Georgia (US) - Sectoral Privacy Overview
Article I, Section I, Paragraph I of the Constitution of the State of Georgia ('the Constitution') reads: 'No person shall be deprived of life, liberty, or property except by a due process of law.'
The Supreme Court of Georgia ('the Supreme Court') has long held that Georgia citizens have a 'liberty of privacy' founded in 'ancient law' and preserved by this constitutional provision (see, e.g., Pavesich v. New England Life Ins., 122 Ga. 190, 50 S.E. 68 (1905); Powell v. State, 270 Ga. 327, 510 S.E.2d 18 (1998)).
Four common law privacy torts
Georgia courts recognize four torts based upon the right to privacy: (1) intrusion upon seclusion; (2) public disclosure of private facts; (3) false light; and (4) appropriation of likeness.
- Intrusion upon seclusion:
- This tort involves an unreasonable and highly offensive intrusion upon another's seclusion. Georgia courts have long recognized forms of invasion consisting of intrusion upon physical solitude, or seclusion analogous to a trespass in plaintiff's home or other quarters, such as a hotel room. Georgia courts now extend the principle beyond physical intrusion to include prying and intrusions into private concerns (Anderson v. Mergenhagen, 283 Ga. App. 546, 642 S.E.2d 105 (2007), citing Summers v. Bailey, 55 F.3d 1564, 1566 (11th Cir.1995)).
- Public disclosure of private facts:
- Requires a plaintiff to prove: (1) the disclosure of private facts was a public disclosure; (2) the facts disclosed to the public must be private, secluded, or secret facts, and not public ones; and (3) the matter made public was offensive and objectionable to a reasonable person of ordinary sensibilities under the circumstances (Haughton v. Canning, 287 Ga. App. 28, 650 S.E.2d 718 (2007)).
- False light:
- To establish a false light invasion of privacy claim, a plaintiff must show 'the existence of false publicity depicting her as something or someone which she is not, and must demonstrate that the false light in which she was placed would be highly offensive to a reasonable person' (Torrance v. Morris Pub. Grp. LLC, 281 Ga. App. 563, 565, 636 S.E.2d 740, 742 (2006)).
- Appropriation of likeness:
- Unlike a claim based on intrusion upon seclusion, public disclosure of private facts, or false light, an appropriation of likeness claim does not require the invasion of something secret, secluded or private pertaining to a plaintiff, nor does it involve falsity; instead, the tort consists of the appropriation, for a defendant's benefits, uses, or advantages, of a plaintiff's name or likeness (Bullard v. MRA Holding, LLC, 292 Ga. 748, 740 S.E.2d 622 (2013)).
Georgia, like the US as a whole, has many privacy laws but most are industry-specific. Three key generally applicable privacy laws are discussed below.
Georgia's Personal Identity Protection Act ('PIPA') under §§10-1-911 et seq. of the Official Code of Georgia Annotated ('Ga. Code Ann.') requires any individual or business to notify consumers when a data breach occurs (Ga. Code Ann. §10-1-911 to §10-1-912). PIPA defines 'breach of the security of a system' and details when such a breach would require notification to consumers. The statute also defines 'personal information' as (Ga. Code Ann. §10-1-911(6)):
- 'an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
- social security number;
- driver's license number or state identification card number;
- account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
- account passwords or personal identification numbers or other access codes; or
- any of the items contained in subparagraphs above when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.'
Note that 'personal information' does not include publicly available information lawfully made available to the general public from federal, state, or local government records (Ga. Code Ann. §10-1-911(6)). PIPA also provides rights to consumers who wish to place a security freeze on their credit report (Ga. Code Ann. §§10-1-913 - 914.1).
PIPA became effective in 2005 and the Office of the Attorney General ('OAG') enforces it, although there is no requirement to notify the Attorney General ('AG') of a breach affecting Georgia residents regardless of the size of the breach. For telecommunications companies, there are separate notification procedures in the event of a breach involving telephone records concerning Georgia residents, namely the Telephone Records Privacy Protection Act under Ga. Code Ann. §§46-5-210 et seq.
