Data Protection & Privacy 2026

Last Updated March 10, 2026

USA – Georgia

Trends and Developments


Authors



Jones Walker LLP has a privacy, data strategy and artificial intelligence team that helps clients with a full spectrum of data privacy, data protection and AI solutions, including identifying, preventing and responding to data incidents, contracting and transactional support, emerging technology guidance, and litigation and dispute resolution, all while managing and mitigating related risks. Its interdisciplinary team brings together highly experienced attorneys with professional backgrounds in a wide range of industries, including banking and financial services, healthcare, technology, telecommunications, energy, petrochemical, maritime, consulting, government, digital commerce and retail. Staying on top of legal, compliance and regulatory obligations under the myriad of burgeoning global privacy, data protection, and AI-related laws, regulations, frameworks and standards can be challenging for any organisation, large or small. Jones Walker has the knowledge and practical experience to help clients navigate these laws, obligations, frameworks and standards. Timely insights can be found at www.AILawBlog.com.

Georgia’s Privacy Landscape: Operating Without a Comprehensive Framework

As comprehensive data privacy laws proliferate across the United States, Georgia has not enacted one, despite sustained legislative efforts in the 2024 and 2025 sessions that continue in 2026. Georgia’s most ambitious privacy law, the Protecting Georgia’s Children on Social Media Act (SB 351), was signed into law in 2024 but later blocked by a federal court just days before its July 2025 effective date. Meanwhile, Georgia’s courts have been developing common law doctrine imposing data protection obligations on organisations in the absence of a statute requiring them.

While Georgia has no omnibus consumer privacy statute, organisations operating in the state are not without obligations. The state’s breach notification law applies; evolving common law duties are being established through litigation; federal sectoral regimes govern healthcare, financial and educational data; and the state attorney general’s (AG) office has maintained an active enforcement posture. For practitioners advising clients with Georgia operations, this convergence of legislative inaction and legal developments across all three branches of government creates a compliance environment that is more demanding than it might initially appear. This article examines the key developments: the repeated failure of comprehensive consumer privacy legislation, the constitutional litigation over children’s social media, a landmark common law data breach ruling, the courts’ first encounter with AI-generated legal fabrication, and the state AG’s enforcement activity.

Comprehensive privacy legislation: two sessions, no law

Georgia remains one of the largest states by population and economic output, yet lacks a comprehensive consumer data privacy statute. The General Assembly advanced such legislation in each of the past two annual sessions, each time falling short in a pattern reflecting sustained tension between a Republican-majority Senate committed to a business-friendly framework modelled after Virginia’s, and a House unwilling to pass it in that form.

SB 473 (2024)

The Georgia Consumer Privacy Protection Act (SB 473) passed the Senate on 27 February 2024 by a vote of 37–15 and was favourably reported by the House Technology and Infrastructure Innovation Committee on 20 March 2024. The legislature adjourned in late March without a House floor vote, however, and the bill died without becoming law.

SB 473 drew sustained criticism from consumer advocates. The Electronic Privacy Information Center (EPIC) assigned it an “F” grade, and the American Civil Liberties Union (ACLU) of Georgia characterised it as protecting technology companies rather than Georgia residents. The critiques focused on high applicability thresholds limiting coverage, enforcement that was limited to the AG with no private right of action, and provisions that arguably favoured data industry interests over consumer rights. The bill would have applied to entities exceeding USD25 million in annual revenue that either (i) processed data of at least 175,000 Georgia residents, or (ii) processed data of at least 25,000 residents while deriving more than 50% of gross revenue from data sales. Civil penalties ran up to USD7,500 per violation with a 60-day cure period. A notable affirmative defence applied to entities whose privacy programmes conformed to the National Institute of Standards and Technology (NIST) Privacy Framework. Whether NIST alignment would carry persuasive weight in a common law negligence action is a separate and open question. Like other Virginia-model bills, SB 473 excluded employment and business-to-business data from its “consumer” definition, a significant limitation for employers and commercial data operators.

