative demand that a369
408+controller disclose a data protection assessment that is relevant to an investigation370
409+conducted by the Attorney General, and the controller shall make the data protection371
410+assessment available to the Attorney General. The Attorney General shall evaluate the data372
411+protection assessment for compliance with the responsibilities set forth in Code373
412+Section 10-1-964. The disclosure of a data protection assessment pursuant to a request374
413+from the Attorney General shall not constitute a waiver of attorney-client privilege or work375
414+product protection with respect to the assessment and information contained in the376
415+assessment. Such data protection assessments shall be confidential and shall not be open377
416+to public inspection and copying under Article 4 of Chapter 18 of Title 50, relating to open378
417+records.379
420+(d) A single data protection assessment may address a comparable set of processing380
421+operations that include similar activities.381
422+(e) A data protection assessment conducted by a controller for the purpose of compliance382
423+with other laws, rules, or regulations may comply with this Code section if such data383
424+protection assessment has a reasonably comparable scope and effect.384
425+(f) The data protection assessment requirements in this article shall apply only to385
426+processing activities created or generated on or after July 1, 2026.386
427+10-1-967.387
428+(a) A controller in possession of de-identified data shall:388
429+(1) Take reasonable measures to ensure that the data cannot be associated with a natural389
430+person;390
431+(2) Publicly commit to maintaining and using de-identified data without attempting to391
432+reidentify the data; and392
433+(3) Contractually obligate recipients of the de-identified data to comply with this article.393
434+(b) Nothing in this Code section shall require a controller or processor to:394
435+(1) Reidentify de-identified data or pseudonymous data;395
436+(2) Maintain data in identifiable form, or collect, obtain, retain, or access data or396
437+technology, in order to be capable of associating an authenticated consumer request with397
438+personal information; or398
439+(3) Comply with an authenticated consumer rights request, pursuant to Code399
440+Section 10-1-963, if:400
441+(A) The controller is not reasonably capable of associating the request with the401
442+personal information or it would be unreasonably burdensome for the controller to402
443+associate the request with the personal information;403
444+(B) The controller does not use the personal information to recognize or respond to the404
445+specific consumer who is the subject of the personal information, or associate the405
448+personal information with other personal information about the same specific406
449+consumer; and407
450+(C) The controller does not sell the personal information to a third party or otherwise408
451+voluntarily disclose the personal information to a third party other than a processor,409
452+except as otherwise permitted in this Code section.410
453+(c) The consumer rights described in Code Sections 10-1-963 and 10-1-964 shall not apply411
454+to pseudonymous data in cases where the controller is able to demonstrate information412
455+necessary to identify the consumer is kept separately and is subject to effective technical413
456+and organizational controls that prevent the controller from accessing that information.414
457+(d) A controller that discloses pseudonymous data or de-identified data shall exercise415
458+reasonable oversight to monitor compliance with contractual commitments to which the416
459+pseudonymous data or de-identified data is subject and shall take appropriate steps to417
460+address breaches of those contractual commitments.418
461+10-1-968.419
462+(a) Nothing in this article shall restrict a controller's or processor's ability to:420
463+(1) Comply with federal, state, or local laws, rules, or regulations;421
464+(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or422
465+summons by federal, state, local, or other governmental authorities;423
466+(3) Cooperate with law enforcement agencies concerning conduct or activity that the424
467+controller or processor reasonably and in good faith believes may violate federal, state,425
468+or local laws, rules, or regulations;426
469+(4) Investigate, establish, exercise, prepare for, or defend legal claims;427
470+(5) Provide a product or service specifically requested by a consumer or the parent or428
471+legal guardian of a known child, perform a contract to which the consumer is a party,429
472+including fulfilling the terms of a written warranty, or take steps at the request of the430
473+consumer prior to entering into a contract;431
476+(6) Take immediate steps to protect an interest that is essential for the life or physical432
477+safety of the consumer or of another natural person, and where the processing cannot be433
478+manifestly based on another legal basis;434
479+(7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud,435
480+harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or436
