HB366 Alabama 2024 Session

Updated Feb 23, 2026
Notable

Summary

Session
Regular Session 2024
Title
Consumer protection, further provides for data breaches
Summary

HB366 would create a new crime: a data breach that exposes sensitive personal data, precise location data, and proprietary network information would be illegal when the breached entity lacked reasonable security.

What This Bill Does

It expands the data breach law by defining key terms (breach, covered entity, data in electronic form, precise location data, proprietary network information, sensitive PII, etc.) and sets out what counts as a breach. It then says a covered entity commits an unlawful trade practice if such a breach occurs and the entity did not have reasonable security measures in place. The bill also adds an effective date of October 1, 2024 and states the measure is exempt from certain local-expenditure requirements because it creates a new crime or amends an existing one.

Who It Affects
  • Covered entities (businesses, government entities, nonprofits, or other organizations that collect or use sensitive personal data) would face new unlawful-trade-practice liability if they suffer a qualifying breach without reasonable security.
  • Alabama residents whose sensitive data, precise location data, or proprietary network information is breached would be potential victims and may be affected by the new enforcement and remedies.

Key Provisions
  • Amends Section 8-38-2 to define terms used in the data breach context: breach, covered entity, data in electronic form, government entity, individual, precise location data, and proprietary network information, as well as sensitive personally identifying information with a detailed list of data elements.
  • Adds Section 8-38-13 establishing that a covered entity commits an unlawful trade practice under the Alabama Deceptive Trade Practices Act if a breach includes sensitive PII, precise location data, and proprietary network information and the entity did not have reasonable security measures in place (per Section 8-38-3).
  • Provides exclusions and clarifications about what counts as breach data (e.g., certain public records and encrypted or secured data under specific conditions).
  • Defines third-party agents as entities contracted to handle or access sensitive PII in connection with providing services to a covered entity.
  • Effective date set for October 1, 2024, and the bill is explicitly excluded from certain constitutional local-expenditure rules because it creates a new crime or amends an existing crime.

AI-generated summary using openai/gpt-5-nano on Feb 22, 2026. May contain errors — refer to the official bill text for accuracy.

Subjects
Consumer Protection

Bill Actions

  • H: Pending House Judiciary
  • H: Read for the first time and referred to the House Committee on Judiciary

Source: Alabama Legislature