Can I use third-party email marketing tools that collect personal information in Georgia? What are the requirements?
Using Third-Party Email Marketing Tools in Georgia
Georgia has several rules and regulations that govern the use and protection of personal information. While there is no specific document that directly addresses the use of third-party email marketing tools that collect personal information, businesses must comply with Georgia laws and regulations related to the protection of personal information.
To ensure compliance with Georgia laws and regulations, it is recommended that businesses using third-party email marketing tools that collect personal information take the following steps:
- Implement Reasonable Security Procedures and Practices: Under GACO 10-1-944, businesses are required to implement and maintain reasonable security procedures and practices, including administrative, physical, and technical safeguards, appropriate to the nature of the data and the purposes for which the data will be used, to protect the information or documents collected to comply with the requirements of this article from unauthorized use, disclosure, access, destruction, or modification.
- Provide Notice of Unauthorized Access to Personal Information: Under GARR Rule 80-14-1-.05 and GARR Rule 80-3-1-.04, businesses are required to provide notice to the Department of any unauthorized access to personal information. In addition, businesses that satisfy the definition of an information broker are required to provide notice to Georgia residents in the event of a data breach that results in access or likely access to unencrypted personal information. [2.1]
- Comply with Change Management Requirements: Under GACO 50-29-3, businesses are required to provide a written business case for every information technology project that exceeds $1 million in value. In addition, businesses are required to provide for a change management plan and resources necessary for plan execution for projects that exceed $1 million in value, projects that directly involve two or more state agencies, or service delivery changes in existing programs that significantly change existing business processes. [4.1]
- Information Security Safeguards for Consumer Financial Information: All licensees shall create and maintain an information security program to safeguard the nonpublic personal information of customers to the extent required by 16 C.F.R. Part 314 (the “Safeguards Rule”). As part of its regulatory oversight, the Department shall review, to the extent applicable, licensee’s information security programs, risk assessments, incident response plans, and other required elements of the Safeguards Rule. [1.2]
Therefore, businesses using third-party email marketing tools that collect personal information in Georgia must comply with the above-mentioned requirements to ensure the protection of personal information.
Source(s):
- [2.1] Notice of Unauthorized Access to Personal Information
- [4.1] [Effective January 1, 2023] Required information from high-volume third-party sellers; suspension for noncompliance; verification by online marketplace.
- [1.2] Information Security Safeguards for Consumer Financial Information
Jurisdiction
Georgia, Georgia