​​Alabama Personal Data Protection Act (HB 283) – 2025 Update
Alabama is making strides in the data privacy space with the house passing HB 283, the Alabama Personal Data Protection Act. As of April 29, 2025, the bill is still making its way through the state senate.
What’s in the Bill?
Here’s a breakdown of what HB 283 proposes:
- Consumer Rights: The bill grants consumers key rights over their personal data, including:
- Access to their personal data and information about its processing.
- The ability to correct inaccurate data.
- The right to delete personal data.
- Data portability to move their data across platforms.
- The ability to opt out of personal data processing for things like targeted advertising.
- Access to their personal data and information about its processing.
- Obligations for Businesses: Businesses (referred to as “controllers”) will have to:
- Implement secure methods for consumers to exercise their rights.
- Provide privacy notices that clearly outline how consumer data is used and shared.
- Ensure data security to protect consumers’ personal information.
- Implement secure methods for consumers to exercise their rights.
- Enforcement: The Alabama Attorney General will have the authority to enforce the provisions of the law, including penalties for non-compliance.
- Exemptions: Certain exemptions apply, including those related to de-identified data and situations where data is required for legal processes.
What’s Next?
The bill is currently in the Alabama Senate’s Fiscal Responsibility and Economic Development Committee. With the legislative session wrapping up on May 15, 2025, we’ll be watching closely to see if HB 283 passes through the Senate. If it does, we could see new data privacy protections go into effect by October 1, 2025.
As of April 2025, Alabama has not yet proposed a comprehensive Alabama consumer privacy act or an Alabama Online Privacy Act.
On the debating table now is a narrower Alabama data privacy law named SB59, also referred to as The Personal Privacy Protection Act. The bill aims to protect the privacy of members, supporters, volunteers, or donors of a nonprofit organization.
It is important to note that under existing law, a public agency is not prohibited from disclosing certain personal information that identifies a person as a member, supporter, volunteer, or donor of a 501(c) nonprofit organization.
The bill would prohibit a public agency from disclosing personal information or requiring its disclosure, except as required by law. In addition, the bill would provide for civil and criminal penalties for violations.
Interestingly, Alabama’s constitution prohibits a general law whose purpose or effect would be to require a new or increased expenditure of local funds from becoming effective with regard to a local governmental entity without enactment by a ⅔ vote unless
- it comes within one of a number of specified exceptions
- it is approved by the affected entity
- the Legislature appropriates funds, or provides a local source of revenue, to the entity for the purpose.
In reality, this bill would require a new or increased expenditure of local funds within the meaning of the amendment. However, the bill does not require approval of a local governmental entity or enactment by a 2/3 vote to become effective because the bill defines a new crime or
amends the definition of an existing crime, as explained in the state constitution.
SB 59 relates to the disclosure of certain personal information and is titled The Personal
Privacy Protection Act. Let’s run through the contents of the bill.
Definition of Terms
Nonprofit Organization
An entity that is exempt from federal income tax under Section 501(c) of the IRS or is a nonprofit business entity recognized under state law.
Personal Information
Any list, record, register, registry, roll, roster, or other compilation of data of any kind that directly or indirectly identifies a person as a member, supporter, volunteer, or donor of financial or nonfinancial support to any nonprofit organization.
Public Agency
Any department, agency, office, commission, board, division, or other entity of this state, or
of any political subdivision of this state.
Requirements for Public Agencies
A public agency shall not do any of the following:
- Require any person or nonprofit organization to provide the public agency with personal information or otherwise compel the release of personal information.
- Release, publicize, or otherwise publicly disclose personal information in its possession.
- Request or require a current or prospective contractor or grantee of the public agency to provide a list of nonprofit organizations to which the current or prospective contractor or grantee has provided financial or nonfinancial support.
Exemptions
- Any report or disclosure required by The Fair Campaign Practices Act, Chapter 5 of Title 17, Code of Alabama 1975, or any successor provisions thereto.
- Any lawful warrant for personal information issued by a court of competent jurisdiction.
- Any lawful request for discovery of personal information in litigation if all written conditions are met.
- Admission of personal information as relevant evidence before a court of competent jurisdiction; however, no court shall publicly reveal personal information absent a specific finding of good cause.
- A release of personal information by any public agency if the information had previously been voluntarily released to the public either by the person to which it pertains or by a nonprofit organization to which the person is a donor.
- The keeping of filings, certificates, and other public records that disclose the identity of any director, officer, registered agent, or incorporator of a nonprofit organization in any report or disclosure required by law to be filed with the Secretary of State, except that information that directly identifies a person as a donor of financial support to a nonprofit organization, shall not be collected or disclosed.
- Disclosure of personal information derived from a donation to a nonprofit organization affiliated with a public agency as required by law, if the person has not previously requested anonymity from the nonprofit organization.
Conclusion
This act, if passed, will become effective on the first day of the third month following its passage and approval by the Governor, or its otherwise becoming law.