The governor of Alabama recently signed House Bill 351, which establishes a consumer data privacy law for the state. The law takes effect May 1, 2027.
To whom does the law apply?
The law applies to controllers that conduct business in Alabama or produce products or services targeted to Alabama residents, if they either:
(1) control or process the personal data of more than 25,000 consumers, excluding data processed solely to complete a payment transaction, or
(2) derive more than 25 percent of gross revenue from the sale of personal data.
The Act does not apply to various entities, including political subdivisions and certain public bodies, institutions of higher education, certain securities associations, certain financial institutions and GLBA-regulated data, HIPAA covered entities and business associates, certain small businesses with fewer than 500 employees that do not sell personal data, certain nonprofits with fewer than 100 employees that do not sell personal data, certain regulated entities under specified Alabama statutes, certain political organizations and data sellers serving them, and certain electric providers.
Who is protected by the law?
The law protects “consumers,” defined as individuals who are residents of Alabama. It excludes individuals acting in a commercial or employment context.
The law also specifically allows a parent or legal guardian to exercise rights on behalf of a known child, and a guardian or conservator to exercise rights on behalf of a consumer.
What data is protected by the law?
The law protects “personal data,” defined as information that is linked or reasonably linkable to an identified or identifiable individual. It excludes deidentified data and publicly available information.
The defines “sensitive data” to include: data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for uniquely identifying an individual; personal data collected from a known child; and precise geolocation data.
What are the rights of consumers?
Under the law, consumers may require a controller to do the following:
- Confirm whether the controller, processor, or third party acting on the controller’s behalf is processing the consumer’s personal data and access that data;
- Correct inaccuracies;
- Delete personal data;
- Provide a portable and, where technically feasible, readily usable copy of personal data previously provided by the consumer; and
- Allow the consumer to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of solely automated significant decisions.
A controller must respond to a consumer request within 45 days, subject to a possible 45-day extension when reasonably necessary and must explain if it declines to act.
Controllers must allow opt-out requests through a clear and conspicuous link on the controller’s website to a webpage that enables the consumer directly to opt out of targeted advertising or the sale of personal data, or to provide up-to-date contact information for submitting the opt-out request.
What obligations do controllers have?
Controllers must:
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes;
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices; and
- Provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent.
Controllers may not process personal data for purposes that are not reasonably necessary to or compatible with disclosed purposes, process sensitive data without consent (or, for known children, outside COPPA-compliant processing), process data in violation of discrimination laws, or process personal data for targeted advertising or sell personal data without consent where the controller has actual knowledge that the consumer is at least 13 and younger than 16.
Controllers may not deny goods or services, charge different prices or rates, or provide a different level of quality because a consumer opted out, although the law allows certain loyalty and reward programs.
Controllers must establish and describe in the privacy notice one or more secure and reliable means for consumers to submit requests to exercise their rights and may not require consumers to create a new account to do so, though they may require the use of an existing account.
Controllers also have obligations regarding deidentified and pseudonymous data, including taking measures to ensure deidentified data cannot reasonably be associated with an individual, refraining from reidentifying deidentified data, contractually obligating recipients of deidentified data to comply with the statutory requirements, and exercising reasonable oversight over disclosures of pseudonymous or deidentified data.
How is the law enforced?
The Alabama Attorney General may enforce violations of the Act.
Before initiating an action, the Attorney General must issue a notice of violation to the controller. If the controller fails to correct the violation within 45 days after receipt of the notice, the Attorney General may bring an action for an injunction.
If the court finds a violation and failure to cure, it may assess a civil penalty of up to $15,000 per violation. If the controller cures within the 45-day period and provides an express written statement that the violations have been corrected and will not recur, no action may be initiated.
If you have questions about Alabama’s new privacy law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.