Bipartisan Ga. Privacy Bill Includes Many Exemptions

Sen. John Albers (R) proposed the Georgia Consumer Privacy Protection Act (SB-111) with five other Republicans and one Democrat. It would apply to entities doing business in Georgia that have more than $25 million in annual revenue and control or process personal data of at least 175,000 consumers, or at least 25,000 consumers if they derive more than 50% of their revenue from selling personal data.

But the bill would exempt many groups, including governments, nonprofits, higher education, electric suppliers, air carriers, licensed insurance companies, financial institutions subject to the Gramm-Leach-Bliley Act and entities that the Health Insurance Portability and Accountability Act cover. It would also have data-level exemptions, including for GLBA, HIPAA, the Fair Credit Reporting Act, Driver’s Privacy Protection Act and the Family Educational Rights and Privacy Act.

Consumers would get Virginia-like rights to (1) confirm controller is processing personal data (2) correct inaccuracies in collected personal data (3) delete personal data (4) obtain copies of consumer-provided personal data (5) opt out of personal data sale, targeted advertising and profiling. Sensitive data subject to opt-in would cover typical categories including (1) racial or ethnic origin; (2) religious beliefs; (3) mental or physical health diagnosis; (4) sexual orientation; (5) citizenship or immigration status; (6) genetic or biometric data; (7) children's data; and (8) precise geolocation data.

Georgia’s attorney general would have exclusive enforcement authority.