Alabama 2024 Regular Session

Alabama Senate Bill SB213 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	SB213INTRODUCED
2	2	Page 0
3	3	SB213
4	4	RRIDNMM-1
5	5	By Senators Orr, Allen
6	6	RFD: Fiscal Responsibility and Economic Development
7	7	First Read: 06-Mar-24
8	8	1
9	9	2
10	10	3
11	11	4
12	12	5 RRIDNMM-1 03/06/2024 ZAK (L)cr 2024-402
13	13	Page 1
14	14	First Read: 06-Mar-24
15	15	SYNOPSIS:
16	16	Existing law provides for the confidentiality of
17	17	certain personal information in certain contexts.
18	18	This bill would provide that brokers of
19	19	individual consumers' data must notify consumers of
20	20	certain information on their website.
21	21	This bill would provide that data brokers must
22	22	register with the Secretary of State.
23	23	This bill would provide that data brokers must
24	24	protect consumers' data through specified security
25	25	measures.
26	26	This bill would require the Secretary of State
27	27	to adopt rules and procedures to implement and
28	28	administer the requirements of this bill.
29	29	This bill would provide civil penalties for data
30	30	brokers that violate these notification or registration
31	31	requirements.
32	32	This bill would provide that violations of the
33	33	duty to protect consumers' data through specified
34	34	security measures by data brokers constitute violations
35	35	of the Deceptive Trade Practices Act.
36	36	This bill would provide certain persons and
37	37	information to which the requirements of this bill do
38	38	not apply.
39	39	Section 111.05 of the Constitution of Alabama of
40	40	1
41	41	2
42	42	3
43	43	4
44	44	5
45	45	6
46	46	7
47	47	8
48	48	9
49	49	10
50	50	11
51	51	12
52	52	13
53	53	14
54	54	15
55	55	16
56	56	17
57	57	18
58	58	19
59	59	20
60	60	21
61	61	22
62	62	23
63	63	24
64	64	25
65	65	26
66	66	27
67	67	28 SB213 INTRODUCED
68	68	Page 2
69	69	Section 111.05 of the Constitution of Alabama of
70	70	2022, prohibits a general law whose purpose or effect
71	71	would be to require a new or increased expenditure of
72	72	local funds from becoming effective with regard to a
73	73	local governmental entity without enactment by a 2/3
74	74	vote unless: it comes within one of a number of
75	75	specified exceptions; it is approved by the affected
76	76	entity; or the Legislature appropriates funds, or
77	77	provides a local source of revenue, to the entity for
78	78	the purpose.
79	79	The purpose or effect of this bill would be to
80	80	require a new or increased expenditure of local funds
81	81	within the meaning of the section. However, the bill
82	82	does not require approval of a local governmental
83	83	entity or enactment by a 2/3 vote to become effective
84	84	because it comes within one of the specified exceptions
85	85	contained in the section.
86	86	A BILL
87	87	TO BE ENTITLED
88	88	AN ACT
89	89	Relating to data privacy; to require consumer data
90	90	brokers to publicly state certain information; to require data
91	91	brokers to register with the Secretary of State; to require
92	92	that data brokers protect data using specified security
93	93	measures; to provide civil and criminal penalties for
94	94	violations; to provide persons and information to which these
95	95	29
96	96	30
97	97	31
98	98	32
99	99	33
100	100	34
101	101	35
102	102	36
103	103	37
104	104	38
105	105	39
106	106	40
107	107	41
108	108	42
109	109	43
110	110	44
111	111	45
112	112	46
113	113	47
114	114	48
115	115	49
116	116	50
117	117	51
118	118	52
119	119	53
120	120	54
121	121	55
122	122	56 SB213 INTRODUCED
123	123	Page 3
124	124	violations; to provide persons and information to which these
125	125	requirements do not apply; and in connection therewith would
126	126	have as its purpose or effect the requirement of a new or
127	127	increased expenditure of local funds within the meaning of
128	128	Section 111.05 of the Constitution of Alabama of 2022.
129	129	BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:
130	130	Section 1. For the purposes of this act, the following
131	131	terms have the following meanings:
132	132	(1) BIOMETRIC DATA. Data generated by automatic
133	133	measurements of an individual's biological patterns or
134	134	characteristics, including fingerprint, voiceprint, retina or
135	135	iris scan, information pertaining to an individual's DNA, or
136	136	another unique biological pattern or characteristic that is
137	137	used to identify a specific individual.
138	138	(2) CHILD. An individual younger than 13 years of age.