The Court of Appeals of Georgia has determined, and the Supreme Court has affirmed, that PIPA does not create a duty to safeguard and protect the personal information of others. Instead, PIPA merely creates a duty to notify affected persons of a data breach (McConnell v. Dep't of Labor, 345 Ga. App. 669, 679, 814 S.E.2d 790, 799 (2018), cert. granted (Nov. 15, 2018), aff'd, 305 Ga. 812, 828 S.E.2d 352 (2019); see also Collins v. Athens Orthopedic Clinic, P.A., 307 Ga. 555, 562, 837 S.E.2d 310, 315–16 (2019) (reversing Court of Appeals and allowing negligence claim against the breached entity to proceed because the plaintiff breach victims had shown injury in the form of increased risk of identity theft, but that this 'easier showing of injury may well be offset by a more difficult showing of breach of duty')).
Following Collins, the Eleventh Circuit has applied Georgia's traditional negligence law in assessing whether a breached party failed in its duty to notify affected customers (see, e.g., Ramirez v. Paradies Shops, LLC, 69 F.4th 1213, 1219 (11th Cir. 2023)).
Freedom of Information
As a general rule, all public records in Georgia are open for personal inspection and copying by any person (see Georgia Open Records Act ('the Open Records Act') under Ga. Code Ann. §50-18-71(a)). A 'public record' is defined as 'all documents, papers, letters, maps, books, tapes, photographs, computer-based or generated information, data, data fields, or similar material prepared and maintained or received by an agency or by a private person or entity in the performance of a service or function for or on behalf of an agency or when such documents have been transferred to a private person or entity by an agency for storage or future governmental use' (Ga. Code Ann. §50-18-70(b)(2)).
There are, however, numerous exceptions to this general rule found in §50-18-72 of the Open Records Act. For instance, that statute sets out that public disclosure shall not be required for records that are medical, 'the disclosure of which would be an invasion of personal privacy' (Ga. Code Ann. §50-18-72(a)(2)). Additionally, records related to confidential evaluations prepared in connection with the appointment or hiring of a public officer or employee are protected from disclosure (Ga. Code Ann. §50-18-72(a)(7)). In contrast, records 'consisting of material obtained in investigations related to the suspension, firing, or investigation of complaints against public officers or employees' are only protected for disclosure until ten days after those materials have been 'presented to the agency or an officer for action or the investigation is otherwise concluded or terminated' (Ga. Code Ann. §50-18-72(a)(8)).
Identity fraud is not only a criminal felony in Georgia but can also subject an individual to civil penalties. A person commits identity fraud when they willfully and fraudulently (Ga. Code Ann. §16-9-121(a)):
- without authorization or consent, use or possess with intent to fraudulently use identifying information concerning a person;
- use identifying information of an individual under 18 years old over whom they exercise custodial authority;
- use or possess with intent to fraudulently use identifying information concerning a deceased individual;
- create, use, or possess with intent to fraudulently use any counterfeit or fictitious identifying information concerning a fictitious person with the intent to use such counterfeit or fictitious identification information for the purpose of committing or facilitating the commission of a crime or fraud on another person; or
- without authorization or consent, create, use, or possess with intent to fraudulently use any counterfeit or fictitious identifying information concerning a real person with the intent to use such counterfeit or fictitious identification information for the purpose of committing or facilitating the commission of a crime or fraud on another person.
'Identifying information' is broadly defined and includes, but is not limited to, the following (Ga. Code Ann. §16-9-120(5)):
- current or former names;
- social security numbers;
- driver's license numbers;
- checking account numbers;
- savings account numbers;
- credit and other financial transaction card numbers;
- debit card numbers;
- personal identification numbers;
- electronic identification numbers;
- digital or electronic signatures;
- medical identification numbers;
- birth dates;
- mother's maiden name;
- selected personal identification numbers;
- tax identification numbers;
- state identification card numbers issued by state departments;
- veteran and military medical identification numbers; and
- any other numbers or information that can be used to access a person's or entity's resources or health care records.
