
Roll Tide: Alabama Rolls Out Its Consumer Privacy Law

April 28, 2026

Alabama is now the 21st state with a “comprehensive” consumer privacy law. The Alabama Personal Data Protection Act was signed by Governor Ivey last week and takes effect May 1, 2027. The law applies to entities that do business in Alabama or target Alabama residents in certain circumstances: namely, if they either process personal data of more than 25,000 Alabama residents, or earn more than 25% of their gross revenue from selling personal data. The revenue test applies regardless of how many people’s data they handle. This is unlike other states, which tie the revenue threshold to a minimum number of people whose data a business sells. The 25,000 resident threshold is the lowest people-based threshold of any state privacy law.

Despite the applicability nuances, the rest of the Alabama law – with a few exceptions – looks similar to those in other states. Like other states, Alabama will give resident consumers a similar set of rights (access, delete, correct, and download personal data). The law also includes requirements to comply with familiar duties around data minimization, security, notices, and processor contracts. Consumers will also be able to opt out of targeted advertising and data sales. They can also opt out of data being used for automated decision-making that affects things like credit, employment, or healthcare. Civil penalties are capped at $15,000 per violation, and only the Attorney General can enforce the law. Like all other states, there is no private right of action.

With these similarities in mind, here are some differences in the upcoming Alabama law:

  • A unique definition of "sale." Alabama will treat a “sale” as an exchange for money or other value, but only when the recipient can use the data without limits after the transfer. Alabama will also exclude some transfers, like sharing data with a vendor that provides analytics or marketing services only for the business that sends the data.
  • No data protection impact assessments. Alabama will not require businesses to conduct data protection impact assessments, unlike 19 other states. The other two states that do not require an assessment are Iowa and Utah.
  • Small business and nonprofit carve-outs. Businesses with fewer than five hundred employees and nonprofits with fewer than one hundred employees will qualify for an exemption, but only if they do not sell personal data. 
  • No GPC signal requirement. Alabama will fall into the group of states that do not require honoring universal browser‑based opt‑out signals.
  • A cure period that does not expire. If a business violates the law, Alabama's Attorney General will need to send the company a notice of violation. If the company does not remediate the issue within 45 days, the AG can then bring an action. This “cure” provision will not sunset, as it does in many other locations.

Putting it into Practice: 2026 has brought us two new comprehensive privacy laws (in addition to this Alabama law, there is also one in Oklahoma). This edges us up to half of US states. While federal bills have recently been proposed, we think it a heavy lift to have legislation that will roll back these developments. Meaning: this roll tide will likely keep flowing.

Tags: Alabama Privacy, Comprehensive Privacy Laws, US Privacy

Disclaimer: This alert is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship. Please contact your Sheppard attorney contact for additional information.
