
Alabama Becomes State #21: A Guide to the Alabama Personal Data Protection Act (APDPA)


The Alabama APDPA (HB 351), effective May 1, 2027, sets a uniquely low 25% data-sale revenue threshold and grants five consumer privacy rights.


If your business generates at least 25% of its gross revenue from selling personal data, the Alabama Personal Data Protection Act (APDPA) may already apply to you, even if you process fewer consumer records than any other US state privacy law requires. That is not a typo. Alabama has set the lowest "sale of data" revenue threshold in the country, and a lot of businesses are going to be caught off guard by it.

Signed into law as HB 351 in April 2026, the APDPA makes Alabama the 21st US state to join the US privacy patchwork. With an effective date of May 1, 2027, your business has roughly one year to get ready. In this guide, I am going to break down exactly who it applies to, what consumer rights it creates, and the concrete steps you need to take before the deadline.

What is the Alabama Personal Data Protection Act?

The Alabama Personal Data Protection Act (APDPA) is a state-level consumer privacy law that gives Alabama residents specific rights over their personal data and places obligations on businesses that collect or process that data. It follows the "Virginia model," closely mirroring the structure of the Virginia Consumer Data Protection Act (VCDPA), but includes one standout provision: a 25% gross revenue threshold for businesses that monetize personal data through sales.

The law was enrolled as House Bill 351 and takes effect on May 1, 2027. This gives businesses approximately one year to audit their data practices, update their consumer request workflows, and ensure their consent mechanisms are in place.

Does the APDPA apply to your business?

The APDPA applies to persons that conduct business in Alabama, or that produce products or services targeted to Alabama residents, and that meet either of the following thresholds:

  1. Volume threshold: Control or process the personal data of more than 25,000 consumers, excluding data processed solely for payment transactions.

  2. Revenue from data sales: Derive more than 25% of gross revenue from the sale of personal data, regardless of the total number of consumers served.

Note the word "either": you only need to meet one of these conditions to fall under the law.

The 25% revenue threshold: Alabama's standout rule

Most US state privacy laws set the "data sale revenue" bar at 50% of gross revenue. Alabama has cut that to 25%, the lowest such threshold of any comprehensive state privacy law enacted to date. In practice, this means smaller companies that monetize data as part of their core business model (think data brokers, ad-tech businesses, or platforms with significant data licensing revenue) could find themselves in scope even with a relatively modest consumer database.

Here is how Alabama compares to its peer states:

| Law | Volume threshold | Revenue from data sales | Private right of action |
| --- | --- | --- | --- |
| Alabama APDPA | 25,000 consumers | 25% of gross revenue | No |
| California CCPA/CPRA | 100,000 consumers | 50% of annual revenue | Limited |
| Virginia VCDPA | 100,000 consumers | 25,000 consumers + 50% of revenue | No |
| Utah UCPA | 100,000 consumers | 25,000 consumers + 50% of revenue | No |
| Colorado CPA | 100,000 consumers | No separate revenue threshold | No |

Not sure if you are in scope? Scan your website for free to understand your current data privacy footprint before mapping your revenue exposure.

Consumer privacy rights under the APDPA

The APDPA grants Alabama residents a set of consumer privacy rights that will feel familiar if you are already working across multiple state privacy laws. When a consumer submits an authenticated request, you are required to honor the following:

  • Right to confirm and access: Confirm whether you are processing their personal data and provide access to it.

  • Right to correct: Correct inaccuracies in their personal data.

  • Right to delete: Delete their personal data upon request.

  • Right to data portability: Provide a portable, readily usable copy of their data.

  • Right to opt out: Opt them out of targeted advertising, the sale of their personal data, or profiling used in automated significant decisions.

These rights must be honored within 45 days of receiving an authenticated request, with a potential 45-day extension available for complex cases. Managing this workflow across multiple states is one of the most operationally demanding parts of data privacy compliance. A purpose-built data subject request management platform can automate this process and keep your team ahead of overlapping deadlines.

Universal opt-out signals: a 2028 deadline to plan for now

By January 1, 2028, Alabama controllers must support universal opt-out preference signals such as Global Privacy Control (GPC). GPC is a browser-level signal that consumers can activate to indicate their opt-out preference across all websites they visit, without submitting individual requests to each business.

This is increasingly becoming the standard across US state privacy laws, and it requires a technical implementation on your website. If your consent management setup does not already detect and honor GPC signals, that needs to be on your roadmap well before 2028.
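The detection step described above, as an added example that is not code from the original post or from Clym's platform. It checks the two channels the GPC specification defines, the `Sec-GPC: 1` request header and the browser's `navigator.globalPrivacyControl` property, and applies the signal to a hypothetical consent record; the record shape and the mapping of the signal to the sale and targeted-advertising opt-outs are assumptions for this example, not statutory text.

```javascript
// Added example: detect a Global Privacy Control (GPC) signal and honor it.
// The consent record shape { targetedAds, sale, profiling } is hypothetical.

// Server side: the GPC spec sends "Sec-GPC: 1". Header names are
// case-insensitive, and only the exact value "1" is an opt-out; "0", an
// empty value, or anything else is treated as no signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser side: navigator.globalPrivacyControl is a boolean where supported
// and undefined elsewhere; undefined means "no signal", not "opted in".
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal. Assumption for this example: GPC expresses an opt-out
// from sale and targeted advertising; it says nothing about the consumer's
// other choices (e.g. profiling), so those are left untouched.
function applyGpc(consent, signalled) {
  if (!signalled) return { ...consent, gpcApplied: false };
  return { ...consent, targetedAds: false, sale: false, gpcApplied: true };
}

// Either channel is sufficient: a site can see the header on the request
// and/or read the navigator property from page script.
function decideForRequest(headers, nav, consent) {
  const signalled = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  return applyGpc(consent, signalled);
}

// Constructed sample request and consent state (not captured from a browser).
const sampleHeaders = { Host: 'example.com', 'Sec-GPC': '1', 'User-Agent': 'Mozilla/5.0' };
const sampleConsent = { targetedAds: true, sale: true, profiling: true };

console.log(decideForRequest(sampleHeaders, undefined, sampleConsent));
// → { targetedAds: false, sale: false, profiling: true, gpcApplied: true }
```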

How the APDPA fits the broader US privacy patchwork

If your organisation is already working through Colorado Privacy Act (CPA) or Connecticut CTDPA obligations, much of the APDPA will feel like familiar territory. Here is what carries over directly.

Data minimization

The APDPA requires that data collection be "adequate, relevant, and reasonably necessary" for the disclosed purpose. This data minimization standard is consistent with what you see across the Virginia model states. If you are already documenting your processing activities and limiting collection to what you genuinely need, you are ahead of the curve.

Security safeguards

Businesses must implement reasonable administrative, technical, and physical security measures. The law does not prescribe specific controls, but the expectation is proportionate protection based on the sensitivity of the data processed.

Sensitive data categories

A subcategory of personal data requires affirmative consent before processing. Sensitive data under the APDPA includes information revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sex life, sexual orientation, citizenship or immigration status, genetic data, biometric data used to identify a person, and precise geolocation data.

If your business processes any of these data types in relation to Alabama residents, you need consent before processing, not just an opt-out mechanism.

What your business needs to do before May 2027

A May 2027 effective date sounds distant, but state privacy readiness typically takes 6 to 12 months when done properly. Here is where to focus your efforts.

Step 1: Determine if you are in scope

Calculate the percentage of your gross revenue attributable to the sale of personal data. If it exceeds 25%, the APDPA likely applies regardless of how many Alabama consumers you serve. Also check your processing volume: if you handle more than 25,000 Alabama consumer records, the law applies even if data sales are not a significant revenue driver.

Step 2: Audit your data flows

Map what personal data you collect, where it goes, who has access, and how long you retain it. This is the foundation for both responding to consumer requests and demonstrating data minimization under the act.

Step 3: Update your consumer request workflow

Implement or extend your process to handle confirmation, access, correction, deletion, and portability requests within the 45-day window. If you are currently managing these manually, consider data privacy compliance tools that automate data subject request handling across multiple state laws simultaneously, reducing both the risk of missed deadlines and the staff hours required.

Step 4: Configure universal opt-out signals

Even though the GPC requirement does not kick in until January 2028, configuring your consent management platform to detect and honor GPC signals now avoids a separate implementation sprint later. Build it once, benefit from it across every state that requires it.

While Alabama’s GPC requirements don't kick in until 2028, the rapid adoption of these signals across 12 other states is already driving a massive consolidation in the CMP market as businesses rush to find platforms capable of handling multi-state automated opt-outs.

Step 5: Check your exemptions

Entities with fewer than 500 employees are exempt from the APDPA, provided they do not engage in the sale of personal data. Nonprofits with fewer than 100 employees receive the same exemption on the same condition. Confirm your eligibility before assuming you are out of scope.

Clym's consent management platform is designed to scale as new state laws come into effect, so you are not rebuilding your setup for every new regulation. The goal is to automate data privacy compliance across the patchwork rather than treating each law as a separate project.

Enforcement and penalties

There is no private right of action under the APDPA. Enforcement is handled exclusively by the Alabama Attorney General.

Before initiating any action, the Attorney General must provide a notice of violation. The business then has a 45-day cure period to correct the violation and submit a written statement confirming the issue has been resolved.

If the violation is not cured within that window, a court may impose civil penalties of up to $15,000 per violation. This enforcement model is more measured than states with dedicated privacy enforcement agencies, but the per-violation structure can add up quickly if systemic issues go unaddressed.

Conclusion

The Alabama Personal Data Protection Act confirms that the Virginia model is the de facto template for US state privacy law. But its 25% revenue threshold for data sales marks a meaningful shift in how regulators are thinking about data monetisation: they are looking more closely at how businesses profit from personal data, and they are lowering the bar for who has to comply.

With a May 2027 effective date, now is a realistic window to act. Audit your revenue streams, map your data flows, and check whether your existing state privacy compliance programmes extend cleanly to Alabama. The businesses that build scalable, multi-state data privacy compliance programmes now will spend far less time firefighting regulation by regulation as the patchwork continues to grow.

Frequently asked questions

The APDPA was officially enrolled in April 2026 and takes effect on May 1, 2027. This gives businesses roughly one year to audit their data practices and implement the required consumer request workflows before the law applies.

A consumer is a natural person who is a resident of Alabama. The law excludes individuals acting in a commercial or employment context, meaning B2B data and employee records are generally exempt from the act's primary requirements, similar to the exemptions found in the Texas Data Privacy and Security Act (TDPSA).

Most US state privacy laws require a business to derive 50% of its revenue from data sales before the law applies. Alabama has set this threshold at 25% of gross revenue, the lowest of any comprehensive state privacy law in the US. This expands the number of small and medium-sized businesses that must comply, even if they do not process a high volume of consumer records.

Alabama residents have the right to opt out of profiling that leads to solely automated significant decisions. The APDPA defines these as decisions resulting in the provision or denial of critical services, including credit, lending, housing, insurance, education enrollment, employment, or healthcare.

Entities with fewer than 500 employees are exempt from the APDPA, provided they do not engage in the sale of personal data. Nonprofits with fewer than 100 employees receive the same exemption under the same condition.

Unlike the California CCPA/CPRA, the APDPA does not explicitly mandate formal, documented Data Protection Impact Assessments for high-risk processing activities.

If a business fails to resolve a violation within the 45-day cure period provided by the Attorney General, a court may assess civil penalties of up to $15,000 per violation.

Yes. By January 1, 2028, Alabama controllers must support universal opt-out preference signals, including Global Privacy Control (GPC). This requires a technical implementation on your website so that browser-level opt-out signals are detected and honored automatically.

Alex Margau

Compliance Content Manager | CPACC (IAAP)

Alex is a Compliance Content Manager at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he's not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
