Press "Enter" to skip to content
Alabama data privacy

Alabama Introduces Consumer Privacy Act With A Twist

Published March 30, 2021 by Eric Rosenkoetter

Alabama data privacyOn Feb. 21, Alabama Rep. Craig Lipscomb introduced House Bill 216 which would create the Alabama Consumer Privacy Act.  The legislation is similar to the California Consumer Privacy Act but has far broader application.

Applicability (the “Twist”)

The Act would apply to any business, or entity controlled by the business and sharing common branding, that:

  1. Is for-profit;
  2. Does business in Alabama;
  3. Collects consumers’ personal information (PI); and
  4. Determines the purposes and means of processing consumers’ PI.

Unlike the California Consumer Privacy Act or the Virginia Consumer Data Protection Act, or most privacy legislation introduced in other states, this Act has no thresholds based on annual gross revenue, revenue attributable to the sale of PI, or the amount of PI collected.  Thus, it sweeps in small businesses and companies that do little business in Alabama.

Consumer Rights

The legislation would afford consumers the right to:

  1. Know the categories of PI collected, the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom PI was shared or sold, and the specific pieces of PI collected;
  2. Delete PI that the business collected from the consumer; and
  3. Opt out of the sale of PI.

Exemptions

Among other things, the Act would not apply to PI protected by the Health Insurance Portability and Availability Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the data privacy and security regulations adopted pursuant to those federal acts.

Enforcement

The legislation allows a consumer to recover damages “in an amount as determined by the court” if their “nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable personal information security procedures.”

Prior to initiating a lawsuit, a consumer must provide a 30-day cure notice to a business, unless the action is “solely for actual pecuniary damages.”

Additionally, any violation of the Act would be considered a violation of Alabama’s Deceptive Trade Practices Act, Ala. Code § 8-19-1, et seq., which allows the Attorney General to investigate complaints and issue injunctions.  Additionally, consumers who have suffered monetary damages may receive the greater of their actual damages or $100, or up to three times actual damages depending on the nature of the violation and conduct of the business.

Rulemaking

The legislation tasks the Attorney General with rulemaking, beginning no later than Oct. 1, 2022, with solicitation of “broad public commentary.”

Impression

This bill is worth keeping an eye on due to its broad application, particularly with respect to small businesses.

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Published in Data Privacy and Security

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.