On April 17, Alabama became the twenty-second state to enact comprehensive consumer data privacy legislation after Governor Kay Ivey signed HB 351 into law. The bill received unanimous support in both Alabama’s House of Representatives and Senate.

The Alabama Personal Data Protection Act (APDPA or the Act) will take effect on May 1, 2027. The Act joins 21 other states’ laws in the growing roster of data privacy legislation that imposes obligations upon businesses that control or process personal data and grants certain rights to consumers regarding the personal data they provide.

Though it largely mirrors other states’ data privacy laws, the APDPA contains several distinct provisions, some of which may require additional compliance steps for relevant businesses. Notably, the APDPA requires consent for any processing of sensitive information, includes a low applicability threshold and a narrow definition of “sale of personal data,” and incorporates a non-sunsetting right to cure alleged violations of the Act’s provisions.

Applicability Threshold

The APDPA applies to both “controllers” and “processors” of “personal data.” “Personal data” is any information that is linked or reasonably linkable to an identified or identifiable individual; it does not include de-identified or publicly available information, or information about employees and business contacts. A “controller” is an individual or legal entity that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” is an individual or legal entity that processes personal data on behalf of a controller. These definitions track those in other states’ privacy statutes.

The APDPA applies to any controller or processor that conducts business in Alabama or produces products or services targeted to Alabama residents, and that meets either of the following thresholds:

  • Volume: The controller controls, or the processor processes, the personal data of more than 25,000 Alabama residents, excluding personal data controlled or processed solely to complete a payment transaction. Note that this count includes IP addresses collected from visits to a website and personal data that is merely archived or stored in backup copies, so ordinary web server logs and retained backups count toward the threshold.
  • Revenue: The controller or processor derives more than 25% of its gross revenues from the sale of personal data.

The APDPA’s data-volume threshold is the lowest numerical floor among the states’ comprehensive consumer data privacy laws that have one (Texas and Nebraska have no floor), and it is consequently easy to trigger. In addition, unlike other states’ consumer data privacy laws, the Act does not specify a time period (for example, a calendar year) within which the entity must control or process the personal data of that many Alabama consumers.

The Act’s data-revenue threshold is equally broad: the Act states expressly that the number of affected consumers does not bear on its applicability. This contrasts sharply with most other states’ privacy laws, which pair a data-revenue threshold with a minimum number of affected consumers.

Exemptions

In contrast to its wide applicability thresholds, the APDPA enumerates several entity-level and data-level exemptions, some of which are relatively rare among comprehensive privacy laws.

The APDPA expressly exempts two- and four-year institutions of higher education, state government agencies, national securities associations, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates (as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)), and electric providers. The Act also does not apply to small businesses with fewer than 500 employees or non-profits with fewer than 100 employees, unless the business or non-profit sells personal data. The Act even exempts political action committees and political parties, an addition that was heavily debated during Alabama’s 2026 legislative session.

The APDPA follows other states’ legislation by adopting standard data-level exemptions, including Protected Health Information (as such term is defined by HIPAA) and patient-identifying information, information relating to human clinical research subjects, and information protected under federal statutes such as GLBA, the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act (FCA), and the Driver’s Privacy Protection Act. The Act also exempts employee, contractor, business-to-business, and human-resource data.

Sale of Personal Data

The APDPA places several restrictions upon controllers’ ability to “sell” personal data.

Under the Act, “sale of personal data” is defined as the exchange of personal data for monetary consideration or other valuable consideration by a controller to a third party, where the controller receives a material benefit and where the third party is not restricted in its subsequent uses of the personal data.

The APDPA categorically excludes various activities from the definition of “sale.” Unique to the APDPA, disclosure or transfer of data to a third party for purposes of (1) providing analytics services, or (2) providing marketing services solely to the controller, does not constitute a sale of personal data.

This approach differs significantly from that taken in other states such as California, where the disclosure of personal data for analytics and marketing purposes may constitute “selling” or “sharing” subject to additional, potentially burdensome requirements.

Consent for Collection and Use of Sensitive Data

Controllers cannot process sensitive data concerning a consumer without obtaining that consumer’s consent. “Sensitive data” is defined to include such information as racial or ethnic origin, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and known child data. A “known child” is an individual known to be under 13 years of age. Controllers that comply with the verifiable parental consent requirements of the federal Children’s Online Privacy Protection Act of 1998 (COPPA) are deemed compliant with any parental consent obligations regarding known child data under the Act.

