Georgia Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Georgia does not have a comprehensive consumer data privacy law. Unlike states such as California, Virginia, and Colorado that have enacted broad data protection statutes, Georgia relies on a patchwork of sector-specific laws and its data breach notification statute to protect residents' personal information.
This guide covers every Georgia law that touches data privacy, from the state's breach notification requirements under O.C.G.A. § 10-1-912 to the Computer Systems Protection Act, insurance data regulations, student data protections, and the federal laws that fill the gaps.
Georgia's Data Breach Notification Law (O.C.G.A. § 10-1-910 Through 10-1-912)
The Georgia Personal Identity Protection Act, originally enacted in 2005 and expanded in 2007, is the state's primary data privacy statute. It requires businesses and government agencies to notify Georgia residents when their personal information has been compromised in a data breach.

The law applies to any "information broker" or "data collector" that maintains computerized data containing personal information of Georgia residents. This broad definition covers most businesses that store customer data electronically.
What Qualifies as Protected Personal Information?
Under O.C.G.A. § 10-1-911, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or data elements are not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
- Account passwords or personal identification numbers (PINs) or other access codes
- Any of the above data elements when not combined with the individual's name, if the information compromised would be sufficient to perform or attempt to perform identity theft
The definition explicitly excludes information that is lawfully available to the general public from federal, state, or local government records.
Notification Requirements
When a breach occurs, the law imposes several specific obligations on the entity that maintained the data.
Timing. Notice must be provided "in the most expedient time possible and without unreasonable delay." Georgia does not impose a specific deadline measured in days, unlike some states that require notification within 30 or 60 days. The only permitted delay is when a law enforcement agency determines that notification would compromise an ongoing criminal investigation.
Methods of Notice. The law permits notification through:
- Written notice sent to the affected individual
- Electronic notice, if consistent with the provisions of the federal Electronic Signatures in Global and National Commerce Act (E-Sign Act)
Substitute Notice. An entity may use substitute notice if it can demonstrate that:
- The cost of providing direct notice would exceed $50,000
- The affected class of individuals exceeds 100,000 persons
- The entity does not have sufficient contact information to provide direct notice
Substitute notice consists of notification through major statewide media outlets.
Large-Scale Breach Requirements
When a breach affects more than 10,000 Georgia residents at one time, the entity must also notify all nationwide consumer reporting agencies. This notification must include the timing, distribution, and content of the notices sent to affected individuals.
Third-Party Data Holders
Any person or business that maintains personal information on behalf of another entity must notify that entity within 24 hours of discovering a breach. This provision ensures that companies using third-party data processors receive prompt notice even when they do not directly control the compromised system.
Enforcement
The Georgia Attorney General's Consumer Protection Division enforces the breach notification law. Violations are treated as unfair or deceptive acts under the Georgia Fair Business Practices Act (O.C.G.A. § 10-1-390 et seq.). There is no private right of action, meaning individual consumers cannot sue a company directly for failing to provide breach notification.
Georgia Computer Systems Protection Act (O.C.G.A. § 16-9-90 et seq.)
The Computer Systems Protection Act provides criminal penalties for unauthorized access to computer systems and data. While primarily a criminal statute, it has direct implications for data privacy because it punishes unauthorized access to personal information stored on computers.
Criminal Offenses
The Act establishes four major felony offenses:
Computer Theft (O.C.G.A. § 16-9-93(a)). Using a computer or computer network with the intent to take or appropriate the property of another, including data and computer programs.
Computer Trespass (O.C.G.A. § 16-9-93(b)). Unauthorized access to a computer or computer network with the intent to delete, alter, damage, or take data or computer programs, or to introduce a computer contaminant.
Computer Invasion of Privacy (O.C.G.A. § 16-9-93(c)). Using a computer or computer network with the intent to examine any employment, medical, salary, credit, or other financial or personal data relating to another person without authorization.
