Alabama 2025 Regular Session

Alabama House Bill HB283 Latest Draft

Bill / Introduced Version Filed 02/13/2025

HB283 INTRODUCED
HB283
ZUVVKWR-1
By Representatives Shaw, Brown, Lipscomb, Moore (P), Lomax
RFD: Commerce and Small Business
First Read: 13-Feb-25
ZUVVKWR-1 02/03/2025 THR (L)THR 2024-3028
SYNOPSIS:
This bill would authorize a consumer to confirm
whether a controller is processing any of the
consumer's personal data, correct any inaccuracies in
the consumer's personal data, direct a controller to
delete the consumer's personal data, obtain a copy of
the consumer's personal data, and opt out of the
processing of the consumer's data.
This bill would require a controller to
establish a secure and reliable method for a consumer
to exercise the consumer's rights and to establish an
appeals process.
This bill would authorize a consumer to
designate an authorized agent to exercise the
consumer's rights.
This bill would regulate the manner in which a
controller may process consumer data.
This bill would also regulate the processing of
deidentified data.
A BILL
TO BE ENTITLED
AN ACT
Relating to data privacy; to authorize a consumer to
take certain actions regarding the consumer's personal data;
to regulate the manner in which a controller may process
personal data; and to regulate the processing of deidentified
data.
BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:
Section 1. For the purposes of this act, the following
terms have the following meanings:
(1) AFFILIATE. A legal entity that shares common
branding with another legal entity or that controls, is
controlled by, or is under common control with another legal
entity.
(2) AUTHENTICATE. To use reasonable methods to
determine that a request to exercise any of the consumer
rights afforded under Section 4 is being made by, or on behalf
of, a consumer who is entitled to exercise those consumer
rights with respect to the consumer's personal data at issue.
(3) BIOMETRIC DATA. Data generated by automatic
measurements of an individual's biological characteristics
that are used to identify a specific individual, including,
but not limited to, a fingerprint, voiceprint, retina, or
iris. The term does not include any of the following:
a. A digital or physical photograph.
b. An audio or video recording.
c. Any data generated from a. or b.
(4) CHILD. An individual under 13 years of age.
(5) CONSENT. A clear affirmative act signifying a
consumer's freely given, specific, informed, and unambiguous
agreement to allow the processing of personal data relating to
the consumer, including, but not limited to, a written
statement or a statement by electronic means. The term does
not include any of the following:
a. Acceptance of a general or broad term of use or
similar document that contains descriptions of personal data
processing along with other unrelated information.
b. Hovering over, muting, pausing, or closing a given
piece of content.
c. An agreement obtained using dark patterns.
(6) CONSUMER. An individual who is a resident of this
state. The term does not include an individual acting in a
commercial or employment context or as an employee, owner,
director, officer, or contractor of a company, partnership,
sole proprietorship, nonprofit, or government agency whose
communications or transactions with the controller occur
solely within the context of that individual's role with the
company, partnership, sole proprietorship, nonprofit, or
government agency.
(7) CONTROL. Any of the following:
a. Ownership of or the power to vote more than 50
percent of the outstanding shares of any class of voting
security of a company.
b. Control in any manner over the election of a
majority of the directors or of individuals exercising similar
functions.
c. The power to exercise controlling influence over the
management of a company.
(8) CONTROLLER. An individual or legal entity that,
alone or jointly with others, determines the purposes and
means of processing personal data.
(9) DARK PATTERN. A user interface designed or
manipulated with the effect of substantially subverting or
impairing user autonomy, decision-making, or choice.
(10) DEIDENTIFIED DATA. Data that cannot be used to
reasonably infer information about or otherwise be linked to
an identified or identifiable individual or a device linked to
an identified or identifiable individual if the controller
that possesses the data does all of the following:
a. Takes reasonable measures to ensure that the data
cannot be associated with an individual.
b. Publicly commits to process the data in a
deidentified fashion only and to not attempt to reidentify the
data.
c. Contractually obligates any recipients of the data
to satisfy the criteria set forth in Section 10(a) and (b).
(11) IDENTIFIABLE INDIVIDUAL. An individual who can be
readily identified, directly or indirectly.
(12) NONPROFIT ENTITY. As defined in Section
10A-1-1.03, Code of Alabama 1975.
(13) PERSONAL DATA. Any information that is linked or
reasonably linkable to an identified or identifiable
individual. The term does not include deidentified data or
publicly available information.