SB 111 (2025)

The 2025 session brought Senate Bill 111, a substantially similar measure. It passed the Senate on 3 March 2025 by 53–2 and crossed to the House before the 6 March crossover deadline. EPIC again assigned a failing grade; the ACLU of Georgia told a House committee the legislature would be “voting in favour of the worst consumer protection act in the country”. The House withdrew and recommitted the bill on 27 March 2025, and comprehensive privacy legislation died a second time when the General Assembly adjourned on 4 April 2025. Whether sponsors will revive SB 111, negotiate amendments or introduce a successor measure is among the most closely watched questions in Georgia privacy law in this first quarter of 2026.

Implications for organisations

These failures do not leave organisations without data protection obligations in Georgia. The state’s breach notification statute applies; Georgia courts are actively developing common law data protection standards; and federal sectoral regimes – the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act – apply regardless of the state-law void. Multistate businesses must implement consumer rights mechanisms for California, Virginia, Colorado and other regulated states regardless of Georgia’s posture. The structure of any 2026 successor legislation will shape compliance obligations for healthcare systems, insurers and banks. The critical question is scope: will lawmakers exempt HIPAA-covered entities and GLBA-regulated financial institutions from the statute entirely, or will they adopt narrower carve-outs that protect only regulated data while leaving other AI-related activities subject to the new law? Organisations in those sectors should track the exemption architecture closely.

SB 351 and the constitutional battle over children’s social media

While comprehensive privacy legislation stalled, Georgia enacted one of the nation’s most significant children’s online safety statutes. Governor Brian Kemp signed SB 351 (the Protecting Georgia’s Children on Social Media Act of 2024) on 23 April 2024, to be effective 1 July 2025. The law requires social media platforms to make commercially reasonable efforts to verify the age of account holders and to refuse account services to minors without parental consent. On advertising and data collection, the law is specific: platforms may not display advertising in a minor’s account based on personal information (with age and location as the sole permitted exceptions) and must limit collection and use of personal information from minor accounts to what is adequate, relevant and reasonably necessary for disclosed purposes.

The law also imposes K–12 school obligations on two tracks. Local governing bodies were required to adopt acceptable-use policies covering student access to obscene materials and content harmful to minors on school equipment by 1 October 2025, and adopt separate social media policies prohibiting student access to social media platforms on school-owned equipment (except under supervised educational use) by 1 April 2026. The State Board of Education could withhold state funding from non-compliant governing bodies. A separate civil liability provision creates damages exposure for commercial entities that distribute material harmful to minors on public websites without performing reasonable age verification, with fines up to USD10,000 per violation; internet service providers, cloud service providers and news-gathering organisations are exempt. Enforcement of the platform-facing requirements rests exclusively with the AG, who may seek damages of up to USD2,500 per violation following a 90-day cure period; there is no private right of action.

The preliminary injunction

On 26 June 2025, just five days before SB 351’s implementation date, Judge Amy Totenberg of the Northern District of Georgia granted a motion for a preliminary injunction blocking enforcement of the law’s core platform provisions (NetChoice v Carr, 789 F. Supp. 3d 1200 (N.D. Ga. 2025)). The case has emerged as a leading decision on the constitutionality of state social media age restrictions. NetChoice, whose members include major online platforms, has challenged similar laws across the country; only Tennessee’s survived a preliminary injunction motion, and only on irreparable harm grounds rather than First Amendment merits.

Judge Totenberg held that SB 351 was unconstitutional on its face. The law’s “primary downfall”, she wrote, was that it created a content-based restriction by distinguishing between platforms hosting user-generated content and those publishing provider-generated content, applying its requirements to the former while exempting the latter. The court’s illustrations are pointed: SB 351 would apply to a user posting news on X but not to the New York Times posting to its own liveblog; it would cover the Georgia Bulldogs Reddit forum but not Barstool Sports. That asymmetry triggered strict scrutiny, which the law failed. The court further found that the law burdened anonymous speech for all Georgians by conditioning access to major digital public forums on the provision of government identification, and that the age verification requirements created an independent chilling effect by forcing collection and storage of sensitive personal information (notably, while the act requires deletion of parental consent data after verification, no comparable deletion obligation applies to the broader age verification data collected from users). “Because of the enormous burdens imposed on the First Amendment rights of children, adults, and social media platforms”, Judge Totenberg wrote, “even the state’s serious interest here cannot justify SB 351 under the First Amendment’s rigorous standards”. The court was explicit that the deficiency was one of constitutional tailoring, not legislative purpose. District court proceedings have been administratively closed pending the interlocutory appeal, which Georgia filed on 17 July 2025.

