Georgia Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Georgia enacted its first comprehensive consumer data privacy law when Governor Kemp signed Senate Bill 111 (Act 462) on May 11, 2026, giving residents rights to access, correct, and delete their personal data. The state's breach notification statute, O.C.G.A. Section 10-1-912, separately requires prompt notice after any data breach.
Georgia's data privacy landscape changed significantly in the spring of 2026. After two consecutive years of failure in the state legislature, Governor Brian Kemp signed Senate Bill 111, the Georgia Consumer Privacy Protection Act, into law on May 11, 2026 (Act 462). Georgia became the latest state to join the growing number of jurisdictions with a comprehensive consumer data privacy statute.
The new law gives Georgia residents rights over their personal data that did not previously exist at the state level: the right to access, correct, delete, and opt out of the sale of their information and its use for targeted advertising. It also places obligations on businesses that meet specific revenue and data-processing thresholds. However, consumer advocacy groups including EPIC and the ACLU of Georgia criticized SB 111 as one of the weakest privacy laws in the country, citing high applicability thresholds, a 60-day cure period before penalties can be imposed, and no private right of action.
Before SB 111, Georgia residents relied on the state's data breach notification law, sector-specific statutes, and federal protections for privacy coverage. Those laws remain in force and important for millions of Georgians whose data is held by entities that fall below SB 111's applicability thresholds.
This guide covers SB 111 in full, along with the breach notification statute, the Computer Systems Protection Act, student data protections, the AI chatbot disclosure law, the social media age verification law currently in federal court, and the federal overlay that applies to all Georgia residents.
Georgia Consumer Privacy Protection Act (SB 111, Act 462, Signed May 11, 2026)
The Georgia Consumer Privacy Protection Act enacts Article 35 of Title 10 of the Official Code of Georgia Annotated. Governor Kemp signed the bill on May 11, 2026. The House passed the legislation 162-1 on March 31, 2026, and the Senate agreed to the House substitute on April 2, 2026.
SB 111 follows the Virginia Consumer Data Protection Act (VCDPA) model used by many other states. Consumer advocates at EPIC gave it a score of 6 out of 100, citing inadequate thresholds and weak enforcement mechanisms.

Applicability Thresholds
SB 111 applies to entities that conduct business in Georgia or produce products or services targeted to Georgia residents, AND that meet one of the following thresholds:
- Control or process personal data of at least 175,000 Georgia residents per calendar year, OR
- Control or process personal data of at least 25,000 Georgia residents per calendar year AND derive more than 50% of gross annual revenue from the sale of personal data
The law also requires that the entity exceed $25 million in annual gross revenue. Georgia's thresholds are substantially higher than those in states like California and Maryland, which means many mid-size businesses that would be covered under other state laws will fall outside SB 111's scope in Georgia.
Exempt Sectors and Data Types
SB 111 contains broad exemptions consistent with other Virginia-model laws. The following entities and data types are generally exempt:
- Government entities and their contractors
- Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates subject to HIPAA
- Nonprofit organizations
- Institutions of higher education
- Data subject to the Fair Credit Reporting Act (FCRA)
- Employee and contractor data processed in a human resources context
Consumer Rights
Georgia residents have the following rights under SB 111, exercised by submitting a verified request to a covered controller:
- Right to access: Confirm whether a controller processes your personal data and obtain a copy of it.
- Right to correct: Correct inaccurate personal data maintained about you.
- Right to delete: Request deletion of personal data you provided or that the controller collected about you.
- Right to portability: Obtain a copy of your personal data in a portable, readily usable format.
- Right to opt out of targeted advertising: Opt out of the processing of your personal data for purposes of targeted advertising.
- Right to opt out of data sales: Opt out of the sale of your personal data.
- Right to opt out of profiling: Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers must respond to verified consumer requests within 45 days, with a permitted 45-day extension when reasonably necessary.
Sensitive Data
SB 111 defines sensitive data broadly. It includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying a natural person, precise geolocation data, personal data of a known child, and data concerning online activities tracked over time and across unaffiliated websites or services.
