open-agreements 0.7.7 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/alabama.md

@@ -0,0 +1,211 @@
+---
+jurisdiction: "Alabama"
+slug: alabama
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/alabama
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/alabama · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Alabama Consumer Privacy Law[^about]
+
+Alabama's Personal Data Protection Act (Act No. 2026-552) takes effect May 1, 2027, reaching businesses that handle data on more than 25,000 consumers; until then the 2018 breach-notification act, the ADTPA, and federal law govern.
+
+
+## At a glance
+
+| Question | Alabama |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Alabama's new Personal Data Protection Act takes effect May 1, 2027 with an unusually low consumer-count trigger but a sweeping under-500-employee exemption; until then, compliance means the 2018 Data Breach Notification Act, the Deceptive Trade Practices Act, and the federal overlay. |
+| **Main law** | Alabama Personal Data Protection Act, Ala. Act No. 2026-552 (HB 351, effective May 1, 2027 — not yet codified); operative today, the Alabama Data Breach Notification Act of 2018, Ala. Code §§ 8-38-1 to 8-38-12, enforced through the Alabama Deceptive Trade Practices Act |
+| **Privacy policy required?** | Yes from May 1, 2027 — a reasonably accurate, clear, and meaningful privacy notice with six statutorily listed items; outside sector-specific Alabama privacy statutes, no generally applicable Alabama consumer-privacy statute fixes privacy-policy contents today, but a policy that misstates practices is actionable under FTC Act § 5 and the ADTPA |
+| **Who does it cover?** | From May 1, 2027 — businesses operating in Alabama (or targeting Alabama residents) that control or process personal data of more than 25,000 consumers or derive more than 25% of gross revenue from selling personal data; businesses with fewer than 500 employees (nonprofits under 100) are exempt unless they sell personal data |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | The APDPA contains no express private right of action and authorizes Attorney General enforcement after notice and cure; the breach act expressly states that a violation does not establish a private cause of action; the ADTPA carries only a narrow individual remedy with a statutory class-action bar |
+| **Who enforces it?** | Alabama Attorney General |
+| **Future effective law** | Alabama Personal Data Protection Act, effective 2027-05-01 (Law coverage: Comprehensive law; Privacy policy rule: Policy contents fixed by law; Consent for sensitive data?: Consent required first) — Current buckets stay on Alabama's breach-notification and ADTPA baseline until the APDPA takes effect. |
+
+## Which privacy laws apply to your business in Alabama? {#which-privacy-laws-apply}
+
+**Short answer.** Two regimes, on a timeline. Alabama has enacted a comprehensive consumer-privacy statute — the Alabama Personal Data Protection Act [^apdpa-short-title] — but it does not take effect until May 1, 2027 [^apdpa-effective-date]. Until that date, the state laws that govern data handling day to day are the Alabama Data Breach Notification Act of 2018 [^breach-act-title] and the Alabama Deceptive Trade Practices Act, supplemented by the federal overlay.
+
+The APDPA is currently citable as the session law, Ala. Act No. 2026-552. Two structural points shape everything below. First, the enrolled act text staged here does not include an express rulemaking provision, so its interpretive gaps are likely to be filled by amendment, enforcement positions, or litigation. Second, the APDPA layers on top of — it does not replace — the breach-notification act, which has been in force since 2018 and continues to supply Alabama's data-security and incident-response duties.
+
+For the period before May 1, 2027, an Alabama-facing privacy program looks like a no-comprehensive-statute state: the breach act sets the security and notification duties, the Deceptive Trade Practices Act reaches false or misleading privacy statements, and the rest rides federal law — FTC Act § 5 for deceptive or unfair practices generally, the Gramm-Leach-Bliley Act for financial institutions, HIPAA for covered health entities, and COPPA for services directed to children under 13. A program built to that overlay now upgrades, rather than restarts, when the APDPA arrives.
+
+## Will Alabama's new privacy law apply to your business? {#does-apdpa-apply}
+
+**Short answer.** Starting May 1, 2027 — only if you clear an unusual two-part gate. The APDPA applies to persons that conduct business in Alabama or target products or services to its residents and that either control or process the personal data of more than 25,000 consumers (excluding data processed solely to complete a payment transaction) or derive more than 25 percent of gross revenue from the sale of personal data [^apdpa-thresholds]. But an entity-level exemption then removes any business with fewer than 500 employees — and any nonprofit with fewer than 100 — provided it does not engage in the sale of personal data [^apdpa-small-business].
+
+The 25,000-consumer trigger is unusually low, and the revenue prong has no dollar floor — more than a quarter of gross revenue from data sales is enough regardless of how few consumers are involved. What pulls in the opposite direction is the unusual employee-count exemption: a company holding data on many Alabamians is still exempt if it has fewer than 500 employees and does not sell personal data. Note the condition — any sale of personal data, as the act defines it, forfeits the exemption entirely; there is no de minimis allowance. The definition of sale is narrower than ordinary disclosure because it excludes disclosures to processors, consumer-directed disclosures, affiliate transfers, M&A transfers, analytics services, and marketing services provided solely to the controller [^apdpa-sale-def].
+
+Coverage is also narrowed by the act's definitions and exemption lists. A consumer is an Alabama resident acting outside a commercial or employment context, so employee and business-to-business data are off the table [^apdpa-consumer-def]. The familiar regulated-entity carve-outs also appear: financial institutions and data governed by the Gramm-Leach-Bliley Act and HIPAA covered entities and business associates are exempt at the entity level [^apdpa-regulated-exemptions], alongside government bodies, higher-education institutions, and data already regulated by FCRA, FERPA, the Driver's Privacy Protection Act, and similar federal regimes.
+
+## What must your Alabama privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** From May 1, 2027, the APDPA prescribes the contents directly: a covered controller must provide a reasonably accurate, clear, and meaningful privacy notice listing the categories of personal data processed, the purpose for processing, the categories of data shared with third parties, the categories of those third parties, an active email address or other contact mechanism, and how consumers may exercise their rights — including a link or contact information for the opt-out method [^apdpa-notice-contents]. Outside sector-specific Alabama privacy statutes, no generally applicable Alabama consumer-privacy statute fixes privacy-policy contents today, but a policy that misstates your practices is a deceptive practice under FTC Act § 5 [^fed-ftc5-deceptive] and is reachable under the ADTPA's catch-all prohibition [^adtpa-catchall].
+
+For a template policy aimed at the APDPA, treat the six-item list as a checklist that must appear on the face of the document. Three further notice-adjacent duties travel with it. If you sell personal data to third parties or process it for targeted advertising, you must clearly and conspicuously disclose that processing and how a consumer can opt out of it [^apdpa-sale-disclosure]. The notice must also establish and describe one or more secure and reliable means for consumers to submit rights requests, suited to how consumers normally interact with you [^apdpa-request-methods]. And the website itself must carry a clear and conspicuous link to a page where a consumer can directly opt out of targeted advertising or sale — or up-to-date contact information for submitting the opt-out request [^apdpa-optout-link].
+
+Compared with other states' notice lists, Alabama's is lean: there is no required retention-period disclosure, no required description of an appeal process (the act creates none), and no fixed sale-of-sensitive-data notice sentence. Until the act takes effect, the operative drafting rule is the consistency rule — under FTC Act § 5 and the ADTPA, the enforceable obligation is that the published policy match actual practice — so a policy built now to the six-item APDPA list both satisfies today's truthfulness standard and is aligned with the APDPA notice list when the act arrives.