(14) PRECISE GEOLOCATION DATA. Information derived from
technology, including, but not limited to, global positioning
system level latitude and longitude coordinates, which
directly identifies the specific location of an individual
with precision and accuracy within a radius of 1,750 feet. The
term does not include the content of communications or any
data generated by or connected to advanced utility metering
infrastructure systems or equipment for use by a utility.
(15) PROCESS. Any operation or set of operations,
whether by manual or automated means, performed on personal
data or on sets of personal data, including, but not limited
to, the collection, use, storage, disclosure, analysis,
deletion, or modification of personal data.
(16) PROCESSOR. An individual or legal entity that
processes personal data on behalf of a controller.
(17) PROFILING. Any form of automated processing
performed on personal data to evaluate, analyze, or predict
personal aspects related to an identified or identifiable
individual's economic situation, health, personal preferences,
interests, reliability, behavior, location, or movements.
(18) PSEUDONYMOUS DATA. Personal data that cannot be
attributed to a specific individual without the use of
additional information, provided the additional information is
kept separately and is subject to appropriate technical and
organizational measures to ensure that the personal data is
not attributable to an identified or identifiable individual.
(19) PUBLICLY AVAILABLE INFORMATION. Either of the
following:
a. Information that is lawfully made available through
federal, state, or local government records or widely
distributed media.
b. Information that a controller has a reasonable basis
to believe a consumer has lawfully made available to the
public.
(20) SALE OF PERSONAL DATA. The exchange of personal
data for monetary or other valuable consideration by a
controller to a third party. The term does not include any of
the following:
a. The disclosure of personal data to a processor that
processes the personal data on behalf of the controller.
b. The disclosure of personal data to a third party for
the purposes of providing a product or service requested by
the consumer.
c. The disclosure or transfer of personal data to an
affiliate of the controller.
d. The disclosure of personal data in which the
consumer directs the controller to disclose the personal data
or intentionally uses the controller to interact with a third
party.
e. The disclosure of personal data that the consumer
intentionally made available to the public via a channel of
mass media and did not restrict to a specific audience.
f. The disclosure or transfer of personal data to a
third party as an asset that is part of a merger, acquisition,
bankruptcy, or other transaction, or a proposed merger,
acquisition, bankruptcy, or other transaction in which the
third party assumes control of all or part of the controller's
assets.
(21) SENSITIVE DATA. Personal data that includes any of
the following:
a. Data revealing racial or ethnic origin, religious
beliefs, a mental or physical health condition or diagnosis,
information about an individual's sex life, sexual
orientation, or citizenship or immigration status.
b. The processing of genetic or biometric data for the
purpose of uniquely identifying an individual.
c. Personal data collected from a known child.
d. Precise geolocation data.
(22) SIGNIFICANT DECISION. A decision made by a
controller that results in the controller's provision or
denial of financial or lending services, housing, insurance,
education enrollment or opportunity, criminal justice,
employment opportunity, health care service, or access to
necessities such as food or water.
(23) TARGETED ADVERTISING. Displaying advertisements to
a consumer in which the advertisement is selected based on
personal data obtained or inferred from that consumer's
activities over time and across nonaffiliated Internet
websites or online applications to predict the consumer's
preferences or interests. The term does not include any of the
following:
a. Advertisements based on activities within a
controller's own Internet websites or online applications.
b. Advertisements based on the context of a consumer's
current search query or visit to any Internet website or
online application.
c. Advertisements directed to a consumer in response to
the consumer's request for information or feedback.
d. Processing personal data solely to measure or report
advertising frequency, performance, or reach.
(24) THIRD PARTY. An individual or legal entity other
than a consumer, controller, processor, or an affiliate of the
controller or processor.
(25) TRADE SECRET. As defined in Section 8-27-2, Code
of Alabama 1975.
Section 2. The provisions of this act apply to persons
that conduct business in this state or persons that produce
products or services that are targeted to residents of this
state and that meet either of the following qualifications:
(1) Control or process the personal data of more than
50,000 consumers, excluding personal data controlled or
processed solely for the purpose of completing a payment
transaction.
(2) Control or process the personal data of more than
25,000 consumers and derive more than 25 percent of gross
revenue from the sale of personal data.
Section 3. (a) This act shall not apply to any of the
following:
(1) A political subdivision of the state.