481+security of systems; or investigate, report, or prosecute those responsible for such action;437
482+(8) Engage in publicly reviewed or peer-reviewed scientific or statistical research in the438
483+public interest that adheres to all other applicable ethics and privacy laws and is439
484+approved, monitored, and governed by an institutional review board, or similar440
485+independent oversight entity that determines whether:441
486+(A) Deletion of the information is likely to provide substantial benefits that do not442
487+exclusively accrue to the controller;443
488+(B) The expected benefits of the research outweigh the privacy risks; and444
489+(C) The controller has implemented reasonable safeguards to mitigate privacy risks445
490+associated with research, including risks associated with reidentification; or446
491+(9) Assist another controller, processor, or third party with the obligations under this447
492+article.448
493+(b) The obligations imposed on controllers or processors under this article shall not restrict449
494+a controller's or processor's ability to collect, use, or retain data to:450
495+(1) Conduct internal research to develop, improve, or repair products, services, or451
496+technology;452
497+(2) Effectuate a product recall;453
498+(3) Identify and repair technical errors that impair existing or intended functionality; or454
499+(4) Perform internal operations that are reasonably aligned with the expectations of the455
500+consumer or reasonably anticipated based on the consumer's existing relationship with456
501+the controller or are otherwise compatible with processing data in furtherance of the457
504+provision of a product or service specifically requested by a consumer or the performance458
505+of a contract to which the consumer is a party.459
506+(c) The obligations imposed on controllers or processors under this article shall not apply460
507+where compliance with this article by the controller or processor would violate an461
508+evidentiary privilege under the laws of this state. Nothing in this article shall prevent a462
509+controller or processor from providing personal information concerning a consumer to a463
510+person covered by an evidentiary privilege under the laws of this state as part of a464
511+privileged communication.465
512+(d)(1) A controller or processor that discloses personal information to a third-party466
513+controller or processor, in compliance with the requirements of this article, shall not be467
514+in violation of this article if:468
515+(A) The third-party controller or processor that receives and processes the personal469
516+information is in violation of this article; and470
517+(B) At the time of disclosing the personal information, the disclosing controller or471
518+processor did not have actual knowledge that the recipient intended to commit a472
519+violation.473
520+(2) A third-party controller or processor receiving personal information from a controller474
521+or processor in compliance with the requirements of this article is likewise not in475
522+violation of this article for the violations of the controller or processor from which it476
523+receives such personal information.477
524+(e) This article shall not impose an obligation on controllers and processors that adversely478
525+affects the rights or freedoms of a person, such as exercising the right of free speech479
526+pursuant to the First Amendment to the United States Constitution, or that applies to the480
527+processing of personal information by a person in the course of a purely personal activity.481
528+(f) A controller shall not process personal information for purposes other than those482
529+expressly listed in this Code section unless otherwise allowed by this article. Personal483
532+information processed by a controller pursuant to this Code section may be processed to484
533+the extent that the processing is:485
534+(1) Reasonably necessary and proportionate to the purposes listed in this section; and486
535+(2) Adequate, relevant, and limited to what is necessary in relation to the specific487
536+purposes listed in this section. Personal information collected, used, or retained pursuant488
537+to subsection (b) of this Code section shall, where applicable, take into account the nature489
538+and purpose or purposes of the collection, use, or retention. The data shall be subject to490
539+reasonable administrative, technical, and physical measures to protect the confidentiality,491
540+integrity, and accessibility of the personal information and to reduce reasonably492
541+foreseeable risks of harm to consumers relating to the collection, use, or retention of493
542+personal information.494
543+(g) If a controller processes personal information pursuant to an exemption in this Code495
544+section, then the controller bears the burden of demonstrating that the processing qualifies496
545+for the exemption and complies with subsection (f) of this Code section.497
546+(h) Processing personal information for the purposes expressly identified in any of the498
547+paragraphs (1) through (9) of subsection (a) of this Code section shall not solely make499