139	139	(3) COLLECT. In the context of data, means to obtain,
140	140	receive, access, or otherwise acquire data by any means,
141	141	including by purchasing or renting the data.
142	142	(4) DATA BROKER. A business entity whose principal
143	143	source of revenue is derived from the collecting,
144	144	processing, or transferring of personal data that the entity
145	145	did not collect directly from the individual linked or
146	146	linkable to the data.
147	147	(5) DE-IDENTIFIED DATA. Data that cannot reasonably be
148	148	linked to an identified or identifiable individual or to a
149	149	device linked to that individual.
150	150	(6) EMPLOYEE. An individual who is a director, officer,
151	151	staff member, trainee, volunteer, or intern of an employer or
152	152	an individual working as an independent contractor for an
153	153	57
154	154	58
155	155	59
156	156	60
157	157	61
158	158	62
159	159	63
160	160	64
161	161	65
162	162	66
163	163	67
164	164	68
165	165	69
166	166	70
167	167	71
168	168	72
169	169	73
170	170	74
171	171	75
172	172	76
173	173	77
174	174	78
175	175	79
176	176	80
177	177	81
178	178	82
179	179	83
180	180	84 SB213 INTRODUCED
181	181	Page 4
182	182	an individual working as an independent contractor for an
183	183	employer, regardless of whether the individual is paid,
184	184	unpaid, or employed on a temporary basis. The term does not
185	185	include an individual contractor who is a service provider.
186	186	(7) EMPLOYEE DATA. Information collected, processed, or
187	187	transferred by an employer if the information satisfies both
188	188	of the following:
189	189	a. Is related to any of the following:
190	190	1. A job applicant and was collected during the course
191	191	of the hiring and application process.
192	192	2. An employee who is acting in a professional capacity
193	193	for the employer, including the employee's business contact
194	194	information such as the employee's name, position, title,
195	195	business telephone number, business address, or business
196	196	e-mail address.
197	197	3. An employee's emergency contact information.
198	198	4. An employee or the employee's spouse, dependent,
199	199	covered family member, or beneficiary.
200	200	b. Was collected, processed, or transferred solely for
201	201	any of the following:
202	202	1. A purpose relating to the status of an individual
203	203	described by subparagraph a.1. as a current or former job
204	204	applicant of the employer.
205	205	2. A purpose relating to the professional
206	206	activities of an employee described by subparagraph a.2. on
207	207	behalf of the employer.
208	208	3. The purpose of having an emergency contact on file
209	209	for an employee described by subparagraph a.3. and for
210	210	transferring the information in case of an emergency.
211	211	85
212	212	86
213	213	87
214	214	88
215	215	89
216	216	90
217	217	91
218	218	92
219	219	93
220	220	94
221	221	95
222	222	96
223	223	97
224	224	98
225	225	99
226	226	100
227	227	101
228	228	102
229	229	103
230	230	104
231	231	105
232	232	106
233	233	107
234	234	108
235	235	109
236	236	110
237	237	111
238	238	112 SB213 INTRODUCED
239	239	Page 5
240	240	transferring the information in case of an emergency.
241	241	4. The purpose of administering benefits
242	242	to which an employee described by subparagraph a.4. is
243	243	entitled or to which another individual described by that
244	244	paragraph is entitled on the basis of the employee's position
245	245	with the employer.
246	246	(8) GENETIC DATA. Any data, regardless of
247	247	format, concerning an individual's genetic characteristics.
248	248	The term includes raw sequence data derived from sequencing
249	249	all or a portion of an individual's extracted DNA and
250	250	genotypic and phenotypic information obtained from analyzing
251	251	an individual's raw sequence data.
252	252	(9) KNOWN CHILD. A child under circumstances where a
253	253	data broker has actual knowledge of, or willfully disregards
254	254	obtaining actual knowledge of, the child's age.
255	255	(10) PERSONAL DATA. Any information, including
256	256	sensitive data, that is linked or reasonably linkable to a
257	257	identified or identifiable individual. The term includes
258	258	pseudonymous data when the information is used by a controller
259	259	or processor in conjunction with additional information that
260	260	reasonably links the information to an identified or
261	261	identifiable individual. The term does not include
262	262	de-identified data, employee data, or publicly available
263	263	information.