Controllers must obtain the consumer's consent before processing sensitive data.
Children's Data
SB 111 prohibits controllers from processing personal data of a minor for purposes of targeted advertising or the sale of personal data. The law also requires affirmative consent before processing the sensitive data of a minor.
Controller and Processor Obligations
Controllers under SB 111 must:
- Provide consumers with a reasonably accessible privacy notice describing the categories of data collected, the purposes for processing, how consumers can exercise their rights, and the categories of data shared with third parties.
- Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
- Establish reasonable administrative, technical, and physical security practices appropriate to the volume and nature of personal data processed.
- Conduct data protection assessments for high-risk processing activities including targeted advertising, sale of personal data, profiling with significant effects, processing sensitive data, and processing activities that present a heightened risk of harm.
- Execute data processing agreements with processors that establish the processor's instructions and obligations.
Processors must process data only on documented instructions from the controller and must assist controllers in meeting their security and consumer-rights obligations.
Enforcement and Penalties
The Georgia Attorney General has exclusive authority to enforce SB 111. There is no private right of action, meaning individual consumers cannot sue covered businesses under the statute.
Before bringing an enforcement action, the AG must give the controller or processor a 60-day cure period to remedy the violation. After the cure period, the AG may seek:
- Civil penalties of up to $7,500 per violation
- Injunctive relief
Funds collected in penalty actions are directed to the state's general fund.
What SB 111 Does Not Require
SB 111 does not require:
- A Universal Opt-Out Mechanism (UOOM) or Global Privacy Control (GPC) recognition
- A dedicated privacy agency (the AG enforces)
- Data minimization as an independent standalone requirement beyond what is reasonably necessary for disclosed purposes
This places Georgia's law toward the less protective end of the spectrum compared to California (CPRA), Oregon (OCPA), and Maryland (MODPA).
Georgia's Data Breach Notification Law (O.C.G.A. Section 10-1-910 Through 10-1-912)
The Georgia Personal Identity Protection Act, originally enacted in 2005 and expanded in 2007, remains an important complement to SB 111. It applies to all data collectors and information brokers that maintain computerized personal information on Georgia residents, regardless of whether they meet SB 111's applicability thresholds.

What Qualifies as Protected Personal Information?
Under O.C.G.A. Section 10-1-911, personal information means an individual's first name or first initial and last name combined with any one or more of the following unencrypted or unredacted elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code or password
- Account passwords or PINs
The definition excludes information lawfully available to the general public from government records.
Notification Requirements
When a breach occurs, the data holder must notify affected Georgia residents in the most expedient time possible and without unreasonable delay. Georgia does not impose a specific deadline measured in calendar days, distinguishing it from states that require notification within 30, 45, or 72 hours. The only permitted delay is when a law enforcement agency determines notification would compromise an active criminal investigation.
The law permits written notice by mail or electronic notice consistent with the federal E-Sign Act. Substitute notice through major statewide media outlets is permitted when direct notice would cost more than $50,000, the affected class exceeds 100,000 people, or the entity lacks sufficient contact information for the affected individuals.
Large-Scale Breach Reporting
When a breach affects more than 10,000 Georgia residents at one time, the entity must also notify all three nationwide consumer reporting agencies. This notification must include the timing, distribution, and content of the notices sent to affected individuals.
Third-Party Data Processor Notice
Any person or business that maintains personal information on behalf of another entity must notify that entity within 24 hours of discovering a breach. This rule protects companies that outsource data storage or processing.
Enforcement
The Georgia Attorney General's Consumer Protection Division enforces the breach notification law. Violations are treated as unfair or deceptive acts under the Georgia Fair Business Practices Act (O.C.G.A. Section 10-1-390 et seq.). There is no private right of action.
In 2024, AG Chris Carr's Consumer Protection Division secured nearly $80 million total for Georgia taxpayers and consumers through enforcement across multiple consumer protection statutes.
