Georgia Introduces Privacy Legislation Stricter Than CCPA – Top 10 Issues | Alston & Vogel

On January 26, 2022, the Georgia General Assembly introduced a bill entitled the Georgia Computer Data Privacy Act (GCDPA). Despite its title, the GCDPA is not a “computer”-centric bill. Instead, it is a comprehensive privacy law modeled after the California Consumer Privacy Act (CCPA). The GCDPA was introduced by the Republican leadership in the Georgia State Senate, which may give it a better chance of advancing through the legislature than privacy legislation in other states.

The GCDPA is the first omnibus privacy law introduced in Georgia and is one of the few state privacy laws modeled primarily on the CCPA. However, the GCDPA is stricter than the CCPA in many respects that are likely to be of significant interest to businesses in the United States. This article summarizes the top 10 ways the GCDPA in Georgia would create a privacy regime that replicates or is more stringent than what the CCPA has put in place in California.

1. Consumer consent is required to collect data: The GCDPA does not allow companies to collect and “solicit” personally identifiable information “before” the point at which they have obtained “notice[ed] consumer consent.” § 10-1-946(a).

  • The draft GCDPA suggests that this should be “affirmative” consent. “Consent” is defined as an act by which a consumer authorizes a specific “act or practice” in a clear, explicit and unequivocal manner. § 10-1-931(8). The legislative findings of the GCDPA suggest that the law would not be satisfied with a pure opt-out approach (“[u]sing a strict privacy ‘opt-out’ methodology is ineffective and poses an imminent risk to the health, safety and well-being of individuals in that State”). § 10-1-93(5).
  • This could have a significant impact on all businesses that do business online. Websites and mobile apps typically collect personally identifiable information as soon as someone lands on their homepage, simply because of the HTTP requests that users send when accessing the page. Websites may need to consider EU-like “consent walls” to comply with the GCDPA.
  • Local businesses may also need to obtain consumer consent to process transactions in a way that collects consumer information. This could include requiring consent for ordinary processes such as accepting credit card payments.
  • This rule could also have difficult implications for companies that do not receive data directly from consumers, such as payment processors, shipping companies or credit reference agencies. The GCDPA does not provide any exemptions for these companies, which seems to indicate that they also need to obtain consumer “consent” for data processing – but it is unclear how they engage with the consumer to i
  • This is stricter than in California, which generally permits the collection of personal information if notice is given at or before the point of collection.

2. GCDPA appears to encourage privacy class actions. GCDPA expressly provides that “[c]onsumers have a private cause of action against anyone who violates [the GCDPA].” § 10-1-956(c). Consumers can claim their actual damages, plus statutory damages in addition to the actual damages. Statutory damages are $2,500 for “any infringement” or $7,500 for any intentional infringement.

  • Therefore, the compliance obligations outlined in this article should be read with a view to potential class action lawsuits. For example, if a retailer fails to obtain consumer consent at its credit card payment terminals, it could face statutory damages of $2,500 for each consumer who made a payment.
  • Again, this is stricter than California rules, which only allow private lawsuits when data breaches occur that result in the theft of certain categories of data.

3. GCDPA adopts CCPA’s definition of “sale”: The GCDPA defines data “sales” as the disclosure of data to a third party in exchange for “valuable consideration”. § 10-1-933(c).

  • As in California, this would mean that whenever a company shares data in the course of receiving or providing a service, the service must be evaluated to determine whether it qualifies as a “sale.” From the California experience, examples might include common business services like payment processing or digital analytics or advertising.

4. Opt-in Required to “Sell” Data: The GCDPA prohibits companies from “selling” data unless the consumer first “opts in”. This must be offered through a “unique and conspicuous link” on the company’s website. § 10-1-944(b)(2), (c).

  • If GCDPA were interpreted in the same way as CCPA, it could mean that businesses in Georgia must obtain consumer opt-ins in order to market digitally to their customers.

5. “We Sell Data” notices required, more detailed than in California: To get an opt-in to sell data, a business must give consumers a notice that:

  • identifies the specific “individuals” to whom data is “sold” and
  • offers “[t]he prorated value of the consumer’s personal information.” § 10-1-944(b)(1).

This is a stricter approach than in California. CCPA permits the “sale” of data without identifying specific recipients. Also, CCPA only requires a valuation of data when a company offers consumers a “financial incentive” in exchange for their data, which presumably provides a basis for the valuation. GCDPA assumes that “data sales” also occur without an exchange of money, so companies may need to calculate the “value” of data with little basis for doing so.

6. Not just a right to erasure, but an additional “right to be forgotten”: Like other state data protection laws, the GCDPA provides a general right for consumers to ask companies to erase their data.

  • But the GCDPA goes further, adopting an EU-style “right to be forgotten”. This means that if a business has “made public any consumer’s personal information,” it must “take all reasonable steps” to make that information “non-public.” § 10-1-942(d).
  • For example, this may require businesses to contact search engines or social media platforms to “remove” links to consumer information pages.

7. Company research can only be carried out with anonymized data: “Any research” using personal data collected “from a consumer” must only be done using anonymized or aggregated data. § 10-1-940(2).

  • This is significantly stricter than the CCPA, which only contains rules designed to support research “in the public interest.” In contrast, GCDPA would impose anonymization/aggregation requirements for all internal company research.
  • This means that core business processes such as product improvement, product development, corporate research and development, or new practices such as AI development may only be able to be performed with de-identified data.

8. Similarly, anonymized data cannot be re-identified without “consumer consent or authorization.” § 10-1-951(a). This may be virtually impossible, as organizations may not know whose data resides in an anonymized data set – and therefore whose consent they need to obtain – until they re-identify the data set.

  • This rule can also discourage anonymization and privacy research practices — since once data is anonymized, it is “locked” in that state unless all consumers in the dataset give their consent.

9. No carve-outs for B2B data or employee data. Unlike privacy laws in California, Colorado, and Virginia, GCDPA does not include an exemption for B2B data or employee data.

  • This means companies could face requests from employees to delete data, provide copies of data, or stop “selling” employee data.
  • European workers have had these types of rights under the GDPR for several years. Experience there shows that they are often used by former employees to conduct pre-trial investigations into their former employer to gather information that can be used in labor disputes.

10. Georgia AG does not have exclusive enforcement powers. The GCDPA does not specify which government bodies are authorized to enforce it. It only states that the Georgia AG can recover reasonable costs incurred during enforcement actions. § 10-1-956(b). This could mean that a variety of state and local agencies could initiate GCDPA enforcement actions.
