Deadlines to Notify Data Subjects
Under State breach notification laws, data controllers generally have primary responsibility for notifying data subjects of breaches involving their personal information. Usually, the statutes allow controllers to delay notice when requested by law enforcement, to determine the nature and scope of the breach, or other limited circumstances provided by statute. Subject to such delays, the following table summarizes the statutory deadlines or timing requirements to notify data subjects.
State | Conditions For Notice | Timing / Deadline | Notes |
---|---|---|---|
10 | Days | ||
30 | Days | ||
45 | Days | ||
Alabama | unauthorized acquisition of sensitive personally identifying information of Alabama residents reasonably likely to cause substantial harm | 45 days | Ala. Code ยง 8-38-5. Last updated 2023/10/20 |