The appeal and Free Speech Coalition v Paxton

The day after Judge Totenberg’s ruling, the US Supreme Court decided Free Speech Coalition, Inc. v Paxton, 606 U.S. 461 (2025), upholding Texas’s age-verification law for websites whose content is predominantly sexually explicit material harmful to minors under intermediate scrutiny. Paxton, however, does not map cleanly onto SB 351. The Texas law targeted sites where more than one-third of content is sexually explicit material already categorically unprotected as to minors and was specifically structured to require age verification without retention of users’ identifying information. SB 351 regulates broad-based social media platforms hosting constitutionally protected speech across an unlimited range of subjects. Whether Paxton’s intermediate scrutiny framework extends to general-purpose social media regulation is a question the Supreme Court specifically declined to resolve. Legal commentators are divided, making the US Court of Appeals for the Eleventh Circuit’s decision genuinely uncertain and nationally significant.

Pending the appeal, SB 351’s platform-facing requirements remain unenforceable. Social media companies should audit age-assurance capabilities and monitor the docket closely, as a reversal could impose substantial obligations on short notice. The school-level obligations present a different picture: tied to state funding compliance rather than First Amendment platform restrictions, those requirements have been advancing on a separate compliance track. The 1 October 2025 acceptable-use policy deadline has passed; school districts should now be focused on the 1 April 2026 social media policy deadline, which remains operative regardless of the platform injunction’s status. School district counsel should not assume the Eleventh Circuit appeal relieves district obligations under SB 351’s K–12 provisions.

Data breach liability: common law takes shape

The most consequential Georgia privacy ruling of 2025 came in October, when the Court of Appeals decided Bland v Urology of Greater Atlanta, LLC, 377 Ga. App. 177 (Ga. Ct. App. 2025), the first Georgia appellate decision to recognise a common law duty of care to protect personally identifiable information against foreseeable cybersecurity risks.

The case arose from a breach at a Georgia medical practice. Plaintiffs filed a putative class action alleging negligence, breach of implied contract, and related claims after their personal information (including Social Security numbers, dates of birth, addresses and health insurance details) was exfiltrated and appeared for sale on the dark web. The trial court dismissed the complaint in full. Presiding Judge Christopher McFadden, writing for a unanimous panel, reversed on the negligence, implied contract and implied covenant claims while affirming dismissal with prejudice of the unjust enrichment claim on the ground that plaintiffs failed to allege the defendant received any benefit from their personal information. On the duty-of-care question (a matter of first impression for Georgia appellate courts), the panel looked to the Eleventh Circuit’s analysis in Ramirez v The Paradies Shops, 69 F.4th 1213 (11th Cir. 2023) (persuasive, not binding), concluding that the foreseeability of medical identity theft, combined with the defendant’s ability to prevent the breach through reasonable measures, established a duty at the pleading stage.

On injury, the court held that plaintiffs adequately alleged harm by claiming their personally identifiable information had been stolen and offered for sale on the dark web, and that an imminent fraud risk followed, aligning Georgia state doctrine with Ramirez’s standing analysis, which treated imminent misuse of stolen data as sufficient injury. Bland did not definitively resolve the standing issue where data was accessed but not yet demonstrably misused; that argument remains available to defendants as the doctrine develops. The implied contract holding adds a second avenue for plaintiffs: the exchange of personal information as a condition of receiving services or employment creates contractual obligations to protect that information.

Bland changes the litigation risk calculus for Georgia organisations holding significant volumes of sensitive personal information (particularly healthcare providers) by applying traditional tort foreseeability principles to data breach liability for the first time at the Georgia appellate level. The decision provides no guidance on which security measures will satisfy the duty at the merits stage, leaving organisations to calibrate investments against data sensitivity, breach likelihood and evolving industry standards. Counsel should review incident response plans, cybersecurity documentation and data governance practices accordingly. Post-Bland, the breach notification framework and common law liability require integrated analysis: a breach triggering statutory notification obligations will generate facts directly relevant to negligence and implied contract claims, and organisations should not manage these exposures in separate tracks.

