The Alabama Personal Data Protection Act (HB283 Engrossed) aims to enhance consumer rights regarding personal data and establish regulations for how data controllers and processors handle such information. The bill introduces new definitions, including "controller," "processor," "sensitive data," and "dark pattern," which clarify the roles of entities involved in data processing. It grants consumers rights to authenticate requests about their personal data, mandates clear consent for data processing, and outlines conditions for deidentifying data. The act also regulates the sale of personal data, emphasizing the protection of sensitive information, and sets obligations for controllers to ensure data security and transparency in their practices.

Key provisions include the establishment of consumer rights to request confirmation, correction, deletion, and opt-out options for targeted advertising and data sales. The bill specifies that controllers must respond to consumer requests within a designated timeframe and allows for parental consent regarding children's data. Notably, the bill deletes previous language allowing for private causes of action, instead granting exclusive enforcement authority to the Attorney General, who can impose fines for violations. The act will take effect on July 1, 2026, and aims to empower consumers while providing clear guidelines for data processing and privacy.

Statutes affected:
Introduced: 10A-1-1
Engrossed: 10A-1-1