264	264	(11) PRECISE GEOLOCATION DATA. Information
265	265	accessed on a device or technology that shows the past or
266	266	present physical location of an individual or the individual's
267	267	device with sufficient precision to identify street-level
268	268	location information of the individual or device in a range of
269	269	113
270	270	114
271	271	115
272	272	116
273	273	117
274	274	118
275	275	119
276	276	120
277	277	121
278	278	122
279	279	123
280	280	124
281	281	125
282	282	126
283	283	127
284	284	128
285	285	129
286	286	130
287	287	131
288	288	132
289	289	133
290	290	134
291	291	135
292	292	136
293	293	137
294	294	138
295	295	139
296	296	140 SB213 INTRODUCED
297	297	Page 6
298	298	location information of the individual or device in a range of
299	299	not more than 1,850 feet. The term does not include location
300	300	information regarding an individual or device identifiable or
301	301	derived solely from the visual content of a legally obtained
302	302	image, including the location of a device that captured the
303	303	image.
304	304	(12) PROCESS. In the context of data, an
305	305	operation or set of operations performed, whether by manual or
306	306	automated means, on personal data or on sets of personal data,
307	307	such as the collection, use, storage, disclosure, analysis,
308	308	deletion, or modification of personal data.
309	309	(13) PUBLICLY AVAILABLE INFORMATION. Information to
310	310	which any of the following apply:
311	311	a. Is lawfully made available through governmental
312	312	records.
313	313	b. A business has a reasonable basis to believe
314	314	is lawfully available to the general public through widely
315	315	distributed media.
316	316	c. Is lawfully made available by a consumer, or
317	317	by an individual to whom a consumer has disclosed the
318	318	information, unless the consumer has restricted access to the
319	319	information to a specific audience.
320	320	(14) SENSITIVE DATA.
321	321	a. A government-issued identifier not required by law
322	322	to be publicly available, including any of the following:
323	323	1. A Social Security number.
324	324	2. A passport number.
325	325	3. A driver license number.
326	326	b. Information that describes or reveals an
327	327	141
328	328	142
329	329	143
330	330	144
331	331	145
332	332	146
333	333	147
334	334	148
335	335	149
336	336	150
337	337	151
338	338	152
339	339	153
340	340	154
341	341	155
342	342	156
343	343	157
344	344	158
345	345	159
346	346	160
347	347	161
348	348	162
349	349	163
350	350	164
351	351	165
352	352	166
353	353	167
354	354	168 SB213 INTRODUCED
355	355	Page 7
356	356	b. Information that describes or reveals an
357	357	individual's mental or physical health diagnosis, condition,
358	358	or treatment.
359	359	c. An individual's financial information, except the
360	360	last four digits of a debit or credit card number, including
361	361	any of the following:
362	362	1. A financial account number.
363	363	2. A credit or debit card number.
364	364	3. Information that describes or reveals the income
365	365	level or bank account balances of the individual.
366	366	d. Biometric data.
367	367	e. Genetic data.
368	368	f. Precise geolocation data.
369	369	g. An individual's private communication, and that if
370	370	made using a device, is not made using a device provided by
371	371	the individual's employer that provides conspicuous notice to
372	372	the individual that the employer may access communication made
373	373	using the device. These communications include, unless the
374	374	data broker is the sender or an intended recipient of the
375	375	communication, all of the following:
376	376	1. The individual's voicemails, e-mails, texts, direct
377	377	messages, or mail.
378	378	2. Information that identifies the parties involved in
379	379	the communications.
380	380	3. Information that relates to the transmission of the
381	381	communications, including telephone numbers called, telephone
382	382	numbers from which calls were placed, the time calls were
383	383	made, call duration, and location information of the parties
384	384	to the call.
385	385	169
386	386	170
387	387	171
388	388	172
389	389	173
390	390	174
391	391	175
392	392	176
393	393	177
394	394	178
395	395	179
396	396	180
397	397	181
398	398	182
399	399	183
400	400	184
401	401	185
402	402	186
403	403	187
404	404	188
405	405	189
406	406	190
407	407	191
408	408	192
409	409	193
410	410	194
411	411	195
412	412	196 SB213 INTRODUCED
413	413	Page 8
414	414	to the call.
415	415	h. A log-in credential, security code, or access code
416	416	for an account or device.
417	417	i. Information identifying the sexual behavior of the
418	418	individual in a manner inconsistent with the individual's
419	419	reasonable expectation regarding the collection, processing,
420	420	or transfer of the information.
421	421	j. Calendar information, address book information,
422	422	phone or text logs, photos, audio recordings, or videos that
423	423	are both:
424	424	1. Maintained for private use by an individual and
425	425	stored on the individual's device or in another location.
426	426	2. Not communicated using a device provided by the
427	427	individual's employer unless the employee was provided
428	428	conspicuous notice that the employer may access communication
429	429	made using the device.