+
+## What must your contracts with data vendors say? {#vendor-contracts}
+
+**Short answer.** From May 1, 2027, a written contract between the controller and each processor must govern the processor's data processing obligations — the APDPA makes a data processing agreement a statutory requirement [^apdpa-dpa-required]. Today, the breach act already pushes in the same direction: a covered entity's reasonable security measures include retaining service providers that are contractually required to maintain appropriate safeguards for sensitive personally identifying information [^breach-vendor-safeguards].
+
+The APDPA contract must be binding and clearly set out the processing instructions, the nature and purpose of processing, the type of data, the duration, and both parties' rights and obligations. It must also commit the processor to a duty of confidentiality, to delete or return all personal data at the controller's direction at the end of the engagement, to make available the information needed to demonstrate compliance on the controller's reasonable request, and to bind any subcontractor to the same processor obligations [^apdpa-dpa-terms]. Many multi-state DPA templates can be adapted to these elements after checking the Alabama-specific list.
+
+One genuine departure deserves emphasis: the staged APDPA text contains no express data-protection-assessment requirement. Nothing in the staged text requires a documented risk assessment before targeted advertising, selling data, processing sensitive data, or profiling. The processor contract, not an assessment file, is the act's named compliance artifact. Where a federal regime applies, it adds its own contracting layer regardless of state law: the GLBA Safeguards Rule requires financial institutions to bind service providers by contract to implement and maintain safeguards [^fed-glba-safeguards], and HIPAA requires a business-associate agreement before protected health information is shared [^fed-hipaa-baa].
+
+## What rights will Alabama consumers have, and how fast must you respond? {#consumer-rights}
+
+**Short answer.** From May 1, 2027, an Alabama consumer can require a covered controller to confirm and access processing of their personal data, correct inaccuracies, delete their data, obtain a portable copy, and opt out of targeted advertising, the sale of their data, and profiling in furtherance of solely automated significant decisions [^apdpa-rights]. The controller must respond within 45 days of receiving the request and may take one 45-day extension when reasonably necessary, with notice and the reason given inside the initial window [^apdpa-response-clock].
+
+Responses are free of charge once per consumer in any 12-month period; for manifestly unfounded, excessive, technically infeasible, or repetitive requests the controller may charge a reasonable fee or decline to act, and bears the burden of demonstrating that character on inquiry by an enforcement authority [^apdpa-request-fees]. The access and portability rights each carry a trade-secret carve-out, and parents, guardians, and conservators may exercise rights on a known child's or protected consumer's behalf [^apdpa-representative-rights]. The rights themselves cannot be contracted away: any contract provision that purports to waive or limit a consumer's rights under the act is void and unenforceable as contrary to public policy [^apdpa-anti-waiver].
+
+Two things the act does not contain are worth stating plainly. The APDPA requires a controller that declines a request to give the consumer its justification within 45 days, but the staged text does not include an appeal mechanism or require the privacy notice to describe one [^apdpa-refusal-response]. And because the enrolled act text staged here does not include an express rulemaking provision, there is no regulator who can add one by rule. The profiling opt-out is also narrower than it may first appear: it reaches only solely automated processing, and only for a closed list of significant decisions such as credit, housing, insurance, education, criminal justice, employment opportunity, health care, and basic necessities [^apdpa-significant-decision].
+
+> [!NOTE]
+> **Practice note.**
+>
+> Open statutory question — universal opt-out preference signals. The act's only treatment of browser- or device-level opt-out signals is a conflict rule: when a consumer's opt-out decision sent through an opt-out preference signal conflicts with an existing controller-specific setting or loyalty-program participation, the controller shall comply with the signal [^apdpa-optout-signal]. One reading takes that command as presupposing a duty to process such signals; the other observes that no provision affirmatively requires controllers to recognize universal signals, the act specifies no technical standard or phase-in, and no agency has rulemaking power to supply one. The text supports both readings, and commentary on the act splits the same way. Until the Attorney General or a court resolves it, a conservative posture treats widely adopted signals as valid opt-outs of targeted advertising and sale.
+
+## Will you need consent to use sensitive data? {#sensitive-data-consent}
+
+**Short answer.** Yes. From May 1, 2027, a covered controller may not process a consumer's sensitive data without that consumer's consent — and for a known child, processing must comply with the federal Children's Online Privacy Protection Act [^apdpa-sensitive-optin]. Sensitive data covers data revealing racial or ethnic origin, religious beliefs, health conditions or diagnoses, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child; and precise geolocation data [^apdpa-sensitive-def].
+
+The consent bar is deliberately high: consent means a clear affirmative act signifying a freely given, specific, informed, and unambiguous agreement, and it expressly excludes acceptance of broad terms of use, hovering, muting, or pausing content, and agreements obtained through dark patterns [^apdpa-consent-def]. Consent must also be revocable through a mechanism at least as easy as the one used to give it [^apdpa-consent-revocation]. Teenagers get a separate protection: a controller with actual knowledge that a consumer is at least 13 but younger than 16 may not process that consumer's personal data for targeted advertising or sell it without consent [^apdpa-teen-rule]. Controllers that comply with COPPA's verifiable parental-consent requirements are deemed compliant with the act's parental-consent obligations, so an existing COPPA program carries over [^apdpa-coppa-safe-harbor].
+
+## When must you notify people of a data breach in Alabama? {#breach-notification}
+
+**Short answer.** This duty is in force now, and it survives the APDPA. A covered entity that determines that sensitive personally identifying information has been acquired (or is reasonably believed to have been acquired) by an unauthorized person, and is reasonably likely to cause substantial harm, must notify each affected individual [^breach-notice-trigger]. The notice must go out as expeditiously as possible and, in any event, within 45 days of the entity's determination or of notice from a third-party agent [^breach-45-days]. If more than 1,000 individuals must be notified, the entity must also give written notice to the Attorney General [^breach-ag-notice].
+
+The breach act also imposes Alabama's standing security duty: every covered entity and third-party agent must implement and maintain reasonable security measures to protect sensitive personally identifying information [^breach-security-duty] — including designating a security coordinator, identifying risks, adopting safeguards, and keeping management informed. Vendors are on their own clock: a third-party agent that experiences a breach in a system it maintains must notify the covered entity as expeditiously as possible and no later than 10 days after determining the breach occurred [^breach-vendor-clock]. And when more than 1,000 individuals are notified at one time, the entity must also notify the nationwide consumer reporting agencies [^breach-cra-notice].
+
+Some operating details matter for the incident-response plan. Sensitive personally identifying information is a name combined with elements like a non-truncated Social Security number, government ID number, financial account number with its access code, medical or health-insurance information, or online-account credentials — and properly encrypted or truncated data is excluded unless the key was also compromised [^breach-spii-def]. The individual notice must include at minimum the breach date or date range, a description of the information involved, the remediation actions taken, steps the individual can take against identity theft, and contact information [^breach-notice-contents]. Substitute notice (website posting plus media) is allowed when direct notice would cost over $500,000, contact information is lacking, or more than 100,000 people are affected [^breach-substitute-notice]. If you determine notice is not required, document that determination and keep it for at least five years [^breach-no-notice-record].
+
+## Can a consumer sue your business under Alabama privacy law? {#consumer-lawsuit}
+
+**Short answer.** The APDPA contains no express private right of action; its enforcement section authorizes Attorney General enforcement after notice and cure. Only if the controller fails to correct the violation within 45 days may the Attorney General sue for an injunction, with a civil penalty of up to $15,000 per violation [^apdpa-enforcement]. The breach act is clearer: it routes its violations into the Deceptive Trade Practices Act with the Attorney General holding exclusive authority to seek civil penalties [^breach-adtpa-routing], and it states expressly that a violation does not establish a private cause of action [^breach-no-pra].
