On January 26, 2022, the Georgia General Assembly introduced a bill titled the Georgia Computer Data Privacy Act (GCDPA). Despite its title, the GCDPA is not a “computer”-focused bill. It is instead an omnibus privacy statute modeled after the California Consumer Privacy Act (CCPA). The GCDPA was introduced by the Republican leadership in Georgia’s state Senate, potentially giving it a better chance of making legislative progress than privacy bills in other states.
The GCDPA represents the first omnibus privacy bill introduced in Georgia, and one of the few state privacy bills primarily modeled after CCPA. However, the GCDPA is stricter than CCPA in a number of ways likely to be of significant interest to businesses across the United States. This article summarizes the top 10 ways in which GCDPA would create a privacy regime in Georgia that adopts, or is stricter than, what CCPA introduced in California.
1. Consumer consent needed to collect data: The GCDPA does not permit businesses to collect personal information “prior to” the point where they have provided a notice, and “obtain[ed] the consumer’s consent.” 10-1-946(a).
- GCDPA’s drafting suggests this should be an “affirmative” consent. “Consent” is defined as an act by which a consumer clearly, conspicuously, and unambiguously authorizes a specific “act or practice.” 10-1-931(8). The GCDPA’s legislative findings suggest the law would not be satisfied with a purely opt-out approach (“[t]he use of a strictly ‘opt-out’ method for data privacy is ineffectual and poses an immediate risk to the health, safety, and welfare of individuals in this state”). § 10-1-93(5).
- This could have substantial impact on any businesses that operate online. Websites and mobile apps tend to collect personal information as soon as someone lands on their home page, simply by virtue of the HTTP requests users send when accessing the page. Websites could potentially have to consider EU-style “consent walls” to comply with GCDPA.
- Brick-and-mortar businesses may also need to collect consumer consents in order to process transactions in any way that collects consumer information. This could include requiring consent for ordinary-course processes, like accepting credit card payments.
- This rule could also have difficult effects for companies that do not receive data directly from consumers, like payment processors, shipping companies, or credit bureaus. The GCDPA does not provide exemptions for these companies, which would seem to indicate they also need to obtain consumer “consent” to process data – but it is unclear how they interface with the consumer to collect it.
- This is stricter than California, which generally permits personal data to be collected if proper notice is given at or before the point of collection.
2. GCDPA seems to encourage privacy class actions. GCDPA expressly provides that “[c]onsumers shall have a private cause of action against any person who violates [the GCDPA].” § 10-1-956(c). Consumers can recover their actual damages, and additional statutory damages on top of actual damages. Statutory damages are $2,500 for “each violation,” or $7,500 for each intentional violation.
- Thus, the compliance obligations outlined in this article should be read in light of potential class actions. For example, a retailer’s failure to collect consumer consents at its credit card payment terminals could expose it to statutory damages of $2,500 for each consumer who made a payment.
- This is again stricter than California’s rules, which only permit private actions to be brought if data breaches occur that result in the theft of specified categories of data.
3. GCDPA adopts CCPA’s “sales” definition: The GCDPA defines data “sales” as the disclosure of data to a third party for any “valuable consideration.” 10-1-933(c).
- As in California, this would mean that any time a business shares data as part of receiving or providing a service, the service must be evaluated as to whether it may be deemed a “sale.” Based on experience with California, examples could include common enterprise services like payment processing, digital analytics, or advertising.
4. Opt-in required to “sell” data: The GCDPA bans companies from “selling” data unless the consumer first gives an “opt-in.” This must be offered by a “clear and conspicuous link” on the business’s website. 10-1-944(b)(2), (c).
- If GCDPA were to be interpreted in the same manner as the CCPA, this could mean that Georgia businesses must get consumer opt-ins to market digitally to their customers.
5. “We Sell Data” notices required, with more detail than in California: To obtain an opt-in to sell data, a business must provide a notice to consumers that:
- identifies the specific “persons” to whom data will be “sold,” and
- provides “[t]he pro rata value of the consumer’s personal information.” 10-1-944(b)(1).
This is a stricter approach than California. CCPA permits data to be “sold” without identifying specific recipients. Also, CCPA only requires data valuation when a business is offering consumers a “financial incentive” in exchange for their data – which presumably offers a basis for valuation. GCDPA deems “data sales” to occur even without money changing hands, so companies may be required to calculate the “value” of data with little basis for doing so.
6. Not just a right of Deletion, but an additional “Right to be Forgotten”: Like other state privacy statutes, the GCDPA provides a general right for consumers to ask companies to delete their data.
- But GCDPA goes well beyond this and adopts an EU-style “Right to be Forgotten.” This means that if a company has “made a consumer’s personal information public,” it has to “take all reasonable steps” it can to make that data “un-public.” 10-1-942(d).
- As an example, this may require companies to contact search engines or social media platforms to “take down” links to pages containing consumer information.
7. Corporate research can only be done with anonymized data: “Any research” using personal information collected “from a consumer” must be done only using deidentified or aggregate data. 10-1-940(2).
- This is significantly stricter than the CCPA, which only contains rules designed to support research “in the public interest.” In contrast, GCDPA would impose anonymization/aggregation requirements on all internal corporate research.
- This means that core business processes, like product improvement, product development, corporate R&D, or emerging practices like AI development, may only be able to be done with deidentified data.
8. Anonymous data cannot be reidentified without consent: Similarly, anonymous data cannot be reidentified without “the consumer’s consent or authorization.” 10-1-951(a). This may be factually impossible, since companies may not know whose data is in an anonymized data set – and thus whose consent they need to obtain – until they reidentify the data set.
- This rule may also de-incentivize anonymization and privacy-protective research practices – since once data is deidentified, it is “locked” in that state unless all consumers in the data set provide consent.
9. No carve-outs for B2B data or employee data. Unlike privacy statutes in California, Colorado, and Virginia, GCDPA does not contain a carve-out for B2B data or employee data.
- That means that companies could face employee requests to delete data, provide copies of data, or to stop “selling” employee data.
- European employees have had these kinds of rights for several years under GDPR. One experience has been that they are often used by former employees to conduct pre-litigation discovery of their former employer, to collect information that can be used in employment litigation.
10. Georgia AG does not have exclusive enforcement authority. The GCDPA does not specify what state agencies are entitled to enforce it. It merely states the Georgia AG can recover reasonable expenses incurred in enforcement actions. 10-1-956(b). This could mean a variety of state and local agencies could bring GCDPA enforcement actions.
Note that, at present, the GCDPA may set forth a more limited scope of application than CCPA, as it currently limits its application to businesses that derive at least 50% of their revenue from the sale of personal information. The CCPA contains a similar threshold, but there it is one of several alternative criteria that can make a business subject to the statute. Under GCDPA, that threshold would generally need to be met to argue a business is subject to the GCDPA’s requirements. It is unclear whether the Georgia legislature intended to draft the GCDPA in this fashion. It could be, for instance, that the legislature intends for the GCDPA to apply similarly to Georgia’s data breach notification statute, which generally applies only to information brokers.
Alston & Bird is closely watching the development of the GCDPA. For more information, contact Alston & Bird’s Privacy, Cyber & Data Strategy team.