With respect to civil liability for identity fraud, the OAG can initiate proceedings to prosecute identity fraud, and businesses and consumers can bring civil suits to obtain equitable relief and recover general and punitive damages (Ga. Code Ann. §§16-9-127, 16-9-129, 16-9-130(a)). A consumer can bring a suit in their individual capacity or as a class action and can obtain treble damages and punitive damages if the violation was intentional (Ga. Code Ann. §16-9-130(a), (b)). Once the complaint is filed, the plaintiff must serve the AG with a copy of the initial complaint (and any amended complaint) within 20 days of filing (Ga. Code Ann. §16-9-130(e)).
Georgia has several statutes addressing the confidentiality of medical records and the circumstances in which those records can be protected from subpoena. Those statutes can be found in Ga. Code Ann. §24-12-1 and 2. Notably, confidential raw medical research data is generally not subject to subpoena in Georgia (Ga. Code Ann. §24-12-2(c)).
Additionally, patients/residents of long-term-care facilities have a specific, statutory right to privacy detailed in Ga. Code Ann. §31-8-114, within the 'Bill of Rights for Residents of Long-Term Care Facilities,' including the 'right to receive confidential treatment of the resident's personal and medical records.'
Health insurers who obtain medical records are subject to statutory restrictions on releasing that information without the patient's consent (Ga. Code Ann. §33-24-59.4).
In 2019, Georgia created the Georgia Data Analytics Center ('GDAC') as a warehouse of information about people receiving services from state agencies, including healthcare services. The GDAC is required to adopt and publish policies and procedures regarding privacy and data security that comply with federal and state privacy and security statutes and regulations, including the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA').
Other than the identity theft provision of the Ga. Code Ann. (discussed above), Georgia does not have any key laws that provide statutory protections regarding financial data.
Georgia does not have any laws that provide statutory protections regarding data collected by private companies during the employment process. Notably, there is the Employment Security Law ('ESL') under Ga. Code Ann. §§34-8-1 et seq. Within the ESL, the Department of Labor has defined a 'right to privacy and confidentiality' regarding employment records maintained by that agency, specifically as that right is in tension with the public's right to free access of public records (as discussed above) (Ga. Code Ann. §34-8-120(b)).
Georgia does not have any key laws that regulate online privacy and online behavioral advertising across industries.
The Student Data Privacy, Accessibility, and Transparency Act ('SDPAT'), however, protects and regulates access to K-12 and postsecondary student data (Ga. Code Ann. §§20-2-660 et seq.).
The SDPAT defines 'operator' as any entity other than the department, local boards of education, the Georgia Student Finance Commission, or schools to the extent that the entity (Ga. Code Ann. §20-2-662(8)):
- operates an internet website, online service, online application, or mobile application with actual knowledge that the website, service, or application is used for K-12 school purposes and was designed and marketed for K-12 school purposes to the extent that it is operating in that capacity; and
- collects, maintains, or uses student personally identifiable information in a digital or electronic format.
'Student data' includes data descriptive of a student, such as first and last name and date of birth, as well as 'emails, text messages, documents, search activity, photos, voice recordings, and geolocation information' (Ga. Code Ann. §20-2-662(12)(A)(i), (v), (xiv)). 'Targeted advertising' means 'presenting advertisements to a student where the advertisement is selected based on information obtained or inferred from that student's online behavior, usage of applications, or student data', but does not include advertising to a student at an online location based upon that student's current visit to that location or single search query without collection and retention of a student's online activities over time (Ga. Code Ann. §20-2-662(14)).