Georgia Computer Systems Protection Act (O.C.G.A. Section 16-9-90 et seq.)
The Computer Systems Protection Act provides criminal penalties for unauthorized access to computer systems and personal data. It functions alongside SB 111 and the breach notification law, adding criminal liability to civil enforcement.

Criminal Offenses
The Act establishes four major felony offenses under O.C.G.A. Section 16-9-93:
Computer Theft (Section 16-9-93(a)): Using a computer with intent to take or appropriate property of another, including data and programs.
Computer Trespass (Section 16-9-93(b)): Unauthorized access to a computer with intent to delete, alter, damage, or destroy data, or to introduce a contaminant.
Computer Invasion of Privacy (Section 16-9-93(c)): Using a computer with intent to examine employment, medical, salary, credit, or other financial or personal data relating to another person without authorization.
Computer Forgery (Section 16-9-93(d)): Using a computer to create, alter, or delete data in a manner that would constitute forgery under Georgia law.
Each of these felony offenses carries a maximum fine of $50,000 and up to 15 years in prison, or both. Computer Password Disclosure is a separate misdemeanor carrying a maximum fine of $5,000 and up to one year in jail.
Civil Remedies
Any person whose property or person is injured by a violation of the Computer Systems Protection Act may file a civil lawsuit. The statute of limitations for civil claims is four years from the date the violation is discovered or should have been discovered through reasonable diligence.
Protecting Georgia's Children on Social Media Act (SB 351, 2024)
The Protecting Georgia's Children on Social Media Act was signed into law in 2024. It requires social media platforms to verify the age of users and obtain parental consent before allowing children under 16 to create accounts.
Federal litigation immediately followed. The industry group NetChoice filed suit arguing the law violates the First Amendment. U.S. District Judge Amy Totenberg issued a preliminary injunction blocking the law on June 26, 2025, just days before its July 1, 2025 effective date. She found the law likely violated the First Amendment rights of children, adults, and platforms.
Georgia AG Chris Carr appealed to the U.S. Court of Appeals for the Eleventh Circuit. Oral arguments took place on March 10, 2026, in Jacksonville, Florida. A three-judge panel pressed NetChoice on standing and whether the lower court moved too quickly to issue a facial injunction. The panel signaled some receptiveness to Georgia's arguments but had not issued a ruling as of this writing. The law remains enjoined pending the appeal.
Georgia AI Chatbot Disclosure Law (SB 540, 2026)
Governor Kemp signed SB 540 into law in May 2026. The Act takes effect July 1, 2027. It requires operators of AI-powered chatbots to disclose, proactively and within the conversation, that the user is communicating with artificial intelligence rather than a human.
Key requirements include:
- Disclosure must appear at the start of every conversation and then every three hours for general users.
- For users who are minors, disclosures must repeat every hour.
- Chatbots must disclose their AI nature when a user sincerely inquires whether they are speaking with a human.
- Chatbots interacting with minors must follow self-harm and suicide response protocols.
- The law applies to major platforms including Meta and Google, with no carve-out for AI embedded in large social media services.
Student Data Privacy
Georgia enacted the Student Data Privacy, Accessibility, and Transparency Act (O.C.G.A. Section 20-2-661 through 20-2-667), effective July 1, 2016, to protect personal information of K-12 students. The law requires the Georgia Department of Education to designate a chief privacy officer, restricts collection of sensitive student data including political affiliations and religious beliefs, imposes data management requirements on education technology operators, and gives parents the right to inspect their children's education records.

These state protections supplement the federal Family Educational Rights and Privacy Act (FERPA), which has governed access to student education records since 1974.
Insurance Data Privacy
Georgia regulates the collection, use, and disclosure of personal information in insurance transactions through Georgia Administrative Code Section 120-2-87, issued by the Office of the Commissioner of Insurance. These regulations implement Title V of the federal Gramm-Leach-Bliley Act (GLBA) and cover insurance institutions, agents, and support organizations operating in Georgia.