AI in the courts: hallucinations, sanctions and practitioner accountability

Georgia’s courts confronted AI-generated legal hallucinations for the first time in June 2025. In Shahid v Esaam, 376 Ga. App. 145 (Ct. App. June 30, 2025), the Court of Appeals vacated a trial court order and imposed the maximum available sanctions after finding that counsel had submitted briefs containing fabricated case citations likely generated by AI. The trial court’s denial order itself cited two non-existent cases originating in the opposing attorney’s filings. On appeal, that attorney submitted a brief containing 11 additional fabricated citations out of 15 total, including a fictitious 2009 Georgia Supreme Court case cited in support of an attorney’s fees request. The Court of Appeals imposed a USD2,500 sanctions award (the maximum permitted) and vacated the trial court order for relying on non-existent authority.

The court used the occasion to place Georgia’s legal profession on broad notice. Citing US Supreme Court Chief Justice John Roberts’s 2023 Year-End Report on the Federal Judiciary and similar incidents in other jurisdictions, it catalogued the systemic harms: wasted resources for courts and opposing parties, reputational injury to judges whose names appear on fabricated opinions and, most critically, the risk that decisions rest on non-existent law. For privacy and technology practices specifically, Shahid signals that Georgia courts will treat hallucinated citations as sanctionable professional conduct, not harmless error. Practitioners should monitor local circuit rules as Georgia courts may develop formal AI disclosure requirements through additional sanctions decisions, standing orders or court rules. Independent citation verification should be treated as a core professional obligation, not a precautionary option.

Data breach notification: framework and recent incidents

Georgia’s data breach notification statute, the Personal Identity Protection Act, Ga. Code Ann. §§ 10-1-910 et seq., requires information brokers and data collectors to notify affected Georgia residents following discovery of a breach involving unencrypted personal information that was, or is reasonably believed to have been, acquired by an unauthorised person. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with law enforcement needs or measures necessary to determine the scope of the breach and restore the integrity of the data system. Unlike most state breach statutes, Georgia’s imposes no fixed notification deadline.

Two additional provisions warrant particular attention from compliance and incident-response counsel. First, third-party data processors maintaining personal information on behalf of a covered entity must notify the data owner within 24 hours of discovering a breach, a tight window demanding advance planning and contractual clarity in vendor agreements. Second, when notification is required for more than 10,000 Georgia residents at one time, the notifying entity must also notify all nationwide consumer reporting agencies of the timing, distribution and content of the notices without unreasonable delay. One common point of confusion warrants clarification: Georgia’s statute does not impose a “substantial harm” trigger. The notification obligation arises upon unauthorised acquisition of the covered data, without any harm-probability filter; organisations cannot use a harm assessment to avoid notification when covered personal information has been accessed without authorisation.

The Dublin Medical Center breach illustrates the persistent vulnerability of smaller healthcare providers. Suspicious activity was detected on 17 October 2025; forensic investigation confirmed unauthorised access and potential exfiltration of patient data affecting 32,090 patients, as reported to the US Department of Health and Human Services’ Office for Civil Rights. Notification letters began mailing on 17 December 2025, and plaintiffs’ counsel announced class action investigations in January 2026. Following Bland, smaller practices and regional systems with limited cybersecurity resources face the combination of HIPAA enforcement exposure, Georgia breach notification obligations, and expanded common law tort liability, a convergence that makes proactive investment in incident response planning increasingly urgent.

Attorney General Carr: enforcement, advocacy and the FBPA

Georgia AG Chris Carr has maintained an active profile on data privacy and children’s online safety across enforcement, litigation and federal legislative advocacy. On the federal front, Carr joined 31 other attorneys general in a late-2024 letter to congressional leadership urging passage of the Kids Online Safety Act (KOSA). In February 2026, he joined a coalition of 40 state and territorial AGs urging Congress to advance the Senate version of KOSA (S. 1748) while rejecting a House version the coalition viewed as insufficiently protective. That same month, AG Carr’s office opened a civil investigative demand inquiry into Roblox Corporation, seeking information about the platform’s safety practices for minors, illustrating a regulatory strategy visible in AG offices nationally: deploying investigative authority proactively in the absence of comprehensive enforcement statutes.

