Alabama set to add variation to US state privacy patchwork

Coverage thresholds, exemptions and treatment of children's data highlight Alabama's differences compared to other states.

Contributors:

Joe Duball

News Editor

IAPP

Alabama is on its way to joining the U.S. comprehensive state privacy law ranks. House Bill 351, the Alabama Personal Data Protection Act, cleared the state legislature 7 April in relatively seamless fashion, as no lawmaker voted against the bill in any roll call votes taken in the House or Senate.

If the bill is enacted by the governor, it will take effect 1 May 2027. Alabama joins Oklahoma in passing a bill this year and will be the 21st state to enact a comprehensive statute.

Recent additions to the state patchwork aligned with previously enacted legislation, leaving few compliance questions. However, Alabama's bill raises some novelties that businesses will be required to consider.

The bill applies to businesses that control or process the data of more than 25,000 Alabama residents or those that derive 25% of their revenue from data sales involving any number of data subjects. There are notable business exemptions, particularly around what constitutes a "sale," while the definition of minors only covers children under age 13. A non-sunsetting 45-day cure provision is also included along with exclusive attorney general enforcement.

"HB 351 is the product of two years of hard work to create a common-sense framework that protects consumers while also remaining friendly to those who do business in our state," state Rep. Mike Shaw, R-Ala., told the IAPP. "As someone with more than 30 years as a technology professional in a regulated environment, my goal with HB 351 was to create a practical, workable law that protects the people of Alabama in the most responsible way possible."

In addition to his elected position, Shaw has spent two decades as the senior vice president and chief technology officer of Mutual Savings Credit Union. State lawmakers had not attempted to pass a comprehensive framework since 2021 before Shaw kickstarted a new initiative last year.

Coverage thresholds

The bill's coverage thresholds represent some of the most nuanced applicability standards among all comprehensive state laws.

Alabama is just the second state to land on a minimum processing threshold of 25,000 data subjects, which is the lowest across states. But in terms of applicability versus state population, a covered entity would need to process data on approximately 4.8% of state residents, making the threshold among the hardest to achieve.

The sale threshold is unique in that no other state stipulates the law applies when any number of individuals' data is sold. Most states attach the 25% revenue to sales of data belonging to more than 25,000 individuals.

Shaw said he consulted the attorney general's office and other interested parties while arriving at thresholds that would address multiple state interests.

"This bill was all about balance: Balancing Alabamians' rights with the burden of regulation," he said. "Balancing the need for enforcement with fairness. In this case we are balancing what other states are doing with the unique needs of Alabama."

Polsinelli Shareholder Starr Drum, CIPP/E, CIPM, FIP, noted small businesses with fewer than 500 employees and nonprofits with fewer than 100 employees are exempt unless they sell personal data. There is also an exemption for defined political organizations, a provision that has proven to be a sticking point in Maine's comprehensive privacy debate.

'Sale' exemptions

Statutory exemptions vary between states, but a handful of Alabama's proposed exemptions for what constitutes a sale of data are not found anywhere else, specifically the exemptions for disclosure or transfer of data for the purposes of "providing analytics services" or "providing marketing services solely to the controller."

Both exemptions raise potential ambiguity in compliance, depending on how businesses might interpret their analytics and marketing practices.

"Sale is more narrowly defined than in some comparable laws since the valuable consideration in exchange for personal data component only encompasses situations where third parties are not restricted in subsequent uses of the personal data," Drum said. "This is something businesses should be mindful of during contracting."

Rep. Shaw's consultations on the sale definition yielded questions and concerns regardless of the approach. He said the "cash-only" characterization was "too narrow and subject to loopholes," but valuable consideration "had its own set of issues."

"We tried to thread the needle a bit and find something that was broad enough to allow legitimate relationships with important partners without rendering large parts of the bill useless," he added, noting other states' approaches are "being tested in the wild."

Minors' data

Children's privacy provisions in the bill are on par with those of other states that follow the Children's Online Privacy Protection Act's definition of a child.

A number of state legislatures have begun taking steps beyond COPPA to treat children's data as sensitive under their comprehensive laws. Notably, Colorado, Connecticut and Virginia have amended their laws in recent years to enhance children's protections.

Alabama has other children's online safety legislation in place with the recent passage of the state's App Store Accountability Act. The age verification law, which also requires verifiable parental consent, applies to minors under age 18.

Shaw said the definition of minors wasn't discussed at length; however, he said there needs to be further conversation and coordination moving forward about aligning laws to a common age group.

"In general, I'd want to avoid creating different age standards for different regulations, so expanding age would likely be part of a larger discussion," he said.