Covered entities must provide privacy notices, allow opt-out of certain information sharing with nonaffiliated third parties, and implement safeguards to protect customer information.
Georgia has not adopted the NAIC Insurance Data Security Model Law (Model 668), which would impose more specific cybersecurity requirements on insurers.
Health Information Privacy
Georgia does not have a state health data privacy law that exceeds federal protections. The Health Insurance Portability and Accountability Act (HIPAA) governs protected health information held by covered entities and their business associates. Georgia relies primarily on HIPAA's Privacy Rule and Security Rule.
Georgia does have statutes governing medical records access: O.C.G.A. Section 31-33-2 requires physicians to provide patients with copies of medical records upon request, and Section 31-33-3 sets copying fees with annual CPI adjustments.
Workplace and Employee Data Privacy
Georgia does not have a comprehensive employee data privacy statute. Employer surveillance rights are broad: video monitoring is permitted in common areas, audio recording of business communications is lawful under Georgia's one-party consent standard (O.C.G.A. Section 16-11-62), and employee monitoring of computer use and communications on company systems is generally permitted. SB 111 exempts employee and contractor data processed in a human resources context from its consumer rights provisions.
Federal Laws That Protect Georgia Residents
Federal statutes remain the primary privacy framework for data types or entities that fall outside SB 111's scope.

TAKE IT DOWN Act (Pub. L. 119-12, Signed May 19, 2025)
The TAKE IT DOWN Act is a federal law targeting nonconsensual intimate visual depictions (NCII), including AI-generated deepfakes. President Trump signed it into law on May 19, 2025. The criminal prohibition on publishing NCII took effect immediately upon signing.
The platform takedown obligations took effect on May 19, 2026. Covered platforms must now maintain a process for consumers to report NCII and must remove reported content within 48 hours of receiving notice. The FTC enforces these obligations and may seek civil penalties of up to $53,088 per violation. The FTC launched TakeItDown.ftc.gov for consumers to report violations.
HIPAA
HIPAA protects individually identifiable health information held by covered entities (healthcare providers, health plans, clearinghouses) and their business associates. Georgia's healthcare sector is a major HIPAA-regulated industry.
Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions to explain information-sharing practices and safeguard customer data. Georgia's insurance regulator enforces GLBA compliance for insurers through GAC 120-2-87. Federal banking regulators cover banks and credit unions.
Children's Online Privacy Protection Act (COPPA)
COPPA requires operators of websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information. The FTC enforces COPPA nationwide and has broad rulemaking authority.
Fair Credit Reporting Act (FCRA)
FCRA governs the collection, use, and disclosure of consumer credit information. Georgia residents have rights under FCRA to access their credit files and dispute inaccurate information. State law provides an additional two free credit reports per year from each major reporting agency, beyond the one federally guaranteed.
FTC Act Section 5
The FTC Act prohibits unfair or deceptive trade practices. The FTC uses Section 5 authority to enforce data security and privacy commitments against companies across all sectors, including against businesses that violate their own privacy policies or fail to maintain adequate data security.
American Privacy Rights Act (APRA)
Congress introduced the American Privacy Rights Act as a bipartisan federal comprehensive privacy bill in 2024. It did not pass the 118th Congress. As of mid-2026, no successor bill has been enacted into law. There is no federal comprehensive consumer privacy law in force.
Practical Compliance Steps for Businesses
Businesses operating in Georgia face a multi-layer compliance environment as of mid-2026.
Assess SB 111 Applicability: Determine whether your revenue ($25M+) and data-processing volumes (175,000 residents, or 25,000 residents with 50%+ revenue from data sales) place you within the statute's scope. Many smaller businesses will not be covered.
Update Privacy Notices: If covered by SB 111, your privacy notice must describe data categories collected, processing purposes, consumer rights, and categories of third-party recipients.
Implement Consumer Request Processes: Establish verified processes to receive and respond to access, correction, deletion, portability, and opt-out requests within 45 days.