548+an entity a controller with respect to the processing.500
549+10-1-969.501
550+Nothing in this article shall be construed to conflict with the specific requirements:502
551+(1) Related to the management of health records under Title 31; or503
552+(2) Mandated by any provision of federal law.504
553+10-1-970.505
554+(a) A provision of a contract or agreement that waives or limits a consumer's rights or506
555+cause of action under this article, including, but not limited to, a right to a remedy or means507
556+of enforcement, is contrary to public policy, void, and unenforceable.508
559+(b) Nothing in this article shall prevent a consumer from declining to request information509
560+from a controller, declining to opt out of a controller's sale of the consumer's personal510
561+information, or authorizing a controller to sell the consumer's personal information after511
562+previously opting out.512
563+(c) This article shall apply to contracts entered into, amended, or renewed on or after513
564+July 1, 2026.514
565+10-1-971.515
566+If the Attorney General has reasonable cause to believe that an individual, controller, or516
567+processor has engaged in, is engaging in, or is about to engage in a violation of this article,517
568+then the Attorney General may issue a civil investigative demand.518
569+10-1-972.519
570+(a) The Attorney General may develop reasonable cause to believe that a controller or520
571+processor is in violation of this article, based on the Attorney General's own inquiry or on521
572+consumer or public complaints. Prior to initiating an action under this article, the Attorney522
573+General shall provide a controller or processor 60 days' written notice identifying the523
574+specific provisions of this article the Attorney General alleges have been or are being524
575+violated. If within the 60 day period, the controller or processor cures the noticed violation525
576+and provides the Attorney General an express written statement that the alleged violations526
577+have been cured and that no such further violations shall occur, then the Attorney General527
578+shall not initiate an action against the controller or processor.528
579+(b) If a controller or processor continues to violate this article following the cure period529
580+provided for in subsection (a) of this Code section or breaches an express written statement530
581+provided to the Attorney General under subsection (a) of this Code section, then the531
582+Attorney General may bring an action in a court of competent jurisdiction seeking any of532
583+the following relief:533
586+(1) Declaratory judgment that the act or practice violates this article;534
587+(2) Injunctive relief, including preliminary and permanent injunctions, to prevent an535
588+additional violation of and compel compliance with this article;536
589+(3) Civil penalties, as described in subsection (c) of this Code section;537
590+(4) Reasonable attorney's fees and investigative costs; or538
591+(5) Other relief the court determines appropriate.539
592+(c)(1) A court may impose a civil penalty of up to $7,500.00 for each violation of this540
588593 article.541
589-(b) The obligations imposed on controllers or processors under this article shall not restrict542
590-a controller's or processor's ability to collect, use, or retain data to:543
591-(1) Conduct internal research to develop, improve, or repair products, services, or544
592-technology;545
593-(2) Effectuate a product recall;546
594-(3) Identify and repair technical errors that impair existing or intended functionality;547
595-(4) Authenticate an individual for the purpose of allowing access to a secure location or548
596-facility; or 549
597-(5) Perform internal operations that are reasonably aligned with the expectations of the550
598-consumer or reasonably anticipated based on the consumer's existing relationship with551
599-the controller or are otherwise compatible with processing data in furtherance of the552
600-provision of a product or service specifically requested by a consumer or the performance553
601-of a contract to which the consumer is a party.554
602-(c) The obligations imposed on controllers or processors under this article shall not apply555
603-where compliance with this article by the controller or processor would violate an556
604-evidentiary privilege under the laws of this state. Nothing in this article shall prevent a557
605-controller or processor from providing personal information concerning a consumer to a558
606-person covered by an evidentiary privilege under the laws of this state as part of a559
607-privileged communication.560
608-(d)(1) A controller or processor that discloses personal information to a third-party561
609-controller or processor, in compliance with the requirements of this article, shall not be562
610-in violation of this article if:563
613-(A) The third-party controller or processor that receives and processes the personal564
614-information is in violation of this article; and565
615-(B) At the time of disclosing the personal information, the disclosing controller or566
616-processor did not have actual knowledge that the recipient intended to commit a567