Computer Forgery (O.C.G.A. § 16-9-93(d)). Using a computer or computer network to create, alter, or delete data in a manner that would constitute forgery under Georgia law.
Penalties
A conviction for computer theft, computer trespass, computer invasion of privacy, or computer forgery carries a maximum fine of $50,000 and up to 15 years in prison, or both.
The Act also establishes the offense of Computer Password Disclosure, which is a misdemeanor carrying a maximum fine of $5,000 and up to one year in jail.
Civil Remedies
Victims of computer crimes can file civil lawsuits. Any person whose property or person is injured by a violation of the Act may sue and recover damages, including lost profits and expenses incurred as a result of the violation. The statute of limitations for civil claims is four years from the date the violation is discovered or should have been discovered through reasonable diligence.
Insurance Data Privacy Regulations
Georgia regulates the collection, use, and disclosure of personal information in insurance transactions through GAC 120-2-87, issued by the Office of the Commissioner of Insurance.
These regulations implement Chapter 39 of Title 33 of the Official Code of Georgia Annotated and carry out the state's responsibilities under Title V of the federal Gramm-Leach-Bliley Act (GLBA).
Who Is Covered?
The regulations apply to:
- All insurance institutions operating in Georgia
- Insurance agents and producers
- Insurance support organizations
- Unauthorized insurers who place business through licensed excess line brokers
- Any other persons or entities licensed, authorized, or registered under the Georgia Insurance Code
Key Requirements
Covered entities must:
- Provide privacy notices to consumers explaining what personal information is collected and how it is shared
- Allow consumers to opt out of certain information-sharing practices with nonaffiliated third parties
- Implement safeguards to protect the security and confidentiality of customer information
- Restrict access to customer information to employees and agents who need it for legitimate business purposes
NAIC Model Law Status
As of 2025, Georgia has not adopted the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (Model #668), which would impose more specific cybersecurity requirements on insurers. Georgia is listed as having "no current activity" toward adoption of the model law.
Student Data Privacy
Georgia enacted the Student Data Privacy, Accessibility, and Transparency Act (O.C.G.A. § 20-2-661 through 20-2-667), effective July 1, 2016, to protect the personal information of K-12 students.
Key Protections
The law requires:
- Chief Privacy Officer. The Georgia Department of Education must designate a senior staff member as the agency's chief privacy officer, responsible for establishing and maintaining policies to protect student data.
- Collection Restrictions. Schools and districts cannot collect student data related to political affiliations, religious beliefs, or certain economic information without specific authorization.
- Juvenile Records Protection. The law restricts reporting of student data pertaining to juvenile delinquency records, criminal records, and medical or health records.
- Operator Requirements. Companies that operate websites, apps, or online services used by schools must comply with data management requirements when they collect student data.
- Parental Rights. Parents have the right to inspect and review their child's education records maintained by schools or school districts.
This state law works alongside the federal Family Educational Rights and Privacy Act (FERPA), which has protected student education records since 1974.
Health Information Privacy
Georgia does not have a state-specific health data privacy law that goes beyond federal protections. The state relies primarily on the federal Health Insurance Portability and Accountability Act (HIPAA) to govern the privacy and security of protected health information.
However, Georgia does have specific statutes governing medical records access:
- O.C.G.A. § 31-33-2 requires physicians to provide patients with copies of their medical records upon request.
- O.C.G.A. § 31-33-3 sets the fees that physicians may charge for copying and mailing patient records, with annual adjustments based on the medical component of the Consumer Price Index.
Under Georgia law, medical records are the property of the healthcare provider, not the patient. Patients have a right to access and obtain copies, but they do not own the physical or digital records themselves.
The Georgia Department of Community Health publishes HIPAA privacy notices for state-administered health programs.
Workplace and Employee Data Privacy
Georgia does not have a comprehensive employee data privacy statute. Workplace monitoring and surveillance are governed by a combination of the state's one-party consent wiretapping law and general common law privacy principles.
