On Feb. 21, Alabama Rep. Craig Lipscomb introduced House Bill 216, which would create the Alabama Consumer Privacy Act. The legislation is similar to the California Consumer Privacy Act but has far broader application.
Applicability (the “Twist”)
The Act would apply to any business, or entity controlled by the business and sharing common branding, that:
- Is for-profit;
- Does business in Alabama;
- Collects consumers’ personal information (PI); and
- Determines the purposes and means of processing consumers’ PI.
Unlike the California Consumer Privacy Act or the Virginia Consumer Data Protection Act, or most privacy legislation introduced in other states, this Act has no thresholds based on annual gross revenue, revenue attributable to the sale of PI, or the amount of PI collected. Thus, it sweeps in small businesses and companies that do little business in Alabama.
The legislation would afford consumers the right to:
- Know the categories of PI collected, the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom PI was shared or sold, and the specific pieces of PI collected;
- Delete PI that the business collected from the consumer; and
- Opt out of the sale of PI.
Among other things, the Act would not apply to PI protected by the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the data privacy and security regulations adopted pursuant to those federal acts.
The legislation allows a consumer to recover damages “in an amount as determined by the court” if their “nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable personal information security procedures.”
Prior to initiating a lawsuit, a consumer must provide a 30-day cure notice to a business, unless the action is “solely for actual pecuniary damages.”
Additionally, any violation of the Act would be considered a violation of Alabama’s Deceptive Trade Practices Act, Ala. Code § 8-19-1, et seq., which allows the Attorney General to investigate complaints and issue injunctions. Consumers who have suffered monetary damages may also receive the greater of their actual damages or $100, or up to three times actual damages depending on the nature of the violation and conduct of the business.
The legislation tasks the Attorney General with rulemaking, beginning no later than Oct. 1, 2022, with solicitation of “broad public commentary.”
This bill is worth keeping an eye on due to its broad application, particularly with respect to small businesses.
For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.