Alabama Personal Data Protection Act (APDPA): Everything you need to know

Published 5/21/2026

by Patrick Austin
Summary

On April 16, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (APDPA) into law. This makes Alabama one of the 22 states to enact a comprehensive consumer privacy law. The APDPA is scheduled to take effect on May 1, 2027, giving businesses some time to assess their compliance obligations and update their data collection and processing practices. 

The Alabama law generally aligns with the “Virginia model” of data privacy regulation made famous by the Virginia Consumer Data Protection Act and largely mirrored in other states such as Indiana, Tennessee, and Minnesota. Nevertheless, the APDPA includes several notable distinctions in scope and applicability that merit close attention from covered businesses. 

Didomi outlines the APDPA’s key provisions, including who the law applies to, how it differs from other state data privacy regulations, what businesses must do to comply, what rights are afforded to Alabama residents, and what penalties may be imposed for non-compliance. We also provide guidance on core compliance obligations that Alabama businesses should be prepared to meet in 2027. 

Alabama Personal Data Protection Act: General overview

Who does the Alabama data privacy law apply to?

The APDPA applies to persons who conduct business in Alabama or produce products or services targeted to Alabama residents, provided they meet at least one of two thresholds. Specifically, a covered company must either: 

  1. control or process the personal data of more than 25,000 consumers, excluding data processed solely to complete a payment transaction; or 
  2. derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data is involved.

The 25,000-consumer processing threshold is notable because it is among the lowest numerical floors of any comprehensive state privacy law in the United States. By comparison, several states use thresholds of 100,000 consumers or higher. In practice, this means that a covered company will only need to process data on roughly 0.48 percent of Alabama's population to fall within the APDPA’s jurisdictional orbit. 

At the same time, the APDPA includes meaningful exemptions that limit its reach. Small businesses with fewer than 500 employees are exempt, as are nonprofit organizations with fewer than 100 employees, provided neither engages in the sale of personal data. These carve-outs may significantly reduce the compliance burden for smaller entities, even where the numerical threshold would otherwise be met.

Exempted entities

Like many other state consumer data privacy laws, the APDPA exempts a broad set of entities and data categories from its requirements. On the entity side, the following are exempt from complying with the Alabama law:

  • Businesses with fewer than 500 employees, as long as the small business does not engage in the sale of personal data.
  • Nonprofits with fewer than 100 employees, as long as the entity does not engage in the sale of personal data.
  • Trade associations authorized to receive certain records from state insurance regulators.
  • Political subdivisions of the state, or any board, authority, district, or public corporation.
  • Certain political action committees, political parties, or principal campaign committees, and political organizations.
  • Higher education institutions.
  • National registered securities associations.
  • Certain federally regulated financial institutions and their affiliates.
  • HIPAA covered entities and business associates.
  • Electric providers that are subject to national reliability standards.

Exempted data

On the data side, the APDPA exempts protected health information regulated under HIPAA, consumer report data under the Fair Credit Reporting Act, records governed by the Driver's Privacy Protection Act and the Family Educational Rights and Privacy Act (FERPA), and data processed under the Airline Deregulation Act and the Farm Credit Act. 

Consistent with most other state consumer data privacy laws, the APDPA also exempts employee, applicant, and contractor data, meaning the California Consumer Privacy Act (CCPA) remains the only state law to extend privacy rights to workers and job applicants.

What do covered companies have to do to comply with the Alabama data privacy law?

At its structural core, the APDPA adopts the controller-processor framework, which is standard across states that have embraced the Virginia model of data privacy regulation. Controllers, which are covered companies that determine the purposes and means of processing personal data, bear the primary compliance burden. 

Processors, typically vendors and other third-party companies that handle data on behalf of controllers, are subject to more limited duties and must adhere to the controller's instructions under a written data processing agreement.

Controller compliance obligations

Covered companies are subject to several affirmative obligations. They must limit data collection to what is "adequate, relevant, and necessary" for the disclosed purposes of processing. They must establish and maintain reasonable administrative, technical, and physical data security practices proportionate to the volume and sensitivity of the data involved. 