Employer Surveillance Rights
Georgia employers generally have broad rights to monitor employees in the workplace:
- Video surveillance is permitted in common areas such as offices and lobbies. Surveillance in private areas like restrooms and locker rooms is prohibited.
- Hidden cameras are allowed as long as the monitoring serves a legitimate business purpose and is not placed in areas where employees have a reasonable expectation of privacy.
- Audio recording falls under Georgia's one-party consent law (O.C.G.A. § 16-11-62). An employer may record a conversation if at least one participant consents, but recording conversations without any participant's consent is a criminal offense.
Employee Remedies
Employees who believe their employer has violated their privacy rights through unlawful surveillance may file civil lawsuits seeking damages, including compensation for emotional distress.
Failed Comprehensive Privacy Legislation
Georgia has attempted to pass comprehensive consumer data privacy legislation in two consecutive legislative sessions. Both bills followed a model similar to the Virginia Consumer Data Protection Act but failed to become law.
SB 473: Georgia Consumer Privacy Protection Act (2024)
The Georgia Consumer Privacy Protection Act (SB 473) passed the Georgia Senate on February 27, 2024, by a vote of 37-15. The House Technology and Infrastructure Innovation Committee gave it a favorable report on March 20, 2024, but the full House never voted on it before the legislature adjourned in late March.
Key provisions of SB 473 included:
- Applied to entities exceeding $25 million in annual revenue that either processed data of at least 175,000 Georgia residents, or processed data of at least 25,000 residents while deriving more than 50% of gross revenue from data sales
- Created consumer rights to access, correct, delete, and obtain copies of personal data
- Established opt-out rights for the sale of personal data and targeted advertising
- Provided an affirmative defense for entities whose privacy programs conformed to the NIST Privacy Framework
- Enforcement limited to the Attorney General with civil penalties and a Consumer Privacy Fund
- No private right of action for individual consumers
The Electronic Privacy Information Center (EPIC) assigned SB 473 a score of 8 out of 100, characterizing it as one of the weakest proposed privacy laws in the country.
SB 111: Georgia Consumer Privacy Protection Act (2025)
SB 111 was a revised version of the previous year's bill. It passed the Georgia Senate on March 3, 2025, by a vote of 53-2 and crossed to the House before the March 6 crossover deadline.
However, the House withdrew and recommitted the bill on March 27, 2025. The legislation died for a second time when the General Assembly adjourned on April 4, 2025.
Key provisions of SB 111 included:
- Similar applicability thresholds: $25 million revenue and either 175,000 residents' data processed or 25,000 residents with 50%+ revenue from data sales
- Civil penalties of up to $7,500 per violation
- A 60-day cure period allowing businesses to fix violations before penalties applied
- An affirmative defense for entities complying with the NIST Privacy Framework
The ACLU of Georgia criticized SB 111 as "the worst consumer protection act in the country," arguing that the high applicability thresholds and business-friendly provisions offered inadequate protection for Georgia residents.
Why These Bills Failed
The legislative pattern reflects a sustained tension in the Georgia General Assembly. A Republican-majority Senate has consistently supported a business-friendly privacy framework modeled after Virginia's approach, while the House has been unwilling to pass legislation in that form. Consumer advocacy groups have argued that both bills prioritized industry interests over meaningful consumer protections.
As of March 2026, Georgia remains one of the states without comprehensive consumer data privacy legislation.
Protecting Georgia's Children on Social Media Act (SB 351)
Although not a traditional data privacy law, the Protecting Georgia's Children on Social Media Act (SB 351), signed into law in 2024, has significant data privacy implications.
The law requires social media platforms to:
- Use "commercially reasonable efforts" to verify the age of users
- Treat any user whose age cannot be verified as a minor
- Obtain parental consent before allowing children under 16 to create accounts
A federal judge temporarily blocked the law on June 26, 2025, just days before its July 1, 2025 effective date. U.S. District Judge Amy Totenberg ruled that the law likely violates the First Amendment, citing "enormous burdens imposed on the First Amendment rights of children, adults, and social media platforms."
