The Latest Legal Developments and Data Protection Challenges in the State of Georgia

Data privacy and cybersecurity have become increasingly critical issues for governments, businesses, and individuals alike. As the digital landscape continues to evolve, Georgia has begun taking steps to address these challenges through legislative measures and practical responses to significant cybersecurity incidents. The Georgia Consumer Privacy Protection Act (SB 473) and the Protecting Georgia’s Children on Social Media Act reflect the state’s efforts to regulate data privacy and protect its residents, albeit with an approach that some argue is overdue compared to other states like California and Virginia. Meanwhile, high-profile cybersecurity incidents in 2024, including ransomware attacks on Fulton County and the University System of Georgia, as well as attempted breaches of election systems, underscore the urgent need for robust cybersecurity measures and the importance of securing both public and private digital infrastructure. This article explores Georgia’s legislative developments, the complexities of compliance with new laws, and the lessons learned from recent cybersecurity threats.

Legislative developments in Georgia

In response to the growing concerns surrounding data privacy and the digital safety of its residents, Georgia has introduced key legislative measures aimed at addressing these challenges. The Georgia Consumer Privacy Protection Act (SB 473) and the Protecting Georgia’s Children on Social Media Act represent the state’s efforts to establish a regulatory framework that balances consumer protection with business compliance. While these bills signal progress, they also bring complexities in terms of implementation and enforcement, particularly as Georgia works to align with privacy regulations already enacted in other states. Understanding the scope and impact of these laws is crucial for businesses and individuals as they navigate the evolving landscape of data governance and online safety.

Georgia Consumer Privacy Protection Act (SB 473)

The Georgia Consumer Privacy Protection Act (SB 473) marks Georgia’s entry into the realm of comprehensive data privacy legislation. While other states like California, Virginia, and Colorado have already implemented robust privacy laws, Georgia’s approach reflects an effort to catch up with these established frameworks. The Act was passed by the Senate on 27 February 2024, favourably reported from House Committee on 20 March 2024, and is ready for floor consideration in the 2025–2026 Regular Session. The Act, effective 1 July 2026 if adopted, aims to balance consumer rights with business obligations but faces scrutiny for its broad exemptions and delayed implementation. Businesses operating in Georgia must prepare to navigate the complexities of determining compliance obligations under this new law while addressing the growing demands for enhanced data privacy protections from consumers and regulators alike.

The Georgia Consumer Privacy Protection Act is designed to safeguard the personal data of state residents. Modeled after existing privacy laws like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA), SB 473 outlines the responsibilities of businesses (controllers and processors) while affording consumers greater control over their personal information.

Under the Act, businesses must adhere to standards for transparency, data security, and consumer rights. It applies to companies conducting business in Georgia that exceed USD25 million in annual revenue and that either:

• control or process the personal data of at least 25,000 consumers, deriving more than 50% of their gross revenue from the sale of personal information; or
• process personal data for at least 175,000 consumers annually.

One of the notable challenges posed by the Georgia Consumer Privacy Protection Act is navigating the numerous exemptions it establishes, which create ambiguity around which entities must comply. The Act excludes a wide range of organisations and data types, including financial institutions governed by the Gramm-Leach-Bliley Act, healthcare entities covered under HIPAA, non-profit organisations, and institutions of higher education. Additionally, data regulated under federal laws like the Family Educational Rights and Privacy Act (FERPA) and the Fair Credit Reporting Act (FCRA) is also exempt. Determining whether an entity qualifies for these exemptions, particularly when operations span multiple jurisdictions or involve diverse data types, will require detailed legal and operational analysis. For businesses, understanding whether they fall within the Act’s scope will necessitate close examination of their data processing activities, the nature of their business, and their regulatory landscape, further underscoring the need for clear guidance and compliance strategies.

The Act provides Georgia residents with a suite of rights over their personal information, empowering them to:

• confirm whether their data is being processed;
• access and correct inaccuracies in their personal data;
• request the deletion of personal information;
• obtain a copy of their data in a portable format; and
• opt out of the sale of their personal information, targeted advertising, and profiling activities.

Controllers are required to respond to authenticated consumer requests within 45 days, with a possible 45-day extension for complex inquiries. Businesses must also offer an appeals process for denied requests, with further recourse to the Georgia Attorney General if necessary.

SB 473 places significant obligations on controllers and processors, including the following.

