Press "Enter" to skip to content

Alabama Introduces Consumer Privacy Act With A Twist

Alabama data privacyOn Feb. 21, Alabama Rep. Craig Lipscomb introduced House Bill 216 which would create the Alabama Consumer Privacy Act.  The legislation is similar to the California Consumer Privacy Act but has far broader application.

Applicability (the “Twist”)

The Act would apply to any business, or entity controlled by the business and sharing common branding, that:

  1. Is for-profit;
  2. Does business in Alabama;
  3. Collects consumers’ personal information (PI); and
  4. Determines the purposes and means of processing consumers’ PI.

Unlike the California Consumer Privacy Act or the Virginia Consumer Data Protection Act, or most privacy legislation introduced in other states, this Act has no thresholds based on annual gross revenue, revenue attributable to the sale of PI, or the amount of PI collected.  Thus, it sweeps in small businesses and companies that do little business in Alabama.

Consumer Rights

The legislation would afford consumers the right to:

  1. Know the categories of PI collected, the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom PI was shared or sold, and the specific pieces of PI collected;
  2. Delete PI that the business collected from the consumer; and
  3. Opt out of the sale of PI.

Exemptions

Among other things, the Act would not apply to PI protected by the Health Insurance Portability and Availability Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the data privacy and security regulations adopted pursuant to those federal acts.

Enforcement

The legislation allows a consumer to recover damages “in an amount as determined by the court” if their “nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable personal information security procedures.”

Prior to initiating a lawsuit, a consumer must provide a 30-day cure notice to a business, unless the action is “solely for actual pecuniary damages.”

Additionally, any violation of the Act would be considered a violation of Alabama’s Deceptive Trade Practices Act, Ala. Code § 8-19-1, et seq., which allows the Attorney General to investigate complaints and issue injunctions.  Additionally, consumers who have suffered monetary damages may receive the greater of their actual damages or $100, or up to three times actual damages depending on the nature of the violation and conduct of the business.

Rulemaking

The legislation tasks the Attorney General with rulemaking, beginning no later than Oct. 1, 2022, with solicitation of “broad public commentary.”

Impression

This bill is worth keeping an eye on due to its broad application, particularly with respect to small businesses.

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.