+
+The APDPA's cure right is unusually strong: it never sunsets, and after a controller corrects the noticed violation within the 45-day window and gives the Attorney General an express written statement that the violations are corrected and will not recur, no APDPA enforcement action may be initiated against the controller under Section 11 [^apdpa-enforcement]. That makes Alabama exposure regulatory and, in the first instance, correctable. Note also that the notice-and-cure text speaks only of controllers; how it applies to processors is an open question the act does not address.
+
+The breach act has real penalty teeth despite the no-private-action rule: knowing violations of its notice provisions draw ADTPA penalties capped at $500,000 per breach [^breach-500k-cap], and a separate provision adds up to $5,000 per day for each consecutive day an entity fails to take reasonable action to comply with the notice duties [^breach-per-day]. The ADTPA itself does carry a limited private remedy — a consumer who suffers monetary damage from an unlawful trade practice may recover actual damages or $100, whichever is greater, with discretionary trebling [^adtpa-private-remedy] — but it is individual-only: the statute bars class actions as a substantive limitation [^adtpa-class-bar], and it requires a 15-day pre-suit demand [^adtpa-demand]. Expect that narrow route to stay closed for APDPA claims as well: where the Legislature wants ADTPA treatment it cross-references the ADTPA expressly, as the breach act does, and the APDPA contains no such cross-reference — it gives the enforcement role to the Attorney General instead.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Alabama. This article synthesizes Alabama primary law and is not legal advice from a Alabama-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^apdpa-short-title]: **Ala. Act No. 2026-552, § 1 (APDPA short title)** — "Section 1. This act shall be known as the Alabama Personal Data Protection Act." *Ala. Act No. 2026-552, § 1.* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-effective-date]: **Ala. Act No. 2026-552, § 12 (effective date)** — "Section 12. This act shall become effective on May 1, 2027." *Ala. Act No. 2026-552, § 12.* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^breach-act-title]: **Ala. Code § 8-38-1 (Data Breach Notification Act short title)** — "This chapter may be cited and shall be known as the Alabama Data Breach Notification Act of 2018." *Ala. Code § 8-38-1.* <https://alison.legislature.state.al.us/code-of-alabama/8-38-1>
+
+[^apdpa-thresholds]: **Ala. Act No. 2026-552, § 3 (applicability thresholds)** — "Section 3. The provisions of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that meet either of the following qualifications: (1) Control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (2) Derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes." *Ala. Act No. 2026-552, § 3.* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-small-business]: **Ala. Act No. 2026-552, § 4(a)(7)-(8) (employee-count exemptions)** — "A business, including an organization cooperatively organized under Chapter 6 of Title 37, Code of Alabama 1975, or an entity that is an instrumentality of a municipal corporation, with fewer than 500 employees, provided the business does not engage in the sale of personal data. (8) A nonprofit entity, as defined in Section 10A-1-1.03, Code of Alabama 1975, with less than 100 employees, provided the entity does not engage in the sale of personal data." *Ala. Act No. 2026-552, § 4(a)(7)-(8).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-sale-def]: **Ala. Act No. 2026-552, § 2(20) (sale of personal data definition)** — "(20) SALE OF PERSONAL DATA. The exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data. The term does not include any of the following: a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller. b. The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer. c. The disclosure or transfer of personal data to an affiliate of the controller. d. The disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party. e. The disclosure of personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience. f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets. g. The disclosure or transfer of personal data to a third party for the purposes of providing analytics services. h. The disclosure or transfer of personal data to a third party for the purposes of providing marketing services solely to the controller." *Ala. Act No. 2026-552, § 2(20).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-consumer-def]: **Ala. Act No. 2026-552, § 2(6) (consumer definition)** — "CONSUMER. An individual who is a resident of this state. The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency." *Ala. Act No. 2026-552, § 2(6).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-regulated-exemptions]: **Ala. Act No. 2026-552, § 4(a)(5)-(6) (GLBA and HIPAA exemptions)** — "A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et. seq. (6) A covered entity or business associate as defined in the privacy regulations of 45 C.F.R. § 160.103." *Ala. Act No. 2026-552, § 4(a)(5)-(6).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-notice-contents]: **Ala. Act No. 2026-552, § 7(d) (privacy-notice contents)** — "A controller shall provide consumers with a reasonably accurate, clear, and meaningful privacy notice that includes all of the following: (1) The categories of personal data processed by the controller. (2) The purpose for processing personal data. (3) The categories of personal data that the controller shares with third parties, if any. (4) The categories of third parties, if any, with which the controller shares personal data. (5) An active email address or other mechanism that the consumer may use to contact the controller. (6) How consumers may exercise their consumer rights, including a link or contact information for availing themselves of the opt-out method provided in Section 6." *Ala. Act No. 2026-552, § 7(d).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^adtpa-catchall]: **Ala. Code § 8-19-5(27) (ADTPA catch-all)** — "Engaging in any other unconscionable, false, misleading, or deceptive act or practice in the conduct of trade or commerce." *Ala. Code § 8-19-5(27).* <https://alison.legislature.state.al.us/code-of-alabama/8-19-5>
+
+[^apdpa-sale-disclosure]: **Ala. Act No. 2026-552, § 7(c) (sale and targeted-advertising disclosure)** — "If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a consumer may exercise the right to opt out of the processing." *Ala. Act No. 2026-552, § 7(c).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-request-methods]: **Ala. Act No. 2026-552, § 7(e)(1) (request methods described in the notice)** — "A controller shall establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights, as established under Section 5, pursuant to this act considering the ways in which consumers normally interact with the controller, the need for secure and reliable communication of consumer requests, and the ability of the controller to authenticate the identity of the consumer or authorized agent making the request." *Ala. Act No. 2026-552, § 7(e)(1).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-optout-link]: **Ala. Act No. 2026-552, § 6(b) (website opt-out link)** — "A controller must allow a consumer to opt-out by providing a clear and conspicuous link on the controller's Internet website to an Internet web page that enables a consumer directly to opt out of any processing of the consumer's personal data for the purposes of targeted advertising or sale of the consumer's personal data, or provides up-to-date contact information for a consumer to submit the opt-out request." *Ala. Act No. 2026-552, § 6(b).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-dpa-required]: **Ala. Act No. 2026-552, § 8(b)(1) (processor contract required)** — "A contract between a controller and a processor shall govern the processor's data processing obligations with respect to processing performed on behalf of the controller." *Ala. Act No. 2026-552, § 8(b)(1).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^breach-vendor-safeguards]: **Ala. Code § 8-38-3(b)(4) (service providers contractually bound)** — "Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information." *Ala. Code § 8-38-3(b)(4).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-3>
+
+[^apdpa-dpa-terms]: **Ala. Act No. 2026-552, § 8(b)(2)-(3) (required processor contract terms)** — "(2) The contract shall: a. Be binding; b. Clearly set forth instructions for processing data; c. Clearly set forth the nature and purpose of the processing; d. Clearly set forth the type of data subject to processing; e. Clearly set forth the duration of processing; and f. Clearly set forth the rights and obligations of both parties. (3) The contract, taking into account the nature of the processing, the relationship between the parties, and other factors, shall also require the processor to: a. Ensure that each processor of personal data is subject to a duty of confidentiality with respect to the personal data; b. Delete or return all personal data to the controller as requested at the end of the provision of services at the controller's direction, unless retention of the personal data is required or permitted by law or the contract; c. Make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations of this act upon the reasonable request of the controller; and d. Obligate any subcontractor processing personal data to meet the obligations of the processor with respect to the personal data." *Ala. Act No. 2026-552, § 8(b)(2)-(3).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,and%20a%20business%20associate%20must>
+
