24 LC 36 5879S
The House Committee on Technology and Infrastructure Innovation offers the following
substitute to SB 473:
A BILL TO BE ENTITLED
AN ACT
To amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and1
trade, so as to enact the "Georgia Consumer Privacy Protection Act"; to protect the privacy2
of consumer personal data in this state; to provide for definitions; to provide for applicability;3
to provide for exemptions for certain entities, data, and uses of data; to provide for consumer4
rights regarding personal data; to provide for a consumer to exercise such rights by5
submitting a request to a controller; to provide for a controller to promptly respond to such6
requests; to provide for exemptions; to provide for responsibilities of processors and7
controllers; to provide for notice and disclosure; to provide for security practices to protect8
consumer personal data; to allow a controller to offer different goods or services under9
certain conditions; to provide for limitations; to provide for statutory construction; to provide10
for enforcement and penalties; to provide an affirmative defense; to prohibit the disclosure11
of personal data of consumers to local governments unless pursuant to a subpoena or court12
order; to provide for preemption of local regulation; to provide for related matters; to provide13
an effective date; to repeal conflicting laws; and for other purposes.14
BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:15
S. B. 473 (SUB)
- 1 - 24 LC 36 5879S
SECTION 1.16
Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, is17
amended by adding a new article to Chapter 1, relating to selling and other trade practices,18
to read as follows:19
"ARTICLE 3720
10-1-960.21
This article shall be known and may be cited as the 'Georgia Consumer Privacy Protection22
Act.'23
10-1-961.24
As used in this article, the term:25
(1) 'Affiliate' means a legal entity that controls, is controlled by, or is under common26
control with another legal entity or shares common branding with another legal entity. 27
For purposes of this paragraph, the term 'control' or 'controlled' means:28
(A) Ownership of, or the power to vote, more than 50 percent of the outstanding shares29
of a class of voting security of an entity;30
(B) Control in any manner over the election of a majority of the directors or of31
individuals exercising similar functions relative to an entity; or32
(C) The power to exercise controlling influence over the management of an entity.33
(2) 'Authenticate' means to verify using reasonable means that a consumer who is34
entitled to exercise the rights in Code Section 10-1-963, is the same consumer who is35
exercising such consumer rights with respect to the personal information at issue.36
(3)(A) 'Biometric data' means data generated by automatic measurement of an37
individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris,38
S. B. 473 (SUB)
- 2 - 24 LC 36 5879S
or other unique biological patterns or characteristics that are used to identify a specific39
individual.40
(B) Such term shall not include:41
(i) A physical or digital photograph, video recording, or audio recording or data42
generated from a photograph or video or audio recording;43
(ii) Information captured and converted to a mathematical representation, including44
a numeric string or similar configuration, that cannot be used to recreate data45
generated by automatic measurement of an individual's biological patterns or46
characteristics used to identify the specific individual; or47
(iii) Information collected, used, or stored for healthcare treatment, payment, or48
operations under HIPAA.49
(4) 'Business associate' shall have the same meaning as provided by HIPAA.50
(5) 'Consent' means a clear affirmative act signifying a consumer's freely given, specific,51
informed, and unambiguous agreement to process personal information relating to the52
consumer. Such term may include a written statement, including a statement written by53
electronic means, or an unambiguous affirmative action.54
(6) 'Consumer' means an individual who is a resident of this state acting only in a55
personal context. Such term shall not include an individual acting in a commercial or56
employment context.57
(7) 'Controller' means the person that, alone or jointly with others, determines the58
purpose and means of processing personal information.59
(8) 'Covered entity' shall have the same meaning as provided by HIPAA.60
(9) 'Decisions that produce legal or similarly significant effects concerning the consumer'61
means decisions made by the controller that result in the provision or denial by the62
controller of financial or lending services, housing, insurance, education enrollment or63
opportunity, criminal justice, employment opportunities, healthcare services, or access64
to basic necessities, such as food and water.65
S. B. 473 (SUB)
- 3 - 24 LC 36 5879S
(10) 'De-identified data' means data that cannot reasonably be linked to an identified or66
identifiable individual, or any device linked to such natural person.67
(11) 'Health record' means a written, printed, or electronically recorded material that:68
(A) In the course of providing healthcare services to an individual was created or is69
maintained by a healthcare facility described in or licensed pursuant to Title 31; and70
(B) Concerns the individual and the healthcare services provided.71
Such term includes the substance of a communication made by an individual to a72
healthcare facility described in or licensed pursuant to Title 31 in confidence during or73
in connection with the provision of healthcare services or information otherwise acquired74
by the healthcare entity about an individual in confidence and in connection with the75
provision of healthcare services to the individual.76
(12) 'HIPAA' means the federal Health Insurance Portability and Accountability Act of77
1996, as amended, 42 U.S.C. Section 1320d et seq.78
(13) 'Identified or identifiable individual' means a natural person who can be readily79
identified, whether directly or indirectly.80
(14) 'Institution of higher education' means a public or private college or university in81
