Georgia 2025-2026 Regular Session

Georgia Senate Bill SB111 Compare Versions

OldNewDifferences
11 25 LC 59 0079
22 Senate Bill 111
33 By: Senators Albers of the 56th, Burns of the 23rd, Rahman of the 5th, Still of the 48th,
44 Setzler of the 37th and others
5-AS PASSED SENATE
65 A BILL TO BE ENTITLED
76 AN ACT
87 To amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and
98 1
109 trade, so as to enact the "Georgia Consumer Privacy Protection Act"; to protect the privacy2
1110 of consumer personal data in this state; to provide for definitions; to provide for applicability;3
1211 to provide for exemptions for certain entities, data, and uses of data; to provide for consumer4
1312 rights regarding personal data; to provide for a consumer to exercise such rights by5
1413 submitting a request to a controller; to provide for a controller to promptly respond to such6
1514 requests; to provide for exemptions; to provide for responsibilities of processors and7
1615 controllers; to provide for notice and disclosure; to provide for security practices to protect8
1716 consumer personal data; to allow a controller to offer different goods or services under9
1817 certain conditions; to provide for limitations; to provide for statutory construction; to provide10
1918 for enforcement and penalties; to provide an affirmative defense; to prohibit the disclosure11
2019 of personal data of consumers to local governments unless pursuant to a subpoena or court12
2120 order; to provide for preemption of local regulation; to provide for related matters; to provide13
2221 an effective date; to repeal conflicting laws; and for other purposes.14
2322 BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:15
2423 S. B. 111
2524 - 1 - 25 LC 59 0079
2625 SECTION 1.
2726 16
2827 Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, is17
2928 amended by adding a new article to Chapter 1, relating to selling and other trade practices,18
3029 to read as follows:19
3130 "ARTICLE 37
3231 20
3332 10-1-960.21
3433 This article shall be known and may be cited as the 'Georgia Consumer Privacy Protection22
3534 Act.'23
3635 10-1-961.24
3736 As used in this article, the term:25
3837 (1) 'Affiliate' means a legal entity that controls, is controlled by, or is under common26
3938 control with another legal entity or shares common branding with another legal entity. As27
4039 used in this paragraph, the term 'control' or 'controlled' means:28
4140 (A) Ownership of, or the power to vote, more than 50 percent of the outstanding shares29
4241 of a class of voting security of an entity;30
4342 (B) Control in any manner over the election of a majority of the directors or of31
4443 individuals exercising similar functions relative to an entity; or32
4544 (C) The power to exercise controlling influence over the management of an entity.33
4645 (2) 'Authenticate' means to verify using reasonable means that a consumer who is34
4746 entitled to exercise the rights in Code Section 10-1-963, is the same consumer who is35
4847 exercising such consumer rights with respect to the personal information at issue.36
4948 (3)(A) 'Biometric data' means data generated by automatic measurement of an37
5049 individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris,38
5150 S. B. 111
5251 - 2 - 25 LC 59 0079
5352 or other unique biological patterns or characteristics that are used to identify a specific39
5453 individual.40
5554 (B) Such term shall not include:41
5655 (i) A physical or digital photograph, video recording, or audio recording or data42
5756 generated from a photograph or video or audio recording;43
5857 (ii) Information captured and converted to a mathematical representation, including44
5958 a numeric string or similar configuration, that cannot be used to recreate data45
6059 generated by automatic measurement of an individual's biological patterns or46
6160 characteristics used to identify the specific individual; or47
6261 (iii) Information collected, used, or stored for healthcare treatment, payment, or48
6362 operations under HIPAA.49
6463 (4) 'Business associate' shall have the same meaning as provided by HIPAA.50
6564 (5) 'Consent' means a clear affirmative act signifying a consumer's freely given, specific,51
6665 informed, and unambiguous agreement to process personal information relating to the52
6766 consumer. Such term may include a written statement, including a statement written by53
6867 electronic means, or an unambiguous affirmative action.54
6968 (6) 'Consumer' means an individual who is a resident of this state acting only in a55
7069 personal context. Such term shall not include an individual acting in a commercial or56
7170 employment context.57
7271 (7) 'Controller' means the person that, alone or jointly with others, determines the58
7372 purpose and means of processing personal information.59
7473 (8) 'Covered entity' shall have the same meaning as provided by HIPAA.60
7574 (9) 'Decisions that produce legal or similarly significant effects concerning the consumer'61
7675 means decisions made by the controller that result in the provision or denial by the62
7776 controller of financial or lending services, housing, insurance, education enrollment or63
7877 opportunity, criminal justice, employment opportunities, healthcare services, or access64
7978 to basic necessities, such as food and water.65
8079 S. B. 111
8180 - 3 - 25 LC 59 0079
8281 (10) 'De-identified data' means data that cannot reasonably be linked to an identified or66
8382 identifiable individual, or any device linked to such natural person.67
8483 (11) 'Health record' shall have the same meaning as set forth in paragraph (3) of Code68
8584 Section 31-33-1. Such term includes the substance of a communication made by an69
8685 individual to a healthcare facility described in or licensed pursuant to Title 31 in70
8786 confidence during or in connection with the provision of healthcare services or71
8887 information otherwise acquired by the healthcare entity about an individual in confidence72
8988 and in connection with the provision of healthcare services to the individual.73
9089 (12) 'HIPAA' means the federal Health Insurance Portability and Accountability Act of74
9190 1996, as amended, 42 U.S.C. Section 1320d et seq.75
9291 (13) 'Identified or identifiable individual' means a natural person who can be readily76
9392 identified, whether directly or indirectly.77
9493 (14) 'Institution of higher education' means a public or private college or university in78
9594 this state.79
9695 (15) 'Known child' means an individual who the controller has actual knowledge is under80
9796 13 years of age.81
9897 (16) 'NIST' means the National Institute of Standards and Technology privacy82
9998 framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management83
10099 Version 1.0' or any subsequent version thereof.84
101100 (17) 'Nonprofit organization' means an organization exempt from taxation under the85
102101 Internal Revenue Code, codified in 26 U.S.C. Sections 501-530.86
103102 (18) 'Person' means any individual or entity.87
104103 (19) 'Personal information' means information that is linked or reasonably linkable to an88
105104 identified or identifiable individual. Such term shall not include information that is89
106105 publicly available or de-identified.90
107106 (20)(A) 'Precise geolocation data' means information derived from technology,91
108107 including, but not limited to, global positioning system level latitude and longitude92
109108 S. B. 111
110109 - 4 - 25 LC 59 0079
111110 coordinates or other mechanisms, that directly identifies the specific location of a93
112111 natural person with precision and accuracy within a radius of 1,750 feet.94
113112 (B) Such term shall not include:95
114113 (i) The content of communications; or96
115114 (ii) Data generated by or connected to advanced utility metering infrastructure97
116115 systems or equipment for use by a utility.98
117116 (21) 'Process' or 'processing' means an operation or set of operations performed, whether99
118117 by manual or automated means, on personal information or on sets of personal100
119118 information, such as the collection, use, storage, disclosure, analysis, deletion, or101
120119 modification of personal information.102
121120 (22) 'Processor' means a person that processes personal information on behalf of a103
122121 controller.104
123122 (23) 'Profiling' means a form of automated processing performed on personal105
124123 information solely to evaluate, analyze, or predict personal aspects related to an identified106
125124 or identifiable individual's economic situation, health, personal preferences, interests,107
126125 reliability, behavior, location, or movements.108
127126 (24) 'Protected health information' shall have the same meaning as provided by HIPAA.109
128127 (25) 'Pseudonymous data' means personal information that cannot be attributed to a110
129128 specific individual without the use of additional information, so long as the additional111
130129 information is kept separately and is subject to appropriate technical and organizational112
131130 measures to ensure that the personal information is not attributed to an identified or113
132131 identifiable individual.114
133132 (26) 'Publicly available information' means information that is lawfully made available115
134133 through federal, state, or local government records, or information that a business has a116
135134 reasonable basis to believe is lawfully made available to the general public through117
136135 widely distributed media, by the consumer, or by a person to which the consumer has118
137136 S. B. 111
138137 - 5 - 25 LC 59 0079
139138 disclosed the information, unless the consumer has restricted the information to a specific119
140139 audience.120
141140 (27)(A) 'Sale of personal information' or 'sell personal information' means the121
142141 exchange of personal information for monetary or other valuable consideration by the122
143142 controller to a third party.123
144143 (B) Such term shall not include:124
145144 (i) The disclosure of personal information to a processor that processes the personal125
146145 information on behalf of the controller;126
147146 (ii) The disclosure of personal information to a third party for purposes of providing127
148147 a product or service requested by the consumer;128
149148 (iii) The disclosure or transfer of personal information to an affiliate of the controller;129
150149 (iv) The disclosure of information that the consumer:130
151150 (I) Intentionally made available to the general public via a channel of mass media;131
152151 and132
153152 (II) Did not restrict to a specific audience; or133
154153 (v) The disclosure or transfer of personal information to a third party as an asset that134
155154 is part of a merger, acquisition, bankruptcy, or other transaction in which the third135
156155 party assumes control of all or part of the controller's assets.136
157156 (28) 'Sensitive data' means a category of personal information that includes:137
158157 (A) Personal information revealing racial or ethnic origin, religious belief, mental or138
159158 physical health diagnosis, sexual orientation, or citizenship or immigration status;139
160159 (B) The processing of genetic data or biometric data for the purpose of uniquely140
161160 identifying an individual;141
162161 (C) The personal information collected from a known child; or142
163162 (D) Precise geolocation data.143
164163 (29) 'State agency' means an agency, institution, board, bureau, commission, council, or144
165164 instrumentality of the executive branch of state government of this state.145
166165 S. B. 111
167166 - 6 - 25 LC 59 0079
168167 (30)(A) 'Targeted advertising' means displaying to a consumer an advertisement that146
169168 is selected based on personal information obtained from such consumer's activities over147
170169 time and across nonaffiliated websites or online applications to predict the consumer's148
171170 preferences or interests.149
172171 (B) Such term shall not include:150
173172 (i) Advertisements based on activities within a controller's own websites or online151
174173 applications;152
175174 (ii) Advertisements based on the context of a consumer's current search query, visit153
176175 to a website, or online application;154
177176 (iii) Advertisements directed to a consumer in response to the consumer's request for155
178177 information or feedback; or156
179178 (iv) Personal information processed solely for measuring or reporting advertising157
180179 performance, reach, or frequency.158
181180 (31) 'Third party' means a person other than the consumer, controller, processor, or an159
182181 affiliate of the controller or processor.160
183182 (32) 'Trade secret' shall have the same meaning as set forth in Code Section 16-8-13.161
184183 10-1-962.162
185184 (a) This article shall apply to a person that conducts business in this state by producing163
186185 products or services targeted to consumers of this state that exceeds $25 million in revenue164
187186 and that:165
188187 (1) Controls or processes personal information of at least 25,000 consumers and derives166
189188 more than 50 percent of gross revenue from the sale of personal information; or167
190189 (2) During a calendar year, controls or processes personal information of at least 175,000168
191190 consumers.169
192191 (b) This article shall not apply to:170
193192 (1) A person that is:171
194193 S. B. 111
195194 - 7 - 25 LC 59 0079
196195 (A) A financial institution or an affiliate of a financial institution subject to Title V of172
197196 the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C. Section 6801 et seq.;173
198197 (B) Licensed in this state under Title 33 as an insurance company and transacts174
199198 insurance business;175
200199 (C) Licensed in this state under Title 33 as an insurance producer;176
201200 (D) A covered entity or business associate governed by the privacy, security, and177
202201 breach notification rules issued by the United States Department of Health and Human178
203202 Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the federal179
204203 Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);180
205204 (E) An air carrier regulated by the secretary of transportation under 49 U.S.C. Section181
206205 41712 and exempt from state regulations under 49 U.S.C. Section 41713(b)(1); or182
207206 (F) An entity subject to 42 U.S.C. Section 290dd-2;183
208207 (2) Data or personal information that is:184
209208 (A) Subject to Title V of the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C.185
210209 Section 6801 et seq.;186
211210 (B) Protected health information under HIPAA;187
212211 (C) Considered a health record for purposes of Title 31;188
213212 (D) Considered patient identifying information for purposes of 42 U.S.C.189
214213 Section 290dd-2;190
215214 (E) Processed for purposes of:191
216215 (i) Research conducted in accordance with the federal policy for the protection of192
217216 human subjects under 45 C.F.R. Part 46;193
218217 (ii) Human subjects research conducted in accordance with good clinical practice194
219218 guidelines issued by the International Council for Harmonization of Technical195
220219 Requirements for Pharmaceuticals for Human Use; or196
221220 (iii) Research conducted in accordance with the protection of human subjects under197
222221 21 C.F.R. Parts 6, 50, and 56;198
223222 S. B. 111
224223 - 8 - 25 LC 59 0079
225224 (F) Created for purposes of the federal Health Care Quality Improvement Act of 1986,199
226225 as amended, 42 U.S.C. Section 11101 et seq.;200
227226 (G) Considered patient safety work product for purposes of the federal Patient Safety201
228227 and Quality Improvement Act, as amended, 42 U.S.C. Section 299b-21 et seq.;202
229228 (H) Derived from the healthcare related information listed in this subsection that is203
230229 de-identified in accordance with the requirements for de-identification pursuant to204
231230 HIPAA;205
232231 (I) Included in a limited data set as described in 45 C.F.R. 164.514(e), to the extent that206
233232 the information is used, disclosed, and maintained in the manner specified in207
234233 45 C.F.R. 164.514(e);208
235234 (J) Originated from, and intermingled to be indistinguishable with, or information209
236235 treated in the same manner as, information exempt under this subsection that is210
237236 maintained by a covered entity or business associate as defined by HIPAA or a program211
238237 or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;212
239238 (K) Used only for public health activities and purposes as authorized by HIPAA;213
240239 (L) Collected, maintained, disclosed, sold, communicated, or used, bearing upon a214
241240 consumer's credit worthiness, credit standing, credit capacity, character, general215
242241 reputation, personal characteristics, or mode of living, by a consumer reporting agency216
243242 or furnisher that provides information for use in a consumer report, and by a user of a217
244243 consumer report, but only to the extent that such activity is regulated by and authorized218
245244 under the federal Fair Credit Reporting Act, as amended, 15 U.S.C. Section 1681 et219
246245 seq.;220
247246 (M) Collected, processed, or disclosed in compliance with the federal Driver's Privacy221
248247 Protection Act of 1994, as amended, 18 U.S.C. Section 2721 et seq.;222
249248 (N) Regulated by the federal Family Educational Rights and Privacy Act (FERPA), as223
250249 amended, 20 U.S.C. Section 1232g et seq.;224
251250 S. B. 111
252251 - 9 - 25 LC 59 0079
253252 (O) Collected, processed, or disclosed in compliance with the federal Farm Credit Act,225
254253 as amended, 12 U.S.C. Section 2001 et seq.; or226
255254 (P) Maintained or used for purposes of compliance with the regulation of listed227
256255 chemicals under the federal Controlled Substances Act, as amended, 21 U.S.C.228
257256 Section 830;229
258257 (3) Nonprofit organizations that do not sell data;230
259258 (4) Any state agency, the judicial branch, the legislative branch, or any local government231
260259 of this state;232
261260 (5) Any institution of higher education that does not engage in the sale of personal233
262261 information;234
263262 (6) Any electric supplier as defined in Code Section 46-3-3 that does not engage in the235
264263 sale of personal information; or236
265264 (7) Data processed or maintained:237
266265 (A) In the course of an individual applying to, being employed by, or acting as an agent238
267266 or independent contractor of a controller, processor, or third party, to the extent that the239
268267 data is collected and used within the context of that role;240
269268 (B) As the emergency contact information of an individual employed by or acting as241
270269 an agent or independent contractor of a controller, processor, or third party for use as242
271270 emergency contact purposes with the consent of such individual; or243
272271 (C) As necessary to retain to administer benefits for an individual who qualifies for244
273272 benefits as part of the benefits provided to an individual employed by or acting as an245
274273 agent or independent contractor of a controller, processor, or third party.246
275274 (c) Controllers and processors that comply with the verifiable parental consent247
276275 requirements of the federal Children's Online Privacy Protection Act (COPPA), as248
277276 amended, 15 U.S.C. Section 6501 et seq., shall be deemed compliant with an obligation to249
278277 obtain parental consent under this article.250
279278 S. B. 111
280279 - 10 - 25 LC 59 0079
281280 (d) Nothing in this article shall require a controller, processor, third party, or consumer to251
282281 disclose trade secrets.252
283282 10-1-963.253
284283 (a)(1) A consumer may invoke the consumer rights authorized pursuant to paragraph (2)254
285284 of this subsection at any time by submitting a request to a controller specifying the255
286285 consumer rights the consumer wishes to invoke. A known child's parent or legal guardian256
287286 may invoke the consumer rights authorized pursuant to paragraph (2) of this subsection257
288287 on behalf of the such known child regarding processing personal information belonging258
289288 to the known child.259
290289 (2) A controller shall comply with an authenticated consumer request to exercise the260
291290 right to:261
292291 (A) Confirm whether a controller is processing the consumer's personal information262
293292 and to access such personal information;263
294293 (B) Correct inaccuracies in the consumer's personal information, taking into account264
295294 the nature of the personal information and the purposes of the processing of such265
296295 consumer's personal information;266
297296 (C) Delete personal information provided by or obtained about the consumer. A267
298297 controller shall not be required to delete information that it maintains or uses as268
299298 aggregate or de-identified data; provided, that such data in the possession of the269
300299 controller is not linked to a specific consumer. A controller that obtained personal270
301300 information about a consumer from a source other than the consumer shall be in271
302301 compliance with a consumer's request to delete such personal information by:272
303302 (i) Retaining a record of the deletion request and the minimum information necessary273
304303 for the purpose of ensuring that the consumer's personal information remains deleted274
305304 from the controller's records and by not using such retained personal information for275
306305 any purpose prohibited under this article; or276
307306 S. B. 111
308307 - 11 - 25 LC 59 0079
309308 (ii) Opting the consumer out of the processing of such personal information for any277
310309 purposes other than those exempted under this article.278
311310 (D) Obtain a copy of the consumer's personal information that the consumer previously279
312311 provided to the controller in a portable and, to the extent technically feasible, readily280
313312 usable format that allows the consumer to transmit such personal information to another281
314313 controller without hindrance, where the processing is carried out by automated means;282
315314 or283
316315 (E) Opt out of a controller's processing of personal information for purposes of:284
317316 (i) Engaging in the sale of personal information about the consumer;285
318317 (ii) Targeted advertising; or286
319318 (iii) Profiling in furtherance of decisions that produce legal or similarly significant287
320319 effects concerning the consumer.288
321320 (b) Except as otherwise provided in this article, a controller shall comply with an289
322321 authenticated request by a consumer to exercise the consumer rights authorized pursuant290
323322 to paragraph (2) of subsection (a) of this Code section as follows:291
324323 (1) A controller shall respond to the consumer without undue delay, but in all cases292
325324 within 45 days of receipt of a request submitted pursuant to subsection (a) of this Code293
326325 section. The response period may be extended once by 45 additional days when294
327326 reasonably necessary, taking into account the complexity and number of the consumer's295
328327 requests, so long as the controller informs the consumer of the extension within the initial296
329328 45 day response period, together with the reason for the extension;297
330329 (2) If a controller declines to take action regarding the consumer's request, then the298
331330 controller shall inform the consumer without undue delay, but in all cases within 45 days299
332331 of receipt of the request, of the justification for declining to take action and instructions300
333332 for how to appeal the decision pursuant to subsection (c) of this Code section;301
334333 (3) Information provided in response to a consumer request shall be provided by a302
335334 controller free of charge, up to twice annually per consumer. If requests from a consumer303
336335 S. B. 111
337336 - 12 - 25 LC 59 0079
338337 are manifestly unfounded, technically infeasible, excessive, or repetitive, then the304
339338 controller may charge the consumer a reasonable fee to cover the administrative costs of305
340339 complying with the request or decline to act on the request. The controller bears the306
341340 burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or307
342341 repetitive nature of the request; and308
343342 (4) If a controller is unable to authenticate the request using commercially reasonable309
344343 efforts, then the controller shall not be required to comply with a request to initiate an310
345344 action under subsection (a) of this Code section and may request that the consumer311
346345 provide additional information reasonably necessary to authenticate the consumer and the312
347346 consumer's request.313
348347 (c)(1) A controller shall establish a process for a consumer to appeal the controller's314
349348 refusal to take action on a request within a reasonable period of time after the consumer's315
350349 receipt of the decision pursuant to paragraph (2) of subsection (b) of this Code section. 316
351350 The appeal process shall be:317
352351 (A) Made available to the consumer in a conspicuous manner;318
353352 (B) Available at no cost to the consumer; and319
354353 (C) Similar to the process for submitting requests to initiate action pursuant to320
355354 subsection (a) of this Code section.321
356355 (2) Within 60 days of receipt of an appeal, a controller shall inform the consumer in322
357356 writing of action taken or not taken in response to the appeal, including a written323
358357 explanation of the reasons for the decision. If the appeal is denied, the controller shall324
359358 then also provide the consumer with an online mechanism, if available, or other method325
360359 through which the consumer may contact the Attorney General to submit a complaint.326
361360 10-1-964.327
362361 (a) A controller shall:328
363362 S. B. 111
364363 - 13 - 25 LC 59 0079
365364 (1) Limit the collection of personal information to what is adequate, relevant, and329
366365 reasonably necessary in relation to the purposes for which the data is processed, as330
367366 disclosed to the consumer;331
368367 (2) Except as otherwise provided in this article, not process personal information for332
369368 purposes that are beyond what is reasonably necessary to and compatible with the333
370369 disclosed purposes for which the personal information is processed, as disclosed to the334
371370 consumer, unless the controller obtains the consumer's consent;335
372371 (3) Establish, implement, and maintain reasonable administrative, technical, and physical336
373372 data security practices, as described in Code Section 10-1-973, to protect the337
374373 confidentiality, integrity, and accessibility of personal information. The data security338
375374 practices shall be appropriate to the volume and nature of the personal information at339
376375 issue;340
377376 (4) Not be required to delete information that it maintains or uses as aggregate or341
378377 de-identified data, provided that such data in the possession of the business is not linked342
379378 to a specific consumer;343
380379 (5) Not process personal information in violation of state and federal laws that prohibit344
381380 unlawful discrimination against consumers. A controller shall not discriminate against345
382381 a consumer for exercising the consumer rights contained in this article, including denying346
383382 goods or services, charging different prices or rates for goods or services, or providing347
384383 a different level of quality of goods and services to the consumer. However, this348
385384 paragraph shall not require a controller to provide a product or service that requires the349
386385 personal information of a consumer that the controller does not collect or maintain, or350
387386 prohibit a controller from offering a different price, rate, level, quality, or selection of351
388387 goods or services to a consumer, including offering goods or services for no fee, if the352
389388 consumer has exercised the right to opt out pursuant to subparagraph (E) of paragraph (2)353
390389 of subsection (a) of Code Section 10-1-963 or the offer is related to a consumer's354
391390 S. B. 111
392391 - 14 - 25 LC 59 0079
393392 voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or355
394393 club card program; and356
395394 (6) Not process sensitive data concerning a consumer without obtaining the consumer's357
396395 consent, or, in the case of the processing of sensitive data concerning a known child,358
397396 without processing the data in accordance with the federal Children's Online Privacy359
398397 Protection Act, as amended, 15 U.S.C. Section 6501 et seq., and its implementing360
399398 regulations.361
400399 (b) A provision of a contract or agreement that purports to waive or limit the consumer362
401400 rights described in Code Section 10-1-963 is contrary to public policy and is void and363
402401 unenforceable.364
403402 (c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice365
404403 that includes:366
405404 (1) The categories of personal information processed by the controller;367
406405 (2) The purpose for processing personal information;368
407406 (3) How consumers may exercise their consumer rights pursuant to Code369
408407 Section 10-1-963, including how a consumer may appeal a controller's decision with370
409408 regard to the consumer's request;371
410409 (4) The categories of personal information that the controller sells to third parties, if any;372
411410 and373
412411 (5) The categories of third parties, if any, with whom the controller engages in the sale374
413412 of personal information.375
414413 (d) If a controller engages in the sale of personal information to third parties or processes376
415414 personal information for targeted advertising, then the controller shall clearly and377
416415 conspicuously disclose the processing, as well as the manner in which a consumer may378
417416 exercise the right to opt out of the processing.379
418417 S. B. 111
419418 - 15 - 25 LC 59 0079
420419 (e)(1) A controller shall provide, and shall describe in a privacy notice, one or more380
421420 secure and reliable means for a consumer to submit a request to exercise the consumer381
422421 rights described in Code Section 10-1-963. Such means shall take into account the:382
423422 (A) Ways in which a consumer normally interacts with the controller;383
424423 (B) Need for secure and reliable communication of such requests; and384
425424 (C) Ability of a controller to authenticate the identity of the consumer making the385
426425 request.386
427426 (2) A controller shall not require a consumer to create a new account in order to exercise387
428427 the consumer rights described in Code Section 10-1-963, but may require a consumer to388
429428 use an existing account.389
10-1-965.
(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under this article. The assistance provided by the processor shall include:
(1) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to Code Section 10-1-963; and
(2) Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to Code Section 10-1-966.
(b) A contract between a controller and a processor governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:
(1) Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
(2) At the controller's direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
(3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this article;
(4) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this article using an appropriate and accepted control standard or framework and assessment procedure for the assessments. The processor shall provide a report of each assessment to the controller upon request; and
(5) Engage a subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal information.
(c) Nothing in this Code section shall relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as described in subsection (b) of this Code section.
(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal information is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal information remains a processor.
10-1-966.
(a) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal information:
(1) The processing of personal information for purposes of targeted advertising;
(2) The sale of personal information;
(3) The processing of personal information for purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
(A) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(B) Financial, physical, or reputational injury to consumers;
(C) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
(D) Other substantial injury to consumers;
(4) The processing of sensitive data; and
(5) Processing activities involving personal information that present a heightened risk of harm to consumers.
(b) Data protection assessments conducted pursuant to subsection (a) of this Code section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal information will be processed, shall be factored into this assessment by the controller.
(c) The Attorney General may request pursuant to a civil investigative demand that a controller disclose a data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General shall evaluate the data protection assessment for compliance with the responsibilities set forth in Code Section 10-1-964. The disclosure of a data protection assessment pursuant to a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and information contained in the assessment. Such data protection assessments shall be confidential and shall not be open to public inspection and copying under Article 4 of Chapter 18 of Title 50, relating to open records.
(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(e) A data protection assessment conducted by a controller for the purpose of compliance with other laws, rules, or regulations may comply with this Code section if such data protection assessment has a reasonably comparable scope and effect.
(f) The data protection assessment requirements in this article shall apply only to processing activities created or generated on or after July 1, 2026.
10-1-967.
(a) A controller in possession of de-identified data shall:
(1) Take reasonable measures to ensure that the data cannot be associated with a natural person;
(2) Publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and
(3) Contractually obligate recipients of the de-identified data to comply with this article.
(b) Nothing in this Code section shall require a controller or processor to:
(1) Reidentify de-identified data or pseudonymous data;
(2) Maintain data in identifiable form, or collect, obtain, retain, or access data or technology, in order to be capable of associating an authenticated consumer request with personal information; or
(3) Comply with an authenticated consumer rights request, pursuant to Code Section 10-1-963, if:
(A) The controller is not reasonably capable of associating the request with the personal information or it would be unreasonably burdensome for the controller to associate the request with the personal information;
(B) The controller does not use the personal information to recognize or respond to the specific consumer who is the subject of the personal information, or associate the personal information with other personal information about the same specific consumer; and
(C) The controller does not engage in the sale of personal information to a third party or otherwise voluntarily disclose the personal information to a third party other than a processor, except as otherwise permitted in this Code section.
(c) The consumer rights described in Code Sections 10-1-963 and 10-1-964 shall not apply to pseudonymous data in cases where the controller is able to demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing that information.
(d) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address breaches of those contractual commitments.
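The separation that subsection (c) of Code Section 10-1-967 turns on, where the information needed to identify a consumer is held apart from the pseudonymous data under controls the data holder cannot bypass, and the de-identification commitment in subsection (a), are easier to reason about with a concrete layout. The following Python is an added illustration and is not part of the bill or of any real controller's system. The IdentityVault and PseudonymousStore classes, the HMAC-based pseudonym derivation, and the sample records are all assumptions made for the example; the records are constructed and describe no real person.

```python
"""Pseudonymization with a separately held identity vault (added example)."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample records for this example; not real consumers.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "zip": "30301", "purchases": 3},
    {"email": "bob@example.com", "zip": "30318", "purchases": 1},
    {"email": "alice@example.com", "zip": "30301", "purchases": 2},
]
IDENTIFIER_FIELDS = ("email",)


class IdentityVault:
    """Hypothetical component holding the information necessary to identify
    the consumer: the secret pseudonymization key and the pseudonym -> identifier
    map. It is the only object that can move in either direction, so it sits
    behind its own access controls; the PseudonymousStore never holds a
    reference to it."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def _derive(self, identifier: str) -> str:
        # Keyed hash rather than a bare SHA-256: without the key, someone who
        # obtains the pseudonymous data and a list of e-mail addresses cannot
        # recompute the pseudonyms and join the two.
        normalized = identifier.strip().lower().encode()
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()

    def pseudonym_for(self, identifier: str) -> str:
        p = self._derive(identifier)
        self._reverse[p] = identifier
        return p

    def resolve(self, identifier: str) -> Optional[str]:
        # Turns a consumer's identifier into a pseudonym, or None if unknown.
        p = self._derive(identifier)
        return p if p in self._reverse else None


class PseudonymousStore:
    """Holds records keyed by pseudonym only; identifier fields are stripped."""

    def __init__(self) -> None:
        self._by_pseudonym: Dict[str, List[dict]] = defaultdict(list)

    def add(self, pseudonym: str, record: dict) -> None:
        stripped = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
        self._by_pseudonym[pseudonym].append(stripped)

    def records_for(self, pseudonym: str) -> List[dict]:
        return list(self._by_pseudonym.get(pseudonym, []))

    def handle_rights_request(self, identifier: str) -> Optional[str]:
        # The store has no key and no map. All it can do is scan its own
        # records for the identifier, and identifier fields were stripped at
        # ingest, so it cannot associate the request with anything. This is
        # the situation subsection (c) describes.
        for p, recs in self._by_pseudonym.items():
            if any(identifier in r.values() for r in recs):
                return p
        return None

    def deidentify_by_zip(self) -> Dict[str, int]:
        # Aggregate and drop the pseudonym entirely; not even the vault can
        # reverse this, which is the standard subsection (a)(1) sets.
        totals: Dict[str, int] = defaultdict(int)
        for recs in self._by_pseudonym.values():
            for r in recs:
                totals[r["zip"]] += r["purchases"]
        return dict(totals)


def ingest(records: List[dict], vault: IdentityVault, store: PseudonymousStore) -> None:
    for rec in records:
        store.add(vault.pseudonym_for(rec["email"]), rec)


def fulfil_rights_request(identifier: str, vault: IdentityVault,
                          store: PseudonymousStore) -> List[dict]:
    """Controller-side path that is permitted to consult the vault."""
    p = vault.resolve(identifier)
    return store.records_for(p) if p else []


if __name__ == "__main__":
    vault, store = IdentityVault(), PseudonymousStore()
    ingest(SAMPLE_RECORDS, vault, store)
    print(store.handle_rights_request("alice@example.com"))
    print(fulfil_rights_request("alice@example.com", vault, store))
    print(store.deidentify_by_zip())
```

The point of the two classes is the boundary between them: whoever operates the PseudonymousStore alone cannot answer a request that arrives with an e-mail address, while the controller's own request-handling path, which is permitted to consult the vault, can. Whether the boundary is "effective" in the sense of subsection (c) depends on the access controls around the vault in a real deployment, not on the code shape alone.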
10-1-968.
(a) Nothing in this article shall restrict a controller's or processor's ability to:
(1) Comply with federal, state, or local laws, rules, or regulations;
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
(4) Investigate, establish, exercise, prepare for, or defend legal claims;
(5) Provide a product or service specifically requested by a consumer or the parent or legal guardian of a known child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract;
(6) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;
(7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action;
(8) Engage in publicly reviewed or peer reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entity that determines whether:
(A) Deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
(B) The expected benefits of the research outweigh the privacy risks; and
(C) The controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including risks associated with reidentification; or
(9) Assist another controller, processor, or third party with the obligations under this article.
(b) The obligations imposed on controllers or processors under this article shall not restrict a controller's or processor's ability to collect, use, or retain data to:
(1) Conduct internal research to develop, improve, or repair products, services, or technology;
(2) Effectuate a product recall;
(3) Identify and repair technical errors that impair existing or intended functionality;
(4) Authenticate an individual for the purpose of allowing access to a secure location or facility; or
(5) Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(c) The obligations imposed on controllers or processors under this article shall not apply where compliance with this article by the controller or processor would violate an evidentiary privilege under the laws of this state. Nothing in this article shall prevent a controller or processor from providing personal information concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.
(d)(1) A controller or processor that discloses personal information to a third-party controller or processor, in compliance with the requirements of this article, shall not be in violation of this article if:
(A) The third-party controller or processor that receives and processes the personal information is in violation of this article; and
(B) At the time of disclosing the personal information, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.
(2) A third-party controller or processor receiving personal information from a controller or processor in compliance with the requirements of this article is likewise not in violation of this article for the violations of the controller or processor from which it receives such personal information.
(e) This article shall not impose an obligation on controllers and processors that adversely affects the rights or freedoms of a person, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or that applies to the processing of personal information by a person in the course of a purely personal activity.
(f) A controller shall not process personal information for purposes other than those expressly listed in this Code section unless otherwise allowed by this article. Personal information processed by a controller pursuant to this Code section may be processed to the extent that the processing is:
(1) Reasonably necessary and proportionate to the purposes listed in this Code section; and
(2) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this Code section.
Personal information collected, used, or retained pursuant to subsection (b) of this Code section shall, where applicable, take into account the nature and purpose or purposes of the collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal information and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal information.
(g) If a controller processes personal information pursuant to an exemption in this Code section, then the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with subsection (f) of this Code section.
(h) Processing personal information for the purposes expressly identified in any of paragraphs (1) through (9) of subsection (a) of this Code section shall not solely make an entity a controller with respect to the processing.
10-1-969.
Nothing in this article shall be construed to conflict with the specific requirements:
(1) Related to the management of health records under Title 31; or
(2) Included in federal law.
10-1-970.
(a) A provision of a contract or agreement that waives or limits a consumer's rights under this article, including, but not limited to, a right to a remedy or means of enforcement, is contrary to public policy, void, and unenforceable.
(b) Nothing in this article shall prevent a consumer from declining to request information from a controller, declining to opt out of a controller's sale of the consumer's personal information, or authorizing a controller to sell the consumer's personal information after previously opting out.
10-1-971.
If the Attorney General has reasonable cause to believe that an individual, controller, or processor has engaged in, is engaging in, or is about to engage in a violation of this article, then the Attorney General may issue a civil investigative demand.
10-1-972.
(a) The Attorney General shall have exclusive authority to enforce this article.
(b) The Attorney General may develop reasonable cause to believe that a controller or processor is in violation of this article, based on the Attorney General's own inquiry or on consumer or public complaints. Prior to initiating an action under this article, the Attorney General shall provide a controller or processor 60 days' written notice identifying the specific provisions of this article the Attorney General alleges have been or are being violated. If within the 60-day period the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no such further violations shall occur, then the Attorney General shall not initiate an action against the controller or processor.
(c) If a controller or processor continues to violate this article following the cure period provided for in subsection (b) of this Code section or breaches an express written statement provided to the Attorney General under subsection (b) of this Code section, then the Attorney General may bring an action in a court of competent jurisdiction seeking any of the following relief:
(1) Declaratory judgment that the act or practice violates this article;
(2) Injunctive relief, including preliminary and permanent injunctions, to prevent an additional violation of and compel compliance with this article;
(3) Civil penalties, as described in subsection (d) of this Code section;
(4) Reasonable attorney's fees and investigative costs; or
(5) Other relief the court determines appropriate.
(d)(1) A court may impose a civil penalty of up to $7,500.00 for each violation of this article.
(2) If the court finds the controller or processor willfully or knowingly violated this article, then the court may, in its discretion, award treble damages.
(e) A violation of this article shall not serve as the basis for, or be subject to, a private right of action, including a class action lawsuit, under this article or any other law.
(f) The Attorney General may recover reasonable expenses incurred in investigating and preparing a case, including attorney's fees, in an action initiated under this article.
10-1-973.
(a) A controller or processor shall have an affirmative defense to a cause of action for a violation of this article if the controller or processor creates, maintains, and complies with a written privacy program that:
(1)(A) Reasonably conforms to the NIST or comparable privacy framework designed to safeguard consumer privacy; and
(B) Is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two years of the publication date stated in the most recent revision to the NIST or comparable privacy framework; and
(2) Provides a person with the substantive rights required by this article.
(b) The scale and scope of a controller or processor's privacy program under subsection (a) of this Code section shall be appropriate if it is based on all of the following factors:
(1) The size and complexity of the controller or processor's business;
(2) The nature and scope of the activities of the controller or processor;
(3) The sensitivity of the personal information processed;
(4) The cost and availability of tools to improve privacy protections and data governance; and
(5) Compliance with a comparable state or federal law, if applicable.
10-1-974.
(a) A municipality, county, or consolidated government shall not require a controller or processor to disclose personal information of consumers, unless pursuant to a subpoena or court order.
(b) This article shall supersede and preempt any conflicting provisions of any ordinances, resolutions, regulations, or the equivalent adopted by any municipality, county, or consolidated government in this state regarding the processing of personal information by controllers or processors."
SECTION 2.
This Act shall become effective on July 1, 2026, and shall apply to contracts entered into, amended, or renewed on or after such date.
SECTION 3.
All laws and parts of laws in conflict with this Act are repealed.