In a landmark decision, the Georgia Supreme Court has expanded the Georgia Open Records Act (the Act) to include private businesses and contractors working with state and local government entities. The ruling in Milliron v. Antonakakis clarifies that public records held by nongovernment entities are subject to the same transparency requirements as government agencies. Consequently, businesses in sectors like construction, IT, health care, and consulting must navigate the Act’s complexities to avoid liability. This article explores the court’s decision and offers practical steps for compliance. For more insights, listen to our latest Regulatory Podcast episode, “Unveiling the Impact: How Georgia’s Open Records Act Affects Private Businesses.”

On January 16, New Jersey became the first state this year to enact a comprehensive privacy law, S332, which applies to businesses conducting operations in the state or targeting its residents. As noted in this article by our privacy team, similar to other state comprehensive privacy laws, S322 grants consumers the right to confirm, correct, delete, obtain a copy of their personal data, and opt out of its processing for targeted advertising, sale, or profiling. Controllers and processors are obligated to limit data collection, establish security practices, and provide a privacy notice. They are also required to conduct a data protection assessment for processing activities that pose a heightened risk of harm to consumers. The New Jersey Attorney General’s Office has exclusive authority to enforce violations, treating them as “unlawful practices” under the New Jersey Consumer Fraud Act. The law takes effect on January 16, 2025, with an 18-month grace period for organizations to correct violations before enforcement actions are taken.