Guide to Alabama Personal Data Protection Act

By Safna, May 5, 2026

Alabama recently passed a comprehensive consumer privacy law. Governor Kay Ivey signed Alabama HB 351 into law, establishing the Alabama Personal Data Protection Act (APDPA), effective May 1, 2027. From that date, handling the personal data of Alabama residents is subject to new rules. This guide prepares businesses to comply with the new Alabama law, from applicability thresholds to enforcement mechanisms, in plain, actionable terms.

Law text: Alabama privacy law

Effective date: May 1, 2027

Enforcement authority: Attorney General

What is Alabama data privacy law?

The Alabama Personal Data Protection Act is Alabama’s comprehensive state privacy law. It grants consumers specific rights over their personal data and imposes obligations on businesses that collect, process, or sell that data. Enacted through HB 351, the APDPA establishes a regulatory framework for how businesses must handle the personal data of Alabama residents.

Structurally, the APDPA draws most directly from the Virginia Consumer Data Protection Act (VCDPA): distinct roles for data controllers and data processors, enumerated consumer rights, and enforcement through the state attorney general rather than private litigation.

The APDPA takes effect on May 1, 2027. Enforcement authority rests with the Alabama Attorney General. 

Who does the Alabama privacy law apply to?

The APDPA applies to persons that conduct business in Alabama or produce products or services targeted to Alabama residents and meet specific data processing thresholds.

Your business falls under the APDPA if it meets either of two thresholds during a calendar year:

  • Controls or processes personal data of more than 25,000 Alabama consumers annually, excluding data processed solely to complete payment transactions.
  • Derives more than 25 percent of gross revenue from the sale of personal data.

There is no standalone revenue-based threshold here. A business with $50 million in annual revenue still falls outside the law’s scope if it processes data from fewer than 25,000 Alabama consumers and does not meet the second threshold. That’s a meaningful structural difference from the California Consumer Privacy Act (CCPA), which includes an annual gross revenue threshold of $25 million as one of its three criteria.

Who is exempt?

Alabama privacy law exempts specific entities and data types, such as:

  • Political subdivisions of Alabama
  • Nonprofit organizations with fewer than 100 employees
  • Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)
  • Certain higher education institutions
  • Organizations with fewer than 500 employees if they do not sell data

Exempt data types include protected health information under HIPAA, education records governed by the Family Educational Rights and Privacy Act (FERPA), employee and job applicant data processed in an employment context, and data processed for certain approved research purposes.

What is personal data under Alabama privacy law?

Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable individual.

This includes common data points such as:

  • Name, email address, phone number
  • IP address and online identifiers
  • Device and browser data
  • Location data
  • Account and transaction information

The definition is broad, covering both direct identifiers and data that, when combined with other information, can indirectly identify a person.

However, the Alabama Data Protection Act excludes:

  • Deidentified data that cannot be linked back to an individual
  • Publicly available information lawfully made available through government records or public sources

Employee data and data processed in a commercial or employment context are also outside the scope of this law.

In practice, if your business can reasonably connect data to a specific individual, it will be treated as personal data under this Alabama privacy law.

What is sensitive data under Alabama privacy law?

Under the Alabama Personal Data Protection Act, sensitive data is a specific category of personal data that requires higher protection and explicit consent before processing.

Sensitive data includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Information about an individual’s sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic and biometric data used to identify an individual
  • Precise geolocation data
  • Personal data of a known child

The Alabama Data Protection Act requires businesses to obtain clear opt-in consent before processing any of these categories.

For children under 13, businesses must comply with COPPA requirements, including verifiable parental consent. Alabama law provides no further clarification regarding children’s data, unlike states such as Colorado, which have amended their laws on this.

Consent requirements under Alabama’s new privacy law

Under the Alabama Personal Data Protection Act, consent must meet a clear legal standard. It must be a freely given, specific, informed, and unambiguous indication of the consumer’s agreement to process their personal data.

Valid consent requires a clear affirmative act, such as actively selecting an option or confirming agreement. It cannot be inferred from silence, inactivity, pre-ticked boxes, or acceptance of broad terms, nor obtained through dark patterns.

Consent is specifically required when:

  • Processing sensitive data
  • Processing data of a known child under 13 (parental consent required under COPPA)

In addition, businesses must provide a simple way for users to withdraw consent, and must stop processing the data once consent is revoked.

Opt-out requirements under Alabama privacy law

The Alabama Data Protection Act gives consumers the right to opt out of certain types of data processing.

Consumers can opt out of:

  • Targeted advertising
  • Sale of personal data
  • Profiling that leads to significant decisions

Businesses must provide a clear and conspicuous link on their website or another accessible method for consumers to opt out.

Example of a cookie banner with an opt-out link

Unlike other US privacy laws, Alabama law does not explicitly require controllers to recognize global opt-out signals. However, if a consumer’s opt-out signal conflicts with that consumer’s existing privacy settings or loyalty program participation, the controller must honor the signal and may notify the consumer, offering a chance to confirm their settings.

Once a valid opt-out request is received, the business must stop the relevant processing without delay and cannot discriminate against the user for exercising this right.

Privacy notice requirements

The Alabama Personal Data Protection Act requires businesses to provide a clear, accurate, and meaningful privacy notice to consumers.