They are prohibited from processing data for purposes incompatible with the purposes disclosed to the consumer, and they may not process sensitive personal data without first obtaining the consumer's consent.

The APDPA also requires controllers to establish a mechanism for revoking consent, and that mechanism must be at least as easy to use as the mechanism used to provide consent. If a consumer revokes their consent, controllers must halt processing of that consumer's personal data as soon as practicable, and no later than 45 days after complying with a valid opt-out request.

Controllers must also provide consumers with a clear and reasonably accessible privacy notice disclosing the categories of data collected, the purposes for processing, how consumers may exercise their rights, and whether data is shared with third parties.

Processor compliance obligations

Under the APDPA, processors must follow the controller's instructions regarding data processing and assist in meeting the controller's statutory obligations under the law. 

Controller-processor agreements must be in writing and must set forth the following: 

  • The types of data that will be processed
  • The duration of processing activities
  • The rights and obligations of both the controller and processor 
  • Specific instructions for processing data
  • The nature and purpose of processing

In addition, the controller-processor agreement must require processors to do the following:

  • Ensure that each individual responsible for processing personal data is subject to a duty of confidentiality
  • Delete or return personal data to the controller at the controller's direction at the end of service
  • Provide compliance documentation to the controller, upon request

What rights do Alabama consumers have under the APDPA? 

The APDPA grants Alabama consumers a standard suite of privacy rights that are broadly consistent with other states that have adopted the Virginia model of data privacy regulation. Specifically, Alabama consumers have the right to: 

  • Request confirmation of whether a controller, or any processor or third party acting on the controller's behalf, is processing or accessing their personal data
  • Request access to their personal data
  • Request correction of any inaccuracies
  • Request deletion of their personal data
  • Request a portable copy of data they have provided to the company
  • Request to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or automated profiling that makes important decisions about them, such as decisions affecting their credit, housing, insurance, employment, or healthcare

Responding to consumer requests

Companies must respond to consumer requests within 45 days, with the ability to extend that period by an additional 45 days if reasonably necessary. 

Parents, guardians, and conservators have the ability to exercise rights on behalf of the people they represent. For example, parents and legal guardians may submit a request on behalf of a known child, while guardians or conservators may submit a request on behalf of an adult consumer.

What can happen if an Alabama business fails to comply with the APDPA?

If a company is alleged to have violated the APDPA, an enforcement action may only be brought by the Alabama Attorney General’s Office. This means there is no private right of action under the APDPA. In addition, there is no independent regulatory agency dedicated to privacy enforcement. 

45-day cure period

Before initiating any enforcement action, the Attorney General must issue a notice of violation to the relevant controller, which then has 45 days to cure the violation and provide a written statement confirming that no further violations will occur. If the controller successfully cures the violation, no action may be brought. 

The 45-day cure provision has no sunset date, meaning Alabama businesses will retain the opportunity to remediate without litigation for the foreseeable future.

Monetary penalty for non-compliance

If a violation is not cured, the Attorney General may pursue litigation, and courts may assess civil penalties of up to $15,000 per violation. This penalty cap is notably higher than those in several peer state laws, which commonly cap penalties at $7,500 per intentional violation. 

How the APDPA is different from other state consumer data privacy laws

As mentioned earlier, the APDPA contains unique provisions that set it apart from the data privacy herd in the U.S. Notable “outlier” provisions are highlighted below.

No requirement to conduct data protection impact assessments

Unlike the consumer data privacy laws in Virginia, Colorado, Connecticut, and many other states, Alabama does not require covered businesses to conduct data protection impact assessments (DPIAs) for high-risk data processing activities. This is expected to materially reduce the compliance burden for covered companies operating in Alabama.

Narrower definition of "sale"

The APDPA limits the definition of a "sale of personal data" to situations where the controller receives a material benefit, and the recipient has unrestricted subsequent use of the data. 

Additionally, the law creates two unique exclusions from the definition of a sale: disclosures to third parties for the purpose of providing analytics services to the controller, and disclosures for marketing services rendered solely on the controller's behalf. These carve-outs may reduce the scope of opt-out obligations for some businesses, particularly smaller companies that have not previously had to comply with other state privacy regimes.

