GA SB473

Applies to businesses with over $25 million in revenue that either control/process personal information of at least 175,000 consumers annually, or control/process data of at least 25,000 consumers while deriving more than 50% of gross revenue from selling personal information

Grants Georgia consumers the right to access, correct, delete, and obtain portable copies of their personal data, as well as opt out of data sales, targeted advertising, and profiling that produces legal or similarly significant effects

Requires controllers to obtain consumer consent before processing sensitive data (racial/ethnic origin, health diagnoses, biometric data, precise geolocation, data from known children under 13) and to conduct documented data protection assessments for high-risk processing activities

Enforcement is exclusively through the Attorney General, who must provide a 60-day cure period before initiating action; courts may impose civil penalties up to $7,500 per violation, with treble damages for willful or knowing violations

Provides an affirmative defense for controllers/processors that maintain a written privacy policy reasonably conforming to the NIST privacy framework, and preempts all local government regulation of personal data processing; effective July 1, 2026