Alabama has introduced a comprehensive privacy bill called the Alabama Consumer Privacy Act (ACPA). Similar to the California Consumer Privacy Act and other recently proposed state laws, the ACPA provides consumers with greater control over their personal information.
However, the ACPA is unique in that it has no minimum revenue threshold and is broadly applicable, including small businesses and companies that do business in Alabama.
The ACPA would apply to any business, or entity controlled by the business and sharing common branding that:
The bill defines a "consumer" as an individual who is an Alabama resident, however identified, including by any unique identifier.
The ACPA does not provide any minimum thresholds based on the amount of personal information collected, revenue attributable to the sale of personal information, or annual gross revenue.
The bill defines personal information to include identifiers of a consumer or household (e.g. name, alias, email address), characteristics of protected classifications under state or federal law, biometric information, medical information, geolocation data, professional/employment-related information, non-publicly available education information, and commercial information.
The bill would give consumers who submit a verifiable request the right to:
The business is required to disclose the information to the consumer within 45 days of receiving the request.
The law would be enforced through a private right of action. A consumer may recover damages in an amount determined by the court if "nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable personal information security procedures."
Before filing suit, the consumer must provide the business with a 30 days' written cure notice unless the action is only seeking actual pecuniary damages.
Any violation of the ACPA by a business, service provider, or other person would be considered a violation of the Deceptive Trade Practices Act, Ala. Code Section § 8-19-1, et seq.
Although there is currently no effective date, the Attorney General is required, beginning no later than Oct. 1, 2022, to solicit broad public commentary and adopt rules to further the purposes of the ACPA.
On February 2, 2021, the ACPA was submitted to the House Technology and Research Committee.