Alabama Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Alabama does not have a comprehensive consumer data privacy law like California, Colorado, or Virginia. The state's primary data protection statute is the Alabama Data Breach Notification Act of 2018, codified at Ala. Code 8-38-1 through 8-38-12. Alabama was the last state in the nation to pass a breach notification law, and the statute took effect on June 1, 2018.
This guide covers every aspect of Alabama's data privacy framework: the Data Breach Notification Act and its requirements, security measures obligations, enforcement and penalties, identity theft protections, the role of the Alabama Deceptive Trade Practices Act, federal exemptions, and the pending comprehensive privacy bill working its way through the Alabama Legislature.
The Alabama Data Breach Notification Act of 2018
Governor Kay Ivey signed Senate Bill 318 on March 28, 2018, making Alabama the 50th state to enact a data breach notification law. The bill passed unanimously in both chambers: 101-0 in the Alabama House and 30-0 in the Senate. It was championed by Attorney General Steve Marshall, who had pushed for the legislation as a consumer protection priority.

The Act applies to any "covered entity," which includes any person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information. Third-party agents who maintain, store, or process data on behalf of covered entities are also subject to the law.
What Is Sensitive Personally Identifying Information?
Under Ala. Code 8-38-2, the Act protects "sensitive personally identifying information," defined as an Alabama resident's first name or first initial and last name combined with one or more of the following data elements:
| Data Element | Description |
|---|---|
| Social Security number | A non-truncated Social Security number |
| Government-issued ID | Driver's license number, state ID number, passport number, military ID number, or other unique government-issued identification number |
| Financial account data | Financial account number, credit card number, or debit card number combined with any security code, access code, password, expiration date, or PIN needed to access the account or conduct a transaction |
| Medical information | Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional |
| Health insurance information | An individual's health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer |
| Username or email credentials | A username or email address combined with a password or security question and answer that would permit access to an online account affiliated with the covered entity |
The law excludes information that has been truncated, encrypted, secured, or modified by any other method or technology that removes elements identifying an individual or renders the information unusable. However, if the encryption key or security credential has itself been breached, the exemption does not apply.
What Constitutes a Breach?
A "breach of security" or "breach" is the unauthorized acquisition of data in electronic form containing sensitive personally identifying information. Acquisition over a period of time by the same entity or person constitutes one breach. Good-faith acquisition by an employee or agent of a covered entity does not constitute a breach, as long as the information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
Reasonable Security Measures
Alabama's breach notification law goes beyond simple notification requirements. Section 8-38-3 requires covered entities to implement and maintain "reasonable security measures" to protect sensitive personally identifying information.
Required Security Components
Reasonable security measures must take into account all of the following factors:
- Employee designation: Appoint one or more employees to coordinate security measures and protect against breaches. An owner or manager may designate himself or herself for this role.
- Risk identification: Identify internal and external risks of a breach of security.
- Safeguard adoption: Adopt appropriate information safeguards to address identified risks and regularly assess the effectiveness of those safeguards.
- Service provider oversight: Retain service providers that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.
- Ongoing evaluation: Evaluate and adjust security measures to account for changes in circumstances affecting the security of the information.
- Management reporting: Keep management, including the board of directors (if any), appropriately informed of the overall security status.
These requirements place Alabama among the states that mandate proactive data security practices, not just reactive breach notification.
Investigation Requirements
When a covered entity determines that a breach has or may have occurred, Section 8-38-4 requires a good-faith and prompt investigation. The investigation must accomplish two things.
First, the entity must identify any sensitive personally identifying information that may have been involved, determine the individuals affected, and assess whether the information has been acquired by an unauthorized person and is reasonably likely to cause substantial harm.
Second, the entity must identify and implement measures to restore the security and confidentiality of the compromised systems and data.
The "Substantial Harm" Standard
Alabama uses a "substantial harm" threshold. Notification is not required if, after a good-faith and prompt investigation, the covered entity determines that the breach is not reasonably likely to cause substantial harm to affected individuals. This determination must be documented in writing and maintained for at least five years.
This is a notable distinction from some states that require notification for any unauthorized access to personal information regardless of likely harm.
Third-Party Agent Obligations
If a third-party agent experiences a breach involving data it maintains on behalf of a covered entity, the agent must notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days after determining that a breach has occurred or having reason to believe one occurred.