The state appealed to the Eleventh Circuit Court of Appeals. A hearing on the appeal took place on March 10, 2026, in Jacksonville, Florida. The case remains pending as of this writing.
Federal Laws That Protect Georgia Residents
Because Georgia lacks a comprehensive state privacy law, federal statutes provide the primary data protection framework for many types of personal information.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy and security of individually identifiable health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. Georgia residents' medical data is protected by HIPAA's Privacy Rule and Security Rule.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. In Georgia, the insurance industry's compliance with the GLBA is enforced through state regulations (GAC 120-2-87), while banking institutions are regulated by federal agencies.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records and gives parents certain rights regarding their children's records. Georgia's Student Data Privacy, Accessibility, and Transparency Act supplements FERPA with additional state-level protections.
Children's Online Privacy Protection Act (COPPA)
COPPA requires operators of commercial websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children. This federal law applies to all businesses serving Georgia's children online.
Federal Trade Commission Act (Section 5)
The FTC Act prohibits unfair or deceptive trade practices, including misrepresentations about data privacy and security. The Federal Trade Commission has used Section 5 to bring enforcement actions against companies that fail to protect consumer data or that violate their own privacy policies.
How Georgia Compares to Other States
Georgia's data privacy framework is notably less comprehensive than many other states. Here is how it compares on key metrics:
| Feature | Georgia | California (CCPA/CPRA) | Virginia (VCDPA) |
|---|---|---|---|
| Comprehensive privacy law | No | Yes | Yes |
| Consumer right to access data | No | Yes | Yes |
| Consumer right to delete data | No | Yes | Yes |
| Right to opt out of data sales | No | Yes | Yes |
| Breach notification required | Yes | Yes | Yes |
| Specific notification deadline | No (expedient) | 72 hours (AG) | 60 days |
| Private right of action | No | Limited | No |
| Data protection assessments | No | Yes | Yes |
Georgia's breach notification law is functional but lacks the specificity of newer state laws. The absence of a comprehensive privacy statute means Georgia residents have fewer rights over their personal data than residents of the 20+ states that have enacted such laws.
What Georgia Residents Can Do Now
While waiting for the legislature to act, Georgia residents can take several steps to protect their personal data.
Credit Freezes. Georgia residents can freeze their credit files with all three major credit bureaus at no cost. A security freeze prevents new creditors from accessing your credit report, making it harder for identity thieves to open accounts in your name.
Free Credit Reports. Under federal law, every consumer is entitled to one free credit report per year from each of the three major reporting agencies. Georgia residents are entitled to an additional two free credit reports per year from each agency under state law.
Attorney General Complaints. If you believe a company has violated your privacy rights or failed to notify you of a data breach, you can file a complaint with the Georgia Attorney General's Consumer Protection Division.
Opt-Out Tools. Even without a state law requiring it, many companies offer opt-out mechanisms for data sharing and targeted advertising. The Digital Advertising Alliance's opt-out tool and individual company privacy settings can reduce how much of your data is shared.
Looking Ahead: The Future of Data Privacy in Georgia
The repeated failure of comprehensive privacy legislation in the Georgia General Assembly does not mean the effort is over. The pattern of Senate passage followed by House inaction suggests that some form of privacy legislation may eventually succeed, particularly as more states enact their own laws and pressure grows on holdout states.
Key factors to watch:
- Whether the General Assembly introduces a new version of the Georgia Consumer Privacy Protection Act in the 2026 session
- The outcome of the Eleventh Circuit appeal on the Protecting Georgia's Children on Social Media Act
- Any federal comprehensive privacy legislation that would preempt state action
- Growing consumer awareness and advocacy pressure following high-profile data breaches
Until comprehensive legislation passes, Georgia residents must rely on the existing patchwork of breach notification requirements, sector-specific regulations, and federal protections to safeguard their personal data.