← All US breach laws·AL

Alabama data breach notification law

Alabama's data breach notification requirements under Ala. Code §§8-38-1 to 8-38-12 (Alabama Data Breach Notification Act of 2018). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
Ala. Code §§8-38-1 to 8-38-12
Enforcer
Alabama Attorney General — Consumer Protection
AG notification
Required
Private right of action
No (AG-only enforcement)

Notification deadlines

Notify affected residents
Within 45 days of determining a breach has occurred and is reasonably likely to cause substantial harm
Notify the state regulator
Yes — within 45 days if breach affects more than 1,000 Alabama residents
Notify consumer reporting agencies
Yes — if more than 1,000 residents affected, notify all nationwide consumer reporting agencies without unreasonable delay

When is notification required?

Trigger / harm threshold
Notification required only if a reasonable investigation concludes substantial harm to affected individuals is reasonably likely
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Alabama law

First name/initial + last name combined with SSN, DL/state ID, financial account + access code, medical/mental-health information, or health-insurance policy/subscriber ID, OR a username/email plus password or security Q&A allowing online account access

Penalties and enforcement

Up to $5,000 per day for ongoing violations; up to $500,000 per single breach for knowing violations; AG civil action under DTPA
Enforced by: Alabama Attorney General — Consumer Protection. Official regulator page →

Common pitfalls

Vendors/third-party processors must notify the data owner within 10 days — not the residents directly
The 'reasonable investigation' standard is fact-specific — document your harm analysis before deciding NOT to notify

Frequently asked questions

How long do I have to notify Alabama residents after a data breach?
Within 45 days of determining a breach has occurred and is reasonably likely to cause substantial harm
Do I have to notify the Alabama Attorney General?
Yes — within 45 days if breach affects more than 1,000 Alabama residents
Does Alabama require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents affected, notify all nationwide consumer reporting agencies without unreasonable delay
Is encrypted data exempt from Alabama's breach notification requirement?
Yes — Alabama has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Alabama residents sue me directly for a data breach?
No — Alabama's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Alabama law?
First name/initial + last name combined with SSN, DL/state ID, financial account + access code, medical/mental-health information, or health-insurance policy/subscriber ID, OR a username/email plus password or security Q&A allowing online account access
What are the penalties for failing to comply with Alabama's breach notification law?
Up to $5,000 per day for ongoing violations; up to $500,000 per single breach for knowing violations; AG civil action under DTPA

Related state breach laws

Alaska (AK)
Alaska Stat. §§45.48.010–45.48.090
Arizona (AZ)
Ariz. Rev. Stat. §18-552

Pre-empt the Alabama breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Alabama's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit