Back to Alabama

HB263 • 2026

Biological and neural data of individuals; certain disclosures, transfers, and use by a health and fitness app prohibited without express consent, Attorney General authorized to enforce, civil penalties provided

Biological and neural data of individuals; certain disclosures, transfers, and use by a health and fitness app prohibited without express consent, Attorney General authorized to enforce, civil penalties provided

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Robbins
Last action
2026-03-11
Official status
Read Second Time in Second House
Effective date
Not listed

Plain English Breakdown

The bill text lists specific exceptions but does not explicitly define a general category for 'safety checks' outside of security incidents and fraud prevention; the summary was adjusted to match Section 4(10) exactly.

Rules for Health and Fitness Apps Using Body Data

This law requires health and fitness apps to get clear permission from Alabama users before sharing, selling, or using their biological or brain data in certain ways.

What This Bill Does

  • Prohibits covered entities from transferring, disclosing for non-service reasons, marketing based on, or using a consumer's biological or neural data without express consent.
  • Requires the Attorney General to send a notice of violation before taking legal action against an app that breaks these rules.
  • Allows courts to charge fines of up to $3,000 per violation if the covered entity does not fix the problem within 45 days after receiving notice.

Who It Names or Affects

  • Owners or operators of health and fitness applications that collect biological or neural data from Alabama residents.
  • Alabama residents who use these applications.

Terms To Know

Biological Data
Data generated by measuring an individual's body, genes, brain activity, or bodily functions that can uniquely identify them. It does not include photos or videos unless they are used to uniquely identify the person.
Neural Data
Information created by measuring a person's central nervous system activity using a device.
Express Consent
Written or electronic permission given after the consumer receives a clear and prominent notice about how their data will be used.

Limits and Unknowns

  • The law does not apply to actions by law enforcement, compliance with court orders or federal laws, genetic testing companies following specific state rules, businesses covered by HIPAA regulations (45 C.F.R. Parts 160 and 164), insurance business activities governed by state or federal law, de-identified data, noncommercial research by universities, product recalls, security incident responses, internal technical repairs, or fulfilling a consumer's specific request.
  • The effective date of the law is October 1, 2026.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

6YR4511-1

R 648

Adopted

Plain English: This amendment creates new rules for health and fitness apps in Alabama to stop them from sharing, selling, or using a user's body data without clear permission.

  • Health and fitness apps must get written or electronic consent before they share or sell a consumer's biological or neural data with anyone else.
  • Apps are not allowed to use this personal data for marketing purposes unless the consumer agrees first.
  • If an app wants to use the data in ways that were not originally expected, it must tell the user and let them stop the action before it happens.
  • The Attorney General can fine apps up to $3,000 for each time they break these rules if they do not fix the problem within 45 days.
  • The official text provided ends abruptly in Section 8 and does not list all possible exceptions or details about how data is defined.
  • Some specific legal terms like 'covered entity' rely on complex definitions that may be hard to fully explain without the complete bill.
DG8FMHN-1

R 649

Adopted

Plain English: This amendment updates HB263 by clarifying the definitions of biological and neural data, defining what counts as a third-party processor, and listing specific situations where health apps can use this sensitive information without extra consent.

  • It defines 'biological data' to include body-related information that identifies a person but excludes standard photos or videos unless they are used specifically for identification.
  • It adds a definition for 'neural data' as measurements of an individual's central nervous system activity processed by a device.
  • It clarifies the term 'third party' and defines a 'processor' as an entity that handles biological or neural data on behalf of a company while following its instructions.
  • It lists specific exceptions where apps can use this data without express consent, such as for security, fixing technical errors, product recalls, internal research, or fulfilling contracts.
  • The provided text only shows the new definitions and exception list; it does not show the full context of how these changes affect penalties or enforcement rules.
  • Some sentences in the amendment are cut off at the beginning or end, so the exact connection to previous sections is unclear.

