BlogLine

Roll Privacy: Alabama enacts comprehensive Privacy Law

4/27/26

Personal Data

By: Jacob Berlinger & Josette Brooksbank

Alabama has joined the growing wave of states regulating consumer data privacy, becoming the 21st state to enact a comprehensive consumer data privacy statute. On April 16, 2026, Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351) (APDPA) into law. The APDPA takes effect on May 1, 2027, and is expected to have significant implications for businesses that collect or process personal data of Alabama customers.

Scope and applicability

The law applies to persons that conduct business in Alabama or that offer products or services targeted to Alabama residents and that either (1) control or process the personal data of more than 25,000 consumers, excluding personal data processed solely to complete a payment transaction, or (2) derive at least 25% of their gross revenue from the sale of personal data, regardless of the number of consumers whose personal data they control or process. These thresholds are relatively low; by comparison, most comprehensive state privacy laws set their primary applicability thresholds at 1,000,000 or more consumers.

Notably, the Act adopts a relatively broad definition of “sale.” A sale is defined as the “exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.”

Who is exempted

The Act provides for three categories of exemptions: Entity Exemptions, Data Exemptions, and a Children’s Data Exemption.

Entity Exemptions apply to businesses with fewer than 500 employees and nonprofit organizations with fewer than 100 employees, provided they do not engage in the sale of personal data. The Act also exempts certain defined political organizations.

Data Exemptions cover information already regulated by federal law as well as human‑resources (“HR”) and business‑to‑business (“B2B”) data. Specifically, the Act excludes HIPAA‑regulated health information, consumer reports governed by the Fair Credit Reporting Act, motor vehicle records protected under the Driver’s Privacy Protection Act, education records covered by FERPA, and data regulated by both the Farm Credit Act and the Airline Deregulation Act.

The Act’s Children’s Data Exemption reflects Alabama’s narrower approach to youth privacy. Alabama defines a “known child” as a consumer under the age of 13 and treats compliance with the Children’s Online Privacy Protection Act (“COPPA”) as sufficient to satisfy parental consent requirements. For consumers ages 13 to 15, consent is required for targeted advertising or the sale of personal data. Unlike Colorado, Connecticut, and Virginia, however, the Alabama Act does not impose additional heightened protections for minors beyond COPPA.

Consumer Rights

The law grants consumers a set of core rights commonly found in comprehensive state privacy statutes. These rights include the ability to (1) correct inaccuracies in the consumer’s personal data; (2) delete personal data about the consumer; (3) obtain a copy of the consumer’s personal data; and (4) opt out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce significant effects concerning the consumer.

Additionally, the law requires controllers to obtain consumer consent before processing “sensitive data,” which is defined relatively narrowly. Sensitive data includes: (1) personal data revealing racial or ethnic origin, religious beliefs, information concerning an individual’s mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; and (4) precise geolocation data.

Enforceability

Enforcement of the law is vested exclusively in the state attorney general. It also includes a 45-day right-to-cure provision, which does not sunset.

Impact on business

If your business is subject to the APDPA, you should take several proactive steps to ensure compliance. These include evaluating current data collection and privacy practices and conducting or updating a data‑mapping exercise to identify what consumer data you collect and process, where that data resides, and how it flows through your organization.

For more information on this topic, you can reach out to Jacob Berlinger at jacob.berlinger@fmglaw.com, Josette Brooksbank at josette.brooksbank@fmglaw.com, or your local FMG attorney.

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.