this state.82
(15) 'Known child' means an individual who the controller has actual knowledge is under83
13 years of age.84
(16) 'NIST' means the National Institute of Standards and Technology privacy85
framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management86
Version 1.0' or any subsequent version thereof.87
(17) 'Nonprofit organization' means an organization exempt from taxation under the88
Internal Revenue Code, codified in 26 U.S.C. Sections 501-530.89
(18) 'Person' means any individual or entity.90
(19)(A) 'Personal information' means information that is linked or reasonably linkable91
to an identified or identifiable individual.92
S. B. 473 (SUB)
- 4 - 24 LC 36 5879S
(B) Such term shall not include information that:93
(i) Is publicly available information;94
(ii) Does not identify an individual and with respect to which there is no reasonable95
basis to believe that the information can be used alone or in combination with other96
information to identify an individual; or97
(iii) Is de-identified using a method no less secure than methods provided under98
HIPAA.99
(20)(A) 'Precise geolocation data' means information derived from technology,100
including, but not limited to, global positioning system level latitude and longitude101
coordinates or other mechanisms, that directly identifies the specific location of a102
natural person with precision and accuracy within a radius of 1,750 feet.103
(B) Such term shall not include:104
(i) The content of communications; or105
(ii) Data generated by or connected to advanced utility metering infrastructure106
systems or equipment for use by a utility.107
(21) 'Process' or 'processing' means an operation or set of operations performed, whether108
by manual or automated means, on personal information or on sets of personal109
information, such as the collection, use, storage, disclosure, analysis, deletion, or110
modification of personal information.111
(22) 'Processor' means a person that processes personal information on behalf of a112
controller.113
(23) 'Profiling' means a form of automated processing performed on personal114
information solely to evaluate, analyze, or predict personal aspects related to an identified115
or identifiable individual's economic situation, health, personal preferences, interests,116
reliability, behavior, location, or movements.117
(24) 'Protected health information' shall have the same meaning as provided by HIPAA.118
S. B. 473 (SUB)
- 5 - 24 LC 36 5879S
(25) 'Pseudonymous data' means personal information that cannot be attributed to a119
specific individual without the use of additional information, so long as the additional120
information is kept separately and is subject to appropriate technical and organizational121
measures to ensure that the personal information is not attributed to an identified or122
identifiable individual.123
(26) 'Publicly available information' means information that is lawfully made available124
through federal, state, or local government records, or information that a business has a125
reasonable basis to believe is lawfully made available to the general public through126
widely distributed media, by the consumer, or by a person to which the consumer has127
disclosed the information, unless the consumer has restricted the information to a specific128
audience.129
(27)(A) 'Sale of personal information' or 'sell personal information' means the130
exchange of personal information for monetary or other valuable consideration by the131
controller to a third party.132
(B) Such term shall not include:133
(i) The disclosure of personal information to a processor that processes the personal134
information on behalf of the controller;135
(ii) The disclosure of personal information to a third party for purposes of providing136
a product or service requested by the consumer;137
(iii) The disclosure or transfer of personal information to an affiliate of the controller;138
(iv) The disclosure of information that the consumer:139
(I) Intentionally made available to the general public via a channel of mass media;140
and141
(II) Did not restrict to a specific audience; or142
(v) The disclosure or transfer of personal information to a third party as an asset that143
is part of a merger, acquisition, bankruptcy, or other transaction in which the third144
party assumes control of all or part of the controller's assets.145
S. B. 473 (SUB)
- 6 - 24 LC 36 5879S
(28) 'Sensitive data' means a category of personal information that includes:146
(A) Personal information revealing racial or ethnic origin, religious belief, mental or147
physical health diagnosis, sexual orientation, or citizenship or immigration status;148
(B) The processing of genetic data or biometric data for the purpose of uniquely149
identifying an individual;150
(C) The personal information collected from a known child; or151
(D) Precise geolocation data.152
(29) 'State agency' means an agency, institution, board, bureau, commission, council, or153
instrumentality of the executive branch of state government of this state.154
(30)(A) 'Targeted advertising' means displaying to a consumer an advertisement that155
is selected based on personal information obtained from such consumer's activities over156
time and across nonaffiliated websites or online applications to predict the consumer's157
preferences or interests.158
(B) Such term shall not include:159
(i) Advertisements based on activities within a controller's own websites or online160
applications;161
(ii) Advertisements based on the context of a consumer's current search query, visit162
to a website, or online application;163
(iii) Advertisements directed to a consumer in response to the consumer's request for164
information or feedback; or165
(iv) Personal information processed solely for measuring or reporting advertising166
performance, reach, or frequency.167
(31) 'Third party' means a person other than the consumer, controller, processor, or an168
affiliate of the controller or processor.169
S. B. 473 (SUB)
- 7 - 24 LC 36 5879S
10-1-962.170
(a) This article shall apply to a person that conducts business in this state by producing171