617-violation.568
618-(2) A third-party controller or processor receiving personal information from a controller569
619-or processor in compliance with the requirements of this article is likewise not in570
620-violation of this article for the violations of the controller or processor from which it571
621-receives such personal information.572
622-(e) This article shall not impose an obligation on controllers and processors that adversely573
623-affects the rights or freedoms of a person, such as exercising the right of free speech574
624-pursuant to the First Amendment to the United States Constitution, or that applies to the575
625-processing of personal information by a person in the course of a purely personal activity.576
626-(f) A controller shall not process personal information for purposes other than those577
627-expressly listed in this Code section unless otherwise allowed by this article. Personal578
628-information processed by a controller pursuant to this Code section may be processed to579
629-the extent that the processing is:580
630-(1) Reasonably necessary and proportionate to the purposes listed in this section; and581
631-(2) Adequate, relevant, and limited to what is necessary in relation to the specific582
632-purposes listed in this section. Personal information collected, used, or retained pursuant583
633-to subsection (b) of this Code section shall, where applicable, take into account the nature584
634-and purpose or purposes of the collection, use, or retention. The data shall be subject to585
635-reasonable administrative, technical, and physical measures to protect the confidentiality,586
636-integrity, and accessibility of the personal information and to reduce reasonably587
637-foreseeable risks of harm to consumers relating to the collection, use, or retention of588
638-personal information.589
641-(g) If a controller processes personal information pursuant to an exemption in this Code590
642-section, then the controller bears the burden of demonstrating that the processing qualifies591
643-for the exemption and complies with subsection (f) of this Code section.592
644-(h) Processing personal information for the purposes expressly identified in any of the593
645-paragraphs (1) through (9) of subsection (a) of this Code section shall not solely make594
646-an entity a controller with respect to the processing.595
647-10-1-969.596
648-Nothing in this article shall be construed to conflict with the specific requirements:597
649-(1) Related to the management of health records under Title 31; or598
650-(2) Included in federal law.599
651-10-1-970.600
652-(a) A provision of a contract or agreement that waives or limits a consumer's rights under601
653-this article, including, but not limited to, a right to a remedy or means of enforcement, is602
654-contrary to public policy, void, and unenforceable.603
655-(b) Nothing in this article shall prevent a consumer from declining to request information604
656-from a controller, declining to opt out of a controller's sale of the consumer's personal605
657-information, or authorizing a controller to sell the consumer's personal information after606
658-previously opting out.607
659-(c) This article shall apply to contracts entered into, amended, or renewed on or after608
660-July 1, 2026.609
661-10-1-971.610
662-If the Attorney General has reasonable cause to believe that an individual, controller, or611
663-processor has engaged in, is engaging in, or is about to engage in a violation of this article,612
664-then the Attorney General may issue a civil investigative demand.613
667-10-1-972.614
668-(a) The Attorney General shall have exclusive authority to enforce this article.615
669-(b) The Attorney General may develop reasonable cause to believe that a controller or616
670-processor is in violation of this article, based on the Attorney General's own inquiry or on617
671-consumer or public complaints. Prior to initiating an action under this article, the Attorney618
672-General shall provide a controller or processor 60 days' written notice identifying the619
673-specific provisions of this article the Attorney General alleges have been or are being620
674-violated. If within the 60 day period, the controller or processor cures the noticed violation621
675-and provides the Attorney General an express written statement that the alleged violations622
676-have been cured and that no such further violations shall occur, then the Attorney General623
677-shall not initiate an action against the controller or processor.624
678-(c) If a controller or processor continues to violate this article following the cure period625
679-provided for in subsection (b) of this Code section or breaches an express written statement626
680-provided to the Attorney General under subsection (b) of this Code section, then the627
681-Attorney General may bring an action in a court of competent jurisdiction seeking any of628
682-the following relief:629
683-(1) Declaratory judgment that the act or practice violates this article;630
684-(2) Injunctive relief, including preliminary and permanent injunctions, to prevent an631
685-additional violation of and compel compliance with this article;632
