Ala. Code § 8-44-5 (2026)
Section 8-44-5
(a) Subject to authentication and any other conditions or limitations provided by this chapter, a consumer may invoke the rights authorized pursuant to this subsection at any time by submitting a request to a controller specifying the consumer right the consumer seeks to invoke. A controller shall comply with an authenticated request to do any of the following:
(1) Confirm whether a controller, or a processor or third party acting on a controller’s behalf, is processing the consumer’s personal data and accessing any of the consumer’s personal data under the control of the controller, unless confirmation or access would require the controller to reveal a trade secret.
(2) Correct inaccuracies in the consumer’s personal data, considering the nature of the personal data and the purposes of the processing of the consumer’s personal data.
(3) Direct a controller to delete the consumer’s personal data.
(4) Obtain a copy of the consumer’s personal data previously provided by the consumer to a controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, unless the provision of the data would require the controller to reveal a trade secret.
(5) Opt out of the processing of the consumer’s personal data for any of the following purposes:
a. Targeted advertising.
b. The sale of the consumer’s personal data.
c. Profiling in furtherance of solely automated significant decisions concerning the consumer.
(b) A controller shall establish a secure and reliable method for a consumer to exercise rights established by this section and shall describe the method in the controller’s privacy notice.
(c)(1) A parent or legal guardian of a known child may exercise the consumer’s rights on behalf of the known child regarding the processing of personal data.
(2) A guardian or conservator of a consumer may exercise the consumer’s rights on behalf of the consumer regarding the processing of personal data.
(d) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer’s rights authorized by this section as follows:
(1)a. A controller shall respond to a consumer’s request within 45 days of receipt of the request.
b. A controller may extend the response period by 45 additional days, when reasonably necessary considering the complexity and number of the consumer’s requests, by notifying the consumer of the extension and the reason for the extension within the initial 45-day response period.
(2) If a controller declines to act regarding a consumer’s request, the controller shall inform the consumer of the justification for declining to act within 45 days of receipt of the request.
(3) Information provided in response to a consumer request must be provided by a controller, free of charge, once for each consumer during any 12-month period. If a consumer’s requests are manifestly unfounded, excessive, technically infeasible, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with a request or decline to act on a request. Upon inquiry by an enforcement authority, the controller bears the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of a request.
(4) If a controller is unable to authenticate a consumer’s request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request until the consumer provides additional information reasonably necessary to authenticate the consumer and the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent or otherwise not authorized. If a controller denies an opt-out request because the controller believes the request is fraudulent or not authorized, the controller shall send notice to the person who made the request disclosing that the controller believes the request is fraudulent or not authorized and that the controller may not comply with the request.
(5) A controller that has obtained personal data about a consumer from a source other than the consumer is in compliance with a consumer’s request to delete the consumer’s data if the controller has done either of the following:
a. Retained a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and refrains from using the retained data for any other purpose.
b. Opted the consumer out of any further processing of the consumer’s personal data for any purpose except for those exempted pursuant to this chapter.
(Act 2026-552, §5.)