Notification Requirements
The Act establishes a three-tier notification framework based on the number of individuals affected.
Notice to Individuals (Section 8-38-5)
Covered entities must notify affected Alabama residents as expeditiously as possible and without unreasonable delay, and within 45 days of discovering that a breach has occurred and is reasonably likely to cause substantial harm.
Methods of Notice
Notice may be provided through:
- Written notice sent to the individual's address in the covered entity's records
- Electronic notice sent to the individual's email address in the covered entity's records
Required Content of Notice
The written notice to affected individuals must include:
- The date, estimated date, or estimated date range of the breach
- A description of the sensitive personally identifying information that was acquired by an unauthorized person
- A general description of the actions taken by the covered entity to restore security and confidentiality
- Any services being offered or scheduled to be offered, without charge, to affected individuals (such as credit monitoring), along with instructions on how to use them
- The name, address, telephone number, and email address of an employee or agent from whom additional information may be obtained
Substitute Notice
A covered entity may provide substitute notice instead of direct notice if direct notice is not feasible due to:
- Excessive cost (exceeding $500,000)
- Lack of sufficient contact information
- The number of affected individuals exceeding 100,000
Substitute notice requires a conspicuous posting on the covered entity's website for 30 days, plus notice in print and broadcast media covering urban and rural areas where affected individuals reside. An alternative form of substitute notice may also be used with Attorney General approval.
Notice to the Attorney General (Section 8-38-6)
If the breach affects more than 1,000 individuals, the covered entity must provide written notice to the Alabama Attorney General within 45 days. This notice must include a synopsis of the events surrounding the breach and the approximate number of individuals in the state who were affected.
The Attorney General maintains a breach notification reporting portal where entities can submit the required information.
Notice to Consumer Reporting Agencies (Section 8-38-7)
If a breach requires notification of more than 1,000 individuals at a single time, the covered entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act. The notice must include the timing, distribution, and content of the notices sent to individuals.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation or jeopardize national or homeland security. The delay lasts as long as law enforcement determines it is necessary. Once law enforcement determines notification will no longer impede the investigation, the covered entity must send notice within 45 days.
Penalties for Violations
The Alabama Attorney General has exclusive enforcement authority under the Act. Section 8-38-9 establishes penalties for entities that fail to comply with the notification requirements.
Penalty Structure
| Violation | Penalty |
|---|---|
| Failure to notify | Up to $5,000 per consecutive day of noncompliance |
| Maximum per breach | $500,000 total per breach |
| Enforcement authority | Alabama Attorney General (exclusive) |
| Deceptive trade practices penalties | Additional penalties under Ala. Code 8-19-11 |
The Act provides that violations are also subject to enforcement under the Alabama Deceptive Trade Practices Act (Ala. Code 8-19-1 et seq.), which gives the Attorney General additional tools including injunctive relief and the ability to investigate consumer complaints.
There is no private right of action under the Data Breach Notification Act. Individual consumers cannot file lawsuits directly under this statute, though they may have recourse under other state or federal laws.
Enforcement in Practice
Alabama has participated in significant multistate data breach enforcement actions. In October 2023, Attorney General Steve Marshall announced Alabama's participation in a $49.5 million multistate settlement with Blackbaud, a cloud software company whose 2020 data breach exposed sensitive information of millions of consumers nationwide. Alabama received $1.6 million from the settlement. The case alleged that Blackbaud failed to implement reasonable data security programs and did not provide its customers with timely, complete, or accurate information about the breach.
Record Disposal Requirements
Section 8-38-10 requires covered entities and third-party agents to take reasonable measures to dispose of records containing sensitive personally identifying information when those records are no longer needed for applicable law, regulations, or business purposes.
Disposal must include shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable through any reasonable means consistent with industry standards. This applies to both paper and electronic records.
Federal Exemptions
The Act includes an important exemption under Section 8-38-11. Entities already subject to federal data breach notification requirements are exempt from the Alabama statute, provided they:
- Maintain procedures under applicable federal law
- Provide notice to affected individuals as required by federal law
- Provide a copy of the notice to the Alabama Attorney General when more than 1,000 individuals are affected
This exemption primarily applies to:
- Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA)
- Healthcare entities subject to the Health Insurance Portability and Accountability Act (HIPAA) breach notification rule
The exemption ensures that entities already meeting federal breach notification standards do not face duplicative state requirements, though they must still report to the Alabama AG when breaches exceed the 1,000-person threshold.
