25 LC 59 0079
Senate Bill 111
By: Senators Albers of the 56th, Burns of the 23rd, Rahman of the 5th, Still of the 48th, Setzler of the 37th and others

AS PASSED SENATE

A BILL TO BE ENTITLED
AN ACT

To amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, so as to enact the "Georgia Consumer Privacy Protection Act"; to protect the privacy of consumer personal data in this state; to provide for definitions; to provide for applicability; to provide for exemptions for certain entities, data, and uses of data; to provide for consumer rights regarding personal data; to provide for a consumer to exercise such rights by submitting a request to a controller; to provide for a controller to promptly respond to such requests; to provide for exemptions; to provide for responsibilities of processors and controllers; to provide for notice and disclosure; to provide for security practices to protect consumer personal data; to allow a controller to offer different goods or services under certain conditions; to provide for limitations; to provide for statutory construction; to provide for enforcement and penalties; to provide an affirmative defense; to prohibit the disclosure of personal data of consumers to local governments unless pursuant to a subpoena or court order; to provide for preemption of local regulation; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:

SECTION 1.
Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, is amended by adding a new article to Chapter 1, relating to selling and other trade practices, to read as follows:

"ARTICLE 37

10-1-960.
This article shall be known and may be cited as the 'Georgia Consumer Privacy Protection Act.'

10-1-961.
As used in this article, the term:
(1) 'Affiliate' means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. As used in this paragraph, the term 'control' or 'controlled' means:
(A) Ownership of, or the power to vote, more than 50 percent of the outstanding shares of a class of voting security of an entity;
(B) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions relative to an entity; or
(C) The power to exercise controlling influence over the management of an entity.
(2) 'Authenticate' means to verify using reasonable means that a consumer who is entitled to exercise the rights in Code Section 10-1-963 is the same consumer who is exercising such consumer rights with respect to the personal information at issue.
(3)(A) 'Biometric data' means data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual.
(B) Such term shall not include:
(i) A physical or digital photograph, video recording, or audio recording or data generated from a photograph or video or audio recording;
(ii) Information captured and converted to a mathematical representation, including a numeric string or similar configuration, that cannot be used to recreate data generated by automatic measurement of an individual's biological patterns or characteristics used to identify the specific individual; or
(iii) Information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
(4) 'Business associate' shall have the same meaning as provided by HIPAA.
(5) 'Consent' means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer. Such term may include a written statement, including a statement written by electronic means, or an unambiguous affirmative action.
(6) 'Consumer' means an individual who is a resident of this state acting only in a personal context. Such term shall not include an individual acting in a commercial or employment context.
(7) 'Controller' means the person that, alone or jointly with others, determines the purpose and means of processing personal information.
(8) 'Covered entity' shall have the same meaning as provided by HIPAA.
(9) 'Decisions that produce legal or similarly significant effects concerning the consumer' means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to basic necessities, such as food and water.
(10) 'De-identified data' means data that cannot reasonably be linked to an identified or identifiable individual, or any device linked to such natural person.
(11) 'Health record' shall have the same meaning as set forth in paragraph (3) of Code Section 31-33-1. Such term includes the substance of a communication made by an individual to a healthcare facility described in or licensed pursuant to Title 31 in confidence during or in connection with the provision of healthcare services or information otherwise acquired by the healthcare entity about an individual in confidence and in connection with the provision of healthcare services to the individual.
(12) 'HIPAA' means the federal Health Insurance Portability and Accountability Act of 1996, as amended, 42 U.S.C. Section 1320d et seq.
(13) 'Identified or identifiable individual' means a natural person who can be readily identified, whether directly or indirectly.
(14) 'Institution of higher education' means a public or private college or university in this state.
(15) 'Known child' means an individual who the controller has actual knowledge is under 13 years of age.
(16) 'NIST' means the National Institute of Standards and Technology privacy framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management Version 1.0' or any subsequent version thereof.
(17) 'Nonprofit organization' means an organization exempt from taxation under the Internal Revenue Code, codified in 26 U.S.C. Sections 501-530.
(18) 'Person' means any individual or entity.
(19) 'Personal information' means information that is linked or reasonably linkable to an identified or identifiable individual. Such term shall not include information that is publicly available or de-identified.
(20)(A) 'Precise geolocation data' means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.
(B) Such term shall not include:
(i) The content of communications; or
(ii) Data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(21) 'Process' or 'processing' means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
(22) 'Processor' means a person that processes personal information on behalf of a controller.
(23) 'Profiling' means a form of automated processing performed on personal information solely to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(24) 'Protected health information' shall have the same meaning as provided by HIPAA.
(25) 'Pseudonymous data' means personal information that cannot be attributed to a specific individual without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable individual.
(26) 'Publicly available information' means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to which the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
(27)(A) 'Sale of personal information' or 'sell personal information' means the exchange of personal information for monetary or other valuable consideration by the controller to a third party.
(B) Such term shall not include:
(i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
(ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
(iii) The disclosure or transfer of personal information to an affiliate of the controller;
(iv) The disclosure of information that the consumer:
(I) Intentionally made available to the general public via a channel of mass media; and
(II) Did not restrict to a specific audience; or
(v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
(28) 'Sensitive data' means a category of personal information that includes:
(A) Personal information revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
(B) The processing of genetic data or biometric data for the purpose of uniquely identifying an individual;
(C) The personal information collected from a known child; or
(D) Precise geolocation data.
(29) 'State agency' means an agency, institution, board, bureau, commission, council, or instrumentality of the executive branch of state government of this state.
(30)(A) 'Targeted advertising' means displaying to a consumer an advertisement that is selected based on personal information obtained from such consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.
(B) Such term shall not include:
(i) Advertisements based on activities within a controller's own websites or online applications;
(ii) Advertisements based on the context of a consumer's current search query, visit to a website, or online application;
(iii) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
(iv) Personal information processed solely for measuring or reporting advertising performance, reach, or frequency.
(31) 'Third party' means a person other than the consumer, controller, processor, or an affiliate of the controller or processor.
(32) 'Trade secret' shall have the same meaning as set forth in Code Section 16-8-13.

