
Global Data Privacy Guide

USA, Alabama

(United States) Firm Maynard Nexsen Updated 07 Aug 2025
1. What is the key legislation?

Although a few bills have been introduced over the past several years (including one in 2025), Alabama has no comprehensive state privacy law. The key relevant legislation is therefore the Alabama Data Breach Notification Act of 2018 (Ala. Code 8-38-1, et seq., or the “Act”), which governs the breach notification obligations of entities that acquire or use sensitive personally identifying information of Alabama residents.

2. How is the defined data protected?

The Act protects sensitive personally identifying information, which is defined as an Alabama resident’s first name or first initial and last name in combination with one or more of the following data points:
•    a non-truncated Social Security number or tax identification number;
•    a non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify an individual;
•    a financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN that is necessary to access the financial account or to conduct a transaction that will credit or debit the account;
•    any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
•    an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
•    a user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain, or is used to obtain, sensitive personally identifying information.
Sensitive personally identifying information does not include information that has been made publicly available by federal, state, or local government records or widely distributed media, or information that has been truncated, encrypted, secured, or modified by any other method of technology that renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information. 
A “breach of security” or “breach” is defined as “the unauthorized acquisition of data in electronic form containing sensitive personally identifying information.” Acquisition occurring over a period of time committed by the same entity constitutes one breach. The definition does not include: (a) good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use; (b) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements; or (c) any lawful investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the state, or a political subdivision of the state.
“Data in electronic form” means any data stored electronically or digitally on any computer system or other database, including, but not limited to, recordable tapes and other mass storage devices. 

3. Who is subject to privacy obligations?

Covered entities and third-party agents who acquire or use sensitive personally identifying information are subject to the Act.
“Covered Entity” means a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.
“Third-Party Agent” is an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity. 

5. What are the principles applicable to personal data processing?

In addition to the breach notification obligations, the Act also requires each covered entity and third-party agent to implement and maintain “reasonable security measures” to protect sensitive personally identifying information against a breach of security. It defines “reasonable security measures” to mean security measures “practicable for the covered entity … to implement and maintain” and offers a list of considerations to be taken into account. (See Ala. Code 8-38-3). These considerations include:  i) designation of an employee(s) to coordinate the covered entity’s security program; ii) identification of internal and external risks of a breach of security; iii) adoption of appropriate information safeguards to address identified risks of a breach of security and assessment of the effectiveness of such safeguards; iv) retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information; v) evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information; and vi) keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures. 
If the entity determines that a breach has or may have occurred, it must conduct a “good faith and prompt investigation” that addresses the factors listed in the statute. (See Ala. Code 8-38-4). If the entity determines that notice is not required, it shall document its determination in writing and maintain those records for no less than 5 years. However, as described below, enforcement authority is limited to a covered entity’s noncompliance with the notification obligations and does not extend to the implementation of security measures.

6. How is the processing of personal data regulated?

As mentioned above, there is no general state comprehensive privacy law in Alabama at this time. There are various statutes that protect certain classes of people or certain types of documents or information, such as open records laws (subject to exceptions), restrictions on public access to state health department data, and typical common law theories regarding “invasion of privacy”.  
In addition, the Alabama Genetic Data Privacy Act, enacted in 2024, governs the collection, use, maintenance, and confidentiality / disclosure of genetic data by genetic testing companies and their contractors. (See Ala. Code 8-43-2). The Personal Privacy Protection Act prohibits a public agency from compelling persons or nonprofit organizations to release, publicize, or otherwise publicly disclose data regarding members, supporters, volunteers, or donors of support to a nonprofit organization. (See Ala. Code 36-37-3 et seq).
In 2024, the criminal code was also amended to criminalize the “creation, recording, or alteration” of a private image when the depicted individual has not consented and has a reasonable expectation of privacy against such an image. (See Ala. Code 13A-6-2450(A)(2)). (Previously, only distribution of a private image was criminalized.) Similarly, the voyeurism statute was amended in 2019 to criminalize the photographing or filming of intimate areas of another person without their knowledge or consent, where the person has a reasonable expectation of privacy, whether in a public or private place. (See Ala. Code 13A-11-40 et seq).
Finally, in 2024 another bill was passed, the Second Amendment Financial Privacy Act, which prohibits a governmental agency from creating or maintaining a list or registry of privately owned firearms or owners of firearms; prohibits the use of firearms codes in certain circumstances; prohibits a financial institution from declining a payment card transaction relating to a firearm purchase or retailer under certain circumstances; and provides for civil remedies for violations. (See Ala. Code 5-29-1 et seq.)

