Alabama Enacts Nation’s Twenty-First State Comprehensive Privacy Law
Blog WilmerHale Privacy and Cybersecurity Law

On April 16, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (APDPA) into law, making Alabama the twenty-first state to enact a comprehensive privacy law. Alabama is the second state to pass a comprehensive privacy law this year, with Oklahoma passing a comprehensive privacy law last month.

Notably, the APDPA has low applicability thresholds, applying to entities that control or process personal information of more than 25,000 Alabama residents or derive more than 25% of gross revenue from the sale of personal data. However, the law contains a narrow definition of sale and includes standard entity-wide exemptions for entities covered by the Gramm-Leach-Bliley Act (GLBA), as well as both covered entities and business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA). It also includes exemptions for personal data processed in a “commercial” or “employment” context. Additionally, unlike many comprehensive privacy laws, Alabama’s law does not require entities to conduct data protection assessments, and does not include a standalone, explicit requirement to recognize opt-out preference signals (though the bill is somewhat ambiguous on that latter point). Because of these provisions and others, companies that have taken steps to comply with comprehensive privacy law requirements in other states can likely adapt their compliance programs for Alabama, with some modifications.

In this post, we summarize notable provisions of the APDPA and highlight key takeaways for companies looking to understand how this law will affect their privacy compliance obligations. To stay up to date on the latest state privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

  • Low Applicability Thresholds: The APDPA applies to entities that conduct business in Alabama or target products or services to Alabama residents and either: (1) control or process the personal data of more than 25,000 consumers (defined as Alabama residents), “excluding personal data controlled or processed solely for the purpose of completing a payment transaction;” or (2) derive more than 25% of gross revenue from the sale of personal data, “regardless of the number of consumers whose data the person controls or processes.” While most states include a consumer minimum in both applicability thresholds, the APDPA is unique in applying to entities that derive more than 25% of gross revenue from the sale of personal data, “regardless of the number of consumers whose data the person controls or processes.” Furthermore, Alabama’s 25,000-consumer minimum in the first applicability threshold is one of the lowest among state comprehensive privacy laws.
  • Narrowly Defines Sale: The APDPA is similarly unique in its definition of sale, which is limited to exchanges of personal information “for monetary or other valuable consideration,” where “the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” Furthermore, the law’s definition of sale exempts a list of transfers or disclosures made to specific third parties or for certain purposes, including for data analytics or marketing services.
  • Broad Exemptions: While the APDPA has low applicability thresholds, the law exempts HIPAA covered entities, business associates, and protected health information from its scope, as well as financial institutions subject to the GLBA. This is broader than the “information-level” exemption that exists under certain state laws (such as California). Additionally, the APDPA exempts commercial and employment information from its scope, which is consistent with most of the other comprehensive privacy laws (outside of California).
  • No Data Protection Assessment Requirement: Unlike most state comprehensive privacy laws, the APDPA does not require companies to conduct data protection assessments.
  • No Explicit Opt-Out Preference Signal Requirement: The APDPA does not include a standalone, explicit obligation for companies to recognize opt-out preference signals, unlike many recent state comprehensive privacy laws (though the law includes stray references to opt-out preference signals in the context of opt-out decisions conflicting with a consumer’s privacy settings or participation in a company’s rewards program).
  • Business-Friendly Enforcement: The APDPA is generally favorable to businesses from an enforcement perspective, as it does not contain a private right of action, includes a permanent cure period provision, and does not establish rulemaking authority for any state entity.

KEY PROVISIONS

  • Key Definitions
    • Consumer: The APDPA defines “consumer” as Alabama residents and excludes individuals “acting in a commercial or employment context” from its definition of “consumer.”
    • Sale of personal data: The APDPA defines “sale” to include exchanges of personal information “for monetary or other valuable consideration,” where “the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” The law excludes disclosures or transfers of personal data to affiliates, third-party marketing and analytics companies, and processors that process personal data on behalf of the controller, as well as disclosures directed by the consumer or made for the purpose of providing a product or service requested by the consumer, from its definition of sale.
    • Sensitive data: The APDPA defines “sensitive data” to include (a) “data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual's sex life, sexual orientation, or citizenship or immigration status;” (b) “the processing of genetic or biometric data for the purpose of uniquely identifying an individual;” (c) “personal data collected from a known child;” and (d) “precise geolocation data.”
  • Applicability Thresholds: The APDPA applies to entities that conduct business in Alabama or target products or services to Alabama residents and either: (1) control or process the personal data of more than 25,000 consumers, “excluding personal data controlled or processed solely for the purpose of completing a payment transaction;” or (2) derive more than 25% of gross revenue from the sale of personal data, “regardless of the number of consumers whose data the person controls or processes.”
  • Exemptions: The APDPA exempts various entities and information types, including: state entities and state political subdivisions; institutions of higher education; financial institutions and data subject to the GLBA; electric providers subject to the North American Electric Reliability Corporation; HIPAA covered entities, business associates, protected health information, and other information subject to HIPAA; other types of health and medical research-related information; information governed by FCRA, the Driver’s Privacy Protection Act, FERPA, and the Farm Credit Act; and certain employment-related information. The law also exempts political organizations, as well as entities that sell data primarily to political organizations, and small businesses (with fewer than 500 employees) and nonprofit organizations (with fewer than 100 employees) that do not “engage in the sale of personal data.”
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Consumer Data Rights: The APDPA creates a fairly standard set of data rights for consumers, including: (1) the right to confirm whether a controller, or a processor or third party acting on a controller's behalf, is processing or accessing any of the consumer’s personal data under the control of the controller; (2) the right to correct inaccurate personal data; (3) the right to delete personal data; (4) the right to data portability; and (5) the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of “solely automated significant decisions,” with “significant decisions” defined as decisions resulting “in the provision or denial by the controller of credit or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care service, or access to basic necessities such as food or water.”
  • Opt-In for Sensitive Data Processing: The APDPA prohibits controllers from processing sensitive data without obtaining consumers’ consent.
  • Privacy Notices: The APDPA requires controllers to provide consumers with a privacy notice that includes: the categories of personal data processed by the controller; the purposes for such processing; the categories of personal data that the controller shares with third parties; the categories of third parties with which personal data is shared; the controller’s active email address or other mechanism the consumer can use to contact the controller; and a description of how a consumer may exercise their data rights.
    • The APDPA also requires controllers that sell personal data or process personal data for targeted advertising purposes to “clearly and conspicuously disclose” the processing, “as well as the way a consumer may exercise the right to opt out of the processing.”
  • Data Processing Agreements for Processors: The APDPA imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Enforcement and Violations:
    • No private right of action: The APDPA grants the Alabama Attorney General (AG) enforcement authority and is silent on private rights of action.
    • No rulemaking authority: The APDPA does not grant rulemaking authority to the Alabama AG or any other state entity.
    • Cure period: The APDPA requires that the Alabama AG provide entities with a 45-day cure period before initiating an enforcement action. This cure period provision does not sunset.
    • Civil penalties: The APDPA creates civil penalties of up to $15,000 per violation.
  • Effective Date: The APDPA will take effect on May 1, 2027.