
Alabama - Sectoral Privacy Overview

June 2023

1. Right to Privacy / Constitutional Protection

The Constitution of Alabama does not explicitly recognize a right to privacy. However, it does contain provisions that would protect any right to privacy of an Alabama citizen from being deprived by foreign law. Article I, §13.50(b)(7) of the Alabama Constitution, known as the 'American and Alabama Laws for Alabama Courts Amendments', declares it the public policy of the State of Alabama to 'protect its citizens from the application of foreign laws when the application of foreign law will result in the violation of a right guaranteed by the Alabama Constitution or of the Constitution of the United States, including, but not limited to, due process, freedom of religion, speech, assembly, or press, or any right of privacy or marriage.' 

Also, regarding constitutional privacy rights, Article 23 of Chapter 9 of Title 41 of the Code of Alabama ('Ala. Code') provides for the creation of the Alabama Justice Information Commission ('AJIC') and addresses the AJIC's collection, dissemination, and so on, of criminal data. The AJIC is authorized with certain powers and duties as to the collection, dissemination, and so on, of criminal and offender data (see §41-9-621 of Division 2 of Article 23 of Chapter 9 of Title 41 of the Ala. Code). Under Ala. Code §41-9-594, the chair of the AJIC/ALEA is instructed to appoint a Privacy and Security Committee, which may adopt rules and policies in this regard. 

This authority is tempered, however, by Ala. Code §41-9-642, which states the following: 

'Nothing in [Article 23] shall be construed to give authority to any person, agency or corporation or other legal entity to invade the privacy of any citizen as defined by the constitution, the Legislature or the courts other than to the extent provided in [Article 23]. Disclosure of criminal histories or other information that may directly or otherwise lead to the identification of the individual to whom such information pertains may not be made to any person, agency, corporation or other legal entity that has neither the 'need to know' nor the 'right to know' as determined by the commission pursuant to Ala. Code §41-9-594.' 

With regard to Fourth Amendment constitutional rights, in 2015, the U.S. Court of Appeals for the Eleventh Circuit ruled that law officers do not need a warrant to obtain a suspect's mobile location records. In United States v. Davis, law officers used mobile locations to track and convict Quartavious Davis of armed robbery. Davis appealed, arguing that law enforcement violated his Fourth Amendment rights by tracking his mobile without a warrant. However, the Court said that: 

  • law enforcement obtaining a court order under the Stored Communications Act for the production of a cell phone carrier's business records was not a search; and 
  • even if it was a search, obtaining such records without a warrant was reasonable. 

Specifically, the Eleventh Circuit Court ruled that Davis had no reasonable expectation of privacy in business records made, kept, and owned by the carrier (not Davis); so, at most, Davis could assert only a diminished expectation of privacy, which was one of the factors making a warrantless search or seizure reasonable (see United States v. Davis, 785 F.3d 498, 517 (11th Cir. 2015) (en banc)). Further, the Court ruled that any intrusion on Davis' alleged privacy expectation was minimal because: 

  • there was no overhearing or recording of any conversations; and 
  • there was no GPS real-time tracking of the precise movements of a person or vehicle.

As a result, law enforcement officers in Alabama, Georgia, and Florida may obtain warrantless mobile records from a carrier. It should be noted that other Circuit Courts have taken different positions (see for example Marcus Zanders v. State of Indiana, 73 N.E.3d 178 (Ind. 2017)).

2. Key Privacy Laws

Common Law Rights against Invasion of Privacy

Under Alabama law, a defendant may be alleged to have invaded a plaintiff's privacy in four distinct ways: 

  • intrusion upon another's physical solitude or seclusion; 
  • publicity as to private information about another which violates ordinary decency; 
  • placing another in a false, though not necessarily defamatory, position in the public eye; and 
  • appropriation of some element of another's personality for commercial use.

As discussed above, the fourth type of invasion of privacy, a commercial appropriation claim, was the basis for the Stored Communications Act, which was intended to supersede Alabama case law regarding commercial appropriation invasion of privacy to the extent such case law is inconsistent with the Stored Communications Act. However, this case law remains important for the guidance it may provide in interpreting the Stored Communications Act; also, it is unknown how courts will treat the relationship between the Stored Communications Act and commercial appropriation case law. Additionally, while the Stored Communications Act is intended to impact the commercial appropriation form of invasion of privacy, the same comments to the Stored Communications Act explicitly state that it 'does not preempt any other form of the common law right of privacy'. 

Alabama courts have described an invasion of privacy as occurring when the defendant "intrudes upon a plaintiff's physical solitude or seclusion or wrongfully intrudes into private activities in a manner that would outrage, or cause mental suffering, shame, or humiliation to, a person of ordinary sensibilities" (Doe v. Roe, 638 So.2d 826 (Ala. 1994)).