Audit Sensitive Data Processing: If you process sensitive categories (health data, biometrics, geolocation, children's data), you need affirmative consent and a data protection assessment.
Review Vendor Contracts: Execute data processing agreements with any processor handling Georgia personal data on your behalf.
Maintain Breach Response Plans: Regardless of SB 111 applicability, all businesses maintaining personal data on Georgia residents must comply with the Personal Identity Protection Act breach notification requirements.
Prepare AI Chatbot Disclosures: If you operate AI chatbots, plan for compliance with SB 540 by July 1, 2027.
TAKE IT DOWN Compliance: If you operate a covered platform, maintain a notice-and-removal process for nonconsensual intimate images.
How Georgia Residents Exercise Their Rights
Under SB 111, Georgia residents can submit requests directly to covered controllers. Privacy notices on covered businesses' websites must include the mechanism for submitting requests. Controllers cannot charge a fee for requests and cannot penalize consumers for exercising their rights.
For breach notification issues, file a complaint with the Georgia Attorney General's Consumer Protection Division at consumer.georgia.gov or call 404-651-8600.
For NCII or deepfake intimate images on platforms, report violations to the FTC at TakeItDown.ftc.gov as of May 19, 2026.
For credit-related privacy issues, contact the Consumer Financial Protection Bureau or file a dispute directly with the three major credit bureaus.
Frequently Asked Questions
Does Georgia have a comprehensive consumer data privacy law?
Yes, as of May 2026. Governor Kemp signed Senate Bill 111, the Georgia Consumer Privacy Protection Act (Act 462), on May 11, 2026. The law gives Georgia residents rights to access, correct, delete, and opt out of targeted advertising and data sales. It applies to businesses with more than $25 million in revenue that process personal data of at least 175,000 Georgia residents, or at least 25,000 residents if more than 50% of revenue comes from data sales.
What must a company do if my personal data is breached in Georgia?
Under O.C.G.A. Section 10-1-912, any business that maintains your personal information must notify you in the most expedient time possible and without unreasonable delay after discovering a breach. Notice can be sent by mail or electronically. If the breach affects more than 10,000 Georgia residents, the company must also notify all three nationwide consumer reporting agencies. Third-party data processors must notify the data owner within 24 hours of discovering a breach.
Can I sue a company for a data breach in Georgia?
Georgia's breach notification statute does not provide a private right of action, and SB 111 also contains no private right of action. However, you may have claims under the Computer Systems Protection Act (O.C.G.A. Section 16-9-93) if someone accessed your data without authorization, with a four-year statute of limitations. Common law claims for negligence or invasion of privacy may also be available depending on the circumstances.
Does Georgia have a Universal Opt-Out Mechanism like Colorado or California?
No. SB 111 does not require covered businesses to recognize a Universal Opt-Out Mechanism or Global Privacy Control (GPC) signal. To opt out of targeted advertising or data sales under Georgia law, you must submit a request directly to each covered business through the mechanism described in their privacy notice.
What are the penalties for violating Georgia's privacy laws?
Under SB 111, the Attorney General can seek civil penalties of up to $7,500 per violation, but only after giving the business a 60-day cure period. Under the Georgia Fair Business Practices Act, which covers breach notification violations, penalties can reach $5,000 per violation. The Computer Systems Protection Act imposes criminal penalties for unauthorized data access: up to 15 years in prison and a $50,000 fine for felony offenses.
Does the TAKE IT DOWN Act apply to Georgia residents?
Yes. The TAKE IT DOWN Act is a federal law signed on May 19, 2025, that applies nationwide. As of May 19, 2026, covered platforms must maintain a process to remove nonconsensual intimate images within 48 hours of receiving notice. This includes AI-generated deepfakes. Georgia residents can report platform non-compliance to the FTC at TakeItDown.ftc.gov.
What is the status of Georgia's social media age verification law?