10-1-962.
(a) This article shall apply to a person that conducts business in this state by producing products or services targeted to consumers of this state that exceeds $25 million in revenue and that:
(1) Controls or processes personal information of at least 25,000 consumers and derives more than 50 percent of gross revenue from the sale of personal information; or
(2) During a calendar year, controls or processes personal information of at least 175,000 consumers.
(b) This article shall not apply to:
(1) A person that is:
(A) A financial institution or an affiliate of a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C. Section 6801 et seq.;
(B) Licensed in this state under Title 33 as an insurance company and transacts insurance business;
(C) Licensed in this state under Title 33 as an insurance producer;
(D) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the federal Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);
(E) An air carrier regulated by the secretary of transportation under 49 U.S.C. Section 41712 and exempt from state regulations under 49 U.S.C. Section 41713(b)(1); or
(F) An entity subject to 42 U.S.C. Section 290dd-2;
(2) Data or personal information that is:
(A) Subject to Title V of the federal Gramm-Leach-Bliley Act, as amended, 15 U.S.C. Section 6801 et seq.;
(B) Protected health information under HIPAA;
(C) Considered a health record for purposes of Title 31;
(D) Considered patient identifying information for purposes of 42 U.S.C. Section 290dd-2;
(E) Processed for purposes of:
(i) Research conducted in accordance with the federal policy for the protection of human subjects under 45 C.F.R. Part 46;
(ii) Human subjects research conducted in accordance with good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; or
(iii) Research conducted in accordance with the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56;
(F) Created for purposes of the federal Health Care Quality Improvement Act of 1986, as amended, 42 U.S.C. Section 11101 et seq.;
(G) Considered patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, as amended, 42 U.S.C. Section 299b-21 et seq.;
(H) Derived from the healthcare related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
(I) Included in a limited data set as described in 45 C.F.R. 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified in 45 C.F.R. 164.514(e);
(J) Originated from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;
(K) Used only for public health activities and purposes as authorized by HIPAA;
(L) Collected, maintained, disclosed, sold, communicated, or used, bearing upon a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, as amended, 15 U.S.C. Section 1681 et seq.;
(M) Collected, processed, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, as amended, 18 U.S.C. Section 2721 et seq.;
(N) Regulated by the federal Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. Section 1232g et seq.;
(O) Collected, processed, or disclosed in compliance with the federal Farm Credit Act, as amended, 12 U.S.C. Section 2001 et seq.; or
(P) Maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act, as amended, 21 U.S.C. Section 830;
(3) Nonprofit organizations that do not sell data;
(4) Any state agency, the judicial branch, the legislative branch, or any local government of this state;
(5) Any institution of higher education that does not engage in the sale of personal information;
(6) Any electric supplier as defined in Code Section 46-3-3 that does not engage in the sale of personal information; or
(7) Data processed or maintained:
(A) In the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
(B) As the emergency contact information of an individual employed by or acting as an agent or independent contractor of a controller, processor, or third party for use as emergency contact purposes with the consent of such individual; or
(C) As necessary to retain to administer benefits for an individual who qualifies for benefits as part of the benefits provided to an individual employed by or acting as an agent or independent contractor of a controller, processor, or third party.
(c) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (COPPA), as amended, 15 U.S.C. Section 6501 et seq., shall be deemed compliant with an obligation to obtain parental consent under this article.
(d) Nothing in this article shall require a controller, processor, third party, or consumer to disclose trade secrets.