products or services targeted to consumers of this state that exceeds $25 million in revenue172
and that:173
(1) Controls or processes personal information of at least 25,000 consumers and derives174
more than 50 percent of gross revenue from the sale of personal information; or175
(2) During a calendar year, controls or processes personal information of at least 175,000176
consumers.177
(b) This article shall not apply to:178
(1) A person that is:179
(A) A financial institution or an affiliate of a financial institution subject to Title V of180
the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C. Section 6801 et seq.;181
(B) Licensed in this state under Title 33 as an insurance company and transacts182
insurance business;183
(C) Licensed in this state under Title 33 as an insurance producer;184
(D) A covered entity or business associate governed by the privacy, security, and185
breach notification rules issued by the United States Department of Health and Human186
Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the federal187
Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);188
(E) An air carrier regulated by the secretary of transportation under 49 U.S.C. Section189
41712 and exempt from state regulations under 49 U.S.C. Section 41713(b)(1); or190
(F) An entity subject to 42 U.S.C. Section 290dd-2;191
(2) Data or personal information that is:192
(A) Subject to Title V of the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C.193
Section 6801 et seq.;194
(B) Protected health information under HIPAA;195
(C) Considered a health record for purposes of Title 31;196
S. B. 473 (SUB)
- 8 - 24 LC 36 5879S
(D) Considered patient identifying information for purposes of 42 U.S.C.197
Section 290dd-2;198
(E) Processed for purposes of:199
(i) Research conducted in accordance with the federal policy for the protection of200
human subjects under 45 C.F.R. Part 46;201
(ii) Human subjects research conducted in accordance with good clinical practice202
guidelines issued by the International Council for Harmonization of Technical203
Requirements for Pharmaceuticals for Human Use; or204
(iii) Research conducted in accordance with the protection of human subjects under205
21 C.F.R. Parts 6, 50, and 56;206
(F) Created for purposes of the federal Health Care Quality Improvement Act of 1986,207
as amended, 42 U.S.C. Section 11101 et seq.;208
(G) Considered patient safety work product for purposes of the federal Patient Safety209
and Quality Improvement Act, as amended, 42 U.S.C. Section 299b-21 et seq.;210
(H) Derived from the healthcare related information listed in this subsection that is211
de-identified in accordance with the requirements for de-identification pursuant to212
HIPAA;213
(I) Included in a limited data set as described in 45 C.F.R. 164.514(e), to the extent that214
the information is used, disclosed, and maintained in the manner specified in215
45 C.F.R. 164.514(e);216
(J) Originated from, and intermingled to be indistinguishable with, or information217
treated in the same manner as, information exempt under this subsection that is218
maintained by a covered entity or business associate as defined by HIPAA or a program219
or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;220
(K) Used only for public health activities and purposes as authorized by HIPAA;221
(L) Impacted a consumer's credit worthiness, credit standing, credit capacity, character,222
general reputation, personal characteristics, or mode of living by a consumer reporting223
S. B. 473 (SUB)
- 9 - 24 LC 36 5879S
agency or furnisher that provides information for use in a consumer report, and by a224
user of a consumer report, but only to the extent that such activity is regulated by and225
authorized under the federal Fair Credit Reporting Act, as amended, 15 U.S.C.226
Section 1681 et seq.;227
(M) Collected, processed, or disclosed in compliance with the federal Driver's Privacy228
Protection Act of 1994, as amended, 18 U.S.C. Section 2721 et seq.;229
(N) Regulated by the federal Family Educational Rights and Privacy Act (FERPA), as230
amended, 20 U.S.C. Section 1232g et seq.;231
(O) Collected, processed, or disclosed in compliance with the federal Farm Credit Act,232
as amended, 12 U.S.C. Section 2001 et seq.; or233
(P) Maintained or used for purposes of compliance with the regulation of listed234
chemicals under the federal Controlled Substances Act, as amended, 21 U.S.C.235
Section 830;236
(3) A nonprofit organization;237
(4) Any state agency, the judicial branch, the legislative branch, or any local government238
of this state;239
(5) Any institution of higher education that does not engage in the sale of personal240
information; 241
(6) Any electric supplier as defined in Code Section 46-3-3 that does not engage in the242
sale of personal information; or243
(7) Data processed or maintained:244
(A) In the course of an individual applying to, being employed by, or acting as an agent245
or independent contractor of a controller, processor, or third party, to the extent that the246
data is collected and used within the context of that role; 247
(B) As the emergency contact information of an individual employed by or acting as248
an agent or independent contractor of a controller, processor, or third party for use as249
emergency contact purposes with the consent of such individual; or250
S. B. 473 (SUB)
- 10 - 24 LC 36 5879S
(C) As necessary to retain to administer benefits for an individual who qualifies for251
benefits as part of the benefits provided to an individual employed by or acting as an252
agent or independent contractor of a controller, processor, or third party.253
(c) Controllers and processors that comply with the verifiable parental consent254
requirements of the federal Children's Online Privacy Protection Act (COPPA), as255
amended, 15 U.S.C. Section 6501 et seq., shall be deemed compliant with an obligation to256
obtain parental consent under this article.257
(d) Nothing in this article shall require a controller, processor, third party, or consumer to258
disclose trade secrets.259
10-1-963.260
(a)(1) A consumer may invoke the consumer rights authorized pursuant to paragraph (2)261