430	430	k. A photograph, film, video recording, or other
431	431	similar medium that shows the individual or a part of the
432	432	individual nude or wearing undergarments.
433	433	l. Information revealing the video content requested or
434	434	selected by an individual that is neither of the following:
435	435	1. Collected by a provider of broadcast television
436	436	service, cable service, satellite service, streaming media
437	437	service, or other video programming, as that term is defined
438	438	by 47 U.S.C. § 613.
439	439	2. Used solely for transfers for independent video
440	440	measurement.
441	441	m. Information regarding a known child.
442	442	n. Information revealing an individual's racial or
443	443	197
444	444	198
445	445	199
446	446	200
447	447	201
448	448	202
449	449	203
450	450	204
451	451	205
452	452	206
453	453	207
454	454	208
455	455	209
456	456	210
457	457	211
458	458	212
459	459	213
460	460	214
461	461	215
462	462	216
463	463	217
464	464	218
465	465	219
466	466	220
467	467	221
468	468	222
469	469	223
470	470	224 SB213 INTRODUCED
471	471	Page 9
472	472	n. Information revealing an individual's racial or
473	473	ethnic origin, color, religious beliefs, or union membership.
474	474	o. Information identifying an individual's online
475	475	activities over time accessing multiple Internet websites or
476	476	online services.
477	477	p. Information collected, processed, or
478	478	transferred for the purpose of identifying information
479	479	described by this subdivision.
480	480	(15) SERVICE PROVIDER. A person that receives,
481	481	collects, processes, or transfers personal data on behalf of,
482	482	and at the direction of, a business or governmental entity,
483	483	including a business or governmental entity that is another
484	484	service provider, in order for the person to perform a service
485	485	or function with or on behalf of the business or governmental
486	486	entity.
487	487	(16) TRANSFER. In the context of data, to disclose,
488	488	release, share, disseminate, make available, sell, or license
489	489	the data by any means or medium.
490	490	Section 2. (a) Except as provided by subsection (b),
491	491	this act applies to personal data from an individual that is
492	492	collected, transferred, or processed by a data broker.
493	493	(b) This chapter does not apply to any of the following
494	494	data:
495	495	(1) De-identified data, if the data broker does all of
496	496	the following:
497	497	a. Takes reasonable technical measures to ensure that
498	498	the data is not able to be used to identify an individual with
499	499	whom the data is associated.
500	500	b. Publicly commits to both of the following in a clear
501	501	225
502	502	226
503	503	227
504	504	228
505	505	229
506	506	230
507	507	231
508	508	232
509	509	233
510	510	234
511	511	235
512	512	236
513	513	237
514	514	238
515	515	239
516	516	240
517	517	241
518	518	242
519	519	243
520	520	244
521	521	245
522	522	246
523	523	247
524	524	248
525	525	249
526	526	250
527	527	251
528	528	252 SB213 INTRODUCED
529	529	Page 10
530	530	b. Publicly commits to both of the following in a clear
531	531	and conspicuous manner:
532	532	1. To process and transfer the data solely in a
533	533	de-identified form without any reasonable means for
534	534	reidentification.
535	535	2. To not attempt to identify the information to an
536	536	individual with whom the data is associated.
537	537	c. Contractually obligates a person that receives the
538	538	information from the provider to both of the following:
539	539	1. Comply with this subsection with respect to the
540	540	information.
541	541	2. Include those contractual obligations in any
542	542	subsequent transfer of the data to another person.
543	543	(2) Employee data.
544	544	(3) Publicly available information.
545	545	(4) Inferences made exclusively from multiple
546	546	independent sources of publicly available information that
547	547	does not reveal sensitive data with respect to an individual.
548	548	(5) Data subject to Title V of the Gramm-Leach-Bliley
549	549	Act, 15 U.S.C. § 6801, et seq.
550	550	Section 3. (a) Except as provided by subsection (b),
551	551	this act applies only to a data broker that derives either of
552	552	the following within a 12-month period:
553	553	(1) More than 50 percent of the data broker's revenue
554	554	from processing or transferring personal data that the data
555	555	broker did not collect directly from the individuals to whom
556	556	the data pertains.
557	557	(2) Revenue from processing or transferring the
558	558	personal data of more than 50,000 individuals that the data
559	559	253
560	560	254
561	561	255
562	562	256
563	563	257
564	564	258
565	565	259
566	566	260
567	567	261
568	568	262
569	569	263
570	570	264
571	571	265
572	572	266
573	573	267
574	574	268
575	575	269
576	576	270
577	577	271
578	578	272
579	579	273
580	580	274
581	581	275
582	582	276
583	583	277
584	584	278
585	585	279
586	586	280 SB213 INTRODUCED
587	587	Page 11
588	588	personal data of more than 50,000 individuals that the data
589	589	broker did not collect directly from the individuals to whom
590	590	the data pertains.
