Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends

Alabama has introduced a comprehensive privacy bill called the Alabama Consumer Privacy Act (ACPA). Similar to the California Consumer Privacy Act and other recently proposed state laws, the ACPA provides consumers with greater control over their personal information.

However, the ACPA is unique in that it has no minimum revenue threshold and applies broadly, including to small businesses and to companies that do business in Alabama.

To whom would it apply?

The ACPA would apply to any business, or entity controlled by the business and sharing common branding, that:

  • Does business in Alabama;
  • Is for-profit;
  • Collects consumers' personal information; and
  • Determines the purposes and means of processing consumers' personal information.

The bill defines a "consumer" as an individual who is an Alabama resident, however identified, including by any unique identifier.

The ACPA does not provide any minimum thresholds based on the amount of personal information collected, revenue attributable to the sale of personal information, or annual gross revenue.

What type of information would it cover?

The bill defines personal information to include identifiers of a consumer or household (e.g., name, alias, email address), characteristics of protected classifications under state or federal law, biometric information, medical information, geolocation data, professional/employment-related information, non-publicly available education information, and commercial information.

What rights would it create?

The bill would give consumers who submit a verifiable request the right to:

  • Know the categories of personal information collected, the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom personal information was shared or sold, and the specific pieces of personal information collected;
  • Delete personal information that the business collected from the consumer; and
  • "Opt out" of the sale of personal information.

What obligations would it impose?

Under the bill, businesses would be required to provide two or more designated methods for consumers to submit requests for information: at minimum, a toll-free telephone number and, if the business has a website or mobile application, a submission portal. Businesses are required to maintain a privacy policy that includes:

  • All Alabama-specific consumer privacy rights, along with a separate "Do Not Sell My Personal Information" link;
  • A description of consumer rights;
  • At least one designated method for submitting requests;
  • Categories of personal information the business has collected about consumers in the preceding 12 months;
  • Categories of personal information the business has sold about consumers in the preceding 12 months;
  • A statement, if applicable, disclosing that the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months;
  • The right to opt out of the sale or sharing to third parties; and
  • The right to request deletion of certain personal information.

The business is required to disclose the information to the consumer within 45 days of receiving the request.

How would it be enforced?

The law would be enforced through a private right of action. A consumer may recover damages in an amount determined by the court if "nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable personal information security procedures."

Before filing suit, the consumer must provide the business with 30 days' written cure notice, unless the action seeks only actual pecuniary damages.

Any violation of the ACPA by a business, service provider, or other person would be considered a violation of the Deceptive Trade Practices Act, Ala. Code § 8-19-1, et seq.

When does it go into effect?

Although there is currently no effective date, the Attorney General is required, beginning no later than Oct. 1, 2022, to solicit broad public commentary and adopt rules to further the purposes of the ACPA.

Where does it stand?

On February 2, 2021, the ACPA was submitted to the House Technology and Research Committee.