of this subsection at any time by submitting a request to a controller specifying the262
consumer rights the consumer wishes to invoke. A known child's parent or legal guardian263
may invoke the consumer rights authorized pursuant to paragraph (2) of this subsection264
on behalf of the such known child regarding processing personal information belonging265
to the known child.266
(2) A controller shall comply with an authenticated consumer request to exercise the267
right to:268
(A) Confirm whether a controller is processing the consumer's personal information269
and to access such personal information;270
(B) Correct inaccuracies in the consumer's personal information, taking into account271
the nature of the personal information and the purposes of the processing of such272
consumer's personal information;273
(C) Delete personal information provided by or obtained about the consumer. A274
controller shall not be required to delete information that it maintains or uses as275
aggregate or de-identified data; provided, that such data in the possession of the276
S. B. 473 (SUB)
- 11 - 24 LC 36 5879S
controller is not linked to a specific consumer. A controller that obtained personal277
information about a consumer from a source other than the consumer shall be in278
compliance with a consumer's request to delete such personal information by retaining279
a record of the deletion request and the minimum information necessary for the purpose280
of ensuring that the consumer's personal information remains deleted from the281
controller's records and by not using such retained personal information for any purpose282
prohibited under this article;283
(D) Obtain a copy of the consumer's personal information that the consumer previously284
provided to the controller in a portable and, to the extent technically feasible, readily285
usable format that allows the consumer to transmit such personal information to another286
controller without hindrance, where the processing is carried out by automated means;287
or288
(E) Opt out of a controller's processing of personal information for purposes of:289
(i) Engaging in the sale of personal information about the consumer;290
(ii) Targeted advertising; or291
(iii) Profiling in furtherance of decisions that produce legal or similarly significant292
effects concerning the consumer.293
(b) Except as otherwise provided in this article, a controller shall comply with an294
authenticated request by a consumer to exercise the consumer rights authorized pursuant295
to paragraph (2) of subsection (a) of this Code section as follows:296
(1) A controller shall respond to the consumer without undue delay, but in all cases297
within 45 days of receipt of a request submitted pursuant to subsection (a) of this Code298
section. The response period may be extended once by 45 additional days when299
reasonably necessary, taking into account the complexity and number of the consumer's300
requests, so long as the controller informs the consumer of the extension within the initial301
45 day response period, together with the reason for the extension;302
S. B. 473 (SUB)
- 12 - 24 LC 36 5879S
(2) If a controller declines to take action regarding the consumer's request, then the303
controller shall inform the consumer without undue delay, but in all cases within 45 days304
of receipt of the request, of the justification for declining to take action and instructions305
for how to appeal the decision pursuant to subsection (c) of this Code section;306
(3) Information provided in response to a consumer request shall be provided by a307
controller free of charge, up to twice annually per consumer. If requests from a consumer308
are manifestly unfounded, technically infeasible, excessive, or repetitive, then the309
controller may charge the consumer a reasonable fee to cover the administrative costs of310
complying with the request or decline to act on the request. The controller bears the311
burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or312
repetitive nature of the request; and313
(4) If a controller is unable to authenticate the request using commercially reasonable314
efforts, then the controller shall not be required to comply with a request to initiate an315
action under subsection (a) of this Code section and may request that the consumer316
provide additional information reasonably necessary to authenticate the consumer and the317
consumer's request.318
(c) A controller shall establish a process for a consumer to appeal the controller's refusal319
to take action on a request within a reasonable period of time after the consumer's receipt320
of the decision pursuant to paragraph (2) of subsection (b) of this Code section. The appeal321
process shall be:322
(1) Made available to the consumer in a conspicuous manner;323
(2) Available at no cost to the consumer; and324
(3) Similar to the process for submitting requests to initiate action pursuant to325
subsection (a) of this Code section.326
Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing327
of action taken or not taken in response to the appeal, including a written explanation of328
the reasons for the decision. If the appeal is denied, the controller shall then also provide329
S. B. 473 (SUB)
- 13 - 24 LC 36 5879S
the consumer with an online mechanism, if available, or other method through which the330
consumer may contact the Attorney General to submit a complaint.331
10-1-964.332
(a) A controller shall:333
(1) Limit the collection of personal information to what is adequate, relevant, and334
reasonably necessary in relation to the purposes for which the data is processed, as335
disclosed to the consumer;336
(2) Except as otherwise provided in this article, not process personal information for337
purposes that are beyond what is reasonably necessary to and compatible with the338
disclosed purposes for which the personal information is processed, as disclosed to the339
consumer, unless the controller obtains the consumer's consent;340
(3) Establish, implement, and maintain reasonable administrative, technical, and physical341
