Sweet Home Data: Alabama’s Privacy Law Takes Center Stage

Apr 22 2026

On April 16, 2026, Alabama Governor Kay Ivey signed into law House Bill 351, the Alabama Personal Data Protection Act (APDPA), making Alabama the 21st state to adopt a comprehensive consumer privacy and data protection law and the second state to do so in 2026. Taking effect on May 1, 2027, the APDPA follows the path of other business‑friendly data protection regimes adopted across the country while introducing its own distinct nuances in applicability, thresholds, and definitions that warrant close attention.

Covered Entities

The APDPA applies to persons that conduct business in Alabama or produce products or services targeted to state residents, provided they meet either of the following thresholds:

  • Control or process the personal data of more than 25,000 Alabama consumers, excluding data processed solely for completing payment transactions; OR
  • Derive more than 25% of gross revenue from the sale of personal data, regardless of the number of consumers whose data is controlled or processed.

Notably, the APDPA’s 25,000‑consumer threshold matches Montana’s for the lowest in the nation, broadening the range of businesses within its scope. Alabama is also the first state to apply the 25% gross revenue threshold without a minimum consumer count requirement. The law defines “consumer” as an Alabama resident while excluding individuals acting in a commercial or employment context.

Exemptions

The Act includes several entity and data exemptions, including for political subdivisions of the state, institutions of higher education, financial institutions governed by the Gramm-Leach-Bliley Act, and protected health data under HIPAA. Small businesses with fewer than 500 employees and nonprofits with fewer than 100 employees are also exempt, provided they do not engage in the sale of personal data.

Requirements

The APDPA imposes several obligations on covered entities:

  • Data Minimization: Controllers must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
  • Affirmative Consent: For sensitive data, which includes data revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship status, and precise geolocation, controllers must obtain affirmative consumer consent before processing.
  • Data Security: Businesses must implement reasonable administrative, technical, and physical security practices to protect data confidentiality and integrity.
  • Processor Contracts: Relationships between controllers and processors must be governed by a binding written contract that includes clear processing instructions and confidentiality duties.

In a notable departure from states like California and Colorado, the APDPA does not require controllers to carry out formal data protection assessments or require that they recognize opt-out preference signals.

Consumer Rights

Under the APDPA, Alabama consumers are granted the following rights:

  • Right to Know: Confirming whether a controller, or a processor or third party acting on a controller’s behalf, is processing or accessing their personal data.
  • Right to Correct: Rectifying inaccuracies in their personal data.
  • Right to Delete: Requesting that a controller delete personal data about the consumer.
  • Right to Access and Portability: Obtaining a copy of their data in a portable and readily usable format.
  • Right to Opt-Out: Opting out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated significant decisions.

Crucially, the rights to know, access and portability include an exception: controllers are not required to comply if doing so would require them to reveal a trade secret. Furthermore, Alabama does not provide consumers with a formal right to appeal a controller’s decision. When a consumer exercises their rights, controllers must respond within 45 days, with a 45-day extension available when “reasonably necessary”.

Unique Definition of “Sale”

The law contains a unique definition of “sale”: “the exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the data.” Notably, the definition explicitly exempts certain disclosures of personal data, including transfers to third parties for analytics services or for marketing services provided solely to the controller.

Privacy Notices

Controllers must provide a "reasonably accurate, clear, and meaningful" privacy notice. This notice must disclose the categories of personal data processed, the purpose of processing, the categories of data shared with third parties, and the categories of those third parties. Additionally, the notice must provide an active email address or mechanism for contact and explain how consumers may exercise their rights.

Enforcement

The Alabama Attorney General (AG) has exclusive authority to enforce the APDPA. Prior to initiating any action, the AG must provide the controller with a written notice of the violation.

  • Right to Cure: The law provides a 45-day cure period in which to correct alleged violations and notify the AG of the correction, allowing businesses to avoid enforcement actions.
  • Civil Penalties: Violations that remain uncorrected are subject to a civil penalty of up to $15,000 per violation.
  • No Private Right of Action: The Act is enforceable only by the AG, barring individual consumers from filing lawsuits for violations.

Final Thoughts

The passage of the APDPA signals that the momentum for state-level data protection frameworks remains strong heading into 2026. While the Alabama law largely mirrors other state privacy laws in key respects, its unique nuances warrant careful attention and review by businesses as the May 2027 effective date approaches.

Tags

compliance, data protection, regulatory framework, US

Authors

  • Megan M. Kayo, Partner; San Francisco, Redwood City (Silicon Valley)
  • Christine Chong, Senior Associate; San Francisco
  • Jackson Myers, Associate; New York
  • Andres Calzada, Associate; San Francisco