Menu

Privacy Bill Essentials: Alabama Consumer Privacy Act

April 12, 2021
Hinshaw Privacy & Cyber Bytes

Alabama has introduced a comprehensive privacy bill called the Alabama Consumer Privacy Act (ACPA). Similar to the California Consumer Privacy Act and other recently proposed state laws, the ACPA provides consumers with greater control over their personal information.

However, the ACPA is unique in that it has no minimum revenue threshold and is broadly applicable, including small businesses and companies that do business in Alabama.

To whom would it apply?

The ACPA would apply to any business, or entity controlled by the business and sharing common branding that:

The bill defines a "consumer" as an individual who is an Alabama resident, however identified, including by any unique identifier.

The ACPA does not provide any minimum thresholds based on the amount of personal information collected, revenue attributable to the sale of personal information, or annual gross revenue.

What type of information would it cover?

The bill defines personal information to include identifiers of a consumer or household (e.g. name, alias, email address), characteristics of protected classifications under state or federal law, biometric information, medical information, geolocation data, professional/employment-related information, non-publicly available education information, and commercial information.

What rights would it create?

The bill would give consumers who submit a verifiable request the right to:

What obligations would it impose?

Under the bill, businesses would be required to provide two or more designated methods for consumers to submit requests for information: at minimum, a toll-free telephone number and, if the business has a website or mobile application, a submission portal. Businesses are required to maintain a privacy policy that includes:

The business is required to disclose the information to the consumer within 45 days of receiving the request.

How would it be enforced?

The law would be enforced through a private right of action. A consumer may recover damages in an amount determined by the court if "nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable personal information security procedures."

Before filing suit, the consumer must provide the business with a 30 days' written cure notice unless the action is only seeking actual pecuniary damages.

Any violation of the ACPA by a business, service provider, or other person would be considered a violation of the Deceptive Trade Practices Act, Ala. Code Section § 8-19-1, et seq.

When does it go into effect?

Although there is currently no effective date, the Attorney General is required, beginning no later than Oct. 1, 2022, to solicit broad public commentary and adopt rules to further the purposes of the ACPA.

Where does it stand?

On February 2, 2021, the ACPA was submitted to the House Technology and Research Committee.