The Alabama Personal Data Protection Act (“APDPA”) was signed into law on April 17, 2026. The APDPA will go into effect on May 1, 2027. Alabama brings the total number of state consumer privacy laws to 23.
OVERVIEW
While the APDPA largely mirrors other states’ data privacy laws, especially the Virginia law, the APDPA contains several distinct provisions, some of which may require additional compliance steps for relevant businesses. Significantly, the APDPA requires affirmative consent for any processing of sensitive information, it includes a low applicability threshold and a narrow definition of “sale of personal data,” and it contains a permanent right for a business to cure alleged violations of the Act’s provisions.
KEY PROVISIONS
Applicability Threshold
The APDPA applies to controllers and processors that conduct business in Alabama or produce a product or service targeted to Alabama residents, and either 1) control or process personal data of at least 25,000 Alabama consumers (excluding personal data used solely to process a payment transaction) or 2) derive more than 25% of its gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.
Exemptions
Exempt from the APDPA are state agencies or political subdivisions, or service providers processing data on their behalf; financial institutions, affiliates, as well as data subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”); covered entities or business associates covered by the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA) as well as individual personal health information under HIPAA; nonprofit organizations with fewer than 100 employees that do not sell any personal data; institutions of higher education (both 2-year and 4-year degree institutions); registered national securities associations; and small businesses with fewer than 500 employees that do not sell any personal data.[1]
In addition to these entity-level exemptions, the APDPA provides certain data-level exemptions, including data regulated by the Fair Credit Reporting Act, data regulated by the Farm Credit Act, and data regulated by the Family Educational Rights and Privacy Act. Significantly, the Act also exempts employee, contractor, and human-resource data, and data of individuals acting in a commercial B2B context (e.g., business contact information).
Consumer Rights
The APDPA grants consumers the right to know what data is being collected and processed, and to access, correct, and request deletion of their data. Provisions facilitate data portability and grant opt-out rights with respect to sale of their data to unaffiliated third parties, targeted advertising, and profiling. Consumers are protected from unlawful discrimination resulting from processing of their data. However, unlike some states’ privacy legislation, the APDPA does not guarantee consumers the right to learn the third parties to whom their personally-identifiable information (PII) was disclosed, or to revoke consent once given. Notably, unlike the laws in California, Virginia, or Colorado, the APDPA does not create a right to limit further processing of one’s personal data, nor does it provide a right to appeal a controller’s denial of a consumer’s request, including requests pursuant to a consumer’s right to opt out of profiling.
Non-retaliation: A controller is prohibited from denying goods or services or providing a different level of quality for goods or services to a consumer in response to a consumer exercising an opt-out right, subject to exceptions (e.g., if the data is necessary to providing a service or the data is processed in connection with a bona fide loyalty program). The law separately provides that, if a controller responds to a consumer opt-out request by informing the consumer of a charge for using a product or service, the controller must present the terms of any financial incentive for the retention, use, or disclosure of the consumer’s personal data.
Otherwise, a controller must allow a consumer to opt out of the processing of his/her personal data for purposes of targeted advertising, sale of their personal data, or for profiling in furtherance of solely automated significant decisions concerning a consumer. Unlike most other state privacy laws, the APDPA does not require a controller to recognize universal opt-out preference signals.
Under the APDPA, the term “sale of personal data” is defined as the exchange of personal data for monetary consideration or other valuable consideration by a controller to a third party, where the controller receives a “material benefit” and where the third party is not restricted in its subsequent uses of the personal data. However, unique to the APDPA, disclosure or transfer of data to a third party for purposes of (1) providing analytics services, or (2) providing marketing services solely to the controller, does NOT constitute a sale of personal data. The practical effect of the material benefit provision is that exchanges of personal data for modest or indirect value may fall outside the definition, whereas under broader statutes (e.g., California), those same transfers could still qualify as a sale. Likewise, if the disclosure of personal data is restricted in its subsequent uses, the disclosure may not be considered a sale for purposes of the APDPA even if a material benefit is provided.
This list of consumer rights, including the opt-out right, does not apply to data that the controller has de-identified if the controller is able to demonstrate that information necessary to re-identify the consumer is kept separately and subject to effective technical and organizational controls that prevent the controller from accessing the information and commits that it will not attempt to re-identify the information.
Data Protection Assessments
Significantly, unlike Virginia, Colorado, California, and Oklahoma, the APDPA does not require a controller to conduct data protection impact assessments, which are systematic processes to identify, assess, and mitigate privacy risks associated with processing activities for certain kinds of personal data or their uses, especially used for sensitive data and for targeted advertising.
Data Minimization and Data Security
Adopting language close to that in Maryland, the APDPA requires that a controller must limit its collection of personal data to what is “adequate, relevant, and reasonably necessary” relative to the purposes for which the personal data is processed. A controller also is prohibited from processing personal data for purposes that are not reasonably necessary to, or compatible with, the purposes the controller has disclosed in its notice for which the personal data was originally collected.
In addition, a controller must also establish, implement, and maintain “reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of consumers’ personal data.” In the same vein, a controller must execute data processing agreements with all service provider processors with which it shares personal data, setting forth the obligations.
Privacy Notice
A controller must provide a “reasonably accurate, clear, and meaningful” privacy notice that includes the categories of personal data processed by the controller, including describing the categories and purposes of personal data processed, the categories of personal data shared with third parties, and the types of third parties with whom the controller shares personal data.
Consent and Sensitive Data
A controller is prohibited from processing a consumer’s sensitive data without first obtaining that consumer’s affirmative consent. If the controller knows the consumer is a child under the age of 13, it may only process the data in accordance with the federal Children’s Online Privacy Protection Act of 1998 (COPPA) and where the controller has actual knowledge that an individual is aged 13 to 16, it must obtain affirmative consent for targeted advertising or data sales.
Sensitive Data is defined as personal data that includes any of the following:
- Data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying an individual;
- Personal data collected from a known child; and
- Precise geolocation data.
Enforcement
The state Attorney General has sole enforcement authority. There is no private right of action. If the AG determines that a violation has occurred, it is required to give notice to the controller, who has forty-five (45) days to cure the violation. Unique to Alabama, the right to cure under the APDPA does not sunset.
If the controller fails to cure its violation during the cure period, the AG may pursue injunctive relief and a civil penalty of up to $15,000 per violation. The per violation cap is twice as much as similar penalties in most other states.
CONCLUSION
While the APDPA adds another piece to the patchwork of U.S. state privacy laws, it is probably more business‑friendly than many comparable statutes, based on the following features:
- Broad exemptions for small businesses and certain nonprofits;
- A permanent cure period before enforcement actions are taken;
- No private right of action;
- No need for data protection assessments; and
- Alignment with common privacy compliance frameworks, allowing many companies to leverage existing compliance efforts.
Thus, an organization that already complies with other existing state privacy laws may find that relatively modest adjustments are needed to address APDPA‑specific requirements. Nevertheless, a business that collects or processes personal data from Alabama residents should determine whether they meet Alabama’s applicability thresholds and whether an applicable exemption applies and review its privacy programs and contractual arrangements ahead of the May 1, 2027, effective date.
For those who have questions about the Alabama law or privacy laws in general, please contact Alan Thiemann at athiemann@conleyrose.com.
[1] The APDPA exemption for small businesses is much easier to apply than the exemptions in Texas, Nebraska, and Minnesota, which each use the U.S. Small Business Administration definition that varies based on industry—and those states do allow small businesses to sell sensitive data with a consumer’s consent.