Alabama Enacts Comprehensive Consumer Data Privacy Law
On April 17, 2026, Governor Kay Ivey signed House Bill 351 into law, enacting the Alabama Personal Data Protection Act (the "APDPA" or the "Act") and making Alabama the 22nd state to adopt a comprehensive consumer privacy law. The APDPA, which takes effect on May 1, 2027, largely follows the dominant model for state privacy legislation observed in states outside of California; however, it departs from that model in several notable respects, including generally lower applicability thresholds, a novel definition of "sale," and the absence of a data protection assessment requirement. For more information about how the APDPA compares to other privacy laws, please see our state privacy law tracker.
Who is Covered?
The APDPA applies to persons that conduct business in Alabama, or that target products or services to Alabama residents, and that meet either of the following thresholds: (1) controlling or processing the personal data of more than 25,000 Alabama consumers (excluding personal data processed solely to complete a payment transaction); or (2) deriving more than 25% of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.
Entity-Level Exemptions
A number of entities are exempt from the APDPA, including the following:
- Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act (“GLBA”);
- Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
- State agencies and political subdivisions of Alabama;
- Institutions of higher education and their affiliates;
- National securities associations registered under federal law;
- Small businesses with fewer than 500 employees that do not sell personal data; and
- Non-profit organizations with fewer than 100 employees that do not sell personal data.
In addition to these entity-level exemptions, the APDPA provides certain data-level exemptions, including, inter alia, data subject to the GLBA, protected health information under HIPAA, data regulated by the Fair Credit Reporting Act, data regulated by the Family Educational Rights and Privacy Act, employee and job applicant data, and data of individuals acting in a commercial context (e.g., business contact information).
Consumer Rights
The APDPA provides Alabama residents with the following suite of privacy rights, generally consistent with the rights offered under other US state privacy laws:
- Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data.
- Right to Correction: Consumers may request correction of inaccuracies in their personal data.
- Right to Deletion: Consumers may request deletion of their personal data.
- Right to Data Portability: Consumers may request a copy of their personal data in a portable format.
- Right to Opt Out of Targeted Advertising, Sale, and Profiling: Consumers may opt out of the processing of their personal data for purposes of targeted advertising, sale of their personal data, or profiling in furtherance of solely automated significant decisions concerning a consumer. Unlike other state comprehensive consumer privacy laws, the definition of “sale” excludes the disclosure of personal data to a third party for the purposes of providing analytics services and marketing services solely to the controller.
Notably, the APDPA does not provide consumers with a right to appeal a controller's decision regarding a privacy request, departing from the majority of state comprehensive consumer privacy laws.
Internal Business Obligations
The APDPA imposes several business obligations on controllers:
- Privacy Notice Requirements: Controllers must provide consumers with a reasonably accurate, clear, and meaningful privacy notice.
- Data Minimization and Purpose Limitation: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed. Controllers are prohibited from processing personal data for purposes that are not reasonably necessary to, or compatible with, the disclosed purposes.
- Data Security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Sensitive Personal Data: The APDPA prohibits controllers from processing sensitive data without first obtaining the consumer's consent. “Sensitive data” includes data revealing racial or ethnic origin, citizenship or immigration status, religious beliefs, health condition or diagnosis, sex life or sexual orientation, genetic or biometric data used to identify an individual, and precise geolocation data. Personal data collected from a known child under the age of 13 is also treated as sensitive data and must be processed in accordance with the federal Children's Online Privacy Protection Act (“COPPA”). For consumers whom the controller has actual knowledge are at least 13 years of age but younger than 16, the controller must obtain affirmative opt-in consent before processing their personal data for targeted advertising or selling their personal data.
Unlike the majority of state comprehensive consumer privacy laws, the APDPA does not require controllers to conduct data protection assessments for processing activities that pose a heightened risk of harm.
Enforcement and Penalties
The Alabama Attorney General has exclusive authority to enforce the APDPA, and the APDPA does not provide a private right of action.
Before initiating an enforcement action, the Attorney General must issue a notice of the alleged violation and provide the controller with a mandatory 45-day right-to-cure period. If the controller fails to cure the violation within that period, the Attorney General may bring an action in court, and a court may impose civil penalties of up to $15,000 per violation, a higher cap than most other state comprehensive consumer privacy laws. Unlike most other state comprehensive consumer privacy laws, the APDPA does not specify that the cure period will sunset after a defined period of time.
Key Takeaways
- Assess applicability carefully. The APDPA's 25,000-consumer processing threshold is relatively low compared to other state comprehensive consumer privacy laws, meaning that even businesses with a limited footprint in the state may fall within its scope.
- Evaluate the small business exemption. Businesses with fewer than 500 employees and nonprofits with fewer than 100 employees are exempt only if they do not engage in the sale of personal data.
- Understand the novel definition of "sale." The APDPA's definition of "sale" is narrower in some respects than that of other state privacy laws because it excludes disclosures made solely for providing analytics or marketing services to the controller.
- Review and update privacy policy. Ensure that Alabama is included within your privacy policy’s scope and that the APDPA-specific requirements are addressed, including the categories of personal data processed, processing purposes, third-party sharing, targeted advertising practices, and consumer rights.
- Provide a clear opt-out mechanism on your website. The APDPA requires a clear and conspicuous link on the controller's website enabling consumers to opt out of targeted advertising and the sale of personal data.
- Obtain consent for sensitive data processing. Ensure that affirmative consent is obtained before processing any sensitive data, including data from known children under 13 (in accordance with COPPA) and, where the controller has actual knowledge, from teenagers aged 13 to 16 for targeted advertising or data sales.