Alabama sends consumer privacy bill to governor

Overview


On April 8, 2026, Alabama’s legislature passed House Bill 351, the Alabama Personal Data Protection Act (the APDPA), which now goes to Alabama’s governor, Kay Ivey, for signature. If signed, the law will take effect May 1, 2027.

The APDPA has a very low applicability threshold compared to other state privacy laws and departs in places from the standard Virginia and Connecticut models. Companies, including larger nonprofits, should therefore evaluate whether the APDPA applies to them and prepare for it to come into effect.

In Depth


Who does the APDPA apply to?

The APDPA applies to a controller or processor that conducts business in Alabama or produces products or services that are targeted to Alabama residents and meets either of the following criteria:

  • It controls or processes the personal data of more than 25,000 consumers (excluding information processed solely to complete a payment transaction).
  • It derives more than 25% of gross revenue from the sale of personal data.

Key to these thresholds is that the APDPA is not limited to for-profit companies. While there is an exemption for smaller for-profit businesses and smaller nonprofits (discussed below), the APDPA will apply to larger nonprofit organizations.

Who is a consumer?

The definition of “consumer” in the APDPA aligns with the majority of other state consumer privacy laws.

A “consumer” is “an individual who is a resident of [Alabama].” However, the term does not include individuals acting in a commercial or employment context.

What is personal data?

Similarly, there are no surprises in the definition of “personal data.”

Personal data in the APDPA is “any information that is linked or reasonably linkable to an identified or identifiable individual.” The term does not include deidentified data or publicly available information.

What is sensitive data?

Following the narrower state consumer privacy law definitions of sensitive data, the APDPA defines “sensitive data” as:

  • Data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  • Personal data collected from a known child; and
  • Precise geolocation data.

As in some of the newer state consumer privacy laws, “precise geolocation data” is defined as “information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates, which directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.”

Who can enforce the APDPA?

Alabama’s attorney general has exclusive enforcement authority. Prior to initiating an action for a violation, the attorney general must provide a notice of violation to the controller and give the controller 45 days to cure the alleged violation. To cure the violation, the controller must correct the violation and provide the attorney general an “express written statement” that the violation has been corrected and that no such further violations will occur. If the controller fails to do so, the attorney general may bring an action for an injunction and assess a civil penalty of up to $15,000 per violation.

Who is exempt?

The bill exempts the usual entity types, but its list of exempt entities and data types is longer than in other state consumer privacy laws. This is yet another reason that companies should review the APDPA to assess its applicability.

Perhaps the most notable of these new exemptions are for-profit entities with fewer than 500 employees and nonprofit entities with fewer than 100 employees, as long as those entities do not sell personal data.

There is also an interesting carveout specifically for artificial intelligence models: They are exempt as long as they do not contain and cannot be used to extract personal data.

At the entity level, some of the standard exemptions in the APDPA include state political subdivisions, financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), and institutions of higher education, among others.

At the data level, exemptions include, but are not limited to, protected health information and other information regulated under HIPAA, consumer information protected by the Fair Credit Reporting Act, and information regulated under the Driver’s Privacy Protection Act.

What obligations are imposed?

The APDPA imposes controller obligations that largely mirror what we have seen in other states, with a few wrinkles. The obligations include requirements to:

  • “Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed”;
  • “Establish, implement, and maintain reasonable administrative, technical, and physical data security practices”;
  • Prohibit processing personal data in violation of the laws that prohibit unlawful discrimination against consumers and refrain from discriminating against consumers that exercise their rights;
  • “Provide an effective mechanism for a consumer to revoke the consumer’s consent”;
  • Process sensitive data only with consent of the consumer;
  • Provide a clear privacy notice explaining how the company processes information and how consumers can exercise their rights; and
  • Recognize Global Privacy Control (GPC) signals as of January 1, 2028, for the online opt-out of targeted advertising.

The APDPA does not require data protection impact assessments of any kind.
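The GPC obligation in the list above is the one item a web team can wire up directly. The following is an added example, not text or code from the bill, this article, or any vendor. It follows the Global Privacy Control specification: a browser with GPC enabled sends a `Sec-GPC` request header whose only defined value is `1`, and a site may publish `/.well-known/gpc.json` to declare that it honors the signal. The `stored_opt_out` flag (a preference the controller recorded from a web-form opt-out) and the sample request headers are assumed and constructed for illustration.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal on the server side."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Mapping

# Header name defined by the GPC specification. HTTP header names are
# case-insensitive, so matching below lowercases the incoming name.
GPC_HEADER = "sec-gpc"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries a valid GPC opt-out signal.

    The specification defines a single meaningful value, "1". Any other
    value ("0", "true", an empty string) is not an opt-out and is treated
    as no signal rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class ProcessingDecision:
    """Which opt-out-eligible processing this request may be used for."""
    targeted_advertising: bool
    sale_of_personal_data: bool
    reason: str


def decide_processing(headers: Mapping[str, str], stored_opt_out: bool) -> ProcessingDecision:
    """Combine the consumer's recorded opt-out with the GPC signal on this request.

    `stored_opt_out` is a hypothetical flag from the controller's own
    preference store (an opt-out submitted through a web form, say).
    Either source alone is sufficient: a GPC signal is never overridden
    by a missing or stale stored preference.
    """
    if stored_opt_out:
        reason = "stored opt-out"
    elif gpc_signal_present(headers):
        reason = "GPC signal"
    else:
        return ProcessingDecision(True, True, "no opt-out")
    return ProcessingDecision(False, False, reason)


def gpc_well_known_body(last_update: str) -> str:
    """JSON body for /.well-known/gpc.json, the resource the GPC spec uses
    for a site to declare that it honors the signal. `last_update` is the
    ISO date (YYYY-MM-DD) on which that declaration last changed."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample request headers, not captured traffic.
    samples = {
        "browser with GPC enabled": {"Host": "example.com", "Sec-GPC": "1"},
        "lowercase header name": {"host": "example.com", "sec-gpc": "1"},
        "undefined value": {"Sec-GPC": "0"},
        "no header": {"Host": "example.com"},
    }
    for label, hdrs in samples.items():
        d = decide_processing(hdrs, stored_opt_out=False)
        print(f"{label:26s} targeted ads={d.targeted_advertising!s:5} "
              f"sale={d.sale_of_personal_data!s:5} ({d.reason})")
    print(gpc_well_known_body("2027-05-01"))
```

The decision is deliberately not gated on the statutory date: January 1, 2028 is the date by which the APDPA requires recognition, but nothing stops a controller from honoring the signal earlier, and one code path for all jurisdictions is simpler to audit than per-state switches. The check keys only on the header; the browser-side `navigator.globalPrivacyControl` property exists for scripts but the server cannot rely on it.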

What consumer rights are created by the APDPA?

Like other state privacy laws, the APDPA gives consumers certain rights, with respect to their personal data, to:

  • Confirm whether a controller is processing their personal data and access any such data under the control of the controller (unless doing so would reveal a trade secret);
  • Correct inaccuracies in their personal data;
  • Direct the controller to delete their personal data;
  • Obtain a portable copy of their personal data (unless doing so would reveal a trade secret); and
  • Opt out of their personal data being processed for targeted advertising, sale, or profiling in furtherance of solely automated significant decisions.

Significantly, there is no right to appeal a denial of a consumer-rights request under the APDPA.

Response to consumer requests

Controllers must respond to an authenticated consumer request within 45 days after receipt, with one additional 45-day extension available upon notice to the consumer when reasonably necessary due to the complexity and number of requests. If a controller declines to act, it must explain the basis for the denial within the initial 45-day period. Responses must be provided free of charge up to once annually per consumer, and controllers may respond to manifestly unfounded, excessive, technically infeasible, or repetitive requests by charging the consumer a reasonable fee or denying the request. The bill also provides a specific compliance pathway for deletion requests when the controller obtained the personal data from a source other than the consumer.

When does the APDPA take effect?

If signed into law, the APDPA will go into effect May 1, 2027.

* * *

The state privacy law landscape continues to become more complex as each new omnibus law is introduced. If the APDPA is signed into law, organizations should review applicability, consumer-rights workflows, notices, controller-processor contracts, sensitive-data consent flows, and assessment practices to determine whether targeted Alabama updates are warranted. If you have questions or need assistance with readiness work for new state consumer privacy laws, please contact your regular McDermott lawyer.