10-1-963.
(a)(1) A consumer may invoke the consumer rights authorized pursuant to paragraph (2) of this subsection at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke the consumer rights authorized pursuant to paragraph (2) of this subsection on behalf of such known child regarding processing personal information belonging to the known child.
(2) A controller shall comply with an authenticated consumer request to exercise the right to:
(A) Confirm whether a controller is processing the consumer's personal information and to access such personal information;
(B) Correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of such consumer's personal information;
(C) Delete personal information provided by or obtained about the consumer. A controller shall not be required to delete information that it maintains or uses as aggregate or de-identified data; provided, that such data in the possession of the controller is not linked to a specific consumer. A controller that obtained personal information about a consumer from a source other than the consumer shall be in compliance with a consumer's request to delete such personal information by:
(i) Retaining a record of the deletion request and the minimum information necessary for the purpose of ensuring that the consumer's personal information remains deleted from the controller's records and by not using such retained personal information for any purpose prohibited under this article; or
(ii) Opting the consumer out of the processing of such personal information for any purposes other than those exempted under this article.
(D) Obtain a copy of the consumer's personal information that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit such personal information to another controller without hindrance, where the processing is carried out by automated means; or
(E) Opt out of a controller's processing of personal information for purposes of:
(i) Engaging in the sale of personal information about the consumer;
(ii) Targeted advertising; or
(iii) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
(b) Except as otherwise provided in this article, a controller shall comply with an authenticated request by a consumer to exercise the consumer rights authorized pursuant to paragraph (2) of subsection (a) of this Code section as follows:
(1) A controller shall respond to the consumer without undue delay, but in all cases within 45 days of receipt of a request submitted pursuant to subsection (a) of this Code section. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial 45 day response period, together with the reason for the extension;
(2) If a controller declines to take action regarding the consumer's request, then the controller shall inform the consumer without undue delay, but in all cases within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision pursuant to subsection (c) of this Code section;
(3) Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, technically infeasible, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request; and
(4) If a controller is unable to authenticate the request using commercially reasonable efforts, then the controller shall not be required to comply with a request to initiate an action under subsection (a) of this Code section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.
(c)(1) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to paragraph (2) of subsection (b) of this Code section. The appeal process shall be:
(A) Made available to the consumer in a conspicuous manner;
(B) Available at no cost to the consumer; and
(C) Similar to the process for submitting requests to initiate action pursuant to subsection (a) of this Code section.
(2) Within 60 days of receipt of an appeal, a controller shall inform the consumer in writing of action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall then also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.

10-1-964.
(a) A controller shall:
(1) Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
(2) Except as otherwise provided in this article, not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
(3) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as described in Code Section 10-1-973, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices shall be appropriate to the volume and nature of the personal information at issue;
(4) Not be required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer;
(5) Not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising the consumer rights contained in this article, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, this paragraph shall not require a controller to provide a product or service that requires the personal information of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the right to opt out pursuant to subparagraph (E) of paragraph (2) of subsection (a) of Code Section 10-1-963 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and
(6) Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act, as amended, 15 U.S.C. Section 6501 et seq., and its implementing regulations.
(b) A provision of a contract or agreement that purports to waive or limit the consumer rights described in Code Section 10-1-963 is contrary to public policy and is void and unenforceable.
(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice that includes:
(1) The categories of personal information processed by the controller;
(2) The purpose for processing personal information;
(3) How consumers may exercise their consumer rights pursuant to Code Section 10-1-963, including how a consumer may appeal a controller's decision with regard to the consumer's request;
(4) The categories of personal information that the controller sells to third parties, if any; and
(5) The categories of third parties, if any, with whom the controller engages in the sale of personal information.
(d) If a controller engages in the sale of personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
(e)(1) A controller shall provide, and shall describe in a privacy notice, one or more secure and reliable means for a consumer to submit a request to exercise the consumer rights described in Code Section 10-1-963. Such means shall take into account the:
(A) Ways in which a consumer normally interacts with the controller;
(B) Need for secure and reliable communication of such requests; and
(C) Ability of a controller to authenticate the identity of the consumer making the request.
(2) A controller shall not require a consumer to create a new account in order to exercise the consumer rights described in Code Section 10-1-963, but may require a consumer to use an existing account.

