Alabama Consumer Privacy Law

Primary law

Alabama enacted a comprehensive consumer-privacy statute named the Alabama Personal Data Protection Act.

Section 1. This act shall be known as the Alabama Personal Data Protection Act.

See Ala. Act No. 2026-552, § 1.

Primary law

The Alabama Personal Data Protection Act does not take effect until May 1, 2027.

Section 12. This act shall become effective on May 1, 2027.

See Ala. Act No. 2026-552, § 12.

Primary law

Alabama's operative data-security statute today is the Alabama Data Breach Notification Act of 2018, codified at chapter 38 of Title 8.

This chapter may be cited and shall be known as the Alabama Data Breach Notification Act of 2018.

See Ala. Code § 8-38-1.

Primary law

The APDPA applies to persons doing business in Alabama or targeting its residents that control or process personal data of more than 25,000 consumers, or that derive more than 25 percent of gross revenue from the sale of personal data.

Section 3. The provisions of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that meet either of the following qualifications: (1) Control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (2) Derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.

See Ala. Act No. 2026-552, § 3.

Primary law

Businesses with fewer than 500 employees, and nonprofits with fewer than 100 employees, are exempt from the APDPA provided they do not engage in the sale of personal data.

A business, including an organization cooperatively organized under Chapter 6 of Title 37, Code of Alabama 1975, or an entity that is an instrumentality of a municipal corporation, with fewer than 500 employees, provided the business does not engage in the sale of personal data. (8) A nonprofit entity, as defined in Section 10A-1-1.03, Code of Alabama 1975, with less than 100 employees, provided the entity does not engage in the sale of personal data.

See Ala. Act No. 2026-552, § 4(a)(7)-(8).

Primary law

Sale of personal data is an exchange for monetary consideration, or other valuable consideration with material benefit and unrestricted downstream use, and excludes processor disclosures, requested products or services, affiliate transfers, consumer-directed disclosures, public disclosures by the consumer, M&A transfers, analytics services, and marketing services solely to the controller.

(20) SALE OF PERSONAL DATA. The exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data. The term does not include any of the following: a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller. b. The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer. c. The disclosure or transfer of personal data to an affiliate of the controller. d. The disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party. e. The disclosure of personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience. f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets. g. The disclosure or transfer of personal data to a third party for the purposes of providing analytics services. h. The disclosure or transfer of personal data to a third party for the purposes of providing marketing services solely to the controller.

See Ala. Act No. 2026-552, § 2(20).

Primary law

A consumer under the APDPA is an Alabama resident, excluding individuals acting in a commercial or employment context — so employee and B2B data are outside the act.

CONSUMER. An individual who is a resident of this state. The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.

See Ala. Act No. 2026-552, § 2(6).

Primary law

GLBA-governed financial institutions and their data, and HIPAA covered entities and business associates, are exempt from the APDPA at the entity level.

A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et. seq. (6) A covered entity or business associate as defined in the privacy regulations of 45 C.F.R. § 160.103.

See Ala. Act No. 2026-552, § 4(a)(5)-(6).

Primary law

A controller must provide a reasonably accurate, clear, and meaningful privacy notice containing six listed items: data categories, purposes, third-party sharing categories, third-party categories, a contact mechanism, and how consumers exercise their rights.

A controller shall provide consumers with a reasonably accurate, clear, and meaningful privacy notice that includes all of the following: (1) The categories of personal data processed by the controller. (2) The purpose for processing personal data. (3) The categories of personal data that the controller shares with third parties, if any. (4) The categories of third parties, if any, with which the controller shares personal data. (5) An active email address or other mechanism that the consumer may use to contact the controller. (6) How consumers may exercise their consumer rights, including a link or contact information for availing themselves of the opt-out method provided in Section 6.

See Ala. Act No. 2026-552, § 7(d).

Primary law

A controller that sells personal data or processes it for targeted advertising must clearly and conspicuously disclose the processing and how a consumer may opt out of it.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a consumer may exercise the right to opt out of the processing.

See Ala. Act No. 2026-552, § 7(c).

Primary law

The privacy notice must establish and describe one or more secure and reliable means for consumers to submit requests to exercise their rights.

A controller shall establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights, as established under Section 5, pursuant to this act considering the ways in which consumers normally interact with the controller, the need for secure and reliable communication of consumer requests, and the ability of the controller to authenticate the identity of the consumer or authorized agent making the request.

See Ala. Act No. 2026-552, § 7(e)(1).

Primary law

A controller must provide a clear and conspicuous website link to a page that lets a consumer directly opt out of targeted advertising or sale, or up-to-date contact information for submitting the opt-out request.