data security practices, as described in Code Section 10-1-973, to protect the342
confidentiality, integrity, and accessibility of personal information. The data security343
practices shall be appropriate to the volume and nature of the personal information at344
issue;345
(4) Not be required to delete information that it maintains or uses as aggregate or346
de-identified data, provided that such data in the possession of the business is not linked347
to a specific consumer;348
(5) Not process personal information in violation of state and federal laws that prohibit349
unlawful discrimination against consumers. A controller shall not discriminate against350
a consumer for exercising the consumer rights contained in this article, including denying351
goods or services, charging different prices or rates for goods or services, or providing352
a different level of quality of goods and services to the consumer. However, this353
paragraph shall not require a controller to provide a product or service that requires the354
personal information of a consumer that the controller does not collect or maintain, or355
S. B. 473 (SUB)
- 14 - 24 LC 36 5879S
prohibit a controller from offering a different price, rate, level, quality, or selection of356
goods or services to a consumer, including offering goods or services for no fee, if the357
consumer has exercised the right to opt out pursuant to subparagraph (E) of paragraph (2)358
of subsection (a) of Code Section 10-1-963 or the offer is related to a consumer's359
voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or360
club card program; and361
(6) Not process sensitive data concerning a consumer without obtaining the consumer's362
consent, or, in the case of the processing of sensitive data concerning a known child,363
without processing the data in accordance with the federal Children's Online Privacy364
Protection Act, as amended, 15 U.S.C. Section 6501 et seq., and its implementing365
regulations.366
(b) A provision of a contract or agreement that purports to waive or limit the consumer367
rights described in Code Section 10-1-963 is contrary to public policy and is void and368
unenforceable.369
(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice370
that includes:371
(1) The categories of personal information processed by the controller;372
(2) The purpose for processing personal information;373
(3) How consumers may exercise their consumer rights pursuant to Code374
Section 10-1-963, including how a consumer may appeal a controller's decision with375
regard to the consumer's request;376
(4) The categories of personal information that the controller sells to third parties, if any;377
and378
(5) The categories of third parties, if any, with whom the controller engages in the sale379
of personal information.380
(d) If a controller engages in the sale of personal information to third parties or processes381
personal information for targeted advertising, then the controller shall clearly and382
S. B. 473 (SUB)
- 15 - 24 LC 36 5879S
conspicuously disclose the processing, as well as the manner in which a consumer may383
exercise the right to opt out of the processing.384
(e)(1) A controller shall provide, and shall describe in a privacy notice, one or more385
secure and reliable means for a consumer to submit a request to exercise the consumer386
rights described in Code Section 10-1-963. Such means shall take into account the:387
(A) Ways in which a consumer normally interacts with the controller;388
(B) Need for secure and reliable communication of such requests; and389
(C) Ability of a controller to authenticate the identity of the consumer making the390
request.391
(2) A controller shall not require a consumer to create a new account in order to exercise392
the consumer rights described in Code Section 10-1-963, but may require a consumer to393
use an existing account.394
10-1-965.395
(a) A processor shall adhere to the instructions of a controller and shall assist the controller396
in meeting its obligations under this article. The assistance provided by the processor shall397
include:398
(1) Taking into account the nature of processing and the information available to the399
processor, by appropriate technical and organizational measures, insofar as reasonably400
practicable, to fulfill the controller's obligation to respond to consumer rights requests401
pursuant to Code Section 10-1-963; and402
(2) Providing necessary information to enable the controller to conduct and document403
data protection assessments pursuant to Code Section 10-1-966.404
(b) A contract between a controller and a processor governs the processor's data processing405
procedures with respect to processing performed on behalf of the controller. The contract406
shall be binding and shall clearly set forth instructions for processing data, the nature and407
purpose of processing, the type of data subject to processing, the duration of processing,408
S. B. 473 (SUB)
- 16 - 24 LC 36 5879S
and the rights and obligations of both parties. The contract shall also include requirements409
that the processor shall:410
(1) Ensure that each person processing personal information is subject to a duty of411
confidentiality with respect to the data;412
(2) At the controller's direction, delete or return all personal information to the controller413
as requested at the end of the provision of services, unless retention of the personal414
information is required by law;415
(3) Upon the reasonable request of the controller, make available to the controller all416
information in its possession necessary to demonstrate the processor's compliance with417
the obligations in this article;418
(4) Allow, and cooperate with, reasonable assessments by the controller or the419
controller's designated assessor; alternatively, the processor may arrange for a qualified420
and independent assessor to conduct an assessment of the processor's policies and421
technical and organizational measures in support of the obligations under this article422
using an appropriate and accepted control standard or framework and assessment423
procedure for the assessments. The processor shall provide a report of each assessment424
