
Georgia Introduces Privacy Law Stricter Than CCPA – Top 10 Problems

February 11, 2022

Alston & Vogel


On January 26, 2022, the Georgia General Assembly introduced a bill entitled Georgia Computer Data Privacy Act (GCDPA). Despite its title, the GCDPA is not a “computer”-centric bill. Instead, it is a comprehensive privacy law modeled after the California Consumer Privacy Act (CCPA). The GCDPA was introduced by the Republican leadership in the Georgia State Senate, which may give it a better chance of legislative advance than privacy laws in other states.

The GCDPA is the first omnibus privacy law introduced in Georgia and is one of the few state privacy bills modeled primarily on the CCPA. However, the GCDPA is stricter than the CCPA in many respects that are likely to be of significant interest to businesses in the United States. This article summarizes the top 10 ways the GCDPA would create a privacy regime in Georgia that replicates, or is more stringent than, what the CCPA has put in place in California.

1. Consumer consent required to collect data: The GCDPA does not permit businesses to collect personal information “prior to” the point at which they have provided notice and “received” the consumer’s consent. 10-1-946(a).

  • The GCDPA draft indicates that this must be “affirmative” consent. “Consent” is defined as an act by which a consumer authorizes a specific “act or practice” in a clear, explicit and unequivocal manner. 10-1-931(8). The legislative findings of the GCDPA indicate that a pure opt-out approach would not satisfy the law (“[t]he use of a strict privacy ‘opt-out’ method is ineffective and poses an imminent risk to the health, safety and welfare of individuals in th[is] state”). § 10-1-93(5).
  • This could have a significant impact on all businesses that do business online. Websites and mobile apps typically collect personally identifiable information as soon as someone lands on their homepage, simply because of the HTTP requests that users send when accessing the page. Websites may need to consider EU-like “consent walls” to comply with the GCDPA.
  • Local businesses may also need to obtain consumer consent to process transactions in a way that collects consumer information. This could mean requiring consent for ordinary processes such as accepting credit card payments.
  • This rule could also have difficult implications for companies that do not receive data directly from consumers, such as payment processors, shipping companies or credit reference agencies. The GCDPA provides no exemptions for these companies, which seems to indicate that they also need to obtain consumer “consent” for data processing – but it is unclear how they engage with the consumer to i
  • This is stricter than in California, which generally permits the collection of personal information if notice is given at or before the collection location.

2. GCDPA appears to encourage privacy class actions: The GCDPA expressly provides that “[c]onsumers have a private cause of action against anyone who violates [the GCDPA].” § 10-1-956(c). Consumers can recover actual damages and, in addition, statutory damages. Statutory damages are $2,500 for “each violation” or $7,500 for each intentional violation.

  • Therefore, the compliance obligations outlined in this article should be read with a view to potential class action lawsuits. For example, if a retailer fails to obtain consumer consent at its credit card payment terminals, it could face statutory damages of $2,500 for each consumer who made a payment.
  • Again, this is stricter than the California rules, which permit private lawsuits only for data breaches that result in the theft of certain categories of data.

3. GCDPA adopts CCPA’s definition of “sale”: The GCDPA defines a data “sale” as the disclosure of data to a third party in exchange for “valuable consideration.” 10-1-933(c).

  • As in California, this would mean that whenever a company shares data in the course of receiving or providing a service, the service must be evaluated to determine whether it qualifies as a “sale.” From the California experience, examples might include common business services like payment processing or digital analytics or advertising.

4. Opt-in Required to “Sell” Data: The GCDPA prohibits companies from “selling” data unless the consumer first provides an “opt-in”. This must be offered through a “unique and conspicuous link” on the company’s website. 10-1-944(b)(2), (c).

  • If GCDPA were interpreted in the same way as CCPA, it could mean that businesses in Georgia must obtain consumer opt-ins in order to market digitally to their customers.

5. “We Sell Data” notices required, more detailed than in California: To obtain an opt-in to sell data, a business must provide consumers with a notice that:

  • identifies the specific “individuals” to whom data is “sold” and
  • offers “[t]he proportional value of the consumer’s personal information.” 10-1-944(b)(1).

This is a stricter approach than in California. The CCPA permits the “sale” of data without identifying specific recipients. Also, the CCPA only requires a data valuation when a company offers consumers a “financial incentive” in exchange for their data — which presumably provides a basis for the valuation. The GCDPA assumes that “data sales” also occur without any exchange of money, so companies may need to calculate the “value” of data with little basis for doing so.

6. Not just a right to erasure, but an additional “right to be forgotten”: Like other state data protection laws, the GCDPA provides a general right for consumers to ask companies to delete their data.

  • But the GCDPA goes further, adopting an EU-style “right to be forgotten.” This means that if a business has “made public any consumer’s personal information,” it must “take all reasonable steps” to make that information “non-public.” 10-1-942(d).
  • For example, this may require businesses to contact search engines or social media platforms to “remove” links to consumer information pages.

7. Company research may only be carried out with de-identified data: “Any research” using personal data collected “from a consumer” may only be performed using de-identified or aggregated data. 10-1-940(2).

  • This is significantly stricter than the CCPA, which only contains rules to encourage research “in the public interest.” In contrast, the GCDPA would impose de-identification/aggregation requirements on all internal company research.
  • This means that core business processes such as product improvement, product development, corporate research and development, or new practices such as AI development may only be able to be performed with de-identified data.

8. Similarly, de-identified data cannot be re-identified without “consumer consent or authorization.” 10-1-951(a). This may be virtually impossible to comply with, as organizations may not know whose data resides in a de-identified dataset – and therefore whose consent they need to obtain – until they re-identify the dataset.

  • This rule may also discourage de-identification and privacy research practices — since once data is de-identified, it is “locked” in that state unless all consumers in the dataset give their consent.

9. No carve-outs for B2B data or employee data: Unlike the privacy laws in California, Colorado, and Virginia, the GCDPA does not include an exemption for B2B data or employee data.

  • This means companies could face requests from employees to delete data, provide copies of data, or stop “selling” employee data.
  • European workers have had these types of rights under the GDPR for several years. One experience is that they are often used by former employees to conduct pre-litigation discovery against their former employer, gathering information that can be used in labor disputes.

10. Georgia AG does not have exclusive enforcement powers: The GCDPA does not specify which government agencies are authorized to enforce it. It states only that the Georgia AG can recover reasonable costs incurred during enforcement actions. 10-1-956(b). This could mean that a variety of state and local agencies could initiate GCDPA enforcement actions.

The content of this article is intended to provide a general guide to the topic. Professional advice should be sought in relation to your specific circumstances.
