Alabama Legislature Passes Comprehensive Data Privacy Bill
On April 7, 2026, the Alabama legislature enacted a comprehensive data privacy bill, positioning Alabama as the 21st state (pending the governor’s signature) to pass such a bill. Sponsored by Rep. Mike Shaw, the “Alabama Personal Data Protection Act” (HB351) takes effect on May 1, 2027. Businesses that collect personal information on consumers should take note, as the law may require adjustments to website disclosures, contracts with vendors and other third parties, and marketing and advertising practices, among other areas. Below is a summary of the key provisions in the bill.
Bill Summary
Applicability: The Act applies to entities that: (1) control or process personal data of more than 25,000 consumers (excluding payment transaction data), or (2) derive more than 25% of gross revenue from the “sale” of personal data. Personal data is defined broadly as any information linked or reasonably linkable to an identified or identifiable individual. Exempt entities include, but are not limited to: state political subdivisions; higher education institutions; financial institutions subject to the Gramm-Leach-Bliley Act; HIPAA-covered entities; businesses with fewer than 500 employees (if not “selling” personal data); nonprofits with fewer than 100 employees (if not “selling” personal data); political action committees, political parties, and principal campaign committees; and electric providers subject to NERC reliability standards.
Consumer Rights: Alabama consumers have the right to: (1) confirm whether their personal data is being processed and access it; (2) correct inaccuracies; (3) delete their personal data; (4) obtain a portable copy of their data; and (5) opt out of targeted advertising, data sales, and profiling for solely automated significant decisions. Controllers must respond to requests within 45 days (with a possible 45-day extension). Parents/guardians may exercise rights on behalf of children under 13.
Controller Obligations: Controllers (i.e., businesses that collect personal information from consumers) must: limit personal data collection to what is adequate, relevant, and reasonably necessary; implement reasonable data security practices; provide a mechanism to revoke consent that is at least as easy as the mechanism to give consent; cease processing after revocation of consent; and publish a privacy notice disclosing data categories processed, processing purposes, third-party sharing, targeted advertising, and consumer rights information. Controllers must obtain consent before processing sensitive data (including racial/ethnic origin, citizenship/immigration status, religious beliefs, health data, sexual orientation, biometric data, precise geolocation, and children’s data). Processing personal data of consumers ages 13-15 for targeted advertising or “sale” requires consent.
Processor Requirements: Processors (i.e., businesses that receive personal information from a controller) must adhere to controller instructions, assist controllers in meeting their obligations (including responding to consumer requests and breach notifications), and enter into binding contracts specifying the details of the processing and the required rights and obligations, including the duty of confidentiality and deletion/return of data at the end of services.
Opt-Out Mechanisms: Controllers must allow opt-out via a clear, conspicuous website link.
Enforcement: The Attorney General has enforcement authority. Before initiating action, the AG must provide a 45-day notice and cure period. Civil penalties may reach $15,000 per violation. The statute does not authorize a private right of action.
Notable Variations from Other State Comprehensive Privacy Laws
Lower Consumer Threshold: Alabama’s 25,000-consumer processing threshold is lower than in some states (e.g., 100,000 in CO, CT, MN, OR, and NJ; 35,000 in DE and MD) and thus potentially captures more mid-sized businesses. However, the 500-employee exemption for businesses that do not “sell” personal data serves to further narrow the scope.
Definition of “Sale”: Typically, state privacy law definitions of “sale” fall into two camps: disclosures to a third party for (a) “monetary” consideration or (b) “monetary or other valuable” consideration. Critics of the former view it as too narrow, allowing for workarounds between parties for non-financial mutual benefit. Critics of the latter view it as too broad, as the legal threshold of “consideration” (see “peppercorn” doctrine of consideration) is so low, broad, and ambiguous as to sweep in legitimate activities and create unintended consequences.
Alabama attempts to split the difference, covering the exchange of personal data for “monetary consideration” or for valuable consideration where the controller received a material benefit and the third party is not restricted in its subsequent use of the personal data. The definition also explicitly excludes disclosures: (a) to a processor processing on behalf of the controller; (b) to a third party for the purpose of providing a product or service requested by the consumer; (c) to a controller affiliate; (d) in which the consumer directs the controller to do so or intentionally uses the controller to interact with a third party; (e) of information that the consumer intentionally made publicly available via a channel of mass media and did not restrict to a specific audience; (f) to a third party as part of a merger, acquisition, or similar transaction; (g) to a third party for the purpose of providing analytics; or (h) to a third party for the purpose of providing marketing services solely to the controller. This may serve to limit unintended consequences but could still capture targeted advertising and other activities where the adtech processors’ terms allow them to store and reuse the personal data outside the scope of the services rendered to the controller.
No Universal Opt-Out Signal Requirement: Unlike California, Colorado, Connecticut, and several more recent state laws, the law does not require controllers to honor universal opt-out preference signals, such as the Global Privacy Control signal.
No Data Protection Assessment Requirement: Alabama does not require controllers to conduct data protection assessments for high-risk processing activities, unlike California, Colorado, Connecticut, Virginia, and most other comprehensive state privacy laws.
Generous Cure Period: The permanent 45-day cure period aligns with the permanent cure periods of Virginia (30 days) and some other states, but contrasts with California (no cure period) and other states whose temporary cure periods have expired due to sunset provisions.
Small Business Exemptions: The exemption for businesses under 500 employees (when not “selling” data) is notably broader than most state laws, which typically lack employee-count exemptions and rely solely on revenue or consumer thresholds.
Nonprofit Exemption: 12 state privacy laws fully exempt nonprofits. Other states have no nonprofit exemption, although their consumer thresholds would still apply. Alabama’s law is unusual in that it exempts nonprofits with fewer than 100 employees (if not “selling” personal data).
Ages 13-15 Consent: Alabama requires consent for targeted advertising or “sales” of personal data of consumers ages 13-15, aligning with California and Connecticut but differing from those states without specific teen protections.
For a more in-depth discussion of this legislation and how to approach compliance, please contact Brandon N. Robinson, Danielle Cotter, or another member of our Cybersecurity, Privacy and Emerging Technologies team.
About Maynard Nexsen
Maynard Nexsen is a nationally ranked, full-service law firm with more than 600 attorneys nationwide, representing public and private clients across diverse industries. The firm fosters entrepreneurial growth and delivers innovative, high-quality legal solutions to support client success.