591	591	(b) This chapter does not apply to any of the
592	592	following:
593	593	(1) A service provider, including a service provider
594	594	that engages in the business of processing employee data for a
595	595	third-party employer for the sole purpose of providing
596	596	benefits to the third-party employer's employees.
597	597	(2) A person that collects personal data from another
598	598	person to which the person is related by common ownership or
599	599	corporate control, provided a reasonable consumer would expect
600	600	the persons to share data.
601	601	(3) A federal, state, tribal, territorial, or local
602	602	governmental entity, including a body, authority, board,
603	603	bureau, commission, district, agency, or political subdivision
604	604	of a governmental entity.
605	605	(4) An entity that serves as a congressionally
606	606	designated nonprofit, national resource center, or
607	607	clearinghouse to provide assistance to victims, families,
608	608	child-serving professionals, and the general public on missing
609	609	and exploited children issues.
610	610	(5) A consumer reporting agency or other entity that
611	611	furnishes information for inclusion in a consumer credit
612	612	report or obtains a consumer credit report, but only to the
613	613	extent the entity engages in activity regulated or authorized
614	614	by the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.,
615	615	including the collection, maintenance, disclosure, sale,
616	616	communication, or use of any personal information bearing on a
617	617	281
618	618	282
619	619	283
620	620	284
621	621	285
622	622	286
623	623	287
624	624	288
625	625	289
626	626	290
627	627	291
628	628	292
629	629	293
630	630	294
631	631	295
632	632	296
633	633	297
634	634	298
635	635	299
636	636	300
637	637	301
638	638	302
639	639	303
640	640	304
641	641	305
642	642	306
643	643	307
644	644	308 SB213 INTRODUCED
645	645	Page 12
646	646	communication, or use of any personal information bearing on a
647	647	consumer's creditworthiness, credit standing, credit capacity,
648	648	character, general reputation, personal characteristics, or
649	649	mode of living.
650	650	(6) A financial institution subject to Title V of the
651	651	Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.
652	652	Section 4. A data broker that maintains an Internet
653	653	website or mobile application shall post a conspicuous notice
654	654	on the website or application that complies with all of the
655	655	following:
656	656	(1) States that the entity maintaining the website or
657	657	application is a data broker.
658	658	(2) Is clear, not misleading, and readily accessible
659	659	by the general public, including individuals with a
660	660	disability.
661	661	(3) Contains language provided by rule of the Secretary
662	662	of State for inclusion in the notice.
663	663	Section 5. (a) To conduct business in this state, a
664	664	data broker that is subject to this act shall register by
665	665	January 1, 2025, with the Secretary of State by filing a
666	666	registration certificate and paying a registration fee of
667	667	three hundred dollars ($300).
668	668	(b) The registration certificate must include all of
669	669	the following:
670	670	(1) The legal name of the data broker.
671	671	(2) A contact individual and the primary physical
672	672	address, e-mail address, telephone number, and Internet
673	673	website address for the data broker.
674	674	(3) A description of the categories of data the data
675	675	309
676	676	310
677	677	311
678	678	312
679	679	313
680	680	314
681	681	315
682	682	316
683	683	317
684	684	318
685	685	319
686	686	320
687	687	321
688	688	322
689	689	323
690	690	324
691	691	325
692	692	326
693	693	327
694	694	328
695	695	329
696	696	330
697	697	331
698	698	332
699	699	333
700	700	334
701	701	335
702	702	336 SB213 INTRODUCED
703	703	Page 13
704	704	(3) A description of the categories of data the data
705	705	broker processes and transfers.
706	706	(4) A statement of whether or not the data broker
707	707	implements a purchaser credentialing process.
708	708	(5) If the data broker has actual knowledge that the
709	709	data broker possesses personal data of a known child, both of
710	710	the following:
711	711	a. A statement detailing the data collection practices,
712	712	databases, sales activities, and opt-out policies that are
713	713	applicable to the personal data of a known child.
714	714	b. A statement as to how the data broker complies with
715	715	applicable federal and state law regarding the collection,
716	716	use, or disclosure of personal data from and about a child on
717	717	the Internet.
718	718	(6) The number of security breaches the data broker has
719	719	experienced during the year immediately preceding the year in
720	720	which the registration is filed and, if known, the total
721	721	number of consumers affected by each breach.
