The Alabama Personal Data Protection Act, as outlined in bill HB351 Engrossed, aims to enhance consumer rights regarding personal data by establishing clear definitions and obligations for data controllers and processors. The bill introduces new terms such as "biometric data," "sensitive data," and "dark pattern," while emphasizing the necessity of consumer consent for data processing. It also sets regulations for the handling of deidentified data and defines what constitutes a sale of personal data, including various exceptions. The act seeks to empower consumers with rights to confirm data processing, correct inaccuracies, request deletion, and opt out of targeted advertising and data sales, while requiring controllers to respond to consumer requests within 45 days.

Additionally, the bill outlines the responsibilities of data processors and controllers, mandating contracts that specify data processing instructions and ensuring confidentiality. It emphasizes the need for transparency in data practices and prohibits discrimination against consumers who opt out of data processing. The enforcement mechanism is established through the Attorney General, who can issue notices of violation and impose civil penalties for non-compliance. The act is set to take effect on May 1, 2027, and aims to provide a comprehensive framework for data privacy and protection in Alabama, ensuring consumers have greater control over their personal information.

Statutes affected:
Introduced: 10A-1-1
Engrossed: 10A-1-1