Consumer Rights

The rights granted to consumers under the APDPA are consistent with those granted under other states’ data privacy laws. The Act provides that consumers have the right to do any of the following:

  • Confirm whether the controller, processor, or third party acting on the controller’s or processor’s behalf is processing their personal data.
  • Access their personal data under the controller’s control, unless such access requires the controller to reveal a trade secret.
  • Correct inaccuracies in the personal data previously provided, considering the nature of the personal data and the purposes for processing.
  • Delete any personal data previously provided.
  • Obtain a copy of the data that they previously provided in a portable, readily usable format, unless doing so requires the controller to reveal a trade secret.
  • Opt out of the processing of their personal data for the purposes of (1) targeted advertising, (2) sale of their personal data, or (3) profiling in furtherance of solely automated significant decisions concerning the consumer.

The Act’s protections are somewhat narrower than those in other states, including California, Virginia, and Colorado. Unlike those statutes, the APDPA does not create a right to limit further processing of one’s personal data. Nor does it provide a right to appeal a controller’s denial of a request, including a request to opt out of profiling.

Consumers who wish to exercise any of their rights under the APDPA must submit a request to the controller specifying the right they intend to exercise. The controller must respond within 45 days, which it may extend once by an additional 45 days if the complexity of the request reasonably requires more time. The controller must either act on the request and inform the consumer of the action taken, or give the consumer the reason for declining to act.

As in other states’ statutes, the APDPA does not permit controllers to discriminate against a consumer who opts out of processing by denying the consumer a good or service, charging the consumer a different price, or providing the consumer with a different level of quality.

Other Controller Obligations

Controllers have several responsibilities under the APDPA in addition to those listed above.

Controllers must limit their collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which it is processed. They must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of consumers’ personal data. Relatedly, controllers must execute data processing agreements with every processor that receives personal data (as described further below).

Controllers must provide consumers with a reasonably accurate, clear, and meaningful privacy notice similar to those required in other states. For example, it must describe the categories and purposes of personal data processed, the categories of personal data shared with third parties, and the types of third parties with whom the controller shares personal data.

As in other states, controllers must provide effective mechanisms for consumers to revoke consent, including a clear and conspicuous link on the controller’s website to a page that lets consumers opt out of processing of their personal data for targeted advertising or sale. By January 1, 2028, controllers must also honor universal opt-out mechanisms (opt-out preference signals), as other states already require.

Unlike the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and California’s CPPA regulations, for example, the APDPA does not require controllers to conduct data protection impact assessments, the systematic processes used to identify, assess, and mitigate privacy risks associated with processing certain kinds of personal data or certain uses of it.

Processor Obligations

Under the APDPA, processors must follow the controller’s instructions regarding how personal data is processed. Processors must take reasonably practical technical and organizational measures to help controllers comply with the Act, including supporting the controller in responding to consumer rights requests and in relation to notification of breaches of the processor’s security systems.

The APDPA requires that all processing be governed by a contract or data processing agreement between the controller and the processor, similar to the requirements in other states: the agreement must set out clear instructions for processing, the nature and purpose of the processing, the specifics of that processing, and the parties’ respective rights and obligations.

Enforcement

The Alabama Attorney General (AG) holds the exclusive right to enforce violations of the APDPA. The Act does not provide for a private right of action, though it does not expressly prohibit private claims relating to actions in violation of the APDPA.

Before initiating an enforcement action, the AG must give the controller written notice of the alleged violation and allow 45 days from receipt of the notice to cure it. Unlike the cure periods in a number of other states’ privacy laws, the APDPA’s right to cure does not sunset.

If the controller fails to cure the violation within the cure period, the AG may seek injunctive relief and a civil penalty of up to $15,000 per violation. That per-violation cap is twice the amount of comparable penalties in most other states.

Important Dates

May 1, 2027: The APDPA takes effect.

January 1, 2028: Controllers must allow consumers to opt out of processing for purposes of targeted advertising or sale through opt-out preference signals.

Our team will continue to monitor the APDPA. If you have any questions about the APDPA or other states’ data privacy laws and how they could affect your business, please contact the authors.
