Alabama Becomes 21st State With Comprehensive Consumer Privacy Law

On April 17, 2026, Alabama Governor Kay Ivey signed into law the Alabama Personal Data Protection Act (HB 351) (“APDPA” or “the Act”), making Alabama the twenty-first state to enact a comprehensive consumer privacy law. The law goes into effect on May 1, 2027.

Alabama enacted the APDPA within an already maturing ecosystem of state-level privacy regulation that has increasingly coalesced around a shared statutory model. Rather than departing significantly from prevailing approaches, the Act largely aligns with the Virginia-style framework that has become the dominant template for U.S. comprehensive consumer privacy laws. Nevertheless, the APDPA contains several material distinctions in scope, applicability and enforcement that warrant careful examination.

The Structure and Main Provisions of the Act

At a structural level, the APDPA adopts the now-standard controller–processor paradigm, imposing obligations on entities that determine the purposes and means of processing personal data, while allocating more limited duties to processors acting on behalf of such entities. The Act also provides consumers a familiar set of data rights, including rights of access, correction, deletion and opt-out with respect to targeted advertising, sale of personal data and certain forms of profiling.

Additionally, the Alabama Attorney General is vested with sole enforcement power, with no private right of action. In this respect, Alabama’s approach is consistent with the baseline rights architecture that has emerged across recent state privacy enactments. Notwithstanding this structural alignment, the APDPA diverges in several significant respects.

The following are the main provisions of the Act:

  • Scope. The Act establishes applicability thresholds that apply to a broader set of entities than other comprehensive consumer privacy laws. Controllers or processors that conduct business in Alabama or target Alabama residents and either (1) process personal data of more than 25,000 Alabama consumers; or (2) derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose personal data are processed, are subject to the law. This threshold is lower than many other state privacy laws and will comparatively increase the number of entities subject to the law’s compliance obligations.
    • Exemptions: Like other state privacy laws, the APDPA exempts from application entities and data subject to HIPAA or GLBA, higher education institutions and employee and B2B data.
      • Small businesses (with fewer than 500 employees) and nonprofit entities (with fewer than 100 employees) also are exempt, provided they do not sell personal data.
      • Additionally, political parties and political action committees are exempt from the law’s application.
  • Definition of “Sale.” The APDPA adopts a novel definition of “sale,” which is defined as “The exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” Many state privacy laws have adopted the “other valuable consideration” language, but Alabama is the first to clarify that, for such a disclosure to constitute a sale, the controller must receive a “material benefit” and the third-party recipient must not be restricted in its use of the personal data.
    • Exemptions: The Act adds two important and novel exemptions to the definition of “sale” that are not present in other state privacy laws, namely the disclosure of personal data to a third party for the purpose of providing (1) analytics services or (2) marketing services solely to the controller.
  • No Universal Opt-Out Obligation. Unlike other state privacy laws, the APDPA does not require controllers to honor universal opt-out preference signals, such as the Global Privacy Control.
  • Controller Obligations. The APDPA imposes many common obligations on controllers, including providing notice, honoring consumer rights requests, implementing reasonable data security measures, obtaining opt-in consent to process sensitive data, minimizing data collection and processing, and imposing contractual requirements on vendors. Unlike other privacy laws, however, the Act notably does not require controllers to conduct data processing impact assessments for more high-risk processing activities.
  • No Right to Appeal. Unlike the majority of state privacy laws, the APDPA does not provide for the right to appeal a controller’s decision with respect to a consumer’s privacy rights request.
  • Minors. The Act defines “sensitive data” to include personal data collected “from a known child” (under 13), for which COPPA-compliant parental consent is required for processing. Additionally, for minors aged 13 to 16, if a controller has actual knowledge of the consumer’s age, it must obtain affirmative opt-in consent before selling the minor’s personal information or using it for targeted advertising purposes.
  • Enforcement. Enforcement authority under the APDPA is vested exclusively in the Alabama Attorney General. The Act does not establish an independent regulatory agency dedicated exclusively to privacy enforcement. Violations of the Act can result in penalties of up to $15,000 per violation, which is a higher statutory cap than many other state privacy laws. The Act also provides for a guaranteed 45-day cure period, with no sunset.

Practical Compliance Considerations

While the APDPA generally tracks the prevailing approach adopted in other state comprehensive consumer privacy laws, businesses should assess the following factors when evaluating whether modifications to their existing compliance programs are necessary:

  • Assess the law’s applicability. Because the threshold for applicability is lower than in many other state comprehensive consumer privacy laws, businesses that historically have not been subject to such laws should evaluate whether they meet the APDPA’s comparatively low threshold. The APDPA has the lowest numerical consumer threshold, applying to entities controlling or processing the personal data of more than 25,000 consumers. More troubling is the 25% revenue-from-sales threshold, which applies regardless of how many consumers’ personal data is processed and could bring even small businesses that sell personal data within its scope. Smaller businesses (with fewer than 500 employees) and nonprofits (with fewer than 100 employees) also should evaluate whether they “sell” data under the Act, to determine whether they are exempt from the Act’s application.
  • Evaluate which processing activities constitute a “sale” and configure opt-out mechanisms accordingly. Given the APDPA’s broad exemptions for third parties that provide analytics or advertising services solely to the controller, businesses should evaluate whether vendors providing such services would be subject to the law’s opt-out right and configure their opt-out mechanisms appropriately. While these exemptions may not be materially helpful to businesses operating nationally and subject to other more stringent state privacy law opt-out rights, for smaller to mid-size businesses that have not yet had to comply with other state privacy laws, these carve-outs may significantly reduce the opt-out compliance burden.
  • Be mindful of potentially high enforcement penalties. While the Act is in many ways business-friendly, be aware of the $15,000 per violation penalty cap, which is significantly higher than other state privacy laws.