to the controller upon request; and425
(5) Engage a subcontractor pursuant to a written contract in that requires the426
subcontractor to meet the obligations of the processor with respect to the personal427
information.428
(c) Nothing in this Code section shall relieve a controller or a processor from the liabilities429
imposed on it by virtue of its role in the processing relationship as described in430
subsection (b) of this Code section.431
(d) Determining whether a person is acting as a controller or processor with respect to a432
specific processing of data is a fact based determination that depends upon the context in433
which personal information is to be processed. A processor that continues to adhere to a434
S. B. 473 (SUB)
- 17 - 24 LC 36 5879S
controller's instructions with respect to a specific processing of personal information435
remains a processor.436
10-1-966.437
(a) A controller shall conduct and document a data protection assessment of each of the438
following processing activities involving personal information:439
(1) The processing of personal information for purposes of targeted advertising;440
(2) The sale of personal information;441
(3) The processing of personal information for purposes of profiling, where the profiling442
presents a reasonably foreseeable risk of:443
(A) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;444
(B) Financial, physical, or reputational injury to consumers;445
(C) A physical or other intrusion upon the solitude or seclusion, or the private affairs446
or concerns, of consumers, where the intrusion would be offensive to a reasonable447
person; or448
(D) Other substantial injury to consumers;449
(4) The processing of sensitive data; and450
(5) Processing activities involving personal information that present a heightened risk451
of harm to consumers.452
(b) Data protection assessments conducted pursuant to subsection (a) of this Code section453
shall identify and weigh the benefits that may flow, directly and indirectly, from the454
processing to the controller, the consumer, other stakeholders, and the public against the455
potential risks to the rights of the consumer associated with the processing, as mitigated by456
safeguards that can be employed by the controller to reduce the risks. The use of457
de-identified data and the reasonable expectations of consumers, as well as the context of458
the processing and the relationship between the controller and the consumer whose459
S. B. 473 (SUB)
- 18 - 24 LC 36 5879S
personal information will be processed, shall be factored into this assessment by the460
controller.461
(c) The Attorney General may request pursuant to a civil investigative demand that a462
controller disclose a data protection assessment that is relevant to an investigation463
conducted by the Attorney General, and the controller shall make the data protection464
assessment available to the Attorney General. The Attorney General shall evaluate the data465
protection assessment for compliance with the responsibilities set forth in Code466
Section 10-1-964. The disclosure of a data protection assessment pursuant to a request467
from the Attorney General shall not constitute a waiver of attorney-client privilege or work468
product protection with respect to the assessment and information contained in the469
assessment. Such data protection assessments shall be confidential and shall not be open470
to public inspection and copying under Article 4 of Chapter 18 of Title 50, relating to open471
records.472
(d) A single data protection assessment may address a comparable set of processing473
operations that include similar activities.474
(e) A data protection assessment conducted by a controller for the purpose of compliance475
with other laws, rules, or regulations may comply with this Code section if such data476
protection assessment have a reasonably comparable scope and effect.477
(f) The data protection assessment requirements in this article shall apply only to478
processing activities created or generated on or after July 1, 2026.479
10-1-967.480
(a) A controller in possession of de-identified data shall:481
(1) Take reasonable measures to ensure that the data cannot be associated with a natural482
person;483
(2) Publicly commit to maintaining and using de-identified data without attempting to484
reidentify the data; and485
S. B. 473 (SUB)
- 19 - 24 LC 36 5879S
(3) Contractually obligate recipients of the de-identified data to comply with this article.486
(b) Nothing in this Code section shall require a controller or processor to:487
(1) Reidentify de-identified data or pseudonymous data;488
(2) Maintain data in identifiable form, or collect, obtain, retain, or access data or489
technology, in order to be capable of associating an authenticated consumer request with490
personal information; or491
(3) Comply with an authenticated consumer rights request, pursuant to Code492
Section 10-1-963, if:493
(A) The controller is not reasonably capable of associating the request with the494
personal information or it would be unreasonably burdensome for the controller to495
associate the request with the personal information;496
(B) The controller does not use the personal information to recognize or respond to the497
specific consumer who is the subject of the personal information, or associate the498
personal information with other personal information about the same specific499
consumer; and500
(C) The controller does not engage in the sale of personal information to a third party501
or otherwise voluntarily disclose the personal information to a third party other than a502
processor, except as otherwise permitted in this Code section.503
(c) The consumer rights described in Code Sections 10-1-963 and 10-1-964 shall not apply504
to pseudonymous data in cases where the controller is able to demonstrate information505
necessary to identify the consumer is kept separately and is subject to effective technical506
and organizational controls that prevent the controller from accessing that information.507
(d) A controller that discloses pseudonymous data or de-identified data shall exercise508
