HB470 Alabama 2025 Session
Summary
- Primary Sponsor
Prince Chestnut, Representative, Democrat
- Session
- 2025 Regular Session
- Title
- Consumer protection, protection of personally identifiable information further provided for, civil and criminal liability established
- Summary
HB470 would create a comprehensive data privacy law to protect personally identifiable information held by state and federal agencies, require training and vendor safeguards, and establish an oversight board with penalties for violations.
What This Bill Does
It establishes the Government Information Privacy Protection Act to shield personally identifiable information from unauthorized sharing and set up legal safeguards. It requires annual privacy training for state employees who handle PII and imposes civil, criminal, and felony penalties for violations. It sets rules for how state agencies share data with federal agencies and requires notices and documentation, while prohibiting improper data handling by contractors and vendors and keeping disclosures as public records. It also creates an Independent Privacy Oversight Board to monitor compliance and report to the Legislature, with enforcement authority given to the Attorney General.
Who It Affects
- State employees who handle personally identifiable information: must complete annual privacy training and can face civil or criminal penalties for violations.
- State agencies: restricted in sharing PII with federal agencies and required to provide notices and retain records of disclosures.
- Federal agencies: restricted in handling PII from state agencies and must receive specific disclosures and assurances before data use.
- Vendors/contractors handling PII: must meet security requirements, cannot share data beyond contract, and may be barred if they fail safeguards or have violations.
- Public/data subjects: certain disclosures and records related to PII sharing become public records.
Key Provisions
AI-generated summary using openai/gpt-5-nano on Feb 22, 2026. May contain errors — refer to the official bill text for accuracy.
- Creates the Government Information Privacy Protection Act with definitions for federal and state agencies, PII, third parties, and vendors, plus penalties and an oversight mechanism.
- Section 4 imposes disclosure restrictions: federal agencies cannot access PII from a state agency without written notice to the supplying agency and the affected individuals; state agencies cannot transfer PII to federal agencies without a written, detailed statement of use, anticipated sharing, security measures, and retention; documents become public records.
- Section 5 requires annual privacy training for state employees who handle PII, covering privacy law, data security practices, misuse reporting, and consequences of noncompliance.
- Section 6 sets vendor standards: state agencies cannot contract with vendors lacking certain security ratings or with recent data protection violations; vendors must not share PII beyond contract terms, and disclosures are recorded as public records.
- Section 7 establishes penalties: civil liability up to $50,000 per violation for individuals; Class A misdemeanor with up to $100,000 per violation for agency employees; Class D felony with up to $500,000 per violation for patterns or practices of violations.
- Section 8 gives the Attorney General exclusive enforcement authority.
- Section 9 creates an Independent Privacy Oversight Board with members appointed by key legislative leaders, requiring relevant experience and annual reporting to the Legislature starting 2026.
- Section 10 sets October 1, 2025, as the act’s effective date.
- Subjects
- Consumer Protection
Bill Actions
Pending House State Government
Read for the first time and referred to the House Committee on State Government
Source: Alabama Legislature