
Alabama’s 2026 Personal Data Protection Act

Alabama is joining many other states with its own data privacy and protection act. On April 16, 2026, Alabama Governor Kay Ivey signed House Bill 351 (HB351) into law, creating the Alabama Personal Data Protection Act (APDPA).

What’s in the Alabama Personal Data Protection Act?

We will go into more detail below, but in short, the APDPA sets clearer boundaries for businesses that deal with the personal data of Alabama consumers and grants consumers firmer data privacy rights, similar to other comprehensive state-level data privacy laws.

Who does the APDPA apply to?

Businesses regulated by the APDPA fall into two main categories: controllers and processors. A controller is defined as an “individual or legal entity that, alone or jointly with others, determines the purposes and means of processing personal data.” A processor is defined as “an individual or legal entity that processes personal data on behalf of a controller.”

The APDPA applies to entities that:

  • Conduct business in Alabama or produce products or services targeted to Alabama residents, and:
    • Control or process personal data of more than 25,000 consumers (excluding data used solely for payment transactions), OR
    • Derive 25% or more of gross revenue from the sale of personal data, regardless of the number of consumers affected.

Exemptions

The law contains some entity- and data-level exemptions, such as exempting GLBA-regulated financial institutions and data, as well as HIPAA-covered entities and personal health information. The law exempts nonprofits with fewer than 100 employees and businesses with fewer than 500 employees that do not engage in the sale of personal data. The law also contains exemptions for FCRA and FERPA data.

Additionally, the law generally does not consider employees, contractors, business representatives, and most individuals interacting directly with controllers and processors in a professional context to be “consumers” under the law.

Key details that businesses need to know

Starting on May 1, 2027, controllers and processors that meet any of the thresholds above will need to follow the new requirements. Both processors and controllers have obligations, but controllers carry a greater degree of responsibility.

Controller responsibilities

1: Transparency and communication with consumers

Applicable businesses are generally required to tell consumers:

  • What data they collect, why they collect it, and the categories of third parties they share it with
  • The purpose of processing the data
  • How consumers can exercise their rights

Controllers are also responsible for responding to and fulfilling requests to:

  • Access data
  • Correct inaccuracies
  • Delete personal data
  • Obtain a copy of their data
  • Opt out of the sale of personal data, targeted advertising, and profiling when applicable

2: Enabling consumers to enact rights

In addition to fulfilling consumer requests, controllers are also explicitly required to provide an easy means for consumers to opt out of processing personal data.

3: Data use and limitations

Applicable businesses are required to “limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed.”

4: Security requirements

The Act states that controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”

5: Sensitive data protection

Processing sensitive data requires explicit consumer consent under the act. Sensitive data includes:

  • Health data
  • Biometric data
  • Religious beliefs
  • Sexual orientation
  • Precise geolocation
  • Children’s data

6: Contract requirements with processors

Controllers are required to enter contracts that require processors to:

  • Follow instructions
  • Maintain confidentiality
  • Delete or return data after processing ends
  • Assist with compliance obligations

Processor responsibilities

While the law primarily focuses on the responsibilities of controllers, it also applies directly to processors. Processors must follow controller instructions and cannot process data for their own purposes outside of their contract with the controller; they must implement security measures to maintain the safety and confidentiality of the data; and they must delete or return personal data when processing ends (unless required by law to retain it). Processors must also assist controllers with consumer rights requests, security obligations, and compliance duties, and provide the information necessary to demonstrate compliance.

The above information does not cover every detail and nuance of processor and controller obligations under the Act. For a complete and detailed list of all processor and controller responsibilities, refer to the full text of the bill.

Consumer Rights Under the APDPA

Consumers under the Act are defined as “a resident of Alabama, excluding individuals acting in a commercial or employment context.” Like other state-level consumer privacy laws, consumers protected under APDPA have the right to:

  • Access their personal data
  • Correct inaccuracies
  • Delete personal data
  • Obtain a copy of their data (data portability)
  • Opt out of:
    • Targeted advertising
    • The sale of personal data
    • Profiling with significant effects

 

Enforcement and penalties for not following the APDPA

The Alabama Attorney General enforces the APDPA. Before acting, the Attorney General must issue a notice of violation and allow the controller 45 days to meet the requirements and report the correction. If the violation is not cured within that period, the Attorney General can pursue action in court. Courts may impose civil penalties of up to $15,000 per violation. The cure provision does not sunset, meaning it remains available indefinitely.

This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.