10-1-965.
(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under this article. The assistance provided by the processor shall include:
(1) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to Code Section 10-1-963; and
(2) Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to Code Section 10-1-966.
(b) A contract between a controller and a processor governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:
(1) Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
(2) At the controller's direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
(3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this article;
(4) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this article using an appropriate and accepted control standard or framework and assessment procedure for the assessments. The processor shall provide a report of each assessment to the controller upon request; and
(5) Engage a subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal information.
(c) Nothing in this Code section shall relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as described in subsection (b) of this Code section.
(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal information is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal information remains a processor.

10-1-966.
(a) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal information:
(1) The processing of personal information for purposes of targeted advertising;
(2) The sale of personal information;
(3) The processing of personal information for purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
(A) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
(B) Financial, physical, or reputational injury to consumers;
(C) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
(D) Other substantial injury to consumers;
(4) The processing of sensitive data; and
(5) Processing activities involving personal information that present a heightened risk of harm to consumers.
(b) Data protection assessments conducted pursuant to subsection (a) of this Code section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal information will be processed, shall be factored into this assessment by the controller.
(c) The Attorney General may request pursuant to a civil investigative demand that a controller disclose a data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General shall evaluate the data protection assessment for compliance with the responsibilities set forth in Code Section 10-1-964. The disclosure of a data protection assessment pursuant to a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and information contained in the assessment. Such data protection assessments shall be confidential and shall not be open to public inspection and copying under Article 4 of Chapter 18 of Title 50, relating to open records.
(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(e) A data protection assessment conducted by a controller for the purpose of compliance with other laws, rules, or regulations may comply with this Code section if such data protection assessment has a reasonably comparable scope and effect.
(f) The data protection assessment requirements in this article shall apply only to processing activities created or generated on or after July 1, 2026.

10-1-967.
(a) A controller in possession of de-identified data shall:
(1) Take reasonable measures to ensure that the data cannot be associated with a natural person;
(2) Publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and
(3) Contractually obligate recipients of the de-identified data to comply with this article.
(b) Nothing in this Code section shall require a controller or processor to:
(1) Reidentify de-identified data or pseudonymous data;
(2) Maintain data in identifiable form, or collect, obtain, retain, or access data or technology, in order to be capable of associating an authenticated consumer request with personal information; or
(3) Comply with an authenticated consumer rights request, pursuant to Code Section 10-1-963, if:
(A) The controller is not reasonably capable of associating the request with the personal information or it would be unreasonably burdensome for the controller to associate the request with the personal information;
(B) The controller does not use the personal information to recognize or respond to the specific consumer who is the subject of the personal information, or associate the personal information with other personal information about the same specific consumer; and
(C) The controller does not engage in the sale of personal information to a third party or otherwise voluntarily disclose the personal information to a third party other than a processor, except as otherwise permitted in this Code section.
(c) The consumer rights described in Code Sections 10-1-963 and 10-1-964 shall not apply to pseudonymous data in cases where the controller is able to demonstrate information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing that information.
(d) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address breaches of those contractual commitments.

