Alabama Becomes 21st State to Enact a Comprehensive Consumer Data Privacy Law

Alabama Gov. Kay Ivey signed into law House Bill 351 on April 16, making Alabama the 21st state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island, and Oklahoma. The Act will go into effect May 1, 2027.

APPLICABILITY

The Act applies to persons that conduct business in Alabama or persons that produce products or services that are targeted to residents of Alabama and that meet either of the following qualifications:

  1. Control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
  2. Derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.

EXEMPTIONS

Exemptions include, in part:

  1. A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.;
  2. A political subdivision of Alabama;
  3. A two-year or four-year institution of higher education, including affiliates of a two-year or four-year institution of higher education;
  4. Protected health information under the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related regulations;
  5. A covered entity or business associate as defined in the HIPAA privacy regulations;
  6. Persons or entities governed by the Alabama Securities Act or Monetary Transmission Act;
  7. A political action committee, political party, or principal campaign committee;
  8. A nonprofit entity with less than 100 employees, provided the entity does not engage in the sale of personal data;
  9. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;
  10. Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as these terms are used in the federal Airline Deregulation Act of 1978 by an air carrier subject to the act.

CONSUMER RIGHTS

Consumers have the right to:

  1. Confirm whether a controller, processor, or a third party acting on a controller’s behalf is processing their personal data and accessing the data;
  2. Correct inaccuracies in the consumer’s personal data;
  3. Direct a controller to delete the consumer’s personal data;
  4. Obtain a copy of the personal data previously provided by the consumer to a controller;
  5. Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated significant decisions concerning the consumer.

SENSITIVE DATA

A controller may not process sensitive data concerning a consumer other than a known child without obtaining that consumer’s consent or, in the case of the processing of personal data concerning a known child, without processing the data in accordance with the federal Children’s Online Privacy Protection Act of 1998.

“Sensitive data” is personal data that includes any of the following:

  1. Data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status.
  2. The processing of genetic or biometric data for the purpose of uniquely identifying an individual.
  3. Personal data collected from a known child.
  4. Precise geolocation data.

CONTRACT REQUIREMENTS

A contract between a controller and a processor must govern the processor’s data processing obligations and:

  1. Clearly set forth instructions for processing data;
  2. Clearly set forth the nature and purpose of the processing;
  3. Clearly set forth the type of data subject to processing;
  4. Clearly set forth the duration of processing;
  5. Clearly set forth the rights and obligations of both parties;
  6. Ensure that each processor of personal data is subject to a duty of confidentiality with respect to the personal data;
  7. Require each processor to:
    1. Delete or return all personal data to the controller as requested at the end of the provision of services at the controller’s direction, unless retention of the personal data is required or permitted by law or the contract;
    2. Make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations of this act upon the reasonable request of the controller; and
    3. Obligate any subcontractor processing personal data to meet the obligations of the processor with respect to the personal data.

ENFORCEMENT

The Attorney General has authority to enforce the Act and may seek a civil penalty not to exceed $15,000 per violation. The Act provides a 45-day cure provision.

IMPRESSION

The Act is sensible legislation that balances the rights of consumers with the impact on businesses. Notably, it contains more exemptions than some other laws, does not specifically require risk assessments, and has a civil penalty that is among the highest. The Act follows the pattern of many post-California comprehensive data privacy laws and should not present overly burdensome compliance challenges for those that must comply with one or more of the other comprehensive consumer data privacy laws.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional through the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/