reasonable oversight to monitor compliance with contractual commitments to which the509
pseudonymous data or de-identified data is subject and shall take appropriate steps to510
address breaches of those contractual commitments.511
S. B. 473 (SUB)
- 20 - 24 LC 36 5879S
10-1-968.512
(a) Nothing in this article shall restrict a controller's or processor's ability to:513
(1) Comply with federal, state, or local laws, rules, or regulations;514
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or515
summons by federal, state, local, or other governmental authorities;516
(3) Cooperate with law enforcement agencies concerning conduct or activity that the517
controller or processor reasonably and in good faith believes may violate federal, state,518
or local laws, rules, or regulations;519
(4) Investigate, establish, exercise, prepare for, or defend legal claims;520
(5) Provide a product or service specifically requested by a consumer or the parent or521
legal guardian of a known child, perform a contract to which the consumer is a party,522
including fulfilling the terms of a written warranty, or take steps at the request of the523
consumer prior to entering into a contract;524
(6) Take immediate steps to protect an interest that is essential for the life or physical525
safety of the consumer or of another natural person, and where the processing cannot be526
manifestly based on another legal basis;527
(7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud,528
harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or529
security of systems; or investigate, report, or prosecute those responsible for such action;530
(8) Engage in public reviewed or peer reviewed scientific or statistical research in the531
public interest that adheres to all other applicable ethics and privacy laws and is532
approved, monitored, and governed by an institutional review board, or similar533
independent oversight entity that determines whether:534
(A) Deletion of the information is likely to provide substantial benefits that do not535
exclusively accrue to the controller;536
(B) The expected benefits of the research outweigh the privacy risks; and537
S. B. 473 (SUB)
- 21 - 24 LC 36 5879S
(C) The controller has implemented reasonable safeguards to mitigate privacy risks538
associated with research, including risks associated with reidentification; or539
(9) Assist another controller, processor, or third party with the obligations under this540
article.541
(b) The obligations imposed on controllers or processors under this article shall not restrict542
a controller's or processor's ability to collect, use, or retain data to:543
(1) Conduct internal research to develop, improve, or repair products, services, or544
technology;545
(2) Effectuate a product recall;546
(3) Identify and repair technical errors that impair existing or intended functionality;547
(4) Authenticate an individual for the purpose of allowing access to a secure location or548
facility; or 549
(5) Perform internal operations that are reasonably aligned with the expectations of the550
consumer or reasonably anticipated based on the consumer's existing relationship with551
the controller or are otherwise compatible with processing data in furtherance of the552
provision of a product or service specifically requested by a consumer or the performance553
of a contract to which the consumer is a party.554
(c) The obligations imposed on controllers or processors under this article shall not apply555
where compliance with this article by the controller or processor would violate an556
evidentiary privilege under the laws of this state. Nothing in this article shall prevent a557
controller or processor from providing personal information concerning a consumer to a558
person covered by an evidentiary privilege under the laws of this state as part of a559
privileged communication.560
(d)(1) A controller or processor that discloses personal information to a third-party561
controller or processor, in compliance with the requirements of this article, shall not be562
in violation of this article if:563
S. B. 473 (SUB)
- 22 - 24 LC 36 5879S
(A) The third-party controller or processor that receives and processes the personal564
information is in violation of this article; and565
(B) At the time of disclosing the personal information, the disclosing controller or566
processor did not have actual knowledge that the recipient intended to commit a567
violation.568
(2) A third-party controller or processor receiving personal information from a controller569
or processor in compliance with the requirements of this article is likewise not in570
violation of this article for the violations of the controller or processor from which it571
receives such personal information.572
(e) This article shall not impose an obligation on controllers and processors that adversely573
affects the rights or freedoms of a person, such as exercising the right of free speech574
pursuant to the First Amendment to the United States Constitution, or that applies to the575
processing of personal information by a person in the course of a purely personal activity.576
(f) A controller shall not process personal information for purposes other than those577
expressly listed in this Code section unless otherwise allowed by this article. Personal578
information processed by a controller pursuant to this Code section may be processed to579
the extent that the processing is:580
(1) Reasonably necessary and proportionate to the purposes listed in this section; and581
(2) Adequate, relevant, and limited to what is necessary in relation to the specific582
purposes listed in this section. Personal information collected, used, or retained pursuant583
to subsection (b) of this Code section shall, where applicable, take into account the nature584
and purpose or purposes of the collection, use, or retention. The data shall be subject to585
reasonable administrative, technical, and physical measures to protect the confidentiality,586
integrity, and accessibility of the personal information and to reduce reasonably587
foreseeable risks of harm to consumers relating to the collection, use, or retention of588