(2) A nonprofit organization.
(3) A 2-year or 4-year institution of higher education.
(4) A national securities association that is
registered under 15 U.S.C. § 780.
(5) A financial institution or an affiliate of a
financial institution governed by 15 U.S.C. Chapter 94.
(6) Personal data collected, processed, sold, or
disclosed in accordance with 15 U.S.C. Chapter 94.
(7) A covered entity or business associate as defined
in the privacy regulations of 45 C.F.R. § 160.13.
(b) This act shall not apply to any of the following
information or data:
(1) Protected health information under the privacy
regulations of the federal Health Insurance Portability and
Accountability Act of 1996.
(2) Patient-identifying information for the purposes of
42 U.S.C. § 290dd-2.
(3) Identifiable private information for the purposes
of 45 C.F.R. Part 46.
(4) Identifiable private information that is otherwise
collected as part of human subjects research pursuant to the
good clinical practice guidelines issued by the International
Council for Harmonisation of Technical Requirements for
Pharmaceuticals for Human Use.
(5) The protection of human subjects under 21 C.F.R.
Parts 6, 50, and 56, or personal data used or shared in
research as defined in the federal Health Insurance
Portability and Accountability Act of 1996 and 45 C.F.R. §
164.501, that is conducted in accordance with applicable law.
(6) Information or documents created for the purposes
of the federal Health Care Quality Improvement Act of 1986.
(7) Patient safety work products for the purposes of
the federal Patient Safety and Quality Improvement Act of
2005.
(8) Information derived from any of the health care
related information listed in this subsection which is
deidentified in accordance with the requirements for
deidentification pursuant to the privacy regulations of the
federal Health Insurance Portability and Accountability Act of
1996.
(9) Information derived from any of the health care
related information listed in this subsection which is
included in a limited data set as described in 45 C.F.R. §
164.514(e), to the extent that the information is used,
disclosed, and maintained in a manner specified in 45 C.F.R. §
164.514(e).
(10) Information originating from and intermingled to
be indistinguishable with or information treated in the same
manner as information exempt under this subsection which is
maintained by a covered entity or business associate as
defined in the privacy regulations of the federal Health
Insurance Portability and Accountability Act of 1996 or a
program or qualified service organization as specified in 42
U.S.C. § 290dd-2.
(11) Information used for public health activities and
purposes as authorized by the federal Health Insurance
Portability and Accountability Act of 1996, community health
activities, and population health activities.
(12) The collection, maintenance, disclosure, sale,
communication, or use of any personal information bearing on a
consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal
characteristics, or mode of living by a consumer reporting
agency, furnisher, or user that provides information for use
in a consumer report and by a user of a consumer report, but
only to the extent that the activity is regulated by and
authorized under the federal Fair Credit Reporting Act.
(13) Personal data collected, processed, sold, or
disclosed in compliance with the federal Driver's Privacy
Protection Act of 1994.
(14) Personal data regulated by the federal Family
Educational Rights and Privacy Act of 1974.
(15) Personal data collected, processed, sold, or
disclosed in compliance with the federal Farm Credit Act of
1971.
(16) Data processed or maintained by an individual
applying to, employed by, or acting as an agent or independent
contractor of a controller, processor, or third party to the
extent that the data is collected and used within the context
of that role.
(17) Data processed or maintained as the emergency
contact information of an individual under this act and used
for emergency contact purposes.
(18) Data processed or maintained that is necessary to
retain to administer benefits for another individual relating
to the individual who is the subject of the information under
this section and is used for the purposes of administering the
benefits.
(19) Personal data collected, processed, sold, or
disclosed in relation to price, route, or service, as these
terms are used in the federal Airline Deregulation Act of 1978
by an air carrier subject to the act.
(20) Data or information collected or processed to
comply with or in accordance with state law.
(c) Controllers and processors that comply with the
verifiable parental consent requirements of the federal
Children's Online Privacy Protection Act of 1998 are compliant
with any obligation to obtain parental consent pursuant to
this act.
Section 4. (a) A consumer has the affirmative right to
do all of the following:
(1) Confirm whether a controller is processing the
consumer's personal data and access any of the consumer's
personal data under the control of the controller, unless
confirmation or access would require the controller to reveal
a trade secret.
(2) Correct inaccuracies in the consumer's personal
data, considering the nature of the personal data and the
purposes of the processing of the consumer's personal data.