722	722	(c) The registration certificate may include any
723	723	additional information or explanation the data broker chooses
724	724	to provide to the Secretary of State concerning the data
725	725	broker's data collection practices.
726	726	(d) A registration certificate expires on the first
727	727	anniversary of its date of issuance and every year thereafter.
728	728	A data broker may renew a registration certificate by filing a
729	729	renewal application, in the form prescribed by the Secretary
730	730	of State, and paying a renewal fee of three hundred dollars
731	731	($300).
732	732	Section 6. (a) The Secretary of State shall establish
733	733	337
734	734	338
735	735	339
736	736	340
737	737	341
738	738	342
739	739	343
740	740	344
741	741	345
742	742	346
743	743	347
744	744	348
745	745	349
746	746	350
747	747	351
748	748	352
749	749	353
750	750	354
751	751	355
752	752	356
753	753	357
754	754	358
755	755	359
756	756	360
757	757	361
758	758	362
759	759	363
760	760	364 SB213 INTRODUCED
761	761	Page 14
762	762	Section 6. (a) The Secretary of State shall establish
763	763	and maintain, on its Internet website, a searchable, central
764	764	registry of data brokers registered pursuant to Section 5.
765	765	(b) The registry must include both of the following:
766	766	(1) A search feature that allows an individual
767	767	searching the registry to identify a specific data broker.
768	768	(2) For each data broker, the information filed under
769	769	Section 5(b).
770	770	Section 7. (a) A data broker conducting business in
771	771	this state has a duty to protect personal data held by the
772	772	data broker in accordance with this section.
773	773	(b) A data broker shall develop, implement, and
774	774	maintain a comprehensive information security program that is
775	775	written in one or more readily accessible parts and employs
776	776	administrative, technical, and physical safeguards that are
777	777	appropriate for:
778	778	(1) The data broker's size, scope, and type of
779	779	business;
780	780	(2) The amount of resources available to the data
781	781	broker;
782	782	(3) The amount of data stored by the data broker; and
783	783	(4) The need for security and confidentiality of the
784	784	personal data stored by the data broker.
785	785	(c) The comprehensive information security program
786	786	required by this section must:
787	787	(1) Incorporate safeguards that are consistent with the
788	788	safeguards for protection of personal data and information of
789	789	a similar character under state or federal laws and rules
790	790	applicable to the data broker;
791	791	365
792	792	366
793	793	367
794	794	368
795	795	369
796	796	370
797	797	371
798	798	372
799	799	373
800	800	374
801	801	375
802	802	376
803	803	377
804	804	378
805	805	379
806	806	380
807	807	381
808	808	382
809	809	383
810	810	384
811	811	385
812	812	386
813	813	387
814	814	388
815	815	389
816	816	390
817	817	391
818	818	392 SB213 INTRODUCED
819	819	Page 15
820	820	applicable to the data broker;
821	821	(2) Include the designation of one or more employees of
822	822	the data broker to maintain the program;
823	823	(3) Require the identification and assessment of
824	824	reasonably foreseeable internal and external risks to the
825	825	security, confidentiality, and integrity of any electronic,
826	826	paper, or other record containing personal data, and the
827	827	establishment of a process for evaluating and improving, as
828	828	necessary, the effectiveness of the current safeguards for
829	829	limiting those risks, including:
830	830	a. Requiring ongoing employee and contractor education
831	831	and training, including education and training for temporary
832	832	employees and contractors of the data broker, on the proper
833	833	use of security procedures and protocols and the importance of
834	834	personal data security;
835	835	b. Mandating employee compliance with policies and
836	836	procedures established under the program; and
837	837	c. Providing a means for detecting and preventing
838	838	security system failures;
839	839	(4) Include security policies for the data broker's
840	840	employees relating to the storage, access, and transportation
841	841	of records containing personal data outside of the broker's
842	842	physical business premises;
843	843	(5) Provide disciplinary measures for violations of a
844	844	policy or procedure established under the program;
845	845	(6) Include measures for preventing a terminated
846	846	employee from accessing records containing personal data;
847	847	(7) Provide policies for the supervision of third-party
848	848	service providers that include:
849	849	393
850	850	394
851	851	395
852	852	396
853	853	397
854	854	398
855	855	399
856	856	400
857	857	401
858	858	402
859	859	403
860	860	404
861	861	405
862	862	406
863	863	407
864	864	408
865	865	409
866	866	410
867	867	411
868	868	412
869	869	413
870	870	414
871	871	415
872	872	416
873	873	417
874	874	418
875	875	419
876	876	420 SB213 INTRODUCED
877	877	Page 16
878	878	service providers that include:
879	879	a. Taking reasonable steps to select and retain
880	880	third-party service providers that are capable of maintaining
881	881	appropriate security measures to protect personal data