A controller must allow a consumer to opt-out by providing a clear and conspicuous link on the controller's Internet website to an Internet web page that enables a consumer directly to opt out of any processing of the consumer's personal data for the purposes of targeted advertising or sale of the consumer's personal data, or provides up-to-date contact information for a consumer to submit the opt-out request.

See Ala. Act No. 2026-552, § 6(b).

Primary law

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

The ADTPA's catch-all makes any other unconscionable, false, misleading, or deceptive act or practice in trade or commerce unlawful — the state-law hook for privacy-policy misstatements today.

Engaging in any other unconscionable, false, misleading, or deceptive act or practice in the conduct of trade or commerce.

See Ala. Code § 8-19-5(27).

Primary law

Processing performed by a processor on a controller's behalf must be governed by a contract between the controller and the processor.

A contract between a controller and a processor shall govern the processor's data processing obligations with respect to processing performed on behalf of the controller.

See Ala. Act No. 2026-552, § 8(b)(1).

Primary law

The processor contract must be binding; set processing instructions, nature and purpose, data type, duration, and parties' rights and obligations; and require confidentiality, deletion or return at the engagement's end, compliance information on request, and flow-down processor obligations.

(2) The contract shall: a. Be binding; b. Clearly set forth instructions for processing data; c. Clearly set forth the nature and purpose of the processing; d. Clearly set forth the type of data subject to processing; e. Clearly set forth the duration of processing; and f. Clearly set forth the rights and obligations of both parties. (3) The contract, taking into account the nature of the processing, the relationship between the parties, and other factors, shall also require the processor to: a. Ensure that each processor of personal data is subject to a duty of confidentiality with respect to the personal data; b. Delete or return all personal data to the controller as requested at the end of the provision of services at the controller's direction, unless retention of the personal data is required or permitted by law or the contract; c. Make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations of this act upon the reasonable request of the controller; and d. Obligate any subcontractor processing personal data to meet the obligations of the processor with respect to the personal data.

See Ala. Act No. 2026-552, § 8(b)(2)-(3).

Primary law

Under the breach act in force today, reasonable security measures include retaining service providers that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.

Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.

See Ala. Code § 8-38-3(b)(4).

Primary law

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4(f)(2).

Primary law

HIPAA requires a written business-associate contract that establishes the permitted uses and disclosures of protected health information and binds the business associate to safeguard it.

A contract between the covered entity and a business associate must

See 45 C.F.R. § 164.504(e)(2).

Primary law

Consumers may confirm and access processing, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and profiling in furtherance of solely automated significant decisions.

A controller shall comply with an authenticated request to do any of the following: (1) Confirm whether a controller, or a processor or third party acting on a controller's behalf, is processing the consumer's personal data and accessing any of the consumer's personal data under the control of the controller, unless confirmation or access would require the controller to reveal a trade secret. (2) Correct inaccuracies in the consumer's personal data, considering the nature of the personal data and the purposes of the processing of the consumer's personal data. (3) Direct a controller to delete the consumer's personal data. (4) Obtain a copy of the consumer's personal data previously provided by the consumer to a controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, unless the provision of the data would require the controller to reveal a trade secret. (5) Opt out of the processing of the consumer's personal data for any of the following purposes: a. Targeted advertising. b. The sale of the consumer's personal data. c. Profiling in furtherance of solely automated significant decisions concerning the consumer.

See Ala. Act No. 2026-552, § 5(a).

Primary law

A controller must respond to a rights request within 45 days and may extend once by 45 days when reasonably necessary, with notice and the reason inside the initial period.

A controller shall respond to a consumer's request within 45 days of receipt of the request. b. A controller may extend the response period by 45 additional days, when reasonably necessary considering the complexity and number of the consumer's requests, by notifying the consumer of the extension and the reason for the extension within the initial 45-day response period.

See Ala. Act No. 2026-552, § 5(d)(1).

Primary law

Responses are free once per consumer per 12-month period; for manifestly unfounded, excessive, technically infeasible, or repetitive requests the controller may charge a reasonable fee or decline to act, and bears the burden of demonstrating that character on inquiry by an enforcement authority.

Information provided in response to a consumer request must be provided by a controller, free of charge, once for each consumer during any 12-month period. If a consumer's requests are manifestly unfounded, excessive, technically infeasible, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with a request or decline to act on a request. Upon inquiry by an enforcement authority, the controller bears the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of a request.

See Ala. Act No. 2026-552, § 5(d)(3).

Primary law

A parent or legal guardian may exercise rights for a known child, and a guardian or conservator may exercise rights for a consumer.