+[^apdpa-rights]: **Ala. Act No. 2026-552, § 5(a) (consumer rights)** — "A controller shall comply with an authenticated request to do any of the following: (1) Confirm whether a controller, or a processor or third party acting on a controller's behalf, is processing the consumer's personal data and accessing any of the consumer's personal data under the control of the controller, unless confirmation or access would require the controller to reveal a trade secret. (2) Correct inaccuracies in the consumer's personal data, considering the nature of the personal data and the purposes of the processing of the consumer's personal data. (3) Direct a controller to delete the consumer's personal data. (4) Obtain a copy of the consumer's personal data previously provided by the consumer to a controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, unless the provision of the data would require the controller to reveal a trade secret. (5) Opt out of the processing of the consumer's personal data for any of the following purposes: a. Targeted advertising. b. The sale of the consumer's personal data. c. Profiling in furtherance of solely automated significant decisions concerning the consumer." *Ala. Act No. 2026-552, § 5(a).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-response-clock]: **Ala. Act No. 2026-552, § 5(d)(1) (45-day response; one extension)** — "A controller shall respond to a consumer's request within 45 days of receipt of the request. b. A controller may extend the response period by 45 additional days, when reasonably necessary considering the complexity and number of the consumer's requests, by notifying the consumer of the extension and the reason for the extension within the initial 45-day response period." *Ala. Act No. 2026-552, § 5(d)(1).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-request-fees]: **Ala. Act No. 2026-552, § 5(d)(3) (free responses; fee for abusive requests)** — "Information provided in response to a consumer request must be provided by a controller, free of charge, once for each consumer during any 12-month period. If a consumer's requests are manifestly unfounded, excessive, technically infeasible, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with a request or decline to act on a request. Upon inquiry by an enforcement authority, the controller bears the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of a request." *Ala. Act No. 2026-552, § 5(d)(3).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-representative-rights]: **Ala. Act No. 2026-552, § 5(c) (representative exercise of rights)** — "(c)(1) A parent or legal guardian of a known child may exercise the consumer's rights on behalf of the known child regarding the processing of personal data. (2) A guardian or conservator of a consumer may exercise the consumer's rights on behalf of the consumer regarding the processing of personal data." *Ala. Act No. 2026-552, § 5(c).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-anti-waiver]: **Ala. Act No. 2026-552, § 7(f) (anti-waiver)** — "Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's consumer rights as established under this act shall be deemed contrary to public policy and shall be void and unenforceable." *Ala. Act No. 2026-552, § 7(f).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-refusal-response]: **Ala. Act No. 2026-552, § 5(d)(2) (refusal response)** — "If a controller declines to act regarding a consumer's request, the controller shall inform the consumer of the justification for declining to act within 45 days of receipt of the request." *Ala. Act No. 2026-552, § 5(d)(2).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-significant-decision]: **Ala. Act No. 2026-552, § 2(22) (significant decision definition)** — "(22) SIGNIFICANT DECISION. A decision made by a controller that results in the provision or denial by the controller of credit or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care service, or access to basic necessities such as food or water." *Ala. Act No. 2026-552, § 2(22).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-optout-signal]: **Ala. Act No. 2026-552, § 6(c)(1) (opt-out preference signal conflict rule)** — "If a consumer's decision to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal sent in accordance with this section conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with the consumer's opt-out preference signal but may notify the consumer of the conflict and provide the choice to confirm controller-specific privacy settings or participation in such a program." *Ala. Act No. 2026-552, § 6(c)(1).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-sensitive-optin]: **Ala. Act No. 2026-552, § 7(b)(1)-(2) (sensitive-data consent)** — "(b) A controller may not do any of the following: (1) Except as provided in this act, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed by the controller. (2) Process sensitive data concerning a consumer other than a known child without obtaining that consumer's consent or, in the case of the processing of personal data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq." *Ala. Act No. 2026-552, § 7(b)(1)-(2).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-sensitive-def]: **Ala. Act No. 2026-552, § 2(21) (sensitive-data definition)** — "SENSITIVE DATA. Personal data that includes any of the following: a. Data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual's sex life, sexual orientation, or citizenship or immigration status. b. The processing of genetic or biometric data for the purpose of uniquely identifying an individual. c. Personal data collected from a known child. d. Precise geolocation data." *Ala. Act No. 2026-552, § 2(21).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-consent-def]: **Ala. Act No. 2026-552, § 2(5) (consent definition)** — "CONSENT. A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer, including, but not limited to, a written statement or a statement by electronic means. The term does not include any of the following: a. Acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information. b. Hovering over, muting, or pausing a given piece of content. c. An agreement obtained using dark patterns." *Ala. Act No. 2026-552, § 2(5).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-consent-revocation]: **Ala. Act No. 2026-552, § 7(a)(3) (consent revocation)** — "(3) Provide an effective mechanism for a consumer to revoke the consumer's consent under this act that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, on revocation of the consent, cease to further process the personal data as soon as practicable, but no later than 45 days after complying with the consumer's opt-out request consistent with this act." *Ala. Act No. 2026-552, § 7(a)(3).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-teen-rule]: **Ala. Act No. 2026-552, § 7(b)(4) (13-to-15-year-olds)** — "(b) A controller may not do any of the following: (1) Except as provided in this act, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed by the controller. (2) Process sensitive data concerning a consumer other than a known child without obtaining that consumer's consent or, in the case of the processing of personal data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq. (3) Process personal data in violation of the laws of this state or federal laws that prohibit unlawful discrimination against consumers. (4) Process the personal data of a consumer for the purposes of targeted advertising or sell a consumer's personal data without the consumer's consent under circumstances in which a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age." *Ala. Act No. 2026-552, § 7(b)(4).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^apdpa-coppa-safe-harbor]: **Ala. Act No. 2026-552, § 4(c) (COPPA parental-consent compliance)** — "(c) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act of 1998 are compliant with any obligation to obtain parental consent pursuant to this act." *Ala. Act No. 2026-552, § 4(c).* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^breach-notice-trigger]: **Ala. Code § 8-38-5(a) (individual-notice trigger)** — "A covered entity that is not a third-party agent that determines under Section 8-38-4 that, as a result of a breach of security, sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates, shall give notice of the breach to each individual." *Ala. Code § 8-38-5(a).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-5>
+
+[^breach-45-days]: **Ala. Code § 8-38-5(b) (45-day individual-notice clock)** — "(b) Notice to individuals under subsection (a) shall be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the covered entity to conduct an investigation in accordance with Section 8-38-4. Except as provided in subsection (c), the covered entity shall provide notice within 45 days of the covered entity's receipt of notice from a third-party agent that a breach has occurred or upon the covered entity's determination that a breach has occurred and is reasonably likely to cause substantial harm to the individuals to whom the information relates." *Ala. Code § 8-38-5(b).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-5>
+
+[^breach-ag-notice]: **Ala. Code § 8-38-6(a) (Attorney General notice over 1,000)** — "If the number of individuals a covered entity is required to notify under Section 8-38-5 exceeds 1,000, the entity shall provide written notice of the breach to the Attorney General as expeditiously as possible and without unreasonable delay." *Ala. Code § 8-38-6(a).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-6>
+
+[^breach-security-duty]: **Ala. Code § 8-38-3(a)-(b) (reasonable security measures)** — "(a) Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security. (b) Reasonable security measures means security measures practicable for the covered entity subject to subsection (c), to implement and maintain, including consideration of all of the following: (1) Designation of an employee or employees to coordinate the covered entity's security measures to protect against a breach of security. An owner or manager may designate himself or herself. (2) Identification of internal and external risks of a breach of security. (3) Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards. (4) Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information. (5) Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information. (6) Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided, however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened executive session under the Open Meetings Act pursuant to Section 36-25A-7." *Ala. Code § 8-38-3(a)-(b).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-3>