Although, normally, there is no invasion of privacy in a public place (see for example, Schifano v. Greene County Greyhound Park, Inc., 624 So.2d 178 (Ala. 1993), stating that the fact that the plaintiffs were attending a greyhound park and sitting in public seating when their photograph was taken "negated any claim of solitude or seclusion on the part of the plaintiffs or intrusion into their affairs and concerns"), at least one Alabama court has held that an invasion of privacy may occur in a public place, for example, if a person is photographed in a way that is embarrassing to a person of ordinary sensibilities, at least if the situation occurs accidentally (see Daily Times Democrat v. Graham, 162 So.2d 474 (Ala. 1964), affirming a judgment for invasion of privacy against a newspaper which published a photograph taken of a woman when her dress was accidentally blown into the air at a local fair). 

The third form of invasion of privacy, a false light claim, occurs when (see Schifano, supra): 

  • the defendant "gives publicity to a matter concerning [the plaintiff] that places the [plaintiff] before the public in a false light"; 
  • the false light "would be highly offensive to a reasonable person"; and 
  • the defendant "had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which [the plaintiff] would be placed".

Lastly, the fourth type of invasion of privacy, a commercial appropriation claim, exists when 'publicity is given for the purpose of appropriating to the defendant's benefit the commercial or other values associated with [the plaintiff's] name or likeness' (see Schifano, holding that the use of a photograph of the plaintiffs sitting in a reserved section of a greyhound park in an advertising brochure for the park was not a commercial appropriation because there was "no unique quality or value in [the plaintiffs'] likenesses that would result in commercial profit to the [park] simply from using a photograph that included them - unidentified and seated in a group"; see also Minnifield v. Ashcraft, reversing a grant of summary judgment for the owner of a tattoo parlor who submitted photographs of the plaintiff's tattoo to a magazine, along with his name and the name of his business, as it was reasonable to infer that the owner sought a commercial benefit). 

Importantly for news outlets, there is a general exception to the right of privacy for matters of legitimate public interest. Alabama courts have held that a plaintiff's right to privacy does not prevent "the broadcast of matters of legitimate public interest" due to the "interest of the public in being informed" (see Minnifield; Doe, holding that the adoptive father of three children could not prevent the distribution of a novel based on the murder of the children's natural mother under the intrusion, unwarranted publicity, and commercial appropriation forms of invasion of privacy because the events surrounding the murder were a matter of public interest; Daily Times Democrat, stating that a claim for invasion of privacy "does not exist in the dissemination of news and news events nor in the discussion of events of the life of a person in whom the public has a rightful interest"). Thus, the jurisprudence in this area may provide greater comfort that, when there is a public interest in the use of a person's image, a release will not be required for such use by a news outlet. 

However, news outlets must exercise more care as to the false light form of invasion of privacy, as the exception for matters of legitimate public interest is limited for such claims. In Doe, it was stated that "the mere fact that a person is a public character or a legitimate subject of news comment does not justify misleading publicity or misrepresentation" (see Doe, at 829).

Thus, when presenting news stories, it is important to ensure that the photographs used do not create a false or misleading representation. Additionally, news outlets must also exercise care if the particular photographs used are arguably not matters of legitimate public interest themselves or may be viewed as too embarrassing, as discussed above. One court has stated that "there must be yet some undefined limits of common decency as to what can be published about anyone" and "a photograph of indecent exposure, for example, can never be legitimate news" (see Daily Times Democrat, dismissing a newspaper's argument that its publication of a photograph of a woman whose dress was inadvertently blown up at a local fair was a matter of legitimate news of interest to the public because it was used in connection with an article about the fair). 

Alabama Right of Publicity Act 

Until August 2015, Alabama did not recognize the right of publicity, although it did recognize a common law invasion of privacy tort for the unauthorized appropriation of personality, name, or likeness for the commercial use or benefit of a defendant. On 18 May 2015, Alabama's Governor signed into law the Alabama Right of Publicity Act ('the Publicity Act'), under §§6-5-770 to 6-5-774 of Article 39 of Chapter 5 of Title 6 of the Ala. Code, which became effective on 1 August 2015. 

The Publicity Act provides broad rights for those individuals (living or dead) with a qualifying Alabama connection. Unique features of the Publicity Act include, among other things: 

  • a descendible right lasting 55 years after death; 
  • claims that reach unauthorized 'non-profit' use; 
  • specific free speech protections; 
  • a unique 'fair use' defense that gives broad public interest protections to sporting event broadcasting; 
  • a unique 'first sale' defense; 
  • a statute of limitations with extensions allowed if the wrongful act is not discovered within the two-year statute of limitations; and 
  • a choice of statutory damages in lieu of monetary damages. 