(3) Direct a controller to delete the consumer's
personal data.
(4) Obtain a copy of the consumer's personal data
previously provided by the consumer to a controller in a
portable and, to the extent technically feasible, readily
usable format that allows the consumer to transmit the
personal data to another controller without hindrance when the
processing is carried out by automated means, unless the
provision of the data would require the controller to reveal a
trade secret.
(5) Opt out of the processing of the consumer's
personal data for any of the following purposes:
a. Targeted advertising.
b. The sale of the consumer's personal data, except as
provided in Section 6.
c. Profiling in furtherance of solely automated
decisions that produce legal or similarly significant effects
concerning the consumer.
(b) A controller shall establish a secure and reliable
method for a consumer to exercise rights established by this
section and shall describe the method in the controller's
privacy notice.
(c)(1) A consumer may designate an authorized agent in
accordance with Section 5 to exercise the consumer's rights
established by this section.
(2) A parent or legal guardian of a known child may
exercise the consumer's rights on behalf of the known child
regarding the processing of personal data.
(3) A guardian or conservator of a consumer may
exercise the consumer's rights on behalf of the consumer
regarding the processing of personal data.
(d) Except as otherwise provided in this act, a
controller shall comply with a request by a consumer to
exercise the consumer's rights authorized by this section as
follows:
(1)a. A controller shall respond to a consumer's
request within 45 days of receipt of the request.
b. A controller may extend the response period by 45
additional days, when reasonably necessary considering the
complexity and number of the consumer's requests, by notifying
the consumer of the extension and the reason for the extension
within the initial 45-day response period.
(2) If a controller declines to act regarding a
consumer's request, the controller shall inform the consumer
of the justification for declining to act within 45 days of
receipt of the request. The notification must also inform the
consumer of the controller's process for appealing the
decision.
(3) Information provided in response to a consumer
request must be provided by a controller, free of charge, once
for each consumer during any 12-month period. If a consumer's
requests are manifestly unfounded, excessive, technically
infeasible, or repetitive, the controller may charge the
consumer a reasonable fee to cover the administrative costs of
complying with a request or decline to act on a request. The
controller bears the burden of demonstrating the manifestly
unfounded, excessive, technically infeasible, or repetitive
nature of a request.
(4) If a controller is unable to authenticate a
consumer's request using commercially reasonable efforts, the
controller shall not be required to comply with a request to
initiate an action pursuant to this section and shall provide
notice to the consumer that the controller is unable to
authenticate the request until the consumer provides
additional information reasonably necessary to authenticate
the consumer and the request. A controller is not required to
authenticate an opt-out request, but a controller may deny an
opt-out request if the controller has a good faith,
reasonable, and documented belief that the request is
fraudulent. If a controller denies an opt-out request because
the controller believes the request is fraudulent, the
controller shall send notice to the person who made the
request disclosing that the controller believes the request is
fraudulent and that the controller may not comply with the
request.
(5) A controller that has obtained personal data about
a consumer from a source other than the consumer is in
compliance with a consumer's request to delete the consumer's
data if the controller has done either of the following:
a. Retained a record of the deletion request and the
minimum data necessary for the purpose of ensuring the
consumer's personal data remains deleted from the controller's
records and refrains from using the retained data for any
other purpose.
b. Opted the consumer out of the processing of the
consumer's personal data for any purpose except for those
exempted pursuant to this act.
(e) A controller shall establish a process for a
consumer to appeal the controller's refusal to act on a
consumer's request. The appeal process must be conspicuously
available. Within 60 days of receipt of an appeal, a
controller shall inform the consumer in writing of any action
taken or not taken in response to the appeal, including a
written explanation of the reason for the decision. If the
appeal is denied, the controller shall provide the consumer
with a method through which the consumer may contact the
Attorney General to submit a complaint.
Section 5. (a) A consumer may designate another person
to serve as the consumer's authorized agent and act on the
consumer's behalf to opt out of the processing of the
consumer's personal data for one or more of the purposes
specified in Section 4. The consumer may designate an
authorized agent by way of technology, including, but not
limited to, an Internet link, browser setting, browser
extension, or global device setting indicating a consumer's
intent to opt out of such processing.
(b) A controller shall comply with an opt-out request
received from an authorized agent if the controller is able to
verify, with commercially reasonable effort, the identity of
the consumer and the authorized agent's authority to act on
the consumer's behalf.
