Alabama Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Alabama does not have a standalone biometric privacy law. Unlike Illinois, Texas, and Washington, the state has not enacted legislation that specifically regulates how private businesses collect, store, use, or share biometric identifiers such as fingerprints, facial geometry, or iris scans.
What Alabama does have is a breach notification law that includes biometric data in its definition of protected sensitive personally identifying information. This protection is limited compared to states with dedicated biometric statutes, but it creates real obligations for businesses that handle biometric data in Alabama.
This guide explains the current legal framework, what protections exist, where the gaps are, and what may change.
For broader context on Alabama's overall privacy framework, see the parent guide to [Alabama Data Privacy Laws](/us-laws/data-privacy-laws/alabama-data-privacy-laws).
How Alabama Defines Biometric Data
Alabama's Data Breach Notification Act defines biometric data under Ala. Code 8-38-2 as data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity. Examples listed in the statute include fingerprints, voiceprints, and retina or iris images.
This definition is narrower than what states like Illinois use. It only covers biometric data used for authentication or identity verification purposes. Biometric data collected for other uses, such as surveillance cameras using facial recognition to analyze foot traffic, may fall outside this definition.
The law also requires that the biometric data be paired with an individual's first name (or first initial) and last name to qualify as protected "sensitive personally identifying information."
Alabama Data Breach Notification Act of 2018 (Ala. Code 8-38-1 et seq.)
Alabama's primary biometric protection comes from the Data Breach Notification Act of 2018, signed into law as Acts 2018-396. This law was among the last state breach notification laws enacted in the United States. Alabama and South Dakota were the final two states to adopt breach notification requirements.
What the Law Requires
Any covered entity that acquires or uses sensitive personally identifying information of Alabama residents must follow several requirements under this law.
Reasonable security measures. Covered entities must implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security (Ala. Code 8-38-3).
Good faith investigation. After discovering or being notified of a breach, a covered entity must conduct a good faith and prompt investigation to determine the likelihood that the information has been or will be misused.
Individual notification within 45 days. If a breach compromises biometric data combined with an individual's name and is reasonably likely to cause substantial harm, the entity must notify affected Alabama residents as expeditiously as possible but no later than 45 days after the determination that a breach occurred (Ala. Code 8-38-5).
Attorney General notification. If the breach affects more than 1,000 individuals, the entity must also notify the Alabama Attorney General within 45 days.
Third-party agent notification. Third-party agents that maintain data on behalf of a covered entity must notify the covered entity within 10 days of discovering a breach.
Penalties for Non-Compliance
A covered entity that fails to comply with notification requirements faces penalties under Ala. Code 8-38-9.
Civil penalties can reach up to $5,000 per day for each consecutive day that the entity fails to take reasonable action to comply with the notification requirements. The total civil penalty is capped at $500,000 per breach.
A violation of the Act constitutes an unlawful trade practice under the Alabama Deceptive Trade Practices Act (Ala. Code 8-19-1 et seq.).
The Alabama Attorney General holds exclusive authority to bring enforcement actions for civil penalties and to pursue damages on behalf of named individuals. Recovery in such actions is limited to actual damages plus reasonable attorney fees and costs.
No Private Right of Action
Alabama's breach notification law does not create a private cause of action. Individuals cannot sue a covered entity directly under this statute for failing to provide timely notification. Only the Attorney General can bring enforcement actions.
This is a significant distinction from states like Illinois, where BIPA grants individuals the right to sue and recover statutory damages of $1,000 to $5,000 per violation.
Exemptions
The law includes several exemptions. Information that has been encrypted, secured, or modified by any method or technology that removes personally identifying elements or renders the information unusable is excluded from the definition of sensitive personally identifying information.
Financial institutions that comply with the Gramm-Leach-Bliley Act and entities that comply with HIPAA are deemed in compliance with Alabama''s security requirements.
What Alabama Law Does Not Cover
Alabama's existing laws leave significant gaps in biometric privacy protection.
No general consent requirement. Alabama does not require businesses or employers to obtain consent before collecting biometric data from adults. An employer can implement fingerprint time clocks or facial recognition systems without notifying employees or getting their approval.