Limited protections for children's data

The APDPA defines a "known child" consistent with the federal Children's Online Privacy Protection Act (COPPA), meaning a child under the age of 13. Controllers that comply with COPPA's verifiable parental consent requirements are deemed compliant with any parental consent obligation under the APDPA. 

The Alabama law requires consent to process the data of consumers between the ages of 13 and 16 for targeted advertising or sale, but does not extend heightened protections to minors under the age of 18. 

States such as Colorado, Connecticut, and Virginia have recently amended their laws to provide enhanced protections for older minors, and Alabama's more limited approach is a notable divergence.

Compliance considerations for covered businesses

Generally speaking, a company that already complies with comprehensive consumer data privacy laws in Virginia, Colorado, Connecticut, or other states will likely find that Alabama's requirements are largely compatible with its existing programs. The APDPA's absence of a DPIA requirement and its narrower definition of "sale" may actually make it less demanding in certain respects than some peer laws. 

However, the law's lower applicability threshold means that businesses not previously subject to any state privacy law may find themselves covered for the first time and facing a significant compliance burden.

Businesses that may fall within the APDPA's scope should consider taking specific steps before the May 1, 2027, effective date. Those steps include the following:

Determine applicability

Given the APDPA's relatively low 25,000-consumer processing threshold, businesses that have not previously been subject to state privacy laws should carefully assess whether their data processing activities meet this threshold. 

The revenue-based threshold, which is only 25 percent of gross revenue from the sale of personal data, may also capture entities that do not cross the volume threshold.

Review and update privacy notices

Covered companies must provide consumers with a clear privacy notice meeting the APDPA's disclosure requirements. Businesses should review their existing notices for adequacy and update them to address any gaps.

Assess data processing agreements

Controllers must ensure that any processors handling personal data on their behalf are operating under a compliant written contract that addresses the obligations and restrictions imposed by the APDPA.

How can Didomi help businesses comply with the Alabama Personal Data Protection Act?

The APDPA will require businesses operating in Alabama, or serving Alabama residents, to satisfy an array of new compliance obligations. Specific provisions of the APDPA warrant targeted attention from compliance teams, including the law's relatively low applicability threshold, its narrower definition of "sale," and its high per-violation penalty cap. 

Legal and compliance teams should consider auditing data inventories against the APDPA's consumer thresholds, reviewing privacy notices for Alabama-specific disclosures, and confirming that consumer request workflows are configured to handle Alabama residents when the law goes into effect.

Keeping up with the pace and scope of these new data privacy regulations can add compliance complexity and risk to your business operations. Learn more about our multi-regulation Consent Management Platform (CMP), which covers privacy laws and regimes in the U.S. and worldwide, and discuss your challenges with one of our experts.

Alabama Data Privacy Law: Frequently Asked Questions (FAQs)

When will the APDPA go into effect?

The Alabama data privacy law will go into effect on May 1, 2027. This means covered companies have some time to get their privacy compliance program in order and ready to meet the obligations imposed by the APDPA. 

Is there a private right of action under the Alabama law?

No. Alabama residents cannot sue a company for alleged violations of the APDPA. Enforcement authority is exclusively granted to the Alabama Attorney General’s Office. 

How does the Alabama data privacy law treat sensitive data?

The scope of sensitive data in the Alabama law tracks closely with other state consumer data privacy laws, including the privacy laws in Virginia, Utah, and Nebraska, among others. Specifically, the term "sensitive data" includes the following types of personal data under the APDPA:

  • Personal data collected from a known child
  • Precise geolocation data (within a radius of 1,750 feet)
  • Data that reveals an individual’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify an individual

Are Alabama companies afforded a period of time to correct an alleged compliance violation of the APDPA?

Yes. The Alabama data privacy law contains a 45-day “cure period” during which companies can take corrective steps to address an alleged violation before the Alabama Attorney General’s Office can initiate an enforcement action.

The author

Patrick Austin
Cybersecurity & Data Privacy Counsel at Woods Rogers
U.S.-based data privacy attorney and Certified Information Privacy Professional (CIPP/US, CIPP/E, CIPM)