10-1-968.
(a) Nothing in this article shall restrict a controller's or processor's ability to:
(1) Comply with federal, state, or local laws, rules, or regulations;
111 - 20 - 25 LC 59 0079 (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or510 summons by federal, state, local, or other governmental authorities;511 (3) Cooperate with law enforcement agencies concerning conduct or activity that the512 controller or processor reasonably and in good faith believes may violate federal, state,513 or local laws, rules, or regulations;514 (4) Investigate, establish, exercise, prepare for, or defend legal claims;515 (5) Provide a product or service specifically requested by a consumer or the parent or516 legal guardian of a known child, perform a contract to which the consumer is a party,517 including fulfilling the terms of a written warranty, or take steps at the request of the518 consumer prior to entering into a contract;519 (6) Take immediate steps to protect an interest that is essential for the life or physical520 safety of the consumer or of another natural person, and where the processing cannot be521 manifestly based on another legal basis;522 (7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud,523 harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or524 security of systems; or investigate, report, or prosecute those responsible for such action;525 (8) Engage in public reviewed or peer reviewed scientific or statistical research in the526 public interest that adheres to all other applicable ethics and privacy laws and is527 approved, monitored, and governed by an institutional review board, or similar528 independent oversight entity that determines whether:529 (A) Deletion of the information is likely to provide substantial benefits that do not530 exclusively accrue to the controller;531 (B) The expected benefits of the research outweigh the privacy risks; and532 (C) The controller has implemented reasonable safeguards to mitigate privacy risks533 associated with research, including risks associated with 
reidentification; or534 (9) Assist another controller, processor, or third party with the obligations under this535 article.536 S. B. 111 - 21 - 25 LC 59 0079 (b) The obligations imposed on controllers or processors under this article shall not restrict537 a controller's or processor's ability to collect, use, or retain data to:538 (1) Conduct internal research to develop, improve, or repair products, services, or539 technology;540 (2) Effectuate a product recall;541 (3) Identify and repair technical errors that impair existing or intended functionality;542 (4) Authenticate an individual for the purpose of allowing access to a secure location or543 facility; or 544 (5) Perform internal operations that are reasonably aligned with the expectations of the545 consumer or reasonably anticipated based on the consumer's existing relationship with546 the controller or are otherwise compatible with processing data in furtherance of the547 provision of a product or service specifically requested by a consumer or the performance548 of a contract to which the consumer is a party.549 (c) The obligations imposed on controllers or processors under this article shall not apply550 where compliance with this article by the controller or processor would violate an551 evidentiary privilege under the laws of this state. 
Nothing in this article shall prevent a552 controller or processor from providing personal information concerning a consumer to a553 person covered by an evidentiary privilege under the laws of this state as part of a554 privileged communication.555 (d)(1) A controller or processor that discloses personal information to a third-party556 controller or processor, in compliance with the requirements of this article, shall not be557 in violation of this article if:558 (A) The third-party controller or processor that receives and processes the personal559 information is in violation of this article; and560 (B) At the time of disclosing the personal information, the disclosing controller or561 processor did not have actual knowledge that the recipient intended to commit a562 violation.563 S. B. 111 - 22 - 25 LC 59 0079 (2) A third-party controller or processor receiving personal information from a controller564 or processor in compliance with the requirements of this article is likewise not in565 violation of this article for the violations of the controller or processor from which it566 receives such personal information.567 (e) This article shall not impose an obligation on controllers and processors that adversely568 affects the rights or freedoms of a person, such as exercising the right of free speech569 pursuant to the First Amendment to the United States Constitution, or that applies to the570 processing of personal information by a person in the course of a purely personal activity.571 (f) A controller shall not process personal information for purposes other than those572 expressly listed in this Code section unless otherwise allowed by this article. 
Personal573 information processed by a controller pursuant to this Code section may be processed to574 the extent that the processing is:575 (1) Reasonably necessary and proportionate to the purposes listed in this section; and576 (2) Adequate, relevant, and limited to what is necessary in relation to the specific577 purposes listed in this section. Personal information collected, used, or retained pursuant578 to subsection (b) of this Code section shall, where applicable, take into account the nature579 and purpose or purposes of the collection, use, or retention. The data shall be subject to580 reasonable administrative, technical, and physical measures to protect the confidentiality,581 integrity, and accessibility of the personal information and to reduce reasonably582 foreseeable risks of harm to consumers relating to the collection, use, or retention of583 personal information.584 (g) If a controller processes personal information pursuant to an exemption in this Code585 section, then the controller bears the burden of demonstrating that the processing qualifies586 for the exemption and complies with subsection (f) of this Code section.587 (h) Processing personal information for the purposes expressly identified in any of the588 paragraphs (1) through (9) of subsection of (a) of this Code section shall not solely make589 an entity a controller with respect to the processing.590 S. B. 