(c) An opt-out method must do both of the following:
(1) Provide a clear and conspicuous link on the
controller's Internet website to an Internet web page that
enables a consumer or an agent of the consumer to opt out of
the targeted advertising or sale of the consumer's personal
data.
(2) By no later than January 1, 2026, allow a consumer
or an agent of the consumer to opt out of any processing of
the consumer's personal data for the purposes of targeted
advertising, or any sale of such personal data through an
opt-out preference signal sent with the consumer's consent, to
the controller by a platform, technology, or mechanism that
does all of the following:
a. May not unfairly disadvantage another controller.
b. May not make use of a default setting, but require
the consumer to make an affirmative, freely given, and
unambiguous choice to opt out of any processing of a
customer's personal data pursuant to this act.
c. Must be consumer friendly and easy to use by the
average consumer.
d. Must be consistent with any federal or state law or
regulation.
e. Must allow the controller to accurately determine
whether the consumer is a resident of the state and whether
the consumer has made a legitimate request to opt out of any
sale of a consumer's personal data or targeted advertising.
(d)(1) If a consumer's decision to opt out of any
processing of the consumer's personal data for the purposes of
targeted advertising, or any sale of personal data, through an
opt-out preference signal sent in accordance with this section
conflicts with the consumer's existing controller-specific
privacy setting or voluntary participation in a controller's
bona fide loyalty, rewards, premium features, discounts, or
club card program, the controller shall comply with the
consumer's opt-out preference signal but may notify the
consumer of the conflict and provide the choice to confirm
controller-specific privacy settings or participation in such
a program.
(2) If a controller responds to consumer opt-out
requests received in accordance with this section by informing
the consumer of a charge for the use of any product or
service, the controller shall present the terms of any
financial incentive offered pursuant to this section for the
retention, use, sale, or sharing of the consumer's personal
data.
Section 6. (a) A controller shall do all of the
following:
(1) Limit the collection of personal data to what is
adequate, relevant, and reasonably necessary in relation to
the purposes for which the personal data is processed, as
disclosed to the consumer.
(2) Establish, implement, and maintain reasonable
administrative, technical, and physical data security
practices to protect the confidentiality, integrity, and
accessibility of personal data appropriate to the volume and
nature of the personal data at issue.
(3) Provide an effective mechanism for a consumer to
revoke the consumer's consent under this act that is at least
as easy as the mechanism by which the consumer provided the
consumer's consent and, on revocation of the consent, cease to
process the personal data as soon as practicable, but within
45 days of receipt of the request.
(b) A controller may not do any of the following:
(1) Except as provided in this act, process personal
data for purposes that are not reasonably necessary to or
compatible with the disclosed purposes for which the personal
data is processed as disclosed to the consumer unless the
controller obtains the consumer's consent.
(2) Process sensitive data concerning a consumer
without obtaining the consumer's consent or, in the case of
the processing of sensitive data concerning a known child,
without processing the sensitive data in accordance with the
federal Children's Online Privacy Protection Act of 1998.
(3) Process personal data in violation of the laws of
this state or federal laws that prohibit unlawful
discrimination against consumers.
(4) Process the personal data of a consumer for the
purposes of targeted advertising or sell a consumer's personal
data without the consumer's consent under circumstances in
which a controller has actual knowledge that the consumer is
at least 13 years of age but younger than 16 years of age.
(5) Discriminate against a consumer for exercising any
of the consumer rights contained in this act, including
denying goods or services, charging different prices or rates
for goods or services, or providing a different level of
quality of goods or services to the consumer.
(c) Nothing in subsections (a) or (b) may be construed
to require a controller to provide a product or service that
requires the personal data of a consumer that the controller
does not collect or maintain or prohibit a controller from
offering a different price, rate, level, quality, or selection
of goods or services to a consumer, including offering goods
or services for no fee, if the consumer has exercised his or
her right to opt out pursuant to this act or the offering is
in connection with a consumer's voluntary participation in a
bona fide loyalty, rewards, premium features, discounts, or
club card program.
(d) If a controller sells personal data to third
parties or processes personal data for targeted advertising,
the controller shall clearly and conspicuously disclose the
processing, as well as the way a consumer may exercise the
right to opt out of the processing.
(e) A controller shall provide consumers with a
reasonably accurate, clear, and meaningful privacy notice that
includes all of the following:
(1) The categories of personal data processed by the
controller.