personal information.589
S. B. 473 (SUB)
- 23 - 24 LC 36 5879S
(g) If a controller processes personal information pursuant to an exemption in this Code590
section, then the controller bears the burden of demonstrating that the processing qualifies591
for the exemption and complies with subsection (f) of this Code section.592
(h) Processing personal information for the purposes expressly identified in any of the593
paragraphs (1) through (9) of subsection of (a) of this Code section shall not solely make594
an entity a controller with respect to the processing.595
10-1-969.596
Nothing in this article shall be construed to conflict with the specific requirements:597
(1) Related to the management of health records under Title 31; or598
(2) Included in federal law.599
10-1-970.600
(a) A provision of a contract or agreement that waives or limits a consumer's rights under601
this article, including, but not limited to, a right to a remedy or means of enforcement, is602
contrary to public policy, void, and unenforceable.603
(b) Nothing in this article shall prevent a consumer from declining to request information604
from a controller, declining to opt out of a controller's sale of the consumer's personal605
information, or authorizing a controller to sell the consumer's personal information after606
previously opting out.607
(c) This article shall apply to contracts entered into, amended, or renewed on or after608
July 1, 2026.609
10-1-971.610
If the Attorney General has reasonable cause to believe that an individual, controller, or611
processor has engaged in, is engaging in, or is about to engage in a violation of this article,612
then the Attorney General may issue a civil investigative demand.613
S. B. 473 (SUB)
- 24 - 24 LC 36 5879S
10-1-972.614
(a) The Attorney General shall have exclusive authority to enforce this article.615
(b) The Attorney General may develop reasonable cause to believe that a controller or616
processor is in violation of this article, based on the Attorney General's own inquiry or on617
consumer or public complaints. Prior to initiating an action under this article, the Attorney618
General shall provide a controller or processor 60 days' written notice identifying the619
specific provisions of this article the Attorney General alleges have been or are being620
violated. If within the 60 day period, the controller or processor cures the noticed violation621
and provides the Attorney General an express written statement that the alleged violations622
have been cured and that no such further violations shall occur, then the Attorney General623
shall not initiate an action against the controller or processor.624
(c) If a controller or processor continues to violate this article following the cure period625
provided for in subsection (b) of this Code section or breaches an express written statement626
provided to the Attorney General under subsection (b) of this Code section, then the627
Attorney General may bring an action in a court of competent jurisdiction seeking any of628
the following relief:629
(1) Declaratory judgment that the act or practice violates this article;630
(2) Injunctive relief, including preliminary and permanent injunctions, to prevent an631
additional violation of and compel compliance with this article;632
(3) Civil penalties, as described in subsection (d) of this Code section;633
(4) Reasonable attorney's fees and investigative costs; or634
(5) Other relief the court determines appropriate.635
(d)(1) A court may impose a civil penalty of up to $7,500.00 for each violation of this636
article.637
(2) If the court finds the controller or processor willfully or knowingly violated this638
article, then the court may, in its discretion, award treble damages.639
S. B. 473 (SUB)
- 25 - 24 LC 36 5879S
(e) A violation of this article shall not serve as the basis for, or be subject to, a private right640
of action, including a class action lawsuit, under this article or any other law.641
(f) The Attorney General may recover reasonable expenses incurred in investigating and642
preparing a case, including attorney's fees, in an action initiated under this article.643
10-1-973.644
(a) A controller or processor shall have an affirmative defense to a cause of action for a645
violation of this article if the controller or processor creates, maintains, and complies with646
a written privacy program that:647
(1)(A) Reasonably conforms to the NIST or comparable privacy framework designed648
to safeguard consumer privacy; and649
(B) Is updated to reasonably conform with a subsequent revision to the NIST or650
comparable privacy framework within two years of the publication date stated in the651
most recent revision to the NIST or comparable privacy framework; and652
(2) Provides a person with the substantive rights required by this article.653
(b) The scale and scope of a controller or processor's privacy program under subsection (a)654
of this Code section shall be appropriate if it is based on all of the following factors:655
(1) The size and complexity of the controller or processor's business;656
(2) The nature and scope of the activities of the controller or processor;657
(3) The sensitivity of the personal information processed;658
(4) The cost and availability of tools to improve privacy protections and data659
governance; and660
(5) Compliance with a comparable state or federal law, if applicable.661
S. B. 473 (SUB)
- 26 - 24 LC 36 5879S
10-1-974.662
(a) A municipality, county, or consolidated government shall not require a controller or663
processor to disclose personal information of consumers, unless pursuant to a subpoena or664
court order.665
(b) This article shall supersede and preempt any conflicting provisions of any ordinances,666
resolutions, regulations, or the equivalent adopted by any municipality, county, or667
consolidated government in this state regarding the processing of personal information by668
controllers or processors."669
SECTION 2.670
This Act shall become effective on July 1, 2026.671
SECTION 3.672
All laws and parts of laws in conflict with this Act are repealed.673
S. B. 473 (SUB)
- 27 -