(c)(1) A parent or legal guardian of a known child may exercise the consumer's rights on behalf of the known child regarding the processing of personal data. (2) A guardian or conservator of a consumer may exercise the consumer's rights on behalf of the consumer regarding the processing of personal data.

See Ala. Act No. 2026-552, § 5(c).

Primary law

If a controller declines to act on a request, it must inform the consumer of the justification within 45 days; the staged APDPA text does not include an appeal mechanism.

If a controller declines to act regarding a consumer's request, the controller shall inform the consumer of the justification for declining to act within 45 days of receipt of the request.

See Ala. Act No. 2026-552, § 5(d)(2).

Primary law

A significant decision is one that results in the provision or denial of credit or lending, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care service, or access to basic necessities.

(22) SIGNIFICANT DECISION. A decision made by a controller that results in the provision or denial by the controller of credit or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care service, or access to basic necessities such as food or water.

See Ala. Act No. 2026-552, § 2(22).

Primary law

Contract provisions that purport to waive or limit a consumer's rights under the act are void and unenforceable as contrary to public policy.

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's consumer rights as established under this act shall be deemed contrary to public policy and shall be void and unenforceable.

See Ala. Act No. 2026-552, § 7(f).

Primary law

The act's only opt-out preference signal provision is a conflict rule: when a signal conflicts with a controller-specific setting or loyalty-program participation, the controller shall comply with the signal — it never separately mandates processing signals.

If a consumer's decision to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal sent in accordance with this section conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with the consumer's opt-out preference signal but may notify the consumer of the conflict and provide the choice to confirm controller-specific privacy settings or participation in such a program.

See Ala. Act No. 2026-552, § 6(c)(1).

Primary law

A controller may not process sensitive data without the consumer's consent, and must process a known child's data in accordance with COPPA.

(b) A controller may not do any of the following: (1) Except as provided in this act, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed by the controller. (2) Process sensitive data concerning a consumer other than a known child without obtaining that consumer's consent or, in the case of the processing of personal data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq.

See Ala. Act No. 2026-552, § 7(b)(1)-(2).

Primary law

Sensitive data means data revealing protected characteristics, genetic or biometric data processed for unique identification, personal data collected from a known child, and precise geolocation data.

SENSITIVE DATA. Personal data that includes any of the following: a. Data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual's sex life, sexual orientation, or citizenship or immigration status. b. The processing of genetic or biometric data for the purpose of uniquely identifying an individual. c. Personal data collected from a known child. d. Precise geolocation data.

See Ala. Act No. 2026-552, § 2(21).

Primary law

Consent requires a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement, and excludes broad terms-of-use acceptance, hover or pause actions, and dark-pattern agreements.

CONSENT. A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer, including, but not limited to, a written statement or a statement by electronic means. The term does not include any of the following: a. Acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information. b. Hovering over, muting, or pausing a given piece of content. c. An agreement obtained using dark patterns.

See Ala. Act No. 2026-552, § 2(5).

Primary law

A controller with actual knowledge that a consumer is at least 13 but under 16 may not process that consumer's data for targeted advertising or sell it without consent.

(b) A controller may not do any of the following: (1) Except as provided in this act, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed by the controller. (2) Process sensitive data concerning a consumer other than a known child without obtaining that consumer's consent or, in the case of the processing of personal data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq. (3) Process personal data in violation of the laws of this state or federal laws that prohibit unlawful discrimination against consumers. (4) Process the personal data of a consumer for the purposes of targeted advertising or sell a consumer's personal data without the consumer's consent under circumstances in which a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age.

See Ala. Act No. 2026-552, § 7(b)(4).

Primary law

A controller must provide an effective consent-revocation mechanism that is at least as easy as the mechanism used to provide consent, and must stop processing after revocation within the statutory period.

(3) Provide an effective mechanism for a consumer to revoke the consumer's consent under this act that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, on revocation of the consent, cease to further process the personal data as soon as practicable, but no later than 45 days after complying with the consumer's opt-out request consistent with this act.

See Ala. Act No. 2026-552, § 7(a)(3).

Primary law

Controllers and processors that comply with COPPA's verifiable parental-consent requirements are compliant with APDPA parental-consent obligations.

(c) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act of 1998 are compliant with any obligation to obtain parental consent pursuant to this act.

See Ala. Act No. 2026-552, § 4(c).

Primary law

Individual notice is owed when sensitive personally identifying information has been or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm.

A covered entity that is not a third-party agent that determines under Section 8-38-4 that, as a result of a breach of security, sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates, shall give notice of the breach to each individual.

See Ala. Code § 8-38-5(a).