Under the Publicity Act, a person or entity who uses or causes the use of the indicia of identity of a person, on or in products, goods, merchandise, or services entered into commerce in this state, for purposes of advertising or selling, or soliciting purchases of, products, goods, merchandise, or services, or for purposes of fund-raising or solicitation of donations, or for false endorsement, without consent shall be liable under this article to that person, or to a holder of that person's rights (Ala. Code §6-5-772(a)). Liability may be found regardless of whether the use is for profit or not for profit (Ala. Code §6-5-772(b)). 

Notably, nothing in the Publicity Act shall allow for abridgment of free speech rights under the US or Alabama Constitution. It is also fair use if the use of the indicia of identity is in connection with a news, public affairs, or public interest account, political speech, or a political campaign, live or pre-recorded broadcast or streaming of a sporting event or photos, clips, or highlights included in broadcasts or streaming of sports news or talk shows, or documentaries, or any advertising or promotion of the same (public interest work), or is part of an artistic or expressive work, such as a live performance, work of art, literary work, theatrical work, musical work, audio-visual work, motion picture, film, television program, radio program or the like (artistic work), or any advertising or promotion of the same, unless the claimant proves, subject to Ala. Code §6-5-773(a), that the use in an artistic work is such a replica as to constitute a copy of the person's indicia of identity for the purposes of trade (Ala. Code §6-5-773). 

With respect to advertising and promotion of public interest works and artistic works, except for the advertising or promotion of a public interest work itself as otherwise permitted, it shall not be deemed fair use if the claimant proves that their indicia of identity has been directly connected to and affirmatively used in a commercial manner to advertise, promote, or endorse a product, good, or service (Ala. Code §6-5-772(b)). 

The commercial use of a person's indicia of identity in a commercial medium does not constitute a violation if the material containing the commercial use is authorized by the person or the person's authorized representative or agent for commercial sponsorship or paid advertising (Ala. Code §6-5-772(d)). 

It is not a fair use and is a violation if a person's indicia of identity is used, without such person's permission, in a manner stating or implying that such person has endorsed or supports a candidate for public office (Ala. Code §6-5-772(e)). 

Those who lawfully obtain authorized products containing indicia of identity are not liable under Ala. Code §6-5-772 for their resale of such products (Ala. Code §6-5-772(f)). 

Any action brought shall be commenced within two years from the act or omission giving rise to the claim. If the cause of action is not discovered and could not reasonably have been discovered within that time period, then the action may be commenced within six months from the date of such discovery or the date of discovery of facts that would reasonably lead to such discovery, whichever is earlier. In no event may the action be commenced more than four years after the act or omission giving rise to the claim (Ala. Code §6-5-772(g)). 

Damages may include (Ala. Code §6-5-774): 

  • statutory damages of $5,000 per action or compensatory damages, including the defendant's profits derived from such use, to be elected by the plaintiff;
  • any other damages available under Alabama law, including punitive damages - an election of statutory damages does not preclude recovery of punitive damages if such damages are available under Alabama law; and
  • a violation of the Publicity Act is deemed to constitute a rebuttable presumption of irreparable harm for the purposes of injunctive relief. 

Alabama Data Breach Notification Act

On March 28, 2018, the Alabama Data Breach Notification Act of 2018 ('the Breach Act'), under §8-38-1 et seq. of Chapter 38 of Title 8 of the Ala. Code, was signed into law, making Alabama round out the roster of 50 states with data breach notification laws. The new law became effective on June 1, 2018, and applies to private covered entities as well as to the state, a county or municipality, or an instrumentality of the same and its third-party agents. Below is a more detailed summary of the Breach Act. 

The Breach Act defines a 'security breach' as the unauthorized acquisition of data in electronic form containing sensitive personally identifying information ('Sensitive PII'). As is typical, a breach does not include: 

  • good faith acquisitions by employees or agents unless used for unrelated purposes; 
  • the release of public records not otherwise subject to confidentiality or nondisclosure requirements; or 
  • any lawful investigative, protection, or intelligence activities by a state law enforcement or intelligence agency. 

Notification requirements 

Notification to individuals. If a covered entity determines that an unauthorized acquisition of Sensitive PII has or is reasonably believed to have occurred, and is reasonably likely to cause substantial harm, it shall notify affected individuals as expeditiously as possible and without unreasonable delay, but no later than 45 days after the determination of both a breach and a likelihood of substantial harm. A federal or state law enforcement agency may request delayed notification if it may interfere with an investigation. If an entity determines that notice is not required, it shall document the determination and maintain the documentation for at least five years. 

Format and content. Written notice can be by mail or email, and must include: 

  • the estimated date or date range of the breach; 
  • a description of the Sensitive PII acquired; 
  • a general description of actions taken to restore the security and confidentiality of the personal information; 
  • steps an affected individual can take to protect themselves from identity theft; and 
  • contact information for the covered entity in case of inquiries. 