+
+[^breach-vendor-clock]: **Ala. Code § 8-38-8 (third-party agent 10-day notice)** — "In the event a third-party agent has experienced a breach of security in the system maintained by the agent, the agent shall notify the covered entity of the breach of security as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred." *Ala. Code § 8-38-8.* <https://alison.legislature.state.al.us/code-of-alabama/8-38-8>
+
+[^breach-cra-notice]: **Ala. Code § 8-38-7 (consumer reporting agency notice)** — "If a covered entity discovers circumstances requiring notice under Section 8-38-5 of more than 1,000 individuals at a single time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. §1681a, of the timing, distribution, and content of the notices." *Ala. Code § 8-38-7.* <https://alison.legislature.state.al.us/code-of-alabama/8-38-7>
+
+[^breach-spii-def]: **Ala. Code § 8-38-2(6) (sensitive personally identifying information)** — "(6) SENSITIVE PERSONALLY IDENTIFYING INFORMATION. a. Except as provided in paragraph b., an Alabama resident's first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident: 1. A non-truncated Social Security number or tax identification number. 2. A non-truncated driver's license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual. 3. A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account. 4. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. 5. An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. 6. A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information. b. The term does not include either of the following: 1. Information about an individual which has been lawfully made public by a federal, state, or local government record or a widely distributed media. 2. Information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information." *Ala. Code § 8-38-2(6).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-2>
+
+[^breach-notice-contents]: **Ala. Code § 8-38-5(d) (individual-notice contents)** — "(d) Except as provided by subsection (e), notice to an affected individual under this section shall be given in writing, sent to the mailing address of the individual in the records of the covered entity, or by email notice sent to the email address of the individual in the records of the covered entity. The notice shall include, at a minimum, all of the following: (1) The date, estimated date, or estimated date range of the breach. (2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach. (3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach. (4) A general description of steps an affected individual can take to protect himself or herself from identity theft. (5) Information that the individual can use to contact the covered entity to inquire about the breach." *Ala. Code § 8-38-5(d).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-5>
+
+[^breach-substitute-notice]: **Ala. Code § 8-38-5(e) (substitute notice)** — "(e)(1) A covered entity required to provide notice to any individual under this section may provide substitute notice in lieu of direct notice, if direct notice is not feasible due to any of the following: a. Excessive cost. The term includes either of the following: 1. Excessive cost to the covered entity relative to the resources of the covered entity. 2. The cost to the covered entity exceeds five hundred thousand dollars ($500,000). b. Lack of sufficient contact information for the individual required to be notified. c. The affected individuals exceed 100,000 persons. (2) a. Substitute notice shall include both of the following: 1. A conspicuous notice on the Internet website of the covered entity, if the covered entity maintains a website, for a period of 30 days. 2. Notice in print and in broadcast media, including major media in urban and rural areas where the affected individuals reside. b. An alternative form of substitute notice may be used with the approval of the Attorney General." *Ala. Code § 8-38-5(e).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-5>
+
+[^breach-no-notice-record]: **Ala. Code § 8-38-5(f) (no-notice documentation)** — "(f) If a covered entity determines that notice is not required under this section, the entity shall document the determination in writing and maintain records concerning the determination for no less than five years." *Ala. Code § 8-38-5(f).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-5>
+
+[^apdpa-enforcement]: **Ala. Act No. 2026-552, § 11 (AG enforcement; 45-day cure; $15,000 penalty)** — "Section 11. (a) The Attorney General may enforce violations of this act. (b)(1) The Attorney General, prior to initiating any action for a violation of any provision of this act, shall issue a notice of violation to the controller. (2) If the controller fails to correct the violation within 45 days after receipt of the notice of violation, the Attorney General may bring an action for an injunction pursuant to this section. Upon a finding that the controller has violated this act and failed to correct the violation as required by this section, the court may assess a civil penalty of not more than fifteen thousand dollars ($15,000) per violation. (3) If within the 45-day period the controller corrects the noticed violation and provides the Attorney General an express written statement that the alleged violations have been corrected and that no such further violations will occur, no action may be initiated against the controller." *Ala. Act No. 2026-552, § 11.* <https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf>
+
+[^breach-adtpa-routing]: **Ala. Code § 8-38-9(a) (breach violations routed to the ADTPA)** — "A violation of the notification provisions of this chapter is an unlawful trade practice under the Alabama Deceptive Trade Practices Act, Chapter 19 of this title, but does not constitute a criminal offense under Section 8-19-12. The Attorney General shall have the exclusive authority to bring an action for civil penalties under this chapter." *Ala. Code § 8-38-9(a).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-9>
+
+[^breach-no-pra]: **Ala. Code § 8-38-9(a)(1) (no private cause of action)** — "A violation of this chapter does not establish a private cause of action under Section 8-19-10. Nothing in this chapter may otherwise be construed to affect any right a person may have at common law, by statute, or otherwise." *Ala. Code § 8-38-9(a)(1).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-9>
+
+[^breach-500k-cap]: **Ala. Code § 8-38-9(a)(2) (knowing violations; $500,000 per breach)** — "Any covered entity or third-party agent who is knowingly engaging in or has knowingly engaged in a violation of the notification provisions of this chapter is subject to the penalty provisions set out in Section 8-19-11. For the purposes of this chapter, knowingly shall mean willfully or with reckless disregard in failing to comply with the notice requirements of Sections 8-38-5 and 8-38-6. Civil penalties assessed under Section 8-19-11, shall not exceed five hundred thousand dollars ($500,000) per breach." *Ala. Code § 8-38-9(a)(2).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-9>
+
+[^breach-per-day]: **Ala. Code § 8-38-9(b)(1) ($5,000-per-day penalty)** — "Notwithstanding any remedy available under subdivision (2) of subsection (a), a covered entity that violates the notification provisions of this chapter shall be liable for a civil penalty of not more than five thousand dollars ($5,000) per day for each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions of this chapter." *Ala. Code § 8-38-9(b)(1).* <https://alison.legislature.state.al.us/code-of-alabama/8-38-9>
+
+[^adtpa-private-remedy]: **Ala. Code § 8-19-10(a) (ADTPA limited private remedy)** — "Any person who commits one or more of the acts or practices declared unlawful under this chapter and thereby causes monetary damage to a consumer, and any person who commits one or more of the acts or practices declared unlawful in subdivisions (19) and (20) of Section 8-19-5 and thereby causes monetary damage to another person, shall be liable to each consumer or other person for: (1) Any actual damages sustained by such consumer or person, or the sum of $100, whichever is greater; or (2) Up to three times any actual damages, in the court's discretion." *Ala. Code § 8-19-10(a).* <https://alison.legislature.state.al.us/code-of-alabama/8-19-10>
+
+[^adtpa-class-bar]: **Ala. Code § 8-19-10(f) (statutory class-action bar)** — "A consumer or other person bringing an action under this chapter may not bring an action on behalf of a class. The limitation in this subsection is a substantive limitation and allowing a consumer or other person to bring a class action or other representative action for a violation of this chapter would abridge, enlarge, or modify the substantive rights created by this chapter." *Ala. Code § 8-19-10(f).* <https://alison.legislature.state.al.us/code-of-alabama/8-19-10>
+
+[^adtpa-demand]: **Ala. Code § 8-19-10(e) (15-day pre-suit demand)** — "(e) At least 15 days prior to the filing of any action under this section, a written demand for relief, identifying the claimant and reasonably describing the unfair or deceptive act or practice relied upon and the injury suffered, shall be communicated to any prospective respondent by placing in the United States mail or otherwise." *Ala. Code § 8-19-10(e).* <https://alison.legislature.state.al.us/code-of-alabama/8-19-10>

package/skills/legal-explainers/data-privacy-law-explainer/content/alaska.md

@@ -0,0 +1,155 @@
+---
+jurisdiction: "Alaska"
+slug: alaska
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/alaska
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/alaska · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Alaska Consumer Privacy Law[^about]
+
+Alaska has no comprehensive consumer-privacy statute. Article 1 of the Personal Information Protection Act (AS 45.48.010–.090) governs breach notice and routes violations into the unfair-trade-practices act with a $500 private-damages cap; the Genetic Privacy Act and the federal overlay fill out the rest of this Alaska privacy note.