Alabama Consumer Identity Protection Act
In addition to the Data Breach Notification Act, Alabama has criminal protections for identity theft under the Consumer Identity Protection Act (Ala. Code 13A-8-190 through 13A-8-201). This law makes it a crime to knowingly use another person's identifying information without authorization with the intent to defraud.
Identity theft in Alabama is a Class C felony when the value of the financial benefit obtained or attempted exceeds $500. Trafficking in stolen identities, defined as possessing the identifying information of three or more persons with intent to defraud, is also a Class C felony. The Act includes provisions for restitution to victims, court orders to correct records, and blocking false information on credit reports.
Alabama Deceptive Trade Practices Act and Privacy
The Alabama Deceptive Trade Practices Act (Ala. Code 8-19-1 et seq.) serves as a supplementary enforcement mechanism for data privacy violations. While not a dedicated privacy statute, it prohibits deceptive or unconscionable acts in trade or commerce, which can include misleading statements about data security practices or failure to honor privacy commitments.
The Attorney General and district attorneys have authority to investigate complaints, seek restraining orders, and pursue civil penalties under this Act. The Deceptive Trade Practices Act also provides a private right of action for consumers, which the Data Breach Notification Act does not.
The Pending Alabama Personal Data Protection Act (HB 351)
As of March 2026, Alabama is actively considering comprehensive consumer data privacy legislation. House Bill 351, the Alabama Personal Data Protection Act, passed the Alabama House by a unanimous 103-0 vote and is currently pending in the Alabama Senate.
Key Provisions of HB 351
If enacted, the Alabama Personal Data Protection Act would establish:
- Consumer rights: Right to confirm data processing, correct inaccuracies, delete personal data, obtain a copy, and opt out of targeted advertising or data sales
- Business applicability: Applies to entities controlling or processing personal data of 25,000 or more Alabama consumers, or deriving more than 25% of gross revenue from selling personal data
- Small business exemption: Small businesses are exempt, provided they do not sell personal data
- Entity-level exemptions: Financial institutions regulated by GLBA and HIPAA-covered entities are exempt
- Consent for minors: Requires consent for targeted advertising and sale of personal data of consumers ages 13 to 15
- Enforcement: Exclusively by the Alabama Attorney General, with a 45-day right-to-cure period that does not sunset and penalties of up to $15,000 per violation
- Proposed effective date: May 1, 2027
The bill was amended before final House passage to remove provisions related to artificial intelligence. It must pass the Alabama Senate before the legislative session adjourns.
Federal Laws That Apply in Alabama
Because Alabama lacks comprehensive state privacy legislation (pending the outcome of HB 351), several federal laws fill critical gaps in data protection for Alabama residents.
Key Federal Protections
| Federal Law | What It Protects |
|---|---|
| HIPAA | Health information held by healthcare providers, health plans, and clearinghouses |
| GLBA | Financial information held by banks, lenders, and insurance companies |
| FERPA | Student education records |
| COPPA | Online data collected from children under 13 |
| FCRA | Consumer credit information held by credit reporting agencies |
| ECPA/SCA | Electronic communications and stored electronic data |
Alabama residents rely on this federal framework for many privacy protections that residents of states with comprehensive privacy laws receive under state statute.
How Alabama Compares to Other States
Alabama's data privacy framework is among the more limited in the country. The state has no comprehensive consumer privacy law (though HB 351 may change that), and its breach notification deadline of 45 days is longer than that of many states.
- Colorado and Florida require notification within 30 days
- California has both a comprehensive privacy law (CCPA/CPRA) and a breach notification statute
- Virginia, Connecticut, and Indiana all have comprehensive privacy laws already in effect
The Data Breach Notification Act's "substantial harm" threshold is also more business-friendly than states that require notification for any unauthorized access. However, the Act's security measures requirements and record disposal obligations are considered reasonably strong compared to states that focus solely on notification.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney licensed in Alabama for guidance on your specific situation. Laws and regulations may change; verify all information with official state sources.