How the Georgia Computer Data Privacy Act Is Stricter than the CCPA
Following in the footsteps of the California Consumer Privacy Act (CCPA), the Georgia Assembly introduced a bill called the Georgia Computer Data Privacy Act (GCDPA) on January 26, 2022.
Known as the first omnibus privacy bill in Georgia, the GCDPA has gained a lot of interest from businesses across the country because it’s a lot stricter than the original CCPA (, from which it was modeled. Here’s why.
Stricter Guidelines in the GCDPA
The GCDPA may suggest privacy class actions.
According to one of its sections, “consumers shall have a private cause of action against any person who violates (the GCDPA).” Statutory damages begin at $2,500 for every violation and $7,500 for every intentional violation. This may encourage consumers to file lawsuits even with the vaguest causes.
The GCDPA requires consent to collect data.
With the GCDPA, businesses are not allowed to collect any personal information before the point where they have provided notice and “obtained the consumer’s consent.”
Consent, in this case, is defined as “the act by which a consumer clearly, conspicuously and unambiguously authorizes a specific “act or practice.” This could affect a lot of businesses that collect personal information once a customer visits a website and they might need to think about “consent walls” to comply with the GCDPA.
The GCDPA follows the same “sales” definition as the CCPA.
“Sales” is defined by the GCDPA as “the disclosure of data to a third party for any valuable consideration.” This means that every time a company shares data when engaging or providing a service, it could be deemed a “sale” depending on the evaluation. This includes high-risk merchant accounts and digital marketing.
The GCDPA requires more detailed notices than the CCPA.
This new act requires all businesses to provide a “We Sell Data” notice that provides “the pro-rata value of the consumer’s personal information” and “identifies the specific persons to whom data will be sold.” Unlike California, where the CCPA permits the sale of data without identifying specific recipients (CCPA, 2022), this act focuses on declaring every “data sale” even if no money was involved in the transaction.
The GCDPA requires an “opt-in” to sell data.
The GCDPA prohibits businesses from selling data without the consumer opting into the transaction first; they should be offered a “clear and conspicuous link” on the website.
This means that businesses in Georgia will be required to get opt-ins from consumers before they can market their products digitally, which could be a huge challenge, especially for smaller businesses.
The GCDPA gives consumers the “Right to be Forgotten.”
It is a general right for consumers around the country to be able to ask businesses to delete their data. However, the GCDPA takes this to a whole new level with the “Right to be Forgotten,” which means that “if a company has made a consumer’s personal information public, it has to take all reasonable steps it can to make the data un-public.”
So, if you’re doing business in Georgia, you need to learn all about the GCDPA and how it will affect your business.
Citation
California Consumer Privacy Act (CCPA). (2022, January 27). State of California – Department of Justice – Office of the Attorney General. https://oag.ca.gov/privacy/ccpa