House enacts Alabama Personal Data Protection Act; exempts regulated health, financial records
Summary
The House adopted the Alabama Personal Data Protection Act (HB 283), introducing consumer rights over personal data and setting state-level obligations for controllers and processors while carving out federally regulated categories such as HIPAA-covered health records and GLBA-regulated financial data.
The Alabama House passed House Bill 283 on April 22, adopting a substitute that establishes a state-level personal data protection framework for consumers, including rights to access, correct, delete and opt out of certain data processing.
Sponsor Representative Jeremy Shaw said, “Right now, federal government doesn't recognize our rights over our data. So 19 other states have had to pass a law like this.” The floor substitute largely tracks other state privacy statutes: it applies to controllers that process data for more than 50,000 consumers or that derive 25% of gross revenue from the sale of personal data, and it enumerates consumer rights including correction, deletion, data portability and opt-outs for targeted advertising and sales of personal data.
The substitute defines key terms (controller, processor, sensitive data, de‑identified and pseudonymous data), requires privacy notices, and sets technical and organizational security obligations for controllers and processors. The bill includes many carve-outs: health information covered by HIPAA, student records governed by FERPA, financial data governed by GLBA, certain public records, and other federally regulated categories — some exemptions pivot on whether the data are de‑identified.
A central enforcement role is given to the attorney general; the bill allows the AG to pursue civil penalties of up to $10,000 per violation if entities do not cure violations within a 60‑day notice period. The act explicitly precludes a private right of action.
Supporters framed the bill as bringing state-level consumer protections in the absence of federal privacy law; critics argued the Legislature should not duplicate federal schemes or should narrow exemptions. Representative Hall and other members questioned specific definitions and implementation timelines. The bill is scheduled to take effect July 1, 2026, giving state agencies and covered entities time to adapt.
Key elements adopted on the floor include a requirement that controllers maintain a clear, prominent opt‑out mechanism for targeted advertising and a provision allowing parents to exercise rights for known children under age 13 (COPPA alignment). The attorney general’s office will publish guidance and the bill requires controllers to authenticate consumer requests using commercially reasonable means.