Among other restrictions, operators are precluded from engaging in the following activities without explicit written consent from a student's parent or guardian or, where the student is an 'eligible student' (meaning they have reached 18 years of age or are attending a postsecondary institution), the student themselves (Ga. Code Ann. §20-2-666(a)(1)-(4)):
- use student data to engage in behaviorally targeted advertising on the operator's site, service, or application or target advertising on any other site, service, or application when the targeting of the advertising is based upon any student data and state-assigned student identifiers or other persistent unique identifiers that the operator has acquired because of the use of such operator's site, service, or application;
- use information, including state-assigned student identifiers or other persistent unique identifiers, created or gathered by the operator's site, service, or application, to amass a profile about a student except in furtherance of K-12 school purposes. For purposes of Ga. Code Ann. §20-2-666(a), 'amass a profile' does not include collection and retention of account records or information that remains under the control of the student, parent, or local board of education;
- sell a student's data; this prohibition does not apply to the purchase, merger, or another type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of Ga. Code Ann. §20-2-666(a) with respect to previously acquired student data that is subject to Ga. Code Ann. §20-2-666; or
- disclose student personally identifiable data without explicit written or electronic consent from a student over the age of 13 or a student's parent or guardian, given in response to clear and conspicuous notice of the activity, unless the disclosure is made:
- in furtherance of the K-12 school purposes of the site, service, or application; provided, however, that the recipient of the student data disclosed:
- shall not further disclose the student data unless done to allow or improve the operability and functionality within that student's classroom or school; and
- is legally required to comply with the requirements of this article and not use the student information in violation of this article;
- to ensure legal or regulatory compliance or protect against liability;
- to respond to or participate in the judicial process;
- to protect the security or integrity of the entity's website, service, or application;
- to protect the safety of users or others or the security of the site;
- to a service provider, provided that the operator contractually:
- prohibits the service provider from using any student data for any purpose other than providing the contracted service to, or on behalf of, the operator;
- requires the service provider to implement and maintain reasonable security procedures and practices as provided in Ga. Code Ann. §20-2-666(b); or
- requires such service providers to impose the same restrictions as in this paragraph on its own service providers; and
- for an educational, public health, or employment purpose requested by the student's parent or guardian, provided that the information is not used or further disclosed for any purpose.
Moreover, operators must implement and maintain reasonable security procedures and practices to protect student data from unauthorized access, destruction, use, modification, or disclosure (Ga. Code Ann. §20-2-666(b)(1)). Operators must also delete student data within a reasonable timeframe, not to exceed 45 days, if the school or local board of education requests the deletion of data under the control of the school or local board of education (Ga. Code Ann. §20-2-666(b)(2)).
Georgia's Fair Business Practices Act ('FBPA') generally prohibits all unfair acts and practices by businesses but specifically regulates telemarketing in two sections: Ga. Code Ann. §§10-1-393.5 and 10-1-393.6.
Ga. Code Ann. §10-1-393.5 prohibits any person engaged in 'telemarketing', 'activity involving or using a computer or home network', or 'home repair work or home improvement work' from (Ga. Code Ann. §10-1-393.5(b)):
- employing any device, scheme, or artifice to defraud a person, organization, or entity;
- engaging in any act, practice, or course of business that operates or would operate as a fraud or deceit upon a person, organization, or entity; or
- committing any offense involving theft as defined in Ga. Code Ann.
Ga. Code Ann. §10-1-393.6 prohibits any person from requesting certain fee advances and payments, including (Ga. Code Ann. §10-1-393.6(b)):
- in connection with a telemarketing transaction, request a fee in advance to remove derogatory information from or improve a person's credit history or credit record;
- request or receive payment in advance from a person to recover, or otherwise aid in the return of, money or any other item lost by the consumer in a prior telemarketing transaction; provided, however, that Ga. Code Ann. §10-1-393.6(b) shall not apply to goods or services provided to a person by a licensed attorney; or
- in connection with a telemarketing transaction, procure the services of any professional delivery, courier, or another pickup service to obtain immediate receipt or possession of a consumer's payment, unless the goods are delivered with the opportunity to inspect before any payment is collected.
In both sections above, 'telemarketing' has the same definition as used in the Federal Trade Commission's Telemarketing Sales Rule of 1995 ('TSR'), except the Georgia statutes include intrastate as well as interstate commerce (Ga. Code Ann. §§10-1-393.5(a) and 10-1-393.6(a)).