+
+
+## At a glance
+
+| Question | Alaska |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Alaska has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative law covered here is Article 1 of the Personal Information Protection Act, which requires breach notice in the most expeditious time possible and makes a violation an unfair trade practice — but caps private damages at $500 of actual economic loss. The Genetic Privacy Act is the sharp edge of Alaska law, conditioning DNA collection on informed written consent and backing that with $5,000 or $100,000 statutory damages. Everything else in this Alaska-facing program note comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — so build to those plus the breach statute, and the program upgrades rather than restarts if Alaska enacts an omnibus law later. |
+| **Main law** | Alaska Personal Information Protection Act Article 1, AS 45.48.010–.090 — breach notification plus a deemed unfair-trade-practice enforcement bridge; Alaska has no comprehensive consumer-privacy law |
+| **Privacy policy required?** | No Alaska statute mandates a general consumer privacy policy or fixes its contents; contents are driven by FTC Act § 5 (a policy that misstates practices is deceptive) and by GLBA, HIPAA, and COPPA where the business is in scope |
+| **Who does it cover?** | Any covered person — a person doing business, a governmental agency, or a person with more than 10 employees — that owns or licenses personal information on Alaska residents; no revenue or consumer-volume threshold |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | Only for certain data types |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Yes, but tightly capped — a breach-notice violation is an unfair trade practice under AS 45.50.471, with private damages limited to actual economic damages not exceeding $500; the Genetic Privacy Act (AS 18.13) separately allows $5,000 or $100,000 statutory damages |
+| **Who enforces it?** | Alaska Attorney General (Department of Law); the Department of Administration enforces breach-notice violations by state agencies |
+
+## Which privacy laws apply to your business in Alaska? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Alaska consumer-privacy law. The operative breach-notification statute covered here is Article 1 of the Alaska Personal Information Protection Act (PIPA), which applies to any *covered person* — a person doing business, a governmental agency, or a person with more than 10 employees [^pipa-covered-person] — that owns or licenses personal information on an Alaska resident [^q1-pipa-trigger]. It carries no revenue or consumer-volume threshold, and it governs breach response rather than day-to-day data handling. Alongside it sits the Genetic Privacy Act, which conditions DNA collection, analysis, retention, and disclosure on informed and written consent [^q1-gpa-consent].
+
+Alaska has not enacted an omnibus privacy statute, so its residents do not have general state-law rights to access, delete, correct, or opt out of the sale of their personal data, and businesses are not subject to state notice-at-collection, consent, universal-opt-out, or data-protection-assessment duties. A 2026 bill would have created an omnibus regime of consumer rights and business duties, but no comprehensive Alaska privacy act is in force.
+
+Two other pieces of state law frame this note. The Alaska Constitution is background rather than a private-business checklist here; the source-carded compliance duties below come from statutes and the federal overlay. And the Unfair Trade Practices and Consumer Protection Act (UTPCPA) supplies the enforcement machinery: as developed in the enforcement prong below, a PIPA Article 1 breach-notice violation is deemed an unfair trade practice, though with damages limits unique to the breach-notice article.
+
+The rest of an Alaska-facing privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; the Children's Online Privacy Protection Act governs services directed to children under 13; and CAN-SPAM and the TCPA govern email and SMS marketing. None of those is an Alaska statute, but together with PIPA Article 1 and the Genetic Privacy Act they are what this note treats as the enforceable Alaska-facing privacy program today. If Alaska enacts a comprehensive law in a future session, a program built to this overlay upgrades rather than restarts.
+
+## What must your Alaska privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Alaska statute requires a general consumer privacy policy or fixes what it must say. For most businesses, the policy is governed not by a state checklist but by the rule that whatever you publish has to be true: Section 5 of the FTC Act declares unfair or deceptive practices unlawful [^fed-ftc5-deceptive], and Alaska's UTPCPA reaches misleading conduct and misrepresentations in sales or advertising [^ak-utpcpa-deception]. A policy mismatch can be pursued under those general deceptive-practices theories. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^fed-hipaa-notice].
+
+In practice the drafting question in Alaska is less what must be included and more does the policy match actual practice. Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution, the HIPAA Notice of Privacy Practices if you are a covered entity or business associate, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. One Alaska-specific drafting note: if you collect genetic data of any kind, do not rely on a privacy policy at all — the Genetic Privacy Act requires informed and written consent, and a general disclosure cannot substitute for it, a point developed in the genetic-data prong below. There is no Alaska-mandated policy checklist to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Alaska has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The one Alaska statute that touches the vendor relationship is PIPA: a vendor that maintains personal information on another business's behalf (an *information recipient*) is excused from notifying residents directly, but must immediately notify the business that owns or licensed the data (the *information distributor*) after discovering a breach and cooperate so that business can give the required notices [^pipa-recipient-notify].
+
+Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards [^fed-glba-safeguards]; HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before sharing protected health information [^fed-hipaa-baa]. Outside those verticals, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Alaska statute compels them.
+
+PIPA's recipient-distributor mechanics are worth writing into the contract rather than leaving to the statute. The statutory duty runs from the vendor to you *immediately* after discovery, and once you are notified, you must give resident notices as if the breach had happened on your own systems. A well-drafted Alaska vendor clause therefore fixes a short notification window, requires the vendor to share information relevant to the breach (the statute's cooperation duty carves out only confidential business information and trade secrets), and allocates the cost of notice and credit-agency reporting. That is a breach-response duty, not a general DPA mandate — there is no Alaska source to cite for omnibus vendor terms, so the rest of the clause set is overlay- and best-practice-driven.
+
+## When must you notify people of a data breach in Alaska? {#breach-notification}
+
+**Short answer.** After discovering or being notified of a breach, a covered person must disclose it to each Alaska resident whose personal information was subject to the breach [^pipa-trigger]. The notice must be made in the most expeditious time possible and without unreasonable delay — Alaska sets no fixed day count — allowing only the time needed to determine the breach's scope and restore the system's integrity [^pipa-timing], or a delay requested in connection with a criminal investigation [^pipa-le-delay]. There is one exception: notice is not required if, after an appropriate investigation and *written notification to the attorney general*, the covered person determines there is not a reasonable likelihood of harm to consumers — a determination that must be documented and kept for five years [^pipa-harm-exception].
