Alabama is joining many other states with its own data privacy and protection act. On April 16, 2026, Alabama Governor Kay Ivey signed House Bill 351 (HB351) into law, creating the Alabama Personal Data Protection Act (APDPA).
We will go into more detail below, but in short, the APDPA sets clearer boundaries for businesses that deal with the personal data of Alabama consumers and grants consumers firmer data privacy rights, similar to other comprehensive state-level data privacy laws.
Businesses that are regulated by the APDPA are divided into two main categories: processors and controllers. Controllers are defined as an “individual or legal entity that, alone or jointly with others, determines the purposes and means of processing personal data.” Processors are defined as “an individual or legal entity that processes personal data on behalf of a controller.”
The APDPA applies to entities that:
The law contains some entity- and data-level exemptions, such as exempting GLBA-regulated financial institutions and data, as well as HIPAA-covered entities and personal health information. The law exempts nonprofits with fewer than 100 employees and businesses with fewer than 500 employees that do not engage in the sale of personal data. The law also contains exemptions for FCRA and FERPA data.
Additionally, the law generally does not consider employees, contractors, business representatives, and most individuals interacting directly with controllers and processors in a professional context as “consumers” under the law.
Starting on May 1, 2027, controllers and processors that meet any of the applicability thresholds will need to follow new guidelines. Processors and controllers both have obligations, but controllers are expected to carry a greater degree of responsibility.
1: Transparency and communication with consumers
Applicable businesses are generally required to tell consumers:
Controllers are also responsible for responding to and fulfilling requests to:
2: Enabling consumers to enact rights
In addition to fulfilling consumer requests, controllers are also explicitly required to provide an easy means for consumers to opt out of processing personal data.
3: Data use and limitations
Applicable businesses are required to “limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed.”
4: Security requirements
The Act states that controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
5: Sensitive data protection
Processing sensitive data requires explicit consumer consent under the act. Sensitive data includes:
6: Contract requirements with processors
Controllers are required to enter contracts that require processors to:
While the law primarily focuses on the responsibilities of controllers, it also applies directly to processors. Processors are required to follow controller instructions, may not process data for their own purposes outside of their contract with the controller, must implement security measures to maintain the security and confidentiality of the data, and must delete or return personal data at the end of the engagement (unless required by law to retain it). Processors must also assist controllers with consumer rights requests, security obligations, and compliance support duties, and provide the information necessary to demonstrate compliance.
The above information does not cover all details and nuances of processor and controller obligations under the Act. For a complete and detailed list of all processor and controller responsibilities, please look at the full version of the bill here.
Consumers under the Act are defined as “a resident of Alabama, excluding individuals acting in a commercial or employment context.” Like other state-level consumer privacy laws, consumers protected under APDPA have the right to:
The Alabama Attorney General enforces the APDPA. Before acting, the Attorney General must issue a notice of violation and allow the controller 45 days to meet requirements and report the correction. Following this, if the violation is not cured, the Attorney General can pursue action in court. Courts may impose civil penalties up to $15,000 per violation. The cure provision does not sunset, meaning it remains available indefinitely.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.