The Alabama Personal Data Protection Act, encapsulated in bill HB283 Engrossed, aims to enhance consumer rights regarding personal data and establish regulations for data controllers and processors. The bill introduces new definitions such as "controller," "processor," "biometric data," and "sensitive data," clarifying the responsibilities of entities handling personal data. Key provisions include the requirement for clear consumer consent, the establishment of rights for consumers to access, delete, and control their personal data, and the obligation for controllers to protect sensitive data, which encompasses health information, sexual orientation, and precise geolocation. The bill also addresses the use of dark patterns in user interfaces that may manipulate consumer choices and specifies that the sale of personal data does not include certain disclosures made to processors or for providing requested services.

Additionally, the bill outlines specific exemptions for certain entities, such as political subdivisions and educational institutions, and establishes consumer rights to confirm data processing, correct inaccuracies, request deletion, and opt out of targeted advertising. It mandates that controllers provide information in response to consumer requests free of charge once per year, unless requests are excessive. The bill also emphasizes the need for reasonable data security practices and prohibits discrimination against consumers who opt out of data processing. Importantly, the bill grants the Attorney General exclusive authority to enforce the act, with fines imposed for non-compliance, and clarifies that a violation does not create a private cause of action. The act is set to take effect on July 1, 2026.

Statutes affected:
Introduced: 10A-1-1
Engrossed: 10A-1-1