+
+This is the prong where Alaska imposes a hard statutory duty, so it is the center of any Alaska incident-response plan. A *breach of the security* is the unauthorized acquisition — or reasonable belief of unauthorized acquisition — of personal information that compromises its security, confidentiality, or integrity, whether the data was taken by computer, by photocopy, or by any other method [^pipa-breach-def]. *Personal information* is a resident's name combined with an unencrypted, unredacted data element such as a Social Security number, driver's license or state ID number, account or card number plus any required personal code, or passwords and access codes for financial accounts — and encrypted data still counts if the encryption key was also accessed or acquired [^pipa-personal-info].
+
+Note the unusual shape of Alaska's attorney-general involvement: there is no general duty to report a breach to the attorney general. The written notification runs to the attorney general only when you invoke the no-likelihood-of-harm exception to skip resident notice — so deciding not to notify is itself a regulatory filing, and the statute makes that filing non-public.
+
+Notice may be given by written document to the resident's most recent address, by electronic means where that is the primary channel or e-signature rules are satisfied, or — where notice would cost more than $150,000, the affected class exceeds 300,000 residents, or contact information is insufficient — by the substitute route of email, conspicuous website posting, and notice to major statewide media [^pipa-methods]. If more than 1,000 residents must be notified, the nationwide consumer credit reporting agencies must also be told of the timing, distribution, and content of the notices [^pipa-cra-notice], except for entities subject to the Gramm-Leach-Bliley Act. And none of this can be contracted around: a waiver of the breach-notice article is void and unenforceable [^pipa-waiver].
+
+## Does Alaska have special rules for DNA and genetic data? {#genetic-data}
+
+**Short answer.** Yes — and they are the strictest privacy rules on Alaska's books. Under the Genetic Privacy Act, a person may not collect a DNA sample, perform a DNA analysis, retain a sample or its results, or disclose the results without first obtaining the person's informed and written consent [^gpa-consent]. The statute goes further than consent: a DNA sample and the results of its analysis are the exclusive property of the person sampled or analyzed [^gpa-property]. Violations carry a private right of action with statutory damages of $5,000 — or $100,000 if the violation produced profit or monetary gain [^gpa-pra] — and knowing violations are a class A misdemeanor [^gpa-misdemeanor].
+
+For any business that touches genetic data — direct-to-consumer testing, health and wellness products, research, even workplace testing — this chapter is the dominant Alaska compliance risk, because the exposure scales per violation without proof of actual loss. The consent must be informed and *written*; a general authorization for the release of medical records does not qualify, and a person may revoke or amend consent at any time. The Department of Health may adopt a uniform consent form, and using it confers a liability safe harbor [^gpa-consent-form].
+
+The prohibitions carry a short list of exceptions: DNA work under Alaska's law-enforcement DNA-registration system or comparable laws, law-enforcement identification purposes, paternity determination, newborn screening required by law, and emergency medical treatment [^gpa-exceptions]. Notably absent is any general research or commercial-convenience exception — if the use case is not on the list, the answer is written consent or nothing. The definition of *DNA analysis* is tailored to genetic typing and testing for genetic characteristics, and expressly excludes routine clinical tests such as drug, alcohol, cholesterol, or HIV testing, so ordinary lab work does not trip the statute [^gpa-dna-analysis-def].
+
+## Can a consumer sue your business in Alaska over privacy? {#consumer-lawsuit}
+
+**Short answer.** Yes, but for breach-notice violations the recovery is unusually small. PIPA builds a bridge into Alaska's consumer-protection act: a violation of the breach-notification article by a non-governmental information collector *is* an unfair or deceptive act or practice under the Unfair Trade Practices and Consumer Protection Act [^pipa-udap-bridge]. But the bridge comes with a cap — in a private action over a PIPA violation, damages are limited to actual economic damages, and under the main private-action section they may not exceed $500 [^pipa-damages-cap]. The state's recovery is capped too: in place of ordinary UTPCPA civil penalties, the information collector is liable for up to $500 for each resident who was not notified, with a $50,000 total ceiling [^pipa-ag-penalty]. The exposure that is *not* capped sits in the Genetic Privacy Act, whose private action carries $5,000 or $100,000 statutory damages per violation [^q6-gpa-pra].
+
+The cap is what makes Alaska's enforcement architecture distinctive. In an ordinary UTPCPA case, a person who suffers an ascertainable loss may recover, for each unlawful act, three times actual damages or $500, whichever is greater [^utpa-private-action] — a treble-damages remedy that makes the statute a workhorse for Alaska consumer plaintiffs. PIPA deliberately walls breach-notice claims off from that remedy: the violation is deemed unfair or deceptive [^pipa-udap-bridge], which opens the UTPCPA's procedural doors, but the recoverable damages shrink to actual economic loss with a $500 ceiling [^pipa-damages-cap]. The practical effect is that one-off private suits over a missed breach notice are rarely economic, while the attorney general — whose UTPCPA authority rests on the act's general declaration that unfair or deceptive practices in trade or commerce are unlawful [^utpa-unlawful] — carries the realistic enforcement threat through the per-resident penalty, plus injunctive relief.
+
+Two further doors stay open. First, the UTPCPA separately allows any victim of an unlawful act — whether or not the person suffered actual damages — to seek an injunction against its continuation after written notice to the seller [^utpa-injunction], a remedy the PIPA cap does not erase. Second, the Genetic Privacy Act's private action has no PIPA-style limitation: statutory damages of $5,000 per violation, or $100,000 where the violator profited, accrue on top of actual damages [^q6-gpa-pra], which is why genetic data, not breach response, is where Alaska private-suit exposure concentrates. For violations by state and local agencies, enforcement runs through the Department of Administration rather than the UTPCPA. The durable takeaway: build the incident-response program for the attorney general and the per-resident penalty math, and treat any genetic-data processing as the place where plaintiffs, not regulators, set the price.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Alaska. This article synthesizes Alaska primary law and is not legal advice from a Alaska-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^pipa-covered-person]: **AS 45.48.090** — "‘covered person’ means a (A) person doing business; (B) governmental agency; or (C) person with more than 10 employees;" *AS 45.48.090(2).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^q1-pipa-trigger]: **AS 45.48.010** — "If a covered person owns or licenses personal information in any form that includes personal information on a state resident, and a breach of the security of the information system that contains personal information occurs, the covered person shall, after discovering or being notified of the breach, disclose the breach to each state resident whose personal information was subject to the breach." *AS 45.48.010(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^q1-gpa-consent]: **AS 18.13.010** — "a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person's legal guardian or authorized representative, for the collection, analysis, retention, or disclosure;" *AS 18.13.010(a)(1).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^ak-utpcpa-deception]: **AS 45.50.471** — "The terms ‘unfair methods of competition’ and ‘unfair or deceptive acts or practices’ include the following acts" *AS 45.50.471(b)(11)-(12).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.50.471&secEnd=45.50.471>
+
+[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^pipa-recipient-notify]: **AS 45.48.070** — "If a breach of the security of the information system containing personal information on a state resident that is maintained by an information recipient occurs, the information recipient is not required to comply with AS 45.48.010 — 45.48.030." *AS 45.48.070(a)-(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>
+