• Controllers must provide clear privacy notices outlining the categories of personal information processed, the purposes for processing, and how consumers can exercise their rights.
• Businesses must implement reasonable administrative, technical, and physical security measures to protect consumer data, tailored to the sensitivity and volume of the data.
• The Act requires limiting data collection and processing to what is necessary for disclosed purposes.
• Special protections are mandated for sensitive data, including health information, biometric data, and precise geolocation data, requiring explicit consumer consent for processing.

The Georgia Attorney General holds exclusive enforcement authority under SB 473. Businesses have a 60-day cure period to address alleged violations before facing legal action. Civil penalties include fines of up to USD7,500 per violation, with the possibility of treble damages for wilful or knowing violations. Importantly, the Act does not provide a private right of action, limiting enforcement to state authorities.

SB 473 reflects a growing trend toward comprehensive data privacy legislation across the United States. For businesses operating in Georgia, compliance will require proactive measures, including:

• conducting data protection assessments for high-risk activities, such as targeted advertising or the sale of personal data;
• implementing robust data governance frameworks, potentially aligned with the National Institute of Standards and Technology (NIST) privacy framework; and
• training employees on privacy practices and consumer rights to mitigate compliance risks.

Overview of SB 351: Protecting Georgia’s Children on Social Media Act

Signed into law by Governor Brian Kemp on 23 April 2024, the Protecting Georgia’s Children on Social Media Act aims to safeguard minors and promote responsible digital behaviour through measures regulating social media access and content exposure. Effective 1 July 2025, the Act introduces new requirements for social media platforms, public schools, and commercial entities handling content accessible to minors.

The legislation mandates that social media platforms verify the age of users and obtain parental consent for minors under the age of 16 before granting account access. Platforms must also restrict targeted advertising and data collection for minor users to safeguard their privacy and limit harmful content exposure. Additionally, parents are entitled to request detailed information about platform features for censoring or moderating content their children may access.

Public schools in Georgia are also subject to new obligations under the Act. Each local governing body must adopt and enforce a social media policy by 1 April 2025, including measures to block student access to social media platforms via school-owned devices and networks, except under strict educational supervision. Schools must provide transparency to parents regarding their children’s social media activity and include components on online safety and responsible digital citizenship in educational programmes.

The Act further extends liability to commercial entities hosting content deemed harmful to minors. Such entities must implement reasonable age verification processes for access to content classified as harmful under the law. Failure to comply exposes entities to penalties, including fines and liability for damages.

With these measures, the Act seeks to balance advancing technology with the imperative to protect Georgia’s youth from the risks associated with unsupervised social media use, including exposure to harmful content and threats to privacy.

Cybersecurity incidents: key takeaways from 2024

The cybersecurity incidents of 2024 highlighted three critical themes.

• The pressing need for robust and proactive cybersecurity measures to protect sensitive data and ensure operational resilience.
• The importance of securing third-party solutions, as vulnerabilities in external systems can have far-reaching consequences for organisations.
• The persisting and evolving threats to election security, highlighting the necessity of safeguarding democratic processes against cyber-attacks.

Fulton County ransomware attack

In late January 2024, the largest county in Georgia, Fulton County, fell victim to a ransomware attack on government services, impacting 100,000 accounts. LockBit, a Russian-speaking ransomware syndicate, claimed responsibility for the attack that led to the shutdown of critical government services, such as issuing vehicle registrations and marriage licences, processing jail detainees, and even shutting down phone lines. LockBit threatened to release sensitive personal identifying information from residents and materials related to Fulton County’s pending criminal case against Donald Trump unless a ransom payment was made by 29 January 2024.

This attack brought government operations to a halt. County officials were unable to answer phones. Residents could not access property records or court filings. Background checks could not be run using court records. Court operations were severely disrupted.

LockBit claimed to possess sealed court records and released about two dozen files, including records related to a child abuse case, a sealed motion in a murder trial, and the identifies of the jurors serving on a high-profile racketeering case. The release of such sensitive data posed a grave risk to the integrity of Fulton County’s criminal justice system.

On 19 February 2024, an international law enforcement consortium, including the FBI and the United Kingdom’s National Crime Agency (NCA) thwarted the attack by seizing LockBit’s servers, effectively disrupting LockBit’s operations. LockBit continued to make threats to release data on the dark web but the 29 January and then a later 29 February deadline for the ransom passed with no payment made and no data released. Fulton County refused to pay the ransom, citing taxpayer interests, and officials believe LockBit lost access to the stolen data after the server seizure.

