Can I collect personal information from participants in Georgia? What are the requirements?
Collecting Personal Information from Participants in Georgia
To collect personal information from participants in Georgia, you must comply with the Information Security Safeguards for Consumer Financial Information as required by GARR Rule 80-14-1-.06. This rule mandates that all licensees create and maintain an information security program to safeguard the nonpublic personal information of customers to the extent required by 16 C.F.R. Part 314 (the “Safeguards Rule”). Additionally, if you experience an information security incident involving unauthorized access to personal information, you must provide notice to the Department of Georgia [1.1][1.2].
If you are an information broker, you are required to provide notice to Georgia residents in the event of a data breach that results in access or likely access to unencrypted personal information. In this case, a duplicate of the notification must be submitted to the Department [1.1].
Furthermore, if you are collecting personal information that includes telephone records, you must comply with GACO 46-5-214. This code section requires telecommunications companies to provide notice to Georgia residents immediately following discovery or notification of a breach of a telephone record if such breach is reasonably likely to cause quantifiable harm to the Georgia resident. The notice must be made in the most expedient manner possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the telephone record. If you maintain your own notification procedures as part of an information security policy for the treatment of personal information, and those procedures are otherwise consistent with the timing requirements of this Code section, you shall be deemed to be in compliance with the notification requirements of this Code section if you notify the individuals who are the subject of the notice in accordance with your policies in the event of a breach of the security of the system [2.1].
Therefore, to collect personal information from participants in Georgia, you must have an information security program in place, comply with the notification requirements in the event of a data breach, and comply with the requirements of GACO 46-5-214 if you are collecting telephone records.
Source(s):
- [1.1] Notice of Unauthorized Access to Personal Information
- [2.1] Action in event of telephone record security breach; notification to Georgia residents; law enforcement exception; violations shall be unfair or deceptive practice in consumer transactions.
- [1.2] Information Security Safeguards for Consumer Financial Information
Jurisdiction
Georgia, Georgia