+[^pipa-trigger]: **AS 45.48.010** — "If a covered person owns or licenses personal information in any form that includes personal information on a state resident, and a breach of the security of the information system that contains personal information occurs, the covered person shall, after discovering or being notified of the breach, disclose the breach to each state resident whose personal information was subject to the breach." *AS 45.48.010(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-timing]: **AS 45.48.010** — "An information collector shall make the disclosure required by (a) of this section in the most expeditious time possible and without unreasonable delay, except as provided in AS 45.48.020 and as necessary to determine the scope of the breach and restore the reasonable integrity of the information system." *AS 45.48.010(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-le-delay]: **AS 45.48.020** — "An information collector may delay disclosing the breach under AS 45.48.010 if an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation. However, the information collector shall disclose the breach to the state resident in the most expeditious time possible and without unreasonable delay after the law enforcement agency informs the information collector in writing that disclosure of the breach will no longer interfere with the investigation." *AS 45.48.020.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-harm-exception]: **AS 45.48.010** — "Notwithstanding (a) of this section, disclosure is not required if, after an appropriate investigation and after written notification to the attorney general of this state, the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The determination shall be documented in writing, and the documentation shall be maintained for five years. The notification required by this subsection may not be considered a public record open to inspection by the public." *AS 45.48.010(c).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-breach-def]: **AS 45.48.090** — "‘breach of the security’ means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector;" *AS 45.48.090(1).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-personal-info]: **AS 45.48.090** — "‘personal information’ means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of (A) an individual's name; in this subparagraph, ‘individual's name’ means a combination of an individual's (i) first name or first initial; and (ii) last name; and (B) one or more of the following information elements: (i) the individual's social security number; (ii) the individual's driver's license number or state identification card number; (iii) except as provided in (iv) of this subparagraph, the individual's account number, credit card number, or debit card number; (iv) if an account can only be accessed with a personal code, the number in (iii) of this subparagraph and the personal code; in this sub-subparagraph, ‘personal code’ means a security code, an access code, a personal identification number, or a password; (v) passwords, personal identification numbers, or other access codes for financial accounts." *AS 45.48.090(7).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-methods]: **AS 45.48.030** — "An information collector shall make the disclosure required by AS 45.48.010 (1) by a written document sent to the most recent address the information collector has for the state resident; (2) by electronic means if the information collector's primary method of communication with the state resident is by electronic means or if making the disclosure by the electronic means is consistent with the provisions regarding electronic records and signatures required for notices legally required to be in writing under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global and National Commerce Act); or (3) if the information collector demonstrates that the cost of providing notice would exceed $150,000, that the affected class of state residents to be notified exceeds 300,000, or that the information collector does not have sufficient contact information to provide notice, by (A) electronic mail if the information collector has an electronic mail address for the state resident; (B) conspicuously posting the disclosure on the Internet website of the information collector if the information collector maintains an Internet website; and (C) providing a notice to major statewide media." *AS 45.48.030.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-cra-notice]: **AS 45.48.040** — "If an information collector is required by AS 45.48.010 to notify more than 1,000 state residents of a breach, the information collector shall also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis and provide the agencies with the timing, distribution, and content of the notices to state residents." *AS 45.48.040(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-waiver]: **AS 45.48.060** — "A waiver of AS 45.48.010 — 45.48.090 is void and unenforceable." *AS 45.48.060.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^gpa-consent]: **AS 18.13.010** — "a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person's legal guardian or authorized representative, for the collection, analysis, retention, or disclosure;" *AS 18.13.010(a)(1).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-property]: **AS 18.13.010** — "a DNA sample and the results of a DNA analysis performed on the sample are the exclusive property of the person sampled or analyzed." *AS 18.13.010(a)(2).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-pra]: **AS 18.13.020** — "A person may bring a civil action against a person who collects a DNA sample from the person, performs a DNA analysis on a sample, retains a DNA sample or the results of a DNA analysis, or discloses the results of a DNA analysis in violation of this chapter. In addition to the actual damages suffered by the person, a person violating this chapter shall be liable to the person for damages in the amount of $5,000 or, if the violation resulted in profit or monetary gain to the violator, $100,000." *AS 18.13.020.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-misdemeanor]: **AS 18.13.030** — "A person commits the crime of unlawful DNA collection, analysis, retention, or disclosure if the person knowingly collects a DNA sample from a person, performs a DNA analysis on a sample, retains a DNA sample or the results of a DNA analysis, or discloses the results of a DNA analysis in violation of this chapter" *AS 18.13.030(a), (c).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-consent-form]: **AS 18.13.010** — "A general authorization for the release of medical records or medical information may not be construed as the informed and written consent required by this section. The Department of Health may by regulation adopt a uniform informed and written consent form to assist persons in meeting the requirements of this section. A person using that uniform informed and written consent is exempt from civil or criminal liability for actions taken under the consent form. A person may revoke or amend their informed and written consent at any time." *AS 18.13.010(c).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-exceptions]: **AS 18.13.010** — "The prohibitions of (a) of this section do not apply to DNA samples collected and analyses conducted (1) under AS 44.41.035 or comparable provisions of another jurisdiction; (2) for a law enforcement purpose, including the identification of perpetrators and the investigation of crimes and the identification of missing or unidentified persons or deceased individuals; (3) for determining paternity; (4) to screen newborns as required by state or federal law; (5) for the purpose of emergency medical treatment." *AS 18.13.010(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^gpa-dna-analysis-def]: **AS 18.13.100** — "‘DNA analysis’ means DNA or genetic typing and testing to determine the presence or absence of genetic characteristics in an individual, including tests of nucleic acids or chromosomes in order to diagnose or identify a genetic characteristic; ‘DNA analysis’ does not include a routine physical measurement, a test for drugs, alcohol, cholesterol, or the human immunodeficiency virus, a chemical, blood, or urine analysis, or any other diagnostic test that is widely accepted and in use in clinical practice;" *AS 18.13.100(2).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^pipa-udap-bridge]: **AS 45.48.080** — "If an information collector who is not a governmental agency violates AS 45.48.010 — 45.48.090 with regard to the personal information of a state resident, the violation is an unfair or deceptive act or practice under AS 45.50.471 — 45.50.561." *AS 45.48.080(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-damages-cap]: **AS 45.48.080** — "damages that may be awarded against the information collector under (A) AS 45.50.531 are limited to actual economic damages that do not exceed $500; and (B) AS 45.50.537 are limited to actual economic damages." *AS 45.48.080(b)(2).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^pipa-ag-penalty]: **AS 45.48.080** — "the information collector is not subject to the civil penalties imposed under AS 45.50.551 but is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under AS 45.48.010 — 45.48.090, except that the total civil penalty may not exceed $50,000" *AS 45.48.080(b)(1).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.48.010&secEnd=45.48.090>
+
+[^q6-gpa-pra]: **AS 18.13.020** — "In addition to the actual damages suffered by the person, a person violating this chapter shall be liable to the person for damages in the amount of $5,000 or, if the violation resulted in profit or monetary gain to the violator, $100,000." *AS 18.13.020.* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=18.13.010&secEnd=18.13.100>
+
+[^utpa-private-action]: **AS 45.50.531** — "A person who suffers an ascertainable loss of money or property as a result of another person's act or practice declared unlawful by AS 45.50.471 may bring a civil action to recover for each unlawful act or practice three times the actual damages or $500, whichever is greater." *AS 45.50.531(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.50.531&secEnd=45.50.535>
+
+[^utpa-unlawful]: **AS 45.50.471** — "Unfair methods of competition and unfair or deceptive acts or practices in the conduct of trade or commerce are declared to be unlawful." *AS 45.50.471(a).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.50.471&secEnd=45.50.471>
+
+[^utpa-injunction]: **AS 45.50.535** — "Subject to (b) of this section and in addition to any right to bring an action under AS 45.50.531 or other law, any person who was the victim of the unlawful act, whether or not the person suffered actual damages, may bring an action to obtain an injunction prohibiting a seller or lessor from continuing to engage in an act or practice declared unlawful under AS 45.50.471" *AS 45.50.535(a)-(b).* <https://www.akleg.gov/basis/statutes.asp?media=print&secStart=45.50.531&secEnd=45.50.535>