Substitute notice. Substitute notice can be provided if direct notice would cause excessive cost relative to the covered entity's resources, if the affected individuals exceed 100,000 persons, or if there is a lack of sufficient contact information for the individuals required to be notified. Costs are deemed excessive automatically if they exceed $500,000. Substitute notice may include both posting on the website for 30 days and using print or broadcast media in the major urban and rural areas where the individuals reside. An alternative form of substitute notice may be approved by the Alabama Attorney General ('AG'). 

Notification to AG. If the affected individuals exceed 1,000, the entity must notify the AG as expeditiously as possible and without unreasonable delay, but no more than 45 days from receiving notice of a breach by a third-party agent or upon determining a breach and substantial likelihood of harm have occurred. The notice must include: 

  • an event synopsis; 
  • the approximate number of affected individuals in Alabama; 
  • any free services being offered by the covered entity to individuals and instructions on how to use them; and 
  • contact information for additional inquiries. 

The covered entities may provide supplemental or updated information at any time, and information marked as confidential is not subject to any open records or freedom of information laws. 

Notification to consumer reporting agencies. If the covered entity discovers notice is required to more than 1,000 individuals at a single time, it shall also notify, without unreasonable delay, all consumer reporting agencies. 

Third-party notification. Third-party agents experiencing a breach of a system maintained on behalf of a covered entity shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than ten days following the determination (or reason to believe) a breach has occurred. 

Enforcement authority. Violating the notification provisions is an unlawful trade practice under the Alabama Deceptive Trade Practices Act ('ADTPA'), under §8-19-1 et seq. of Chapter 19 of Title 8 of the Ala. Code, and the AG has exclusive authority to bring an action for penalties. There is no private cause of action. The AG also has exclusive authority to bring a class action for damages, but recovery is limited to actual damages plus reasonable attorney’s fees and costs. The AG must submit an annual report. 

Penalties. Any entity knowingly violating the notification provisions is subject to the ADTPA's penalties, which can be up to $2,000/day, up to a cap of $500,000 per breach ('knowingly' means wilfully or with reckless disregard). In addition to these penalties, a covered entity violating the notification provisions shall be liable for a penalty of up to $5,000/day for each day it fails to take reasonable action to comply with the notice provisions. Government entities are subject to the notice requirements, but exempt from penalties, although the AG may bring an action to compel performance or enjoin certain acts. 

Other requirements. While enforcement authority is limited to notification violations, the statute also requires 'reasonable security measures', requires and provides guidance on conducting a 'good faith and prompt investigation' of a breach, and requires covered entities to take reasonable measures to dispose of records containing Sensitive PII. Given the limited enforcement authority, it is unclear how these provisions might be enforced, except potentially to determine if a notification violation was made wilfully or with reckless disregard.

3. Health Data

At the federal level, of course, healthcare providers (and their business associates) are subject to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), including its Security and Privacy Rules under Part 164 of Title 45 of the Code of Federal Regulations ('C.F.R.') and the Breach Notification Rules under the General Administrative Requirements of Part 160 of Title 45 of the C.F.R. ('the HIPAA Rules'), as amended by the Health Information, Technology for Economic and Clinical Health Act of 2009 ('HITECH'). The HIPAA Rules set forth national standards for protecting medical records including the personal health information ('PHI') contained therein. States may enact stronger protections. While Alabama has not enacted a comprehensive privacy law specifically addressing the privacy of health information, there are a few selected state statutes dealing with the confidentiality of health data in certain contexts. 

Health Maintenance Organisations - Confidentiality of medical information 

Alabama insurance statutes regarding health maintenance organizations, under §27-21A-1 et seq. of Chapter 21A of Title 27 of the Ala. Code, contain provisions regarding the confidentiality of medical information. A health maintenance organization is defined as '[a]ny person that undertakes to provide or arrange for basic health care services through an organized system which combines the delivery and financing of health care to enrollees. The organization shall provide physician services directly through physician employees or under contractual arrangements with either individual physicians or a group or groups of physicians. The organization shall provide basic health care services directly or under contractual arrangements. When reasonable and appropriate, the organization may provide physician services and basic health care services through other arrangements. The organization may provide, or arrange for, health care services on a prepayment or other financial basis.' (Ala. Code §27-21A-1(7)). 

Under Ala. Code §27-21A-25, any data or information pertaining to the diagnosis, treatment, or health of any enrollee or applicant obtained from such person or from any provider by any health maintenance organization shall be held in confidence and shall not be disclosed to any person except: 

  • to the extent that it may be necessary to carry out the purposes of Chapter 21A; 
  • upon the express consent of the enrollee or applicant; 
  • pursuant to statute or court order for the production of evidence or the discovery thereof; or 
  • in the event of a claim or litigation between such person and the health maintenance organization wherein such data or information is pertinent. 