A frequently overlooked dimension of Georgia’s enforcement landscape is the AG’s authority under the Georgia Fair Business Practices Act (FBPA), Ga. Code Ann. §§ 10-1-390 et seq., the state’s primary unfair or deceptive acts or practices (UDAP) statute. The FBPA broadly prohibits unfair or deceptive practices in the unregulated consumer marketplace (it does not extend to areas already governed by other state or federal regulatory frameworks) and empowers the AG to investigate, seek injunctive relief, impose civil penalties, and require restitution. Although the UDAP does not expressly address data privacy, AGs in Georgia and nationally have used analogous UDAP authority against entities whose data practices involve misleading privacy disclosures, inadequate security representations or deceptive data-sharing conduct. Organisations that make public commitments about their data practices (through privacy notices, marketing materials or terms of service) and fail to honour them face FBPA exposure in addition to breach notification and common law liability. Privacy counsel should audit external-facing data representations for consistency with actual organisational practices. The combination of SB 351 litigation, multistate coalition advocacy, targeted platform investigations and FBPA enforcement authority constitutes a multifaceted posture unlikely to diminish.

Looking ahead

The 2026 Georgia legislative session presents another opportunity to enact comprehensive consumer privacy legislation. The structural conditions have not fundamentally shifted: the Senate’s institutional commitment to a Virginia-model framework remains strong and the House’s resistance equally persistent. Any path to enactment likely requires targeted amendments to applicability thresholds and consumer rights provisions or a political catalyst (eg, federal action, a high-profile Georgia breach or continued regional competitive pressure) sufficient to break the impasse. Whether sponsors revive SB 111 or introduce a successor measure is itself an early indicator worth watching.

The Eleventh Circuit’s decision in NetChoice v Carr will likely be among the most consequential privacy law developments of 2026 for Georgia and the nation. Reversal, finding that Free Speech Coalition v Paxton’s intermediate scrutiny framework extends to broad-based social media regulation, would activate SB 351’s requirements on relatively short notice. Affirmance would shift attention to whether Georgia’s constitutional defects can be remedied through narrower drafting or whether the challenge is more fundamental. The common law framework established by Bland will continue developing through trial court and appellate decisions; as subsequent cases reach the Court of Appeals, the merits-stage contours of reasonable security, injury and causation will become clearer, with significant consequences for litigation strategy, cybersecurity investment decisions and insurance pricing. The judicial and professional response to AI in legal proceedings, initiated by Shahid, is also likely to develop further through additional sanctions decisions, court rules or advisory opinions; privacy and technology practitioners should treat it as the opening chapter of a longer conversation.

Conclusion

Georgia’s privacy landscape in early 2026 is defined by intersecting legal contests across all three branches of government. The repeated failure of comprehensive legislation, the constitutional battle over SB 351, the emergence of common law breach liability, the judiciary’s first encounter with AI fabrications and the AG’s expansive enforcement posture each demand attention from practitioners advising clients with Georgia operations, and none can be understood in isolation.

The central message for data protection professionals is that the absence of legislation does not mean regulatory relief. Georgia imposes breach notification requirements, evolving common law standards and federal sectoral obligations, and its AG is using existing enforcement tools aggressively in the interim. Georgia’s posture also stands in growing contrast to that of its immediate neighbours: Florida enacted a comprehensive consumer privacy law in 2023, Tennessee enacted one in 2024 and North Carolina is among the states actively advancing comprehensive legislation. As more Southeast states establish statutory frameworks, Georgia businesses will face those obligations across state lines while their home-state framework remains unsettled. Organisations serious about managing their Georgia privacy exposure should invest in proactive programme design now, without waiting for legislative clarity that may not arrive on any predictable schedule.

Jones Walker LLP

1221 Peachtree Street, N.E.,
Suite 400
Atlanta, Georgia 30361
USA

+1 404 870 7531

jloring@joneswalker.com www.joneswalker.com