7. How are storage, security and retention of personal data regulated?

The Act also requires covered entities and third-party agents to take reasonable measures to dispose, or arrange for the disposal, of records containing sensitive personally identifying information within their custody or control when the records are no longer to be retained pursuant to applicable law, regulations, or business needs. Disposal shall include shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any reasonable means consistent with industry standards. 

8. What are the data subjects' rights under the data legislation?

There is no private right of action under the Act. Enforcement authority is granted exclusively to the Attorney General, and is limited to violations of the notification provisions (See 8-38-9(a)). However, the Act may not be construed to affect any right a person may have under common law, under any other statute, or otherwise. 

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

No.

13. Are there any notification requirements for incidents and/or data breaches?

If a covered entity determines that, as a result of a breach of security, sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and the breach is reasonably likely to cause substantial harm to the individual to whom the information relates, the covered entity shall give notice of the breach to each such individual. Notice shall be provided as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the covered entity to conduct an investigation in accordance with Ala. Code 8-38-4, but in no event later than 45 days from either receipt of notice of the breach from a third-party agent or the covered entity’s determination that a breach has occurred and is reasonably likely to cause substantial harm to impacted individuals.
If the number of Alabama residents a covered entity is required to notify exceeds 1,000, the entity shall also provide written notice of the breach to the Alabama Attorney General within 45 days. Written notice can be submitted through an online portal on the Attorney General’s website: https://www.alabamaag.gov/data-breach-notification/. In the event the number of residents exceeds 1,000, the covered entity must also notify the major consumer reporting agencies without unreasonable delay.
A third-party agent who determines that it has experienced a breach of security in a system maintained by the agent shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. 

14. Who is/are the privacy regulator(s)?

Pursuant to the Act, the Alabama Attorney General has the exclusive authority to bring an action for civil penalties under the Act.  As stated above, this authority is limited to violations of the notification obligations.  

15. What are the consequences of a data breach?

The Attorney General has the exclusive authority to bring an action for violations of the Act and may bring an action for damages in a representative capacity on behalf of any named individual or individuals. 
Violations are deemed an unlawful trade practice under the Alabama Deceptive Trade Practices Act (Ala. Code Chapter 19), but are not a criminal offense. A covered entity or third-party agent who is knowingly engaged in or has knowingly engaged in a violation of the notification provisions of the Act is subject to penalties assessed under that Act, not to exceed a maximum of $500,000 per breach.
The Act also imposes a fine of no more than five thousand dollars per day for each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions of the Act.
The Attorney General may also bring a court action for damages on behalf of the individual or individuals, with recovery limited to actual damages suffered plus reasonable attorney’s fees and costs. 
Government entities are subject to the notice requirements of this Act as well. While they are exempt from any civil penalty, they are subject to injunctive relief. 

16. How is electronic marketing regulated?

While there are no Alabama state statutes specifically targeting marketing in a data privacy sense, entities would generally be subject to the state unfair and deceptive trade practices act regarding deceptive, misleading, or unconscionable practices, as well as corollary federal requirements such as Section 5 of the FTC Act prohibiting unfair and deceptive trade practices. To our knowledge, no action has been brought under this state statute for privacy violations related to marketing.

24. Are there any recent developments or expected reforms?

The Act went into effect on June 1, 2018. There are no court cases or Alabama Attorney General opinions that offer substantive interpretation of or comment on this statute (but see Blahous v. Sarrell Regional Dental Center for Public Health, Inc., 2020 WL 4016246, M.D. AL 2020, discussing plaintiff standing in the context of a data breach on other grounds). Regarding a comprehensive state privacy statute, legislation (HB 283) was most recently introduced in 2025 but stalled in committee in the House prior to expiration of the legislative session.