A health maintenance organization shall be entitled to claim any statutory privileges against such disclosure which the provider who furnished such information to the health maintenance organization is entitled to claim (Ala. Code §27-21A-25). 

Telemedicine - Protocols; private practices 

Under Alabama law, a provider that communicates with patients by electronic communications other than telephone or facsimile shall provide patients with written notification of the provider's privacy practices before evaluation or treatment (see §34-22-82(b)(1)(a) of Article 5 of Chapter 22 of Title 34 of the Ala. Code). The notice of privacy practices shall include language that is consistent with federal standards under the HIPAA Rules relating to the privacy of individually identifiable health information (Ala. Code §34-22-82(b)(1)(b)). A provider shall make a good faith effort to obtain the patient's written acknowledgment of the notice (Ala. Code §34-22-82(c)).

Confidentiality of genetic testing

An individual who intentionally releases an identifiable specimen of another individual for any purpose other than that relevant to the proceeding regarding parentage without a court order or the written permission of the individual who furnished the specimen commits a Class A misdemeanor (§26-17-511 of Article 5 of Chapter 17 of Title 26 of the Ala. Code).

4. Financial Data

Alabama Insurance Data Security Law 

On 25 April 2019, the Governor signed into law Senate Bill 54 for the Insurance Data Security Act, which imposes a comprehensive set of data security requirements on persons and entities licensed by the Alabama Department of Insurance and has subsequently been incorporated into the Ala. Code as the Insurance Data Security Act ('IDSA'), located under §27-62-1 et seq. of Chapter 62 of Title 27 of the Ala. Code. The IDSA largely adopts the Insurance Data Security Model Law from the National Association of Insurance Commissioners. 

Licensees must develop, implement, and maintain a comprehensive written information security program commensurate with the licensee's size and complexity, the nature and scope of its activities (including its use of third-party services providers), and the sensitivity of the non-public information in its possession, custody, or control. The program must include administrative, technical, and physical safeguards for the protection of non-public information and the licensee's information system. The information security program must be designed to protect the confidentiality and security of non-public information and the security of the information system, protect against any threats or hazards to the security or integrity of the non-public information and the information system, protect against unauthorized access to or use of the non-public information and minimize the likelihood of harm to consumers, and define and periodically re-evaluate a schedule for retention of non-public information and a mechanism for its destruction when no longer needed. 

The licensee must also: 

  • designate an employee, affiliate, or vendor to act on behalf of the licensee who is responsible for the program; 
  • identify reasonably foreseeable internal or external threats to the unauthorized disclosure or other transmissions of non-public information; 
  • assess the likelihood and potential damage of these threats; 
  • assess the sufficiency of the policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area, including: 
    • employee training and management; 
    • information systems, including information classification, governance, and other issues; and 
    • detecting, preventing, and responding to attacks, intrusions, or other system failures; and 
  • implement information safeguards to manage the identified threats and, no less than annually, assess the effectiveness of the controls, systems, and procedures of the safeguards. 

Based on the licensee's risk assessment, the licensee must design the program to mitigate identified risks and identify and implement appropriate security measures, including data and device management, restrictions of physical access, encryption, secure development practices, audit trails, and other measures. The statute lists a number of security measures that may be deemed appropriate to implement upon the licensee's determination. The licensee must provide personnel with training updated to reflect risks identified by the licensee in the risk assessment. 

Additionally, cybersecurity risks must be included in the enterprise risk management process, including updated information regarding emerging threats or vulnerabilities, awareness, training, etc. Licensees must also require executive management or its delegates to report in writing annually on the overall status of the information security program, material matters related to the program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and the responses of management thereto, and recommendations for changes in the information security program. 

Finally, a licensee must also exercise due diligence in selecting a third-party service provider, requiring them to implement appropriate administrative, technical, and physical measures to protect and secure information systems and non-public information that are accessible to, or held by, the third-party service provider. 

Disclosure of customer financial records

A bank shall disclose financial records of its customers pursuant to a lawful subpoena, summons, warrant, or court order issued by or at the request of any state agency, political subdivision, instrumentality, or officer or employee thereof and served upon the bank. No bank, director, officer, employee, or agent thereof shall be held civilly or criminally responsible for disclosure of financial records pursuant to a subpoena, summons, warrant, or court order which on its face appears to have been issued upon lawful authority (§5-5A-43 of Chapter 5A of Title 5 of the Ala. Code).