The Protecting Georgia's Children on Social Media Act (SB 351, 2024) requires parental consent before children under 16 can open social media accounts. A federal district court blocked the law with a preliminary injunction on June 26, 2025, finding it likely violated the First Amendment. Georgia AG Chris Carr appealed to the Eleventh Circuit Court of Appeals. Oral arguments took place on March 10, 2026. The case remains pending, and the law is not in effect while the injunction stands.
How does Georgia protect student data privacy in schools?
Georgia enacted the Student Data Privacy, Accessibility, and Transparency Act (O.C.G.A. Section 20-2-661 through 20-2-667) in 2016. It requires the Department of Education to appoint a chief privacy officer, restricts collection of student political and religious data, protects juvenile delinquency and medical records, imposes requirements on education technology operators, and gives parents the right to inspect their children's records. These protections supplement the federal FERPA law.
Sources and References
- Georgia Code § 10-1-912 - Notification required upon breach of security regarding personal information (law.justia.com)
- Georgia Code § 10-1-911 - Definitions (law.justia.com)
- Georgia Attorney General - Data Breaches: How to Protect Your Information (consumer.georgia.gov)
- Getting notified following a data breach - Georgia Consumer Protection Division (consumered.georgia.gov)
- Georgia Computer Systems Protection Act - O.C.G.A. Title 16, Chapter 9, Article 6, Part 1 (law.justia.com)
- Georgia Administrative Code - GAC 120-2-87: Regulations Governing Collection, Use, and Disclosure of Information in Insurance Transactions (rules.sos.ga.gov)
- NAIC Insurance Data Security Model Law - State Adoption Status (content.naic.org)
- Student Data Privacy, Accessibility, and Transparency Act - Georgia Department of Education (georgiainsights.gadoe.org)
- FERPA - Georgia Department of Education (georgiainsights.gadoe.org)
- Georgia Code § 16-11-62 - Eavesdropping, Surveillance, or Intercepting Communication (law.justia.com)
- SB 111 - Georgia Consumer Privacy Protection Act (2025) (legis.ga.gov)
- SB 473 - Georgia Consumer Privacy Protection Act (2024) (legis.ga.gov)
- Protecting Georgia's Children on Social Media Act - SB 351 (legis.ga.gov)
- Georgia Attorney General - Carr Continues Fight to Keep Kids Safe Online (March 2026) (law.georgia.gov)
- HIPAA Privacy Notices - Georgia Department of Community Health (dch.georgia.gov)
- Cybersecurity in Georgia - Georgia Attorney General Consumer Protection (consumer.georgia.gov)
- Georgia Privacy/Security Policy (georgia.gov)
- Georgia DHS Data Breach Response Policy (pamms.dhs.ga.gov)
- Georgia General Assembly - SB 111, Georgia Consumer Privacy Protection Act (Act 462) (legis.ga.gov)
- Georgia Governor - Signed Legislation SB 111 (2026) (gov.georgia.gov)
- Office of the Georgia Attorney General - Chris Carr (law.georgia.gov)
- Georgia AG Press Release: Carr Secures Nearly $80 Million for Georgia Taxpayers and Consumers in 2024 (law.georgia.gov)
- Gramm-Leach-Bliley Act, 15 U.S.C. Section 6801 (Safeguarding Customer Information) - Cornell LII (law.cornell.edu)
- FTC - TAKE IT DOWN Act (Pub. L. 119-12) (ftc.gov)
- FTC Blog: Take It Down Act Enforcement Starts Now (May 2026) (ftc.gov)
- FTC Consumer Advice: What Will the FTC Enforcement of the TAKE IT DOWN Act Mean for You? (consumer.ftc.gov)
- EPIC - Georgia Privacy Bill (SB 111) Earns Failing Grade (epic.org)
- ACLU of Georgia - Report: Georgia Consumer Privacy Bill Gets a Failing Grade (acluga.org)
- Chambers and Partners - Data Protection and Privacy 2026: USA Georgia Trends and Developments (practiceguides.chambers.com)
- Business Software Alliance - BSA Letter on Georgia SB 111 (bsa.org)