The FBPA also prohibits any telemarketer from using 'any part of an electronic record to attempt to induce payment or attempt collection of any payment that the seller or telemarketer claims are due and owing to it pursuant to a telephone conversation or series of telephone conversations with a residential subscriber' (see Ga. Code Ann. §10-1-393(b)(31)(A)).
The FBPA is enforced by the OAG, but it contains a private right of action as well. Only consumers (as opposed to businesses) may file an individual action (as opposed to a class action) under the FBPA, and only where the consumer is alleging a breach of a duty owed to the public in general as opposed to a deceptive or unfair act or practice that occurs in an essentially private transaction (Goodwyn v. Capital One, N.A., 127 F. Supp. 3d 1367, 1377 (M.D. Ga. 2015)).
Prior to filing an individual action under the FBPA, the individual must make a written demand for relief on the prospective defendant 30 days prior to filing the complaint (Ga. Code Ann. §10-1-399(b)). After filing the complaint, the individual must serve the AG with the initial complaint and any amendments within 20 days of filing the complaint (Ga. Code Ann. §10-1-399(g)).
The FBPA also regulates telephone solicitations made on 'ADAD equipment', which is defined as 'any device or system of devices which is used, whether alone or in conjunction with other equipment, for the purpose of automatically selecting or dialing telephone numbers and disseminating pre-recorded messages to the numbers so selected or dialed' (see Ga. Code Ann. §10-1-393.13(a)(1)). A 'telephone solicitation' is defined as (Ga. Code Ann. §10-1-393.13(6)):
- 'any voice communication from a live operator, through the use of ADAD equipment or by other means, over a telephone line or computer network for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services or donation to any organization, but shall not include communications:
- to any subscriber with that subscriber's prior express invitation or permission;
- by or on behalf of any person or entity with whom a subscriber has a prior or current business or personal relationship; or
- which convey a political message.'
In connection with telephone solicitations (as defined above), at the beginning of the call, the person or entity making the call must state clearly the identity of the person or entity initiating the call; the telephone number displayed on the caller identification service must be a working telephone number capable of receiving incoming calls at the time the call is placed; and the identity of the caller displayed on the caller identification service must accurately reflect the identity of the caller (Ga. Code Ann. §10-1-393.13(b)(1), (3), and (4)). Further, no person or entity making a telephone solicitation 'to the telephone line of a subscriber in this state shall knowingly utilize any method to block or otherwise circumvent such subscriber's use of a caller identification service' (see Ga. Code Ann. §10-1-393(b)(2)).
Interestingly, this provision is an exception to the FBPA's rule prohibiting class action lawsuits. Claims under Ga. Code Ann. §10-1-393.13 may be brought in a representative capacity, and damages shall be the greater of actual damages or $10 per violation (Ga. Code Ann. §10-1-393.13(c)).
Georgia does not have any statutes addressing the implementation of online privacy policies for private businesses.
As discussed above, Georgia's SDPAT requires certain vendors and website operators to implement and maintain reasonable security procedures and practices to protect student data from unauthorized access, destruction, use, modification, or disclosure (Ga. Code Ann. §20-2-666(b)(1)). Those operators must also delete student data within a reasonable timeframe, not to exceed 45 days, if the school or local board of education requests the deletion of data under the control of the school or local board of education (Ga. Code Ann. §20-2-666(b)(2)).
Additionally, each state agency has a duty to submit to the Division of Archives and History of the University System of Georgia a 'recommended retention schedule for each record series in its custody' and 'cause to be made and preserved records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the government and of persons directly affected by the agency's activities' (Ga. Code Ann. §50-18-94(5), (1)). Further, '[a]ny records designated confidential by law shall be so treated by the division in the maintenance, storage, and disposition of such confidential records. These records shall be destroyed in such a manner that they cannot be read, interpreted, or reconstructed' (see Ga. Code Ann. §50-18-95(b)).