5. Employment Data

Many employers may be obligated to keep certain employee data confidential under an array of federal laws, such as the Americans with Disabilities Act of 1990 ('ADA'), HIPAA, the Genetic Information Nondiscrimination Act of 2008 ('GINA'), the Family and Medical Leave Act of 1993 ('FMLA'), or various workers' compensation laws. These laws all impose very strict rules for handling health-related information obtained through medical examinations and inquiries. Medical and benefits records should be kept separate from personnel files and may be revealed with the employee's written permission only to certain individuals on a legitimate 'need-to-know' basis as defined by specific statutes. For example, this information might include records such as: insurance and benefit enrolment forms and claims information, medical exam information, workers' compensation records, FMLA leave certification and medical documentation and information (including leave dates), records regarding reasonable accommodations, doctor's notes, or drug test results/physical results. 

Under Alabama's Workers Compensation Act, located under Chapter 5 of Title 25 of the Ala. Code, information received by the employer through drug testing or rehabilitation programs is required to be confidential (Ala. Code §25-5-339).

6. Online Privacy

There are several federal rules and regulations governing online privacy and online behavioral advertising. For example, the Children's Online Privacy Protection Act of 1998 ('COPPA') and implementing Federal Trade Commission ('FTC') regulations primarily place parents in control over what information is collected from their young children online and are designed to protect children under the age of 13 while accounting for the dynamic nature of the internet (see for example the FTC guidance on Complying with COPPA: Frequently Asked Questions).

While there are no rules in Alabama specifically governing online privacy and behavioral advertising, businesses in Alabama need to be aware of the federal rules around such activities as well as other foreign or US state jurisdictions containing consumer protections that can apply extraterritorially to Alabama businesses to the extent their activities are directed towards consumers in those jurisdictions. For example, the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') applies to the activities of US businesses that (Article 3(2) of the GDPR):

  • offer goods and services to EU residents located in the EU; or
  • monitor the behavior of EU residents located in the EU.

Similarly, California's Online Privacy Protection Act of 2003 applies to any person or entity that owns or operates a commercial website or online service that collects and maintains personally identifiable information from a California consumer who uses or visits said website. Likewise, the California Consumer Privacy Act of 2018 ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA'), applies extraterritorially to most organizations doing business in California that meet certain revenue or data collection thresholds. Nevada also has a statute that requires website operators to offer Nevada consumers the right to opt out of the 'sale' of certain information. Both the GDPR and the CCPA contain requirements regarding online privacy, children's data, as well as cookies and other online tracking behavior, that would apply to Alabama businesses that find themselves within the scope of those laws and regulations. As of April 2023, similar comprehensive state laws with limited extraterritorial applicability have been passed in Colorado, Virginia, Utah, Connecticut, and Iowa, with similar bills having been introduced in numerous other states.

7. Unsolicited Commercial Communication

There are several federal privacy regulatory regimes around unsolicited emails and telephone calls, such as the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('the CAN-SPAM Act'), the Telemarketing Sales Rule ('TSR'), and the Telephone Consumer Protection Act of 1991 ('TCPA'). The CAN-SPAM Act and the Telemarketing Sales Rule are regulated and enforced by the FTC, while the TCPA is regulated and enforced by the Federal Communications Commission ('FCC').

Finally, with respect to all forms and methods of commercial solicitations, the ADTPA would apply in most cases. This law sets forth 26 separate deceptive trade practices and has a catchall that provides for redress for 'engaging in any other unconscionable, false, misleading or deceptive act or practice in the conduct of trade or commerce' (Ala. Code §8-19-5). It allows a private right of action and provides that someone who commits the act will be responsible for monetary damages to another person for any actual damages sustained by such consumer or person, or the sum of $100, whichever is greater, or up to three times any actual damages, in the court's discretion (Ala. Code §8-19-10).

The law also provides that, in a successful action to enforce this law, the costs of the action together with reasonable attorney's fees will be paid (Ala. Code §8-19-10).

Telephone Solicitations

Telephone solicitations in Alabama are regulated by the Alabama Telemarketing Act under §8-19A-1 et seq. of Chapter 19A of Title 8 of the Ala. Code, and the Telephone Solicitations Act under §8-19C-1 et seq. of Chapter 19C of Title 8 of the Ala. Code, which prohibit an entity from making or causing to be made any telephone solicitation to a subscriber on the Do Not Call database. Among other restrictions, a person or entity making a telephone solicitation to an Alabama resident must identify themselves, and cannot knowingly block or circumvent the resident's Caller ID service (Ala. Code §8-19C-5 and Ala. Code §8-19A-12). Effective 14 August 2003, the Alabama Public Service Commission, which has limited jurisdiction over telecommunications companies, adopted the National Do Not Call Registry and merged its register with the national list administered by the FTC.

While the FTC's Do Not Call Registry is designed to tell telemarketers what numbers not to call, it does not and cannot block calls, nor can it stop calls from scammers who ignore the National Do Not Call Registry. It also allows political calls, charitable calls, debt collection calls, purely informational calls, and surveys, so long as such calls do not also include a sales pitch. Companies that illegally call numbers on the National Do Not Call Registry or place an illegal robocall can be fined up to $42,530 per call.