882	882	consistent with applicable law; and
883	883	b. Requiring third-party service providers, by
884	884	contract, to implement and maintain appropriate security
885	885	measures for personal data;
886	886	(8) Provide reasonable restrictions on physical access
887	887	to records containing personal data, including requiring the
888	888	records containing the data to be stored in a locked facility,
889	889	storage area, or container;
890	890	(9) Include regular monitoring to ensure that the
891	891	program is operating in a manner reasonably calculated to
892	892	prevent unauthorized access to or unauthorized use of personal
893	893	data and, as necessary, upgrading information safeguards to
894	894	limit the risk of unauthorized access to or unauthorized use
895	895	of personal data;
896	896	(10)a. Require the regular review of the scope of the
897	897	program's security measures;
898	898	b. A review of the scope of the program's security
899	899	measures must occur at least annually and anytime there is a
900	900	material change in the data broker's business practices that
901	901	may reasonably affect the security or integrity of records
902	902	containing personal data;
903	903	(11) Require the documentation of responsive actions
904	904	taken in connection with any incident involving a breach of
905	905	security, including a mandatory post-incident review of each
906	906	event and the actions taken, if any, to make changes in
907	907	421
908	908	422
909	909	423
910	910	424
911	911	425
912	912	426
913	913	427
914	914	428
915	915	429
916	916	430
917	917	431
918	918	432
919	919	433
920	920	434
921	921	435
922	922	436
923	923	437
924	924	438
925	925	439
926	926	440
927	927	441
928	928	442
929	929	443
930	930	444
931	931	445
932	932	446
933	933	447
934	934	448 SB213 INTRODUCED
935	935	Page 17
936	936	event and the actions taken, if any, to make changes in
937	937	business practices relating to the protection of personal data
938	938	in response to that event; and
939	939	(12) To the extent feasible, include the following
940	940	procedures and protocols with respect to computer system
941	941	security requirements or procedures and protocols providing a
942	942	higher degree of security, for the protection of personal
943	943	data:
944	944	a. Using secure user authentication protocols that
945	945	include:
946	946	1. Controlling user log-in credentials and other
947	947	identifiers;
948	948	2. Using a reasonably secure method of assigning and
949	949	selecting passwords or using unique identifier technologies,
950	950	which may include biometrics or token devices;
951	951	3. Controlling data security passwords to ensure that
952	952	the passwords are kept in a location and format that do not
953	953	compromise the security of the data the passwords protect;
954	954	4. Restricting access to only active users and active
955	955	user accounts; and
956	956	5. Blocking access to user credentials or
957	957	identification after multiple unsuccessful attempts to gain
958	958	access;
959	959	b. Using secure access control measures that include:
960	960	1. Restricting access to records containing personal
961	961	data to only employees or contractors who need access to the
962	962	personal data to perform their job duties; and
963	963	2. Assigning to each employee or contractor with access
964	964	to a computer containing personal data a unique identification
965	965	449
966	966	450
967	967	451
968	968	452
969	969	453
970	970	454
971	971	455
972	972	456
973	973	457
974	974	458
975	975	459
976	976	460
977	977	461
978	978	462
979	979	463
980	980	464
981	981	465
982	982	466
983	983	467
984	984	468
985	985	469
986	986	470
987	987	471
988	988	472
989	989	473
990	990	474
991	991	475
992	992	476 SB213 INTRODUCED
993	993	Page 18
994	994	to a computer containing personal data a unique identification
995	995	and password, which may not be a vendor-supplied default
996	996	password, or using another protocol reasonably designed to
997	997	maintain the integrity of the security of the access controls
998	998	to personal data;
999	999	c. Encryption of:
1000	1000	1. Transmitted records containing personal data that
1001	1001	will travel across public networks; and
1002	1002	2. Data containing personal data that is transmitted
1003	1003	wirelessly;
1004	1004	d. Reasonable monitoring of systems for unauthorized
1005	1005	use of or access to personal data;
1006	1006	e. Encryption of all personal data stored on laptop
1007	1007	computers or other portable devices;
1008	1008	f. For records containing personal data on a system
1009	1009	that is connected to the Internet, using reasonably current
1010	1010	firewall protection and operating system security patches that
1011	1011	are reasonably designed to maintain the integrity of the
1012	1012	personal data; and
1013	1013	g. Using:
1014	1014	1. A reasonably current version of system security
1015	1015	agent software that must include malware protection and
1016	1016	reasonably current patches and virus definitions; or
1017	1017	2. A version of system security agent software that is
1018	1018	supportable with current patches and virus definitions and is
1019	1019	set to receive the most current security updates on a regular
1020	1020	basis.