111 - 23 - 25 LC 59 0079 10-1-969.591 Nothing in this article shall be construed to conflict with the specific requirements:592 (1) Related to the management of health records under Title 31; or593 (2) Included in federal law.594 10-1-970.595 (a) A provision of a contract or agreement that waives or limits a consumer's rights under596 this article, including, but not limited to, a right to a remedy or means of enforcement, is597 contrary to public policy, void, and unenforceable.598 (b) Nothing in this article shall prevent a consumer from declining to request information599 from a controller, declining to opt out of a controller's sale of the consumer's personal600 information, or authorizing a controller to sell the consumer's personal information after601 previously opting out.602 10-1-971.603 If the Attorney General has reasonable cause to believe that an individual, controller, or604 processor has engaged in, is engaging in, or is about to engage in a violation of this article,605 then the Attorney General may issue a civil investigative demand.606 10-1-972.607 (a) The Attorney General shall have exclusive authority to enforce this article.608 (b) The Attorney General may develop reasonable cause to believe that a controller or609 processor is in violation of this article, based on the Attorney General's own inquiry or on610 consumer or public complaints. Prior to initiating an action under this article, the Attorney611 General shall provide a controller or processor 60 days' written notice identifying the612 specific provisions of this article the Attorney General alleges have been or are being613 violated. If within the 60 day period, the controller or processor cures the noticed violation614 S. B. 
111 - 24 - 25 LC 59 0079 and provides the Attorney General an express written statement that the alleged violations615 have been cured and that no such further violations shall occur, then the Attorney General616 shall not initiate an action against the controller or processor.617 (c) If a controller or processor continues to violate this article following the cure period618 provided for in subsection (b) of this Code section or breaches an express written statement619 provided to the Attorney General under subsection (b) of this Code section, then the620 Attorney General may bring an action in a court of competent jurisdiction seeking any of621 the following relief:622 (1) Declaratory judgment that the act or practice violates this article;623 (2) Injunctive relief, including preliminary and permanent injunctions, to prevent an624 additional violation of and compel compliance with this article;625 (3) Civil penalties, as described in subsection (d) of this Code section;626 (4) Reasonable attorney's fees and investigative costs; or627 (5) Other relief the court determines appropriate.628 (d)(1) A court may impose a civil penalty of up to $7,500.00 for each violation of this629 article.630 (2) If the court finds the controller or processor willfully or knowingly violated this631 article, then the court may, in its discretion, award treble damages.632 (e) A violation of this article shall not serve as the basis for, or be subject to, a private right633 of action, including a class action lawsuit, under this article or any other law.634 (f) The Attorney General may recover reasonable expenses incurred in investigating and635 preparing a case, including attorney's fees, in an action initiated under this article.636 10-1-973.637 (a) A controller or processor shall have an affirmative defense to a cause of action for a638 violation of this article if the controller or processor creates, maintains, and complies with639 a written privacy program that:640 S. B. 
111 - 25 - 25 LC 59 0079 (1)(A) Reasonably conforms to the NIST or comparable privacy framework designed641 to safeguard consumer privacy; and642 (B) Is updated to reasonably conform with a subsequent revision to the NIST or643 comparable privacy framework within two years of the publication date stated in the644 most recent revision to the NIST or comparable privacy framework; and645 (2) Provides a person with the substantive rights required by this article.646 (b) The scale and scope of a controller or processor's privacy program under subsection (a)647 of this Code section shall be appropriate if it is based on all of the following factors:648 (1) The size and complexity of the controller or processor's business;649 (2) The nature and scope of the activities of the controller or processor;650 (3) The sensitivity of the personal information processed;651 (4) The cost and availability of tools to improve privacy protections and data652 governance; and653 (5) Compliance with a comparable state or federal law, if applicable.654 10-1-974.655 (a) A municipality, county, or consolidated government shall not require a controller or656 processor to disclose personal information of consumers, unless pursuant to a subpoena or657 court order.658 (b) This article shall supersede and preempt any conflicting provisions of any ordinances,659 resolutions, regulations, or the equivalent adopted by any municipality, county, or660 consolidated government in this state regarding the processing of personal information by661 controllers or processors."662 SECTION 2.663 This Act shall become effective on July 1, 2026, and shall apply to contracts entered into,664 amended, or renewed on or after such date.665 S. B. 111 - 26 - 25 LC 59 0079 SECTION 3. 666 All laws and parts of laws in conflict with this Act are repealed.667 S. B. 111 - 27 -