Email Marketing

Thirty-seven states have laws regulating unsolicited email advertising. The majority of these address commercial or fraudulent electronic mail; others apply to unsolicited 'bulk' email. Most state anti-spam laws prohibit misrepresenting or falsifying the origin of or the routing information on messages; using an internet address of a third party without permission; or including misleading information in the subject line of a message. Some states also prohibit the sale or distribution of software that is designed solely to falsify or forge the point of origin of or the routing information on email messages.

Most other aspects of such state laws would be pre-empted by the CAN-SPAM Act, which pre-empts any state law that 'expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.' The CAN-SPAM Act prohibits fraudulent and deceptive commercial e-mail messages and requires senders to include information allowing recipients to opt out of receiving further messages. FTC rules implementing the CAN-SPAM Act also include rules around emails containing sexually oriented material.

To date, Alabama has not joined the 37 states in enacting its own state law addressing unsolicited email marketing.

8. Privacy Policies

No particular Alabama law generally requires all businesses to have a privacy policy. In some specific contexts, however, Alabama law does point to the privacy policy requirements of certain entities. For example:

  • in establishing the Jefferson County pension board, Alabama statute describes the duties of the general administration of the plan as including: 'to establish a privacy policy for the protection of a members' personal information, subject to applicable law' (see §45-37-123.33(b)(3) of Chapter 37 of Title 45 of the Ala. Code); and
  • IDSA (discussed above) directs the licensee, in response to a cybersecurity event, to provide as directed by the commissioner a copy of the privacy policy of the licensee and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event (Ala. Code §27-62-6(b)(12)).

That being said, Alabama businesses in certain regulated industries (such as healthcare or financial institutions) may be required to have privacy policies by their applicable federal or other regulatory requirements (such as HIPAA or the Gramm-Leach-Bliley Act of 1999). In drafting a privacy policy, businesses should strive to be clear, transparent, easy to read, conspicuous, and above all, accurate. If a company's practices are not consistent with its published privacy policy, it risks potential liability and exposure under Section 5 of the FTC Act of 1914 regarding 'unfair or deceptive acts or practices in or affecting commerce' or the ADTPA.

9. Data Disposal/Cybersecurity/Data Security

See the discussions above regarding the Breach Act and the IDSA.

10. Other Specific Jurisdictional Requirements

Laws Addressing Biometric Data

Some states have enacted laws addressing the privacy of biometric data. Perhaps the most well-known is the Illinois Biometric Information Privacy Act ('BIPA'), which provides for a private right of action. Five other states (Arkansas, California, New York, Texas, and Washington) have now passed their own biometric statutes or expanded existing laws to include biometric identifiers (e.g. CCPA). These five states, however, either do not address the private right of action or expressly allow enforcement by the state attorneys general.

Alabama has not passed any such express biometric privacy law. However, the IDSA includes 'biometric records' within its definition of 'non-public information', and thus requires protection of such information from a data security perspective (Ala. Code §27-62-3(11)). Although biometric records are also discussed elsewhere within the Alabama Code, those provisions do not address privacy (they concern, for example, immigration, professional licensure, and background checks).

Alabama Public Records Law

Alabama law grants citizens the right to inspect and copy public writings (§36-12-40 of Article 3 of Chapter 12 of Title 36 of the Ala. Code). Pursuant to the statute, every citizen has a right to inspect and take a copy of any public writing of the state, except as otherwise expressly exempted by statute. Exemptions include, among other items (Ala. Code §36-12-40):

  • registration and circulation records and information concerning the use of the public, public school, or college and university libraries;
  • records concerning security plans, procedures, assessments, measures, or systems, and any other records relating to, or impacting the security or safety of persons, structures, facilities, or other infrastructures, including information concerning critical infrastructure and critical energy infrastructure information, the public disclosure of which could reasonably be expected to be detrimental to the public safety or welfare; and
  • records the disclosure of which would otherwise be detrimental to the best interests of the public.

Wiretapping, Eavesdropping, and Criminal Surveillance Statutes

State laws differ when it comes to recording conversations. 'Two party consent' states require that all parties to the communication consent to the recording of a conversation, whereas 'one party consent' states require only one party to the conversation to consent. Alabama is a one-party consent state (see §§13A-11-30(1) and 13A-11-31 of Article 2 of Chapter 11 of Title 13A of the Ala. Code).

Specifically, it constitutes 'criminal eavesdropping' to overhear, record, amplify, or transmit any part of the private communication of others without the consent of at least one of the persons engaged in the communication (Ala. Code §§13A-11-30(1) and 13A-11-31). Criminal eavesdropping is a Class A misdemeanor (Ala. Code §13A-11-31(b)).

