SB213 Alabama 2024 Session

Summary

Primary Sponsor

Arthur OrrSenator

Republican

Session

Regular Session 2024

Title

Data privacy; required notifications, registration, and security methods for consumer data brokers provided

Summary

SB213 would regulate data brokers in Alabama by requiring public notices, mandatory registration, strong security measures, and penalties for violations to protect consumer data.

What This Bill Does

It requires data brokers to publicly disclose certain information on their websites and to register with the Secretary of State by January 1, 2025, including details about their data practices and breach history; registrations must be renewed annually for a $300 fee. It directs the Secretary of State to maintain a searchable central registry of registered brokers and to adopt implementing rules. It also mandates brokers to develop and maintain a comprehensive information security program with safeguards, training, third-party oversight, breach response, and encryption, with violations potentially triggering civil penalties and treating security breaches as Deceptive Trade Practices Act violations. The bill creates civil penalties, funds administration through a Consumer Privacy Protection Fund, outlines certain data exemptions, and sets deadlines and effective dates for implementation and operation.

Who It Affects

• Data brokers operating in Alabama: must register, publicly disclose information, implement security measures, and face penalties for violations.
• Alabama residents and consumers: gain public notices about data practices and enhanced protections and oversight through a state registry.

Key Provisions

• Public notice: Data brokers must post a conspicuous, clear notice on their website identifying themselves as data brokers and ensuring accessibility for the general public.
• Registration with SOS: Brokers must register by January 1, 2025, paying a $300 fee, and provide: legal name, contact information, description of data categories processed/transferred, whether they use purchaser credentialing, and disclosures about known-child data and breach history; registration must be renewed annually for $300.
• Central registry: The Secretary of State must maintain a searchable registry with each broker’s registration details and allow individuals to search for brokers.
• Security program requirements: Brokers must implement a comprehensive information security program with administrative, technical, and physical safeguards, risk assessments, employee training, third-party oversight, breach incident response, and ongoing monitoring and upgrades.
• Penalties and fund: Civil penalties for notification/registration violations; penalties up to $100 per day and up to $10,000 per year for a single broker; penalties go into the Consumer Privacy Protection Fund for administering the act.
• Exemptions: The act does not apply to de-identified data under certain safeguards, employee data, publicly available information, or data handled by certain government or federally regulated entities; data collected before January 1, 2025 is exempt from the act.
• Effective dates: The act becomes effective October 1, 2024.

AI-generated summary using openai/gpt-5-nano on Feb 22, 2026. May contain errors — refer to the official bill text for accuracy.

Subjects

Consumer Protection