The privacy notice must include:

  • categories of personal data collected and processed
  • purposes for processing that data
  • categories of personal data shared with third parties, if any
  • categories of third parties with whom the data is shared
  • a clear contact method, such as an active email address or similar mechanism
  • instructions on how consumers can exercise their rights, including how to opt out of data processing

Business obligations under the Alabama Data Protection Act

The Alabama Personal Data Protection Act places clear obligations on businesses that process personal data. These requirements focus on transparency, data minimisation, security, and consumer rights.

Businesses must:

Provide a clear privacy notice

Disclose the categories of personal data collected, purposes of processing, consumer rights, categories of third parties, and how users can exercise their rights.

Data minimisation and purpose limitation

Collect only data that is adequate, relevant, and reasonably necessary for the stated purpose. Businesses must not process personal data for purposes that are incompatible with the disclosed purpose.

Implement data security measures

Maintain reasonable administrative, technical, and physical safeguards to protect personal data.

Enable consumer rights

Provide secure and reliable methods for consumers to access, correct, delete, or obtain their data, and respond within the required timelines. Controllers must respond to authenticated consumer requests within 45 days, with a possible 45-day extension when reasonably necessary.

Offer opt-out mechanisms

Allow consumers to opt out of targeted advertising and sale of personal data through a clear and accessible method.

Obtain consent where required

Secure opt-in consent before processing sensitive data and comply with parental consent rules for children.

Maintain processor contracts

Ensure contracts with processors clearly define processing instructions, data types, duration, and responsibilities.

Allow consent withdrawal

Provide an easy way for users to withdraw consent. Businesses must stop processing the data as soon as practicable and no later than 45 days after consent is withdrawn.

Non-discrimination

Businesses must not deny goods or services, charge different prices, or provide a different level of quality solely because a consumer exercises their rights, except in limited cases such as voluntary loyalty programs.

Alabama law does not explicitly require a Data Protection Impact Assessment, unlike other state privacy laws such as the CCPA.

Consumer rights under the Alabama Personal Data Protection Act

The Alabama privacy law grants five core rights to consumers whose personal data is processed by covered businesses.

Right to access and confirm

Consumers have the right to confirm whether a controller is processing their personal data and to access that data.

Right to correction and deletion

Consumers may request correction of inaccuracies in their personal data. They may also request deletion of personal data provided by or obtained about them.

Right to data portability

Consumers can obtain a copy of their personal data in a readily usable, portable format that allows transmission to another controller without hindrance.

Right to opt out of sale and targeted advertising

Consumers may opt out of the processing of personal data for:

  • Targeted advertising
  • The sale of personal data
  • Profiling in furtherance of decisions that produce legal or similarly significant effects

Penalties and enforcement under Alabama privacy law

Enforcement authority rests exclusively with the Alabama Attorney General. There is no private right of action under the APDPA, which means consumers cannot sue businesses directly for violations.

Before initiating enforcement, the Attorney General must issue a notice of violation and allow a 45-day cure period. If the violation is not cured, the Attorney General may bring an action. Courts may impose civil penalties of up to $15,000 per violation.

The absence of a private right of action reduces litigation risk compared with the CCPA, but state-level enforcement remains a credible compliance driver. Do not treat the lack of class action exposure as a reason to deprioritize compliance.

Alabama privacy law checklist

  • Determine whether your business meets the applicability thresholds.
  • Conduct a data inventory and mapping exercise.
  • Publish a privacy policy.
  • Provide an opt-out cookie banner.
  • Maintain a contractual relationship with processors.
  • Implement a process for handling consumer rights requests within the 45-day response window.
  • Establish opt-in consent processes for sensitive personal data and any processing that requires affirmative consent.
  • Leverage a consent management platform like CookieYes to manage cookie consent.
  • Train relevant staff on consumer rights obligations and internal response procedures.
  • Monitor the Alabama Attorney General’s guidance and regulatory updates ahead of the enforcement date.

Frequently asked questions

What rights do consumers have under Alabama privacy law?

Consumers have five core rights: the right to access and confirm, correct, delete, obtain a portable copy of their personal data, and opt out of its sale, use for targeted advertising, and certain profiling. Businesses must respond to requests within 45 days.

What are the penalties for violating Alabama data privacy law?

The Alabama Attorney General enforces the law exclusively. There is no private right of action. Civil penalties reach up to $15,000 per violation. Businesses receive a 45-day cure period after written notice before enforcement action may proceed.

What should companies do to prepare for the Alabama Personal Data Protection Act?

Confirm whether your business meets the applicability thresholds, conduct a data inventory, update your privacy notice, implement consumer rights request workflows, audit vendor contracts for data processing agreements, and deploy a consent management solution to handle sensitive data opt-in and targeted advertising opt-out.

Does Alabama have a privacy law?

Yes. Alabama has a comprehensive privacy law called the Alabama Personal Data Protection Act (APDPA). Enacted through HB 351, this Alabama privacy law gives consumers rights over their personal data and imposes obligations on businesses that collect, process, or sell that data. It applies to companies that meet specific data processing thresholds and is enforced by the Alabama Attorney General. The law will take effect on May 1, 2027.

Safna

CIPP/E from the International Association of Privacy Professionals (IAPP) | Data privacy writer at CookieYes.