Bill History

  1. 2026-03-11 Senate

    Read for the Second Time and placed on the Calendar

  2. 2026-03-11 Senate

    Reported Out of Committee Second House

  3. 2026-02-26 House

    Motion to Read a Third Time and Pass as Amended - Adopted Roll Call 650 (Yeas 104, Nays 0)

  4. 2026-02-26 House

    Motion to Adopt - Adopted Roll Call 649 (Yeas 104, Nays 0)

  5. 2026-02-26 House

    Motion to Adopt - Adopted Roll Call 648 (Yeas 104, Nays 0)

  6. 2026-02-26 House

    Third Reading in House of Origin (Yeas 103, Nays 0)

  7. 2026-02-26 Senate

    Pending Committee Action in Second House

  8. 2026-02-26 Senate

    Read for the first time and referred to the Senate Committee on Judiciary

  9. 2026-02-26 House

    Engrossed

  10. 2026-02-26 House

    Robbins 1st Amendment Offered

  11. 2026-02-26 House

    Judiciary 1st Substitute Offered

  12. 2026-02-19 House

    Read for the Second Time and placed on the Calendar

  13. 2026-02-18 House

    Reported Out of Committee House of Origin

  14. 2026-02-18 House

    Judiciary 1st Substitute

  15. 2026-01-15 House

    Pending Committee Action in House of Origin

  16. 2026-01-15 House

    Read for the first time and referred to the House Committee on Judiciary

Official Summary Text

Biological and neural data of individuals; certain disclosures, transfers, and use by a health and fitness app prohibited without express consent, Attorney General authorized to enforce, civil penalties provided