686-(3) Civil penalties, as described in subsection (d) of this Code section;633
687-(4) Reasonable attorney's fees and investigative costs; or634
688-(5) Other relief the court determines appropriate.635
689-(d)(1) A court may impose a civil penalty of up to $7,500.00 for each violation of this636
690-article.637
691-(2) If the court finds the controller or processor willfully or knowingly violated this638
692-article, then the court may, in its discretion, award treble damages.639
695-(e) A violation of this article shall not serve as the basis for, or be subject to, a private right640
696-of action, including a class action lawsuit, under this article or any other law.641
697-(f) The Attorney General may recover reasonable expenses incurred in investigating and642
698-preparing a case, including attorney's fees, in an action initiated under this article.643
699-10-1-973.644
700-(a) A controller or processor shall have an affirmative defense to a cause of action for a645
701-violation of this article if the controller or processor creates, maintains, and complies with646
702-a written privacy program that:647
703-(1)(A) Reasonably conforms to the NIST or comparable privacy framework designed648
704-to safeguard consumer privacy; and649
705-(B) Is updated to reasonably conform with a subsequent revision to the NIST or650
706-comparable privacy framework within two years of the publication date stated in the651
707-most recent revision to the NIST or comparable privacy framework; and652
708-(2) Provides a person with the substantive rights required by this article.653
709-(b) The scale and scope of a controller or processor's privacy program under subsection (a)654
710-of this Code section shall be appropriate if it is based on all of the following factors:655
711-(1) The size and complexity of the controller or processor's business;656
712-(2) The nature and scope of the activities of the controller or processor;657
713-(3) The sensitivity of the personal information processed;658
714-(4) The cost and availability of tools to improve privacy protections and data659
715-governance; and660
716-(5) Compliance with a comparable state or federal law, if applicable.661
719-10-1-974.662
720-(a) A municipality, county, or consolidated government shall not require a controller or663
721-processor to disclose personal information of consumers, unless pursuant to a subpoena or664
722-court order.665
723-(b) This article shall supersede and preempt any conflicting provisions of any ordinances,666
724-resolutions, regulations, or the equivalent adopted by any municipality, county, or667
725-consolidated government in this state regarding the processing of personal information by668
726-controllers or processors."669
727-SECTION 2.670
728-This Act shall become effective on July 1, 2026.671
729-SECTION 3.672
730-All laws and parts of laws in conflict with this Act are repealed.673
594+(2) If the court finds the controller or processor willfully or knowingly violated this542
595+article, then the court may, in its discretion, award treble damages.543
596+(d) The Attorney General may recover reasonable expenses incurred in investigating and544
597+preparing a case, including attorney's fees, in an action initiated under this article.545
598+10-1-973.546
599+(a) A controller or processor shall have an affirmative defense to a cause of action for a547
600+violation of this article if the controller or processor creates, maintains, and complies with548
601+a written privacy policy that:549
602+(1)(A) Reasonably conforms to the NIST procedures designed to safeguard consumer550
603+privacy; and551
604+(B) Is updated to reasonably conform with a subsequent revision to the NIST within552
605+two years of the publication date stated in the most recent revision to the NIST; and553
606+(2) Provides a person with the substantive rights required by this article.554
607+(b) The scale and scope of a controller or processor's privacy program under subsection (a)555
608+of this Code section shall be appropriate if it is based on all of the following factors:556
609+(1) The size and complexity of the controller or processor's business;557
610+(2) The nature and scope of the activities of the controller or processor;558
611+(3) The sensitivity of the personal information processed;559
614+(4) The cost and availability of tools to improve privacy protections and data560
615+governance; and561
616+(5) Compliance with a comparable state or federal law.562
617+10-1-974.563
618+(a) A municipality, county, or consolidated government shall not require a controller or564
619+processor to disclose personal data of consumers, unless pursuant to a subpoena or court565
620+order.566
621+(b) This article shall supersede and preempt any conflicting provisions of any ordinances,567
622+resolutions, regulations, or the equivalent adopted by any municipality, county, or568
623+consolidated government regarding the processing of personal data by controllers or569
624+processors."570
625+SECTION 2.571
626+This Act shall become effective on July 1, 2026.572
627+SECTION 3.573
628+All laws and parts of laws in conflict with this Act are repealed.574