It is a Class C felony to install an eavesdropping device intentionally in a private place without the permission of the owner and any lessee or tenant of the private place (Ala. Code §13A-11-33). A person commits the Class A misdemeanor of 'criminal possession of an eavesdropping device' if they possess, manufacture, send, or transport any device designed or commonly used for eavesdropping, and either intend to use that device to eavesdrop or know that another person intends to use that device to eavesdrop (Ala. Code §13A-11-34).

A person commits criminal surveillance, a Class B misdemeanor, if they intentionally engage in surveillance while trespassing in a private place (Ala. Code §13A-11-32). It is aggravated criminal surveillance if they intentionally engage in surveillance of an individual in any place where the individual being observed has a reasonable expectation of privacy, without the prior express or implied consent of the individual being observed, for the purpose of sexual gratification (Ala. Code §13A-11-32.1(a)). Aggravated criminal surveillance is a Class A misdemeanor, except if the person has a prior conviction or adjudication under this Section, the offense is a Class C felony (Ala. Code §13A-11-32.1(b)).

A person commits the Class B misdemeanor of 'divulging illegally-obtained information' if they knowingly or recklessly use or divulge information obtained through criminal eavesdropping or criminal surveillance (Ala. Code §13A-11-35).

The statutes contain exemptions for peace officers, employees or agents of communications common carriers engaging in their normal duties, and people relying in good faith on a lawful court order or legislative authorization (Ala. Code §13A-11-36). Any eavesdropping or surveillance device used in the above crimes may be forfeited to the state and may be turned over to law enforcement upon court order (Ala. Code §13A-11-37).

A person commits voyeurism in the first degree if, for the purpose of arousing or gratifying the sexual desire of any person, they knowingly photograph or film the intimate areas of another person, whether through, under, or around clothing, without that person's knowledge and consent and under circumstances where the person has a reasonable expectation of privacy, whether in a public or private place (Ala. Code §13A-11-41(a)). Voyeurism in the first degree is a Class C felony, except if the defendant is 18 years of age or younger at the time of the offense, it is a Class A misdemeanor (Ala. Code §13A-11-41(b)).

A person commits voyeurism in the second degree if they knowingly photograph or film the intimate areas of another person, whether through, under, or around clothing, without that person's knowledge and consent, and under circumstances where the person has a reasonable expectation of privacy, whether in a public or private place (Ala. Code §13A-11-42(a)). Voyeurism in the second degree is a Class A misdemeanor, except if the defendant is 18 years of age or younger on the date of the offense, voyeurism in the second degree is a Class B misdemeanor (Ala. Code §13A-11-42(b)). The statute exempts the viewing, photographing, or filming by personnel of the Department of Corrections or of a local jail or correctional facility for security purposes or during an investigation of alleged misconduct by a person in the custody of the Department of Corrections or the local jail or correctional facility (Ala. Code §13A-11-43(a)). If a person is adjudicated or convicted of voyeurism in either degree, a court may order the destruction of the photograph, film, image, or other recordings; provided that the victim or victim's representative is provided with written notice 90 days before the destruction is to occur. Except as prohibited by state or federal law, the victim, or victim's representative, shall retain the right to possess the image or recording (Ala. Code §13A-11-43(b)).

Identity Theft

Like many states, Alabama has passed the Consumer Identity Protection Act, located under §13A-8-190 et seq. of Article 10 of Chapter 8 of Title 13A of the Ala. Code, which makes it a Class B felony if a person, without authorization or consent, defrauds someone by (Ala. Code §13A-8-192):

  • obtaining, recording, or accessing identifying information that would assist in accessing financial resources, obtaining identification documents, or obtaining benefits of the victim;
  • obtaining goods or services through the use of identifying information of the victim;
  • obtaining identification documents in the victim's name; or
  • obtaining employment through the use of identifying information of the victim.

There is a 7-year statutory limitation period for prosecuting this offense (Ala. Code §13A-8-192). Venue may be proper where the victim resides (Ex parte Egbuonu, 911 So.2d 748 (Ala. Crim. App. 2044), rehearing denied, cert. denied 911 So.2d 755 (venue for California defendant's trial for identity theft proper in Alabama county where the victim resided)). Additionally, a provision in Alabama's tax code authorizes the Department of Revenue to 'pursue all reasonable options available to it' and 'incur all reasonable costs associated in combating identity theft-related refund fraud, to partner with another state, federal, and private sectors in various programs and projects designed to reduce or eliminate such fraud, and to compensate or reimburse partners in these programs for their reasonable costs in carrying out these programs' (§40-29-130 of Article 7 of Chapter 29 of Title 40 of the Ala. Code).

Similarly, §8-35-2 of Chapter 35 of Title 8 of the Ala. Code addresses steps required by consumers and consumer credit reporting agencies to place (or lift) a security freeze on a credit report.