Current Bill Text

Read the full stored bill text
HB263 ENGROSSED
Page 0
HB263
6YR4511-2
By Representative Robbins
RFD: Judiciary
First Read: 15-Jan-26
1
2
3
4
5
HB263 Engrossed
Page 1
First Read: 15-Jan-26
A BILL
TO BE ENTITLED
AN ACT
Relating to consumer protections; to prohibit certain
health and fitness applications from disclosing, transferring,
or taking certain other actions with regard to a consumer's
biological data or neural data without the consumer's express
consent, with exceptions; to authorize the Office of the
Attorney General to enforce; and to provide a civil penalty
for violations.
BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:
Section 1. For the purposes of this act, the following
terms have the following meanings:
(1) BIOLOGICAL DATA. Data generated by the
technological processing, measurement, or analysis of an
individual's biological, genetic, biochemical, physiological,
or neural properties, compositions, or activities, or an
individual's body or bodily functions, which are used to
uniquely identify the specific individual to whom the data
pertains. The term does not include a photograph, video or
audio recording, or data generated from a photograph or audio
recording, unless such data is generated to uniquely identify
the specific individual to whom the data pertains.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
HB263 Engrossed
Page 2
the specific individual to whom the data pertains.
(2) CONSUMER. Any individual who is an Alabama
resident.
(3) COVERED ENTITY. The owner or operator of a health
and fitness application. The term includes any individual or
entity that offers, maintains, owns, licenses, or controls
software made available to consumers through an app store or
website, provided that:
a. The software collects, processes, uses, shares,
sells, or generates biological data or neural data from a
consumer, whether alone or in combination with other personal
data; and
b. The data is collected for purposes that include
health tracking, wellness, sleep, fitness, mental or cognitive
performance, mindfulness, or stress.
(4) EXPRESS CONSENT. A consumer's acknowledgment or
permission, in writing or captured electronically, to a clear,
meaningful, and prominent written notice regarding the
disclosure or use of the consumer's biological data or neural
data.
(5) NEURAL DATA. Information that is generated by the
measurement of the activity of an individual's central nervous
system and that can be processed by or with the assistance of
a device.
(6) THIRD PARTY. An individual or legal entity that is
not a consumer, covered entity, or processor. For the purposes
of this subdivision, a processor is an entity that: (i)
processes biological data or neural data on behalf of a
covered entity; (ii) adheres to the instructions of the
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
HB263 Engrossed
Page 3
covered entity; (ii) adheres to the instructions of the
covered entity; and (iii) assists the covered entity in
meeting its obligations under this act.
Section 2. (a) A covered entity may not do any of the
following without the express consent of the consumer:
(1) Transfer a consumer's biological data or neural
data to a third party.
(2) Disclose the consumer's biological data or neural
data to a third party for a reason other than fulfillment of
the entity's products or services.
(3) Use the consumer's biological data or neural data
for a purpose other than what is necessary to perform the
services or provide the goods reasonably expected by an
average consumer who requests those goods or services.
(4) Market to a consumer based on the consumer's
biological data or neural data.
(b) A covered entity that transfers, discloses, or uses
a consumer's biological data or neural data for purposes other
than those provided in subsection (a), before the transfer,
disclosure, or use, shall notify the consumer that the
information may be transferred, disclosed, or used for a
specified purpose and provide the consumer the opportunity to
limit or prevent the transfer, disclosure, or use of the
biological data or neural data.
Section 3. (a) The Attorney General has exclusive
authority to enforce this act.
(b)(1) The Attorney General, prior to initiating any
action for a violation of any provision of this act, shall
issue a notice of violation to the covered entity accused of
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
HB263 Engrossed
Page 4
issue a notice of violation to the covered entity accused of
the violation.
(2) If the covered entity fails to correct the
violation within 45 days after receipt of the notice of
violation, the Attorney General may bring an action for an
injunction pursuant to this section. Upon a finding that the
covered entity has violated this act and failed to correct the
violation as required by this section, the court may assess a
civil penalty of not more than three thousand dollars ($3,000)
per violation.
(3) If within the 45-day period the covered entity
corrects the noticed violation and provides the Attorney
General with an express written statement that the alleged
violation has been corrected and that no such further
violations will occur, no action may be initiated against the
covered entity.
Section 4. This act does not apply to any of the
following transfers, disclosures, or uses of biological data
or neural data:
(1) By law enforcement for any law enforcement
purposes.
(2) To comply with a subpoena, summons, other lawful
court order, or federal law.
(3) Pursuant to Article 2, Chapter 18 of Title 36, Code
of Alabama 1975.
(4) By a genetic testing company that complies with
Chapter 43 of Title 8, Code of Alabama 1975.
(5) The collection, use, retention, or disclosure of
biological or neural data by a covered entity or business
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
HB263 Engrossed
Page 5
biological or neural data by a covered entity or business
associate in accordance with 45 C.F.R. Parts 160 and 164.
(6) The use of de-identified biological or neural data.
(7) The collection, use, or retention of biological or
neural data for noncommercial purposes, including for research
and instruction, by a public or private institution of higher
education or any entity owned or operated by a public or
private institution of higher education.
(8) The transfer, disclosure, or use of biological or
neural data that is governed by state or federal law
regulating the business of insurance, including underwriting,
rating, risk classification, reinsurance, and claims
administration.
(9) To provide a product or service specifically
requested by a consumer; to perform a contract to which the
consumer is a party, including fulfilling the terms of a
written warranty; or to take steps at the request of the
consumer prior to entering into a contract.
(10) To prevent, detect, protect against, or respond to
security incidents, identity theft, fraud, harassment,
malicious or deceptive activities, or any illegal activity; to
preserve the integrity or security of systems; or to
investigate, report, or prosecute those responsible for any
such action.
(11) To conduct internal research to develop, improve,
or repair products, services, or technology.
(12) To effectuate a product recall.
(13) To identify and repair technical errors that
impair existing or intended functionality.
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
HB263 Engrossed
Page 6
impair existing or intended functionality.
(14) To perform internal operations that are reasonably
aligned with the expectations of the consumer or reasonably
anticipated based on the consumer's existing relationship with
the covered entity or are otherwise compatible with processing
data in furtherance of the provision of a product or service
specifically requested by a consumer or the performance of a
contract to which the consumer is a party.
Section 5. This act shall become effective on October
1, 2026.
141
142
143
144
145
146
147
148
149
HB263 Engrossed
Page 7
1, 2026.
House of Representatives
Read for the first time and referred
to the House of Representatives
committee on Judiciary
................15-Jan-26
Read for the second time and placed
on the calendar:
0 amendments
................19-Feb-26
Read for the third time and passed
as amended
Yeas 104
Nays 0
Abstains 0
................26-Feb-26
John Treadwell
Clerk
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170