1021	1021	(d) A violation of this section by a data broker
1022	1022	constitutes a violation of the Deceptive Trade Practices Act,
1023	1023	477
1024	1024	478
1025	1025	479
1026	1026	480
1027	1027	481
1028	1028	482
1029	1029	483
1030	1030	484
1031	1031	485
1032	1032	486
1033	1033	487
1034	1034	488
1035	1035	489
1036	1036	490
1037	1037	491
1038	1038	492
1039	1039	493
1040	1040	494
1041	1041	495
1042	1042	496
1043	1043	497
1044	1044	498
1045	1045	499
1046	1046	500
1047	1047	501
1048	1048	502
1049	1049	503
1050	1050	504 SB213 INTRODUCED
1051	1051	Page 19
1052	1052	constitutes a violation of the Deceptive Trade Practices Act,
1053	1053	Chapter 19 of Title 8, Code of Alabama 1975, and shall be
1054	1054	subject to the same penalties as provided therein.
1055	1055	Section 8. (a) A data broker that violates Section 4 or
1056	1056	5 shall be assessed the following civil penalties by the
1057	1057	Secretary of State:
1058	1058	(1) One hundred dollars ($100) for each day the entity
1059	1059	is in violation.
1060	1060	(2) The amount of unpaid registration fees for each
1061	1061	year the entity fails to register as required by Section 5.
1062	1062	(b) A civil penalty assessed pursuant to this section
1063	1063	may not exceed ten thousand dollars ($10,000) against a single
1064	1064	data broker during a 12-month period.
1065	1065	(c) The Attorney General may bring an action to recover
1066	1066	any civil penalty assessed under this section and may recover
1067	1067	reasonable attorney fees and court costs incurred in bringing
1068	1068	the action.
1069	1069	(d)(1) All penalties collected pursuant to this act
1070	1070	shall be deposited into the Consumer Privacy Protection Fund
1071	1071	which is created in the State Treasury. The fund shall be
1072	1072	administered by the Secretary of State for the purpose of
1073	1073	implementing and administering this act.
1074	1074	(2) No money shall be withdrawn or expended from this
1075	1075	fund for any purpose unless the monies have been appropriated
1076	1076	by the Legislature and allocated pursuant to this act. Any
1077	1077	monies appropriated shall be budgeted and allocated pursuant
1078	1078	to the Budget Management Act in accordance with Article 4,
1079	1079	commencing with Section 41-4-80 of Chapter 4 of Title 41, Code
1080	1080	of Alabama 1975, and only in the amounts provided by the
1081	1081	505
1082	1082	506
1083	1083	507
1084	1084	508
1085	1085	509
1086	1086	510
1087	1087	511
1088	1088	512
1089	1089	513
1090	1090	514
1091	1091	515
1092	1092	516
1093	1093	517
1094	1094	518
1095	1095	519
1096	1096	520
1097	1097	521
1098	1098	522
1099	1099	523
1100	1100	524
1101	1101	525
1102	1102	526
1103	1103	527
1104	1104	528
1105	1105	529
1106	1106	530
1107	1107	531
1108	1108	532 SB213 INTRODUCED
1109	1109	Page 20
1110	1110	of Alabama 1975, and only in the amounts provided by the
1111	1111	Legislature in the general appropriations act or other
1112	1112	appropriations act.
1113	1113	Section 9. The Secretary of State shall adopt rules as
1114	1114	necessary to implement this act.
1115	1115	Section 10. This act does not apply to the collection,
1116	1116	processing, or transfer of personal data by a data broker
1117	1117	before January 1, 2025.
1118	1118	Section 11. Although this bill would have as its
1119	1119	purpose or effect the requirement of a new or increased
1120	1120	expenditure of local funds, the bill is excluded from further
1121	1121	requirements and application under Section 111.05 of the
1122	1122	Constitution of Alabama of 2022, because the bill defines a
1123	1123	new crime or amends the definition of an existing crime.
1124	1124	Section 12. This act shall become effective on October
1125	1125	1, 2024.
1126	1126	533
1127	1127	534
1128	1128	535
1129	1129	536
1130	1130	537
1131	1131	538
1132	1132	539
1133	1133	540
1134	1134	541
1135	1135	542
1136	1136	543
1137	1137	544
1138	1138	545
1139	1139	546
1140	1140	547