Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Notification may be required to the consumer reporting agencies
  • Various industries have statutes specifically for them
  • Laws also cover data protection, data disposal, and record retention 

Who Me?


Georgia breach and notification laws may apply if you are a:

  • Data Collector or Information Broker that maintains computerized data that includes PII
  • Person or business that maintains computerized PII data for a data owner

 There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply.

What is PII?


PII relevant to a breach in Georgia include a person's name plus one of the following:

  • Social Security Number
  • Driver license or identification number
  • Account number or credit  or debit card number in combination any security code, access code or password, etc. permitting access to the person's account
  • Any of above items without individual's name, if sufficient for identity theft.



A few relevant statutes from Official Code of Georgia include, but are not limited to:

Title 10. Commerce And Trade  / Chapter 1. Selling And Other Trade Practices / Article 34. Identity Theft / O.C.G.A. § 10.1.910 – 10.1.912


A few relevant statutes include, but are not limited to:

Title 10. Commerce And Trade / Chapter 15. Business Administration / O.C.G.A. § 10.15.1 – 10.15.7

Title 10. Commerce And Trade / Chapter 1. / Article 15. Deceptive Or Unfair Practices / Part 2. / O.C.G.A. § 10-1-393.8. Protection from disclosure of an individual's social security number



Violations may be investigated and prosecuted under the provisions of the Fair Business Practices Act and fined not more than $100.00 for a violation concerning a specific consumer.



When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If the data included any key or password
  • If it was acquired by an unauthorized person
  • Whether the information breached, even without the name, could be used for identity theft


Vendors must report to GA Data Owners within 24 hours.

In Georgia, the notifications must be made in the most expedient manner possible and without unreasonable delay, unless law enforcement advises the person it will interfere with an investigation.


Requires detailed information and potential provision of services

Notification may be required to the consumer reporting agencies.

Disclosure may only be made by written notice or electronically, with stipulations. A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $250,000 or the persons to be notified exceeds 250,000 or they do not have sufficient contact information.

Contact the Privacy Experts at CSR