No retention or destruction timelines. The state does not mandate specific retention schedules or destruction timelines for biometric data held by private entities.
No restrictions on biometric data sales. Alabama does not prohibit or restrict the sale or sharing of biometric data with third parties.
No private right of action for collection practices. There is no state law allowing individuals to sue because a company collected their fingerprints or facial scans without consent.
No law enforcement restrictions. Alabama has not enacted limits on government or law enforcement use of facial recognition or other biometric surveillance technologies.
Employer Use of Biometric Data in Alabama
Alabama has no state law that restricts employers from collecting biometric data from employees. Companies operating in Alabama that use fingerprint scanners for timekeeping, facial recognition for building access, or other biometric systems are not required by state law to:
- Provide written notice before collecting biometric data
- Obtain employee consent
- Establish data retention or destruction policies
- Limit sharing of employee biometric data with vendors or third parties
This stands in sharp contrast to Illinois, where employers face statutory damages of $1,000 to $5,000 per violation of the Biometric Information Privacy Act.
That said, employers should still implement reasonable security measures for biometric data. If a breach occurs that exposes employee biometric data alongside names, the employer must comply with the 45-day notification requirement or face penalties up to $500,000.
Pending Legislation
Alabama has seen legislative activity that could expand biometric protections.
SB272 (2026 Regular Session). This bill, introduced by Senator Orr, proposes amendments to Alabama's data protection framework. As of March 2026, SB272 has been engrossed but has not been signed into law.
HB283 (2025 Regular Session). This bill proposed the Alabama Personal Data Protection Act, which would have created a comprehensive consumer privacy framework. The bill was introduced but did not advance into law.
Neither bill has been enacted. If a comprehensive privacy law passes in Alabama, it could bring the state closer to frameworks adopted by states like Colorado, Connecticut, and Virginia, which classify biometric data as sensitive information requiring affirmative consent.
Federal Protections That Apply in Alabama
Because Alabama lacks a comprehensive biometric privacy law, federal statutes provide additional protections for residents.
Section 5 of the FTC Act allows the Federal Trade Commission to take enforcement action against companies engaged in unfair or deceptive practices involving biometric data, including failures to secure biometric information.
HIPAA protects biometric data collected or used by covered healthcare entities and their business associates under the Privacy Rule.
COPPA requires parental consent before collecting biometric data from children under 13, enforced by the FTC.
How Alabama Compares to Other States
Alabama falls into a lower tier of states for biometric privacy protection. While the inclusion of biometric data in the breach notification law is meaningful, the state lacks the collection-level protections found in more protective states.
- Illinois has the strongest biometric law in the nation (BIPA), with a private right of action and statutory damages of $1,000 to $5,000 per violation
- Texas and Washington have biometric-specific statutes enforced by their attorneys general
- States with comprehensive privacy laws (Colorado, Connecticut, Virginia) classify biometric data as sensitive and require opt-in consent
- Alabama protects biometric data only through breach notification and general unfair trade practices enforcement
More Alabama Laws
- Alabama Data Privacy Laws
- Alabama Recording Laws
- Alabama Whistleblower Laws
- Alabama Child Support Laws
This article provides general legal information about Alabama biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Alabama for advice about your specific situation.
Sources and References
- Alabama Code 8-38-2, definitions including biometric data (legislature.state.al.us)
- Alabama Data Breach Notification Act of 2018 (Acts 2018-396) (alabamaag.gov)
- Ala. Code 8-38-5, individual breach notification requirements (law.justia.com)
- Ala. Code 8-38-9, violation penalties up to $500,000 per breach (law.justia.com)
- Alabama Attorney General data breach notification page (alabamaag.gov)
- Alabama SB272 (2026 Regular Session) (legislature.state.al.us)
- Alabama HB283, Personal Data Protection Act (2025) (legislature.state.al.us)
- FTC Act Section 5 enforcement authority (ftc.gov)
- HIPAA Privacy Rule (hhs.gov)
- COPPA rule on children's online privacy (ftc.gov)