Alabama Personal Data Protection Act
Overview
Alabama House Bill 351 (HB 351), officially named the Alabama Personal Data Protection Act (APDPA), is a comprehensive consumer privacy law designed to authorize consumers to take certain actions regarding their personal data and regulate the manner in which controllers and processors may process that data. The law aims to establish standard data privacy rights for Alabama residents while setting clear operational guidelines for businesses operating within the state.
Regulation Summary
- April 7, 2026 – Law passed by the Alabama Legislature.
- April 16, 2026 – Alabama House Bill 351 signed into law by Governor Kay Ivey.
- May 1, 2027 – The Alabama Personal Data Protection Act becomes legally effective.
The law applies to persons conducting business in Alabama or producing products or services targeted to Alabama residents that meet either of the following thresholds:
- Control or process the personal data of more than 25,000 consumers, excluding personal data processed solely for completing a payment transaction.
- Derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data the business controls or processes.
Exemptions include but are not limited to:
- Entities: Financial institutions governed by the Gramm-Leach-Bliley Act; covered entities governed by HIPAA; businesses with fewer than 500 employees (if they do not sell data); nonprofits with fewer than 100 employees (if they do not sell data); and political action committees or parties.
- Health & Research Data: Protected health information under HIPAA, patient safety work products, and identifiable data used for human subjects research.
- Federal Regulated Data: Information regulated by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), the Driver's Privacy Protection Act, and the Farm Credit Act.
- Employment Data: Data processed in the context of an individual applying to or acting as an employee, agent, or independent contractor.
- Other Data: Emergency contact information and data processed to administer benefits.
Controller Obligations
- Respond to consumer rights requests within 45 days of receipt.
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which it is processed.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
- Obtain consumer consent before processing sensitive data.
- Do not deny goods or services, or charge different prices, to a consumer who opts out of data processing.
- Provide a clear and conspicuous link on the Internet website to enable consumers to opt out of targeted advertising or the sale of personal data.
- Provide a mechanism to revoke consent that is "at least as easy" as the initial opt-in process, ensuring all processing stops within 45 days of a valid request.
- Post a reasonably accurate, clear, and meaningful privacy notice detailing data categories, purposes, and third-party sharing.
- Provide an active email address or other mechanism within the privacy notice for consumers to contact the controller.
- Establish and describe in the privacy notice a secure and reliable means for consumers to submit consumer rights requests.
- Implement age-appropriate consent layers: Obtain COPPA-compliant parental consent for children under 13 and affirmative opt-in consent for the sale or targeted advertising of data from known minors aged 13–16.
- Ensure processors adhere to instructions and assist the controller in fulfilling its obligations under the law, including responding to consumer rights requests and security obligations.
- Establish a binding contract between controllers and processors that meets the statutory requirements, detailing the instructions, nature, purpose, and duration of processing data.
- Protect deidentified data by taking measures to ensure it cannot be associated with an individual and refrain from reidentifying it.
Consumer Rights
- Right to confirm processing and access personal data.
- Right to correct inaccuracies in personal data.
- Right to direct a controller to delete personal data.
- Right to obtain a portable copy of personal data.
- Right to opt out of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated significant decisions.
Enforcement
- Enforcing Authority: The Alabama Attorney General has the exclusive authority to enforce this act.
- Cure Period: The Attorney General must issue a notice of violation and grant the controller 45 days to correct the violation before initiating an action.
- Fines: The court may assess a civil penalty of up to $15,000 per violation if a controller fails to correct it.