Alabama Enacts Consumer Data Privacy Law
Alabama recently enacted a comprehensive consumer data privacy law, the Alabama Personal Data Protection Act (the Act), following many other states that have enacted similar laws in recent years. The Act will become effective on May 1, 2027.
Scope
The Act applies to persons that conduct business in Alabama or produce a product or service targeted to Alabama residents and that either: (i) control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment; or (ii) sell personal data and derive more than 25% of their gross revenue from those sales. “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual,” but excludes “deidentified data or publicly available information.”
The Act does not apply to certain entities, including, among others: (i) financial institutions and affiliates governed by, and personal data handled in accordance with, Title V of the Gramm-Leach-Bliley Act; (ii) financial institutions and affiliates governed by the privacy provisions of 15 U.S.C. chapter 94; (iii) institutions of higher education and their affiliates; (iv) political organizations; (v) nonprofits with fewer than 100 employees that do not sell personal data; (vi) businesses with fewer than 500 employees that do not sell personal data; and (vii) covered entities and business associates as defined in 45 C.F.R. § 160.103 under HIPAA. Certain kinds of data are also exempt, such as protected health information under HIPAA, patient and other health-related records, and credit-related personal information, if the credit-related activity is regulated by and authorized under the Fair Credit Reporting Act.
Consumer Rights
The Act grants consumers certain rights with respect to their personal data. Upon receiving an authenticated request from a consumer, a controller must: (i) confirm whether it is processing the consumer’s personal data and provide access to that data; (ii) correct inaccuracies in the data; (iii) delete the personal data; (iv) provide a copy of the personal data the consumer provided, in a portable and, if feasible, readily usable format that allows the consumer to transmit the data to another controller; and (v) allow the consumer to opt out of processing for targeted advertising, certain profiling, or the sale of the consumer’s personal data.
The controller must respond to a consumer’s request within 45 days of receipt. It may extend this period once by an additional 45 days if reasonably necessary, provided that it informs the consumer of the extension and the reason for it within the original 45-day period. Controllers must respond to a consumer’s reasonable requests free of charge once a year.
Notice Requirements and Other Obligations
Controllers must provide a privacy notice to consumers including the following: (i) the categories of personal data processed; (ii) the purpose for processing the personal data; (iii) how to exercise their consumer rights, including an active email address for contacting the controller and a link or contact for opting-out; and (iv) if the controller shares information with third parties, the categories of the third parties and the categories of the personal data shared.
The Act also imposes other requirements, including specific requirements for contracts between controllers and processors.
Penalties and Enforcement
There is no private right of action in the Act. The Act provides for a notice and cure period when the Attorney General alleges violations of the Act.