County services were restored on a rolling basis in a process that took nearly two months. During this time, Georgia’s Secretary of State Office limited Fulton County’s access to the state voter registration system to safeguard against potential attacks on election infrastructure. Fulton County has since partnered with cybersecurity experts to secure its systems, remove malware and backdoor vulnerabilities, and prevent future incidents.

LockBit, which claims to have attacked over 2,000 victims worldwide and collected over USD120 million in ransom payments, may have suffered a significant operational setback due to the server seizures. However, whether the syndicate remains a future threat is yet to be determined.

University System of Georgia data breach

In May 2023, the University System of Georgia (USG) became one of over 2,000 organisations impacted by the widespread MOVEit attacks. A year later, in May 2024, USG disclosed that the attack affected approximately 800,000 individuals associated with its 26 public colleges and universities, including current and former students, staff, contractors, and other personnel.

With the help of the Federal Bureau of Investigation (FBI) and Cybersecurity & Infrastructure Security Agency (CISA), USG determined that sensitive personal data, including Social Security numbers, date of birth, bank account information, and Tax IDs, had been accessed by unauthorised actors. USG began notifying affected individuals in April 2024 and published a notice on its website.

The breach was traced to vulnerabilities in the MOVEit Secure File Transfer software, which USG had used to transfer and store sensitive data. Exploiting these vulnerabilities, attackers were able to gain unauthorised access to the files stored on the MOVEit platform. Following the discovery of the breach, USG took steps to block the compromised software and subsequently updated and secured it in accordance with guidance from CISA. To mitigate the impact of the breach, USG offered 12 months of credit monitoring services to those affected by the data breach.

This incident underscores the critical importance of not only securing internal systems but also ensuring that all third-party solutions adhere to the highest security standards. The MOVEit breach highlights how vulnerabilities in vendor software can expose organisations to significant risk, emphasising the need for comprehensive oversight and robust cybersecurity protocols across all aspects of data management.

Cyber-attacks against election offices

In October 2024, the Georgia Secretary of State’s website was targeted by foreign hackers in an apparent attempt to restrict Georgia voters from requesting absentee ballots for the 2024 presidential election.

The attack utilised a technique where thousands of IP addresses from various countries flooded the website with requests, aiming to overwhelm the system and take it offline. While the attack slowed the Georgia Secretary of State’s website, the system successfully thwarted the attack and there was no disruption to voter services. Georgia voters retained the ability to request absentee ballots without interruption.

Earlier in the year, on 15 April 2024, Coffee County’s voter registration server was also attacked, with evidence suggesting it was a ransomware attack. Such attacks typically involve locking access to systems until a ransom is paid.

In response, Coffee County severed its connection with GARViS, Georgia’s voter registration system, to prevent hackers from accessing statewide voter registration information. The connection remained severed for several days, during which operations were restored using isolated backup laptops and cellular networks disconnected from the compromised county system.

These incidents highlight the persistent vulnerabilities and challenges in securing election infrastructure against cyber threats. They follow a series of election security threats from 2022, highlighting the need for ongoing vigilance and investment in robust cybersecurity measures. While Georgia’s systems successfully mitigated these threats, the state is not alone in facing cyber-attacks targeting election integrity.

Conclusion

As Georgia continues to navigate the evolving landscape of data privacy and cybersecurity, the enactment of new legislation and the response to recent cyber incidents underscore the state’s recognition of the critical importance of safeguarding personal information and public systems. The Georgia Consumer Privacy Protection Act (SB 473) and the Protecting Georgia’s Children on Social Media Act represent steps toward establishing a more secure and privacy-conscious environment, yet challenges remain in terms of compliance, enforcement, and adaptation to emerging threats. Meanwhile, the cybersecurity incidents of 2024 serve as a stark reminder of the vulnerabilities that exist within both public and private institutions, emphasising the urgent need for proactive measures and continued investment in robust security frameworks. Moving forward, businesses, government agencies, and stakeholders must work collaboratively to stay ahead of potential threats, ensuring the protection of sensitive data and the resilience of Georgia’s digital infrastructure in an increasingly interconnected world.