(2) The purpose for processing personal data.
(3) The categories of personal data that the controller
shares with third parties, if any.
(4) The categories of third parties, if any, with which
the controller shares personal data.
(5) An active email address or other mechanism that the
consumer may use to contact the controller.
(6) How consumers may exercise their consumer rights,
including how a consumer may appeal a controller's decision
regarding the consumer's request.
(f)(1) A controller shall establish and describe in a
privacy notice one or more secure and reliable means for
consumers to submit a request to exercise their consumer
rights pursuant to this act considering the ways in which
consumers normally interact with the controller, the need for
secure and reliable communication of consumer requests, and
the ability of the controller to verify the identity of the
consumer making the request.
(2) A controller may not require a consumer to create a
new account to exercise consumer rights but may require a
consumer to use an existing account.
Section 7. (a) A processor shall adhere to the
instructions of a controller and shall assist the controller
in meeting the controller's obligations under this act,
including, but not limited to, all of the following:
(1) Considering the nature of processing and the
information available to the processor, by appropriate
technical and organizational measures, as much as reasonably
practicable, to fulfill the controller's obligation to respond
to consumer rights requests.
(2) Considering the nature of processing and the
information available to the processor, by assisting the
controller in meeting the controller's obligations in relation
to the security of processing the personal data and in
relation to the notification of a breach of security of the
system of the processor, to meet the controller's obligations.
(3) Providing necessary information to enable the
controller to conduct and document data protection
assessments.
(b) A contract between a controller and a processor
must govern the processor's data processing procedures with
respect to processing performed on behalf of the controller.
The contract must be binding and clearly set forth
instructions for processing data, the nature and purpose of
processing, the type of data subject to processing, the
duration of processing, and the rights and obligations of both
parties. The contract must also require that the processor do
all of the following:
(1) Ensure that each person processing personal data is
subject to a duty of confidentiality with respect to the
personal data.
(2) At the controller's direction, delete or return all
personal data to the controller as requested at the end of the
provision of services, unless retention of the personal data
is required by law.
(3) Upon the reasonable request of the controller, make
available to the controller all information in the processor's
possession necessary to demonstrate the processor's compliance
with the obligations in this act.
(4) Engage any subcontractor pursuant to a written
contract that requires the subcontractor to meet the
obligations of the processor with respect to the personal
data.
(5) Allow and cooperate with reasonable assessments by
the controller or the controller's designated assessor, or the
processor may arrange for a qualified and independent assessor
to assess the processor's policies and technical and
organizational measures in support of the obligations under
this act using an appropriate and accepted control standard or
framework and assessment procedure for the assessments. The
processor shall provide a report of the assessment to the
controller on request.
(c) Nothing in this section may be construed to relieve
a controller or processor from the liabilities imposed on the
controller or processor by virtue of the controller's or
processor's role in the processing relationship as described
in this act.
(d) Determining whether a person is acting as a
controller or processor with respect to a specific processing
of data is a fact-based determination that depends on the
following context in which personal data is to be processed:
(1) A person who is not limited in the processing of
personal data pursuant to a controller's instructions or who
fails to adhere to a controller's instructions is a controller
and not a processor with respect to a specific processing of
data.
(2) A processor that continues to adhere to a
controller's instructions with respect to a specific
processing of personal data remains a processor.
(3) If a processor begins, alone or jointly with
others, determining the purposes and means of the processing
of personal data, the processor is a controller with respect
to the processing and may be subject to an enforcement action
under this act.
Section 8. (a) A controller shall conduct and document
a data protection assessment for each of the controller's
processing activities that presents a heightened risk of harm
to a consumer. For the purposes of this section, processing
that presents risk of harm to a consumer includes, but is not
limited to, all of the following:
(1) The processing of personal data for the purposes of
targeted advertising.
(2) The sale of personal data.
(3) The processing of personal data for the purposes of
profiling in which the profiling presents a reasonably
foreseeable risk of any of the following:
a. Unfair or deceptive treatment of or unlawful
disparate impact on consumers.
b. Financial, physical, or reputational injury to
consumers.
c. A physical or other form of intrusion on the
solitude or seclusion or the private affairs or concerns of
consumers in which the intrusion would be offensive to a
reasonable person.
d. Other substantial injury to consumers.
(4) The processing of sensitive data.
