The Alabama Personal Data Protection Act (HB351) aims to enhance consumer data privacy by establishing specific rights for individuals regarding their personal data. The bill introduces new definitions and obligations for entities handling personal data, including terms like "controller," "processor," "sensitive data," and "dark pattern." It grants consumers the right to consent to data processing through clear and affirmative actions, while outlining the responsibilities of data controllers and processors, particularly concerning sensitive and deidentified data. The act applies to businesses operating in Alabama or targeting Alabama residents, with certain exemptions for political subdivisions, educational institutions, and small businesses that do not sell personal data.

Additionally, the bill mandates that data controllers respond to consumer requests regarding their personal data within 45 days and provides mechanisms for consumers to opt out of data processing for targeted advertising. It emphasizes the need for robust data security practices and prohibits the processing of sensitive data without consent. The Attorney General is designated to enforce the act, with the authority to impose civil penalties for violations. The act is set to take effect on May 1, 2027, and aims to balance consumer privacy rights with the operational needs of businesses handling personal data.

Statutes affected:
Introduced: 10A-1-1
Engrossed: 10A-1-1
Enrolled: 10A-1-1