The Motor Vehicle Dealer's Day in Court Act ('GDDCA'), which regulates the relationship between automobile franchisors and their franchise dealers, was amended in 2019 to require franchisors to protect consumer data acquired in motor vehicle sales or lease transactions (Ga. Code Ann. §10-1-632). Franchisors 'shall provide a written statement to the dealer upon request describing the established procedures adopted by such franchisor, manufacturer, distributor, or a third party acting on behalf of the franchisor, manufacturer, or distributor that meet or exceed any federal or state requirements to safeguard the consumer data, including, but not limited to, those established in the Gramm-Leach-Bliley Act of 1999' (see Ga. Code Ann. §10-1-632(a)(2)).
Telecommunications companies are prohibited from releasing the telephone records of any end-user with a Georgia address without the express consent of the user, with some exceptions such as law enforcement or some Public Service Commission agreements (Ga. Code Ann. §46-5-211).
The FBPA contains a restriction on an individual's and a business's ability to display, transmit, and use social security numbers (Ga. Code Ann. §10-1-393.8).
There are other statutes establishing the Georgia Public Service Commission's rules surrounding the use of 'ADAD equipment' (see Ga. Code Ann. §§46-5-23, 24). Specifically, it is prohibited to use ADAD equipment in connection with 'advertising, offering for sale, lease, rental, or as a gift any goods, services or property' or 'for the purpose of conducting polls or soliciting information where' (Ga. Code Ann. §46-5-23(a)(2)):
- consent is not received prior to the initiation of the calls, as specified in Ga. Code Ann. §46-5-23(a)(3);
- such use is other than between the hours of 8:00 A.M. and 9:00 P.M.;
- the ADAD equipment will operate unattended or is not so designed and equipped with an automatic clock and calendar device that it will not operate unattended, even in the event of power failures;
- such use involves either the random or sequential dialing of telephone numbers;
- the telephone number required to be stated in Ga. Code Ann. §46-5-23(a)(2)(G) is not one which during normal business hours is promptly answered in person by a person who is an agent of the person on whose behalf the automatic calls are made and who is willing and able to provide information concerning the automatic calls;
- the automatic dialing and recorded message player does not automatically and immediately terminate its connection with any telephone call within ten seconds after the person called fails to give consent for the playing of a recorded message or hangs up their telephone;
- the recorded message fails to clearly state the name and telephone number of the person or organization initiating the call within the first 25 seconds of the call and at the conclusion of the call; or
- such use involves calls to telephone numbers that at the request of the customer have been omitted from the telephone directory published by the local exchange company serving the customer or involves calls to hospitals, nursing homes, fire protection agencies, or law enforcement agencies.
In 2022, the Georgia Senate introduced Senate Bill 394 for the Georgia Computer Data Privacy Act ('the GCDPA'). The proposed legislation is modeled on California's Consumer Privacy Act ('CCPA'). Noteworthy provisions of the GCDPA include:
- Consumer consent required for collection of personal information: the GCDPA would prohibit businesses from collecting personal information unless they have provided a notice and obtained the consumer's consent. This is more onerous than the CCPA, which generally permits businesses to collect personal information as long as they provide sufficient notice at or before the point of collection.
- Consumers must 'opt in' to sales of personal information: the GCDPA would prohibit businesses from 'selling' data unless the consumer first opts into the sale. Consumers' opt-in mechanisms would need to be offered by a clear and conspicuous link on the business's website. The GCDPA and CCPA both define 'sale' the same way: 'a transfer for money or other valuable consideration.' In addition, a business that sells personal information would need to provide notice on its website that identifies the specific persons to whom data will be sold, including disclosure of the pro rata value of the consumer's personal information.
- The establishment of a private right of action. Unlike existing state privacy laws, the GCDPA would expressly provide for a private right of action pursuant to which consumers could seek statutory damages. Under most federal and state statutes that provide for statutory damages, a consumer can seek to recover their actual damages or a specified amount of statutory damages, whichever is higher. The GCDPA, however, would provide that consumers can recover their actual damages in addition to statutory damages of up to $2,500 for each violation, or $7,500 for each intentional violation.
- No exemption for employee or business contact information. Unlike the CCPA and the omnibus privacy statutes enacted in Colorado and Virginia, the GCDPA would not contain a general exemption for employee data or business contact information.