(b)(1) Data protection assessments conducted pursuant
to subsection (a) must identify and weigh the benefits that
may flow, directly or indirectly, from the processing to the
controller, the consumer, other stakeholders, and the public
against the potential risks to the rights of the consumer
associated with the processing as mitigated by safeguards that
may be employed by the controller to reduce these risks.
(2) The controller shall factor into any data
protection assessment the use of deidentified data and the
reasonable expectations of consumers, as well as the context
of the processing and the relationship between the controller
and the consumer whose personal data will be processed.
(c)(1) The Attorney General may require that a
controller disclose any data protection assessment that is
relevant to an investigation conducted by the Attorney
General, and the controller shall make the data protection
assessment available to the Attorney General.
(2) The Attorney General may evaluate the data
protection assessment for compliance with the responsibilities
set forth in this act.
(3) Data protection assessments are confidential and
are exempt from disclosure under Article 3 of Chapter 12 of
Title 36, Code of Alabama 1975.
(4) To the extent any information contained in a data
protection assessment disclosed to the Attorney General
includes information subject to attorney-client privilege or
work product protection, the disclosure may not constitute a
waiver of the privilege or protection.
(d) A single data protection assessment may address a
comparable set of processing operations that include similar
activities.
(e) If a controller conducts a data protection
assessment for the purpose of complying with another
applicable law or regulation, the data protection assessment
must be considered to satisfy the requirements established in
this section if the data protection assessment is reasonably
similar in scope and effect to the data protection
assessment that would otherwise be conducted pursuant to this
section.
(f) Data protection assessment requirements shall apply
to processing activities created or generated after January 1,
2026, and are not retroactive.
Section 9. (a) Any controller in possession of
deidentified data shall do all of the following:
(1) Take reasonable measures to ensure that the
deidentified data cannot be associated with an individual.
(2) Publicly commit to maintaining and using
deidentified data without attempting to reidentify the
deidentified data.
(3) Contractually obligate any recipients of the
deidentified data to comply with all provisions of this act.
(b) Nothing in this act may be construed to do either
of the following:
(1) Require a controller or processor to reidentify
deidentified data or pseudonymous data.
(2) Maintain data in identifiable form or collect,
obtain, retain, or access any data or technology to be capable
of associating an authenticated consumer request with personal
data.
(c) Nothing in this act may be construed to require a
controller or processor to comply with an authenticated
consumer rights request if the controller:
(1) Is not reasonably capable of associating the
request with the personal data or it would be unreasonably
burdensome for the controller to associate the request with
the personal data;
(2) Does not use the personal data to recognize or
respond to the specific consumer who is the subject of the
personal data or associate the personal data with other
personal data about the same specific consumer; and
(3) Does not sell the personal data to any third party
or otherwise voluntarily disclose the personal data to any
third party other than a processor, except as otherwise
permitted in this section.
(d) The rights afforded under Section 4 may not apply
to pseudonymous data in cases in which the controller is able
to demonstrate that any information necessary to identify the
consumer is kept separately and is subject to effective
technical and organizational controls that prevent the
controller from accessing the information.
(e) A controller that discloses pseudonymous data or
deidentified data shall exercise reasonable oversight to
monitor compliance with any contractual commitments to which
the pseudonymous data or deidentified data is subject and
shall take appropriate steps to address any breaches of those
contractual commitments.
Section 10. (a) Nothing in this act may be construed to
restrict a controller's or processor's ability to do any of
the following:
(1) Comply with federal, state, or local ordinances or
regulations.
(2) Comply with a civil, criminal, or regulatory
inquiry, investigation, subpoena, or summons by federal,
state, local, or other government authority.
(3) Cooperate with law enforcement agencies concerning
conduct or activity that the controller or processor
reasonably and in good faith believes may violate federal,
state, or local ordinances, rules, or regulations.
(4) Investigate, establish, exercise, prepare for, or
defend legal claims.
(5) Provide a product or service specifically requested
by a consumer.
(6) Perform under a contract to which a consumer is a
party, including fulfilling the terms of a written warranty.
(7) Take steps at the request of a consumer prior to
entering a contract.
(8) Take immediate steps to protect an interest that is
essential for the life or physical safety of the consumer or
another individual and when the processing cannot be
manifestly based on another legal basis.