Primary law

Individual notice must be made as expeditiously as possible and without unreasonable delay, and within 45 days of the covered entity's determination that a breach occurred or of its receipt of notice from a third-party agent.

(b) Notice to individuals under subsection (a) shall be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the covered entity to conduct an investigation in accordance with Section 8-38-4. Except as provided in subsection (c), the covered entity shall provide notice within 45 days of the covered entity's receipt of notice from a third-party agent that a breach has occurred or upon the covered entity's determination that a breach has occurred and is reasonably likely to cause substantial harm to the individuals to whom the information relates.

See Ala. Code § 8-38-5(b).

Primary law

When more than 1,000 individuals must be notified, the covered entity must give written notice of the breach to the Attorney General.

If the number of individuals a covered entity is required to notify under Section 8-38-5 exceeds 1,000, the entity shall provide written notice of the breach to the Attorney General as expeditiously as possible and without unreasonable delay.

See Ala. Code § 8-38-6(a).

Primary law

Every covered entity and third-party agent must implement and maintain reasonable security measures to protect sensitive personally identifying information, considering security coordination, risk identification, safeguards, service-provider contracts, ongoing adjustment, and management reporting.

(a) Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security. (b) Reasonable security measures means security measures practicable for the covered entity subject to subsection (c), to implement and maintain, including consideration of all of the following: (1) Designation of an employee or employees to coordinate the covered entity's security measures to protect against a breach of security. An owner or manager may designate himself or herself. (2) Identification of internal and external risks of a breach of security. (3) Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards. (4) Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information. (5) Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information. (6) Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided, however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened executive session under the Open Meetings Act pursuant to Section 36-25A-7.

See Ala. Code § 8-38-3(a)-(b).

Primary law

Sensitive personally identifying information includes an Alabama resident's name combined with specified identifiers, financial credentials, medical or health-insurance information, or online-account credentials, and excludes public, truncated, encrypted, secured, or otherwise unusable data unless the key or credential was also breached.

(6) SENSITIVE PERSONALLY IDENTIFYING INFORMATION. a. Except as provided in paragraph b., an Alabama resident's first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident: 1. A non-truncated Social Security number or tax identification number. 2. A non-truncated driver's license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual. 3. A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account. 4. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. 5. An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. 6. A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information. b. The term does not include either of the following: 1. Information about an individual which has been lawfully made public by a federal, state, or local government record or a widely distributed media. 2. Information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information.

See Ala. Code § 8-38-2(6).

Primary law

Individual breach notice must include the breach date or date range, a description of the information acquired, remediation actions, identity-theft protection steps, and contact information.

(d) Except as provided by subsection (e), notice to an affected individual under this section shall be given in writing, sent to the mailing address of the individual in the records of the covered entity, or by email notice sent to the email address of the individual in the records of the covered entity. The notice shall include, at a minimum, all of the following: (1) The date, estimated date, or estimated date range of the breach. (2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach. (3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach. (4) A general description of steps an affected individual can take to protect himself or herself from identity theft. (5) Information that the individual can use to contact the covered entity to inquire about the breach.

See Ala. Code § 8-38-5(d).

Primary law

Substitute notice is permitted when direct notice is infeasible due to excessive cost, insufficient contact information, or more than 100,000 affected individuals, and ordinarily requires website and media notice.

(e)(1) A covered entity required to provide notice to any individual under this section may provide substitute notice in lieu of direct notice, if direct notice is not feasible due to any of the following: a. Excessive cost. The term includes either of the following: 1. Excessive cost to the covered entity relative to the resources of the covered entity. 2. The cost to the covered entity exceeds five hundred thousand dollars ($500,000). b. Lack of sufficient contact information for the individual required to be notified. c. The affected individuals exceed 100,000 persons. (2) a. Substitute notice shall include both of the following: 1. A conspicuous notice on the Internet website of the covered entity, if the covered entity maintains a website, for a period of 30 days. 2. Notice in print and in broadcast media, including major media in urban and rural areas where the affected individuals reside. b. An alternative form of substitute notice may be used with the approval of the Attorney General.

See Ala. Code § 8-38-5(e).

Primary law

If a covered entity determines notice is not required, it must document the determination and maintain records for at least five years.

(f) If a covered entity determines that notice is not required under this section, the entity shall document the determination in writing and maintain records concerning the determination for no less than five years.

See Ala. Code § 8-38-5(f).

Primary law

A third-party agent that experiences a breach must notify the covered entity no later than 10 days after determining the breach occurred or having reason to believe it occurred.

In the event a third-party agent has experienced a breach of security in the system maintained by the agent, the agent shall notify the covered entity of the breach of security as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.

