The Alabama Personal Data Protection Act, known as HB283 Engrossed, aims to enhance consumer rights regarding personal data and establish regulations for how businesses, referred to as "controllers" and "processors," handle such data. The bill introduces new definitions, including "sensitive data" and "dark pattern," and mandates that consumers must provide clear consent before their personal data can be processed. It also prohibits the use of dark patterns to manipulate consumer choices and outlines specific categories of sensitive data, such as biometric and geolocation data. The act empowers consumers by granting them rights to authenticate requests, access their data, and opt out of targeted advertising and data sales, while requiring businesses to implement secure methods for consumers to exercise these rights.

Additionally, the bill specifies that controllers must limit data collection to what is necessary, maintain data security, and provide clear privacy notices. It establishes that controllers are not liable for violations if they disclose data to third-party processors without knowledge of potential violations. The Attorney General is granted exclusive authority to enforce the act, with a structured process for addressing violations, including a notice period and potential fines. The act will take effect on July 1, 2026, and does not create a private cause of action for violations. Overall, HB283 seeks to enhance consumer privacy and data protection while delineating the responsibilities of data handlers.

Statutes affected:
Introduced: 10A-1-1
Engrossed: 10A-1-1