(9) Prevent, detect, protect against, or respond to
security incidents; identify theft, fraud, harassment,
malicious or deceptive activities, or any illegal activity;
preserve the integrity or security of systems; or investigate,
report, or prosecute those responsible for any of these
actions.
(10) Engage in public or peer-reviewed scientific or
statistical research in the public interest that adheres to
all other applicable ethics and privacy laws and is approved,
monitored, and governed by an institutional review board or
similar independent oversight entity that determines all of
the following:
a. Whether the deletion of the information is likely to
provide substantial benefits that do not exclusively accrue to
the controller.
b. The expected benefits of the research outweigh the
privacy risks.
c. Whether the controller has implemented reasonable
safeguards to mitigate privacy risks associated with research,
including any risks associated with reidentification.
(11) Assist another controller, processor, or third
party with any of the obligations under this act.
(12) Process personal data for reasons of public
interest in public health, community health, or population
health, but solely to the extent that the processing is both
of the following:
a. Subject to suitable and specific measures to
safeguard the rights of the consumer whose personal data is
being processed.
b. Under the responsibility of a professional subject
to confidentiality obligations under federal, state, or local
law.
(b) The obligations imposed on controllers or
processors under this act may not restrict a controller's or
processor's ability to collect, use, or retain personal data
for internal use to do any of the following:
(1) Conduct internal research to develop, improve, or
repair products, services, or technology.
(2) Effectuate a product recall.
(3) Identify and repair technical errors that impair
existing or intended functionality.
(4) Perform internal operations that are reasonably
aligned with the expectations of the consumer or reasonably
anticipated based on the consumer's existing relationship with
the controller or are otherwise compatible with processing
data in furtherance of the provision of a product or service
specifically requested by a consumer or the performance of a
contract to which the consumer is a party.
(c) The obligations imposed on controllers or
processors under this act may not apply when compliance by the
controller with this act would violate an evidentiary
privilege under the laws of this state. Nothing in this act
may be construed to prevent a controller or processor from
providing personal data concerning a consumer to a person
covered by an evidentiary privilege under the laws of this
state as part of a privileged communication.
(d)(1) If, at the time a controller or processor
discloses personal data to a processor or third-party
controller in accordance with this act, the controller or
processor did not have actual knowledge that the processor or
third-party controller would violate this act, then the
controller or processor may not be considered to have violated
this act.
(2) A receiving processor or third-party controller
receiving personal data from a disclosing controller or
processor in compliance with this act is likewise not in
violation of this act for the transgressions of the disclosing
controller or processor from which the receiving processor or
third-party controller receives the personal data.
(e) Nothing in this act may be construed to do either
of the following:
(1) Impose any obligation on a controller or processor
that adversely affects the rights or freedoms of any person.
(2) Apply to a person's processing of personal data
during the person's personal or household activities.
(f) Personal data processed by a controller pursuant to
this section may be processed to the extent that the
processing is both of the following:
(1) Reasonably necessary and proportionate to the
purposes listed in this section.
(2) Adequate, relevant, and limited to what is
necessary in relation to the specific purposes listed in this
section. The controller or processor must, when applicable,
consider the nature and purpose of the collection, use, or
retention of the personal data collected, used, or retained
pursuant to this section. The personal data must be subject to
reasonable administrative, technical, and physical measures to
protect the confidentiality, integrity, and accessibility of
the personal data and to reduce reasonably foreseeable risks
of harm to consumers relating to the collection, use, or
retention of personal data.
(g) If a controller processes personal data pursuant to
an exemption in this section, the controller bears the burden
of demonstrating that the processing qualifies for the
exemption and complies with the requirements in this section.
(h) Processing personal data for the purposes expressly
identified in this section may not solely make a legal entity
a controller with respect to the processing.
Section 11. (a) The Attorney General has exclusive
authority to enforce violations of this act.
(b)(1) The Attorney General, prior to initiating any
action for a violation of any provision of this act, shall
issue a notice of violation to the controller.
(2) If the controller fails to correct the violation
within 60 days of receipt of the notice of violation, the
Attorney General may bring an action pursuant to this section.
(3) If within the 60-day period the controller corrects
the noticed violation and provides the Attorney General an
express written statement that the alleged violations have
been corrected and that no such further violations will occur,
no action may be initiated against the controller.
(c) Nothing in this act may be construed as providing
the basis for or be subject to a private right of action for
violations of this act or any other law.
Section 12. This act shall become effective on October
1, 2025.