See Ala. Code § 8-38-8.

Primary law

When more than 1,000 individuals are notified at a single time, the entity must also notify the nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

If a covered entity discovers circumstances requiring notice under Section 8-38-5 of more than 1,000 individuals at a single time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. §1681a, of the timing, distribution, and content of the notices.

See Ala. Code § 8-38-7.

Primary law

The Attorney General enforces the APDPA after a mandatory notice of violation; an uncured violation supports an injunction action with penalties up to $15,000 per violation, and a timely cure plus written statement bars any action.

Section 11. (a) The Attorney General may enforce violations of this act. (b)(1) The Attorney General, prior to initiating any action for a violation of any provision of this act, shall issue a notice of violation to the controller. (2) If the controller fails to correct the violation within 45 days after receipt of the notice of violation, the Attorney General may bring an action for an injunction pursuant to this section. Upon a finding that the controller has violated this act and failed to correct the violation as required by this section, the court may assess a civil penalty of not more than fifteen thousand dollars ($15,000) per violation. (3) If within the 45-day period the controller corrects the noticed violation and provides the Attorney General an express written statement that the alleged violations have been corrected and that no such further violations will occur, no action may be initiated against the controller.

See Ala. Act No. 2026-552, § 11.

Primary law

A violation of the breach act's notification provisions is an unlawful trade practice under the ADTPA, and the Attorney General has exclusive authority to bring an action for civil penalties.

A violation of the notification provisions of this chapter is an unlawful trade practice under the Alabama Deceptive Trade Practices Act, Chapter 19 of this title, but does not constitute a criminal offense under Section 8-19-12. The Attorney General shall have the exclusive authority to bring an action for civil penalties under this chapter.

See Ala. Code § 8-38-9(a).

Primary law

The breach act expressly states that a violation does not establish a private cause of action under the ADTPA's private-remedy section.

A violation of this chapter does not establish a private cause of action under Section 8-19-10. Nothing in this chapter may otherwise be construed to affect any right a person may have at common law, by statute, or otherwise.

See Ala. Code § 8-38-9(a)(1).

Primary law

Knowing violations of the breach act's notice provisions draw ADTPA penalties capped at $500,000 per breach.

Any covered entity or third-party agent who is knowingly engaging in or has knowingly engaged in a violation of the notification provisions of this chapter is subject to the penalty provisions set out in Section 8-19-11. For the purposes of this chapter, knowingly shall mean willfully or with reckless disregard in failing to comply with the notice requirements of Sections 8-38-5 and 8-38-6. Civil penalties assessed under Section 8-19-11, shall not exceed five hundred thousand dollars ($500,000) per breach.

See Ala. Code § 8-38-9(a)(2).

Primary law

A covered entity that violates the notification provisions is liable for up to $5,000 per day for each consecutive day it fails to take reasonable action to comply.

Notwithstanding any remedy available under subdivision (2) of subsection (a), a covered entity that violates the notification provisions of this chapter shall be liable for a civil penalty of not more than five thousand dollars ($5,000) per day for each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions of this chapter.

See Ala. Code § 8-38-9(b)(1).

Primary law

A consumer who suffers monetary damage from an unlawful trade practice may recover actual damages or $100, whichever is greater, with treble damages in the court's discretion.

Any person who commits one or more of the acts or practices declared unlawful under this chapter and thereby causes monetary damage to a consumer, and any person who commits one or more of the acts or practices declared unlawful in subdivisions (19) and (20) of Section 8-19-5 and thereby causes monetary damage to another person, shall be liable to each consumer or other person for: (1) Any actual damages sustained by such consumer or person, or the sum of $100, whichever is greater; or (2) Up to three times any actual damages, in the court's discretion.

See Ala. Code § 8-19-10(a).

Primary law

The ADTPA bars consumers from bringing class actions, and the statute frames the bar as a substantive limitation.

A consumer or other person bringing an action under this chapter may not bring an action on behalf of a class. The limitation in this subsection is a substantive limitation and allowing a consumer or other person to bring a class action or other representative action for a violation of this chapter would abridge, enlarge, or modify the substantive rights created by this chapter.

See Ala. Code § 8-19-10(f).

Primary law

At least 15 days before filing an ADTPA private action, the claimant must communicate a written demand for relief identifying the claimant and reasonably describing the practice and injury.

(e) At least 15 days prior to the filing of any action under this section, a written demand for relief, identifying the claimant and reasonably describing the unfair or deceptive act or practice relied upon and the injury suffered, shall be communicated to any prospective respondent by placing in the United States mail or otherwise.

See Ala. Code § 8-19-10(e).