Georgia Biometric Privacy Laws: Collection, Consent & Penalties (2026)
Georgia is one of the majority of U.S. states that has not enacted a dedicated biometric privacy law. Residents who use fingerprint scanners at work, submit to facial recognition at public venues, or provide biometric data to apps and devices have limited state-level legal protections governing how that data is collected, stored, shared, or destroyed.
This guide explains what Georgia law currently does and does not cover when it comes to biometric information, which pending legislation could change the landscape, and what federal protections fill the gap in the meantime.
For broader context on Georgia's overall privacy framework, see the parent guide to [Georgia Data Privacy Laws](/us-laws/data-privacy-laws/georgia-data-privacy-laws).
What Counts as Biometric Data
Biometric data includes unique physical or behavioral characteristics used to identify an individual. Common examples include fingerprints, facial geometry (used in facial recognition), iris and retina scans, voiceprints, palm prints, and gait analysis.
States with dedicated biometric privacy laws, such as Illinois (BIPA) and Texas (CUBI), define these identifiers in statute and regulate how entities handle them. Georgia has not taken this step.
Georgia's Current Legal Framework
Personal Identity Protection Act (O.C.G.A. 10-1-910 et seq.)
Georgia's primary data protection law is the Personal Identity Protection Act, enacted in 2005 and amended in 2007. This law requires businesses and data brokers to notify Georgia residents when a security breach compromises their personal information.
However, the statute defines "personal information" under O.C.G.A. 10-1-911 as an individual's name combined with one or more of the following:
- Social Security number
- Driver's license or state ID number
- Financial account, credit card, or debit card numbers (with access codes)
- Account passwords or PINs
Biometric data such as fingerprints, facial scans, and voiceprints are not included in this definition. A breach involving only biometric records would not trigger notification obligations under current Georgia law.
Fair Business Practices Act (O.C.G.A. 10-1-390 et seq.)
Georgia's Fair Business Practices Act prohibits unfair and deceptive trade practices. While the statute does not mention biometric data specifically, a business that made false promises about how it handles biometric information could theoretically face enforcement action under this law.
The Georgia Attorney General enforces the FBPA. There is no private right of action that would allow individual consumers to sue for biometric data misuse under this statute alone.
No Employer-Specific Biometric Rules
Georgia does not restrict employers from collecting fingerprints, facial scans, or other biometric data from employees. Businesses that use biometric time clocks, fingerprint-based access controls, or facial recognition for security purposes are not required by state law to:
- Obtain written consent before collecting biometric data
- Disclose how biometric data will be stored or used
- Establish retention schedules or destruction timelines
- Limit sharing of biometric data with third parties
This stands in sharp contrast to states like Illinois, where the Biometric Information Privacy Act requires informed written consent and imposes statutory damages of $1,000 to $5,000 per violation.
Pending Legislation: Georgia Consumer Privacy Protection Act
The most significant potential change for biometric privacy in Georgia is the Georgia Consumer Privacy Protection Act (SB 111), introduced in the 2025-2026 legislative session.
What SB 111 Would Do for Biometric Data
The bill classifies biometric data processed for the purpose of uniquely identifying an individual as "sensitive data." If enacted, the law would:
- Require businesses to obtain explicit consumer consent before processing biometric data
- Mandate clear notices when a business sells or shares sensitive data, including biometric information
- Require data protection assessments for activities involving sensitive data processing
- Authorize the Georgia Attorney General to seek civil penalties of up to $7,500 per violation, with treble damages for knowing or willful violations
Current Status
SB 111 passed the Georgia Senate on March 3, 2025, by a vote of 53-2. The House withdrew and recommitted the bill in March 2025, and it did not advance before the session adjourned in April 2025. As of March 2026, the bill has been placed on the House General Calendar and could see floor action during the second year of the 2025-2026 session.
Even if SB 111 passes, the ACLU of Georgia has criticized the bill for high applicability thresholds. The law would only apply to entities that exceed $25 million in annual revenue and process personal information of at least 175,000 Georgia residents, or 25,000 residents if the entity derives more than 50% of revenue from selling personal data.
The bill also would not create a private right of action. Only the Attorney General could bring enforcement actions.
Federal Protections That Apply in Georgia
Because Georgia lacks a state biometric privacy law, federal statutes provide the primary legal guardrails for biometric data.
Section 5 of the FTC Act allows the Federal Trade Commission to bring enforcement actions against companies engaged in unfair or deceptive practices involving biometric data. The FTC has taken action against companies for deceptive facial recognition practices and inadequate data security.
HIPAA protects biometric data when it is collected or used by covered healthcare entities and their business associates. Fingerprint or facial recognition data used in a healthcare setting falls under HIPAA's Privacy Rule.
FERPA restricts how educational institutions handle student biometric data. Schools that use fingerprint-based lunch payment systems or facial recognition must comply with FERPA's privacy requirements.
COPPA imposes strict requirements on the collection of biometric data from children under 13, including parental consent requirements enforced by the FTC.
How Georgia Compares to Other States
Georgia falls into the least protective tier of states for biometric privacy. For comparison:
- Illinois has the strongest biometric law in the country (BIPA), with a private right of action and statutory damages of $1,000 to $5,000 per violation
- Texas and Washington have biometric-specific statutes enforced by their attorneys general
- States with comprehensive privacy laws (like Colorado, Connecticut, and Virginia) classify biometric data as sensitive and require consent for processing
- Georgia has no biometric-specific protections and no comprehensive privacy law currently in effect
More Georgia Laws
- Georgia Data Privacy Laws
- Georgia Whistleblower Laws
- Georgia Sexting Laws
- Georgia Recording Laws
- Georgia Recording Laws
- Georgia Recording Laws
- Georgia Dog Bite Laws
- Georgia Recording Laws
This article provides general legal information about Georgia biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Georgia for advice about your specific situation.
Sources and References
- Georgia Personal Identity Protection Act breach notification requirements(law.justia.com)
- O.C.G.A. 10-1-911 definitions of personal information(law.justia.com)
- Georgia Fair Business Practices Act(law.justia.com)
- Georgia Consumer Privacy Protection Act (SB 111) bill page(legis.ga.gov).gov
- SB 111 full bill text(legis.ga.gov).gov
- ACLU of Georgia report on SB 111(acluga.org)
- FTC Act Section 5 enforcement authority(ftc.gov).gov
- HIPAA Privacy Rule(hhs.gov).gov
- FERPA privacy requirements(ed.gov).gov
- COPPA rule on children online privacy(ftc.gov).gov
- Illinois Biometric Information Privacy Act(ilga.gov).gov