What Businesses Need to Know About the Alabama Personal Data Protection Act
In April 2026, Alabama enacted the Alabama Personal Data Protection Act (APDPA), making it the 22nd U.S. state to adopt a broad consumer privacy law governing how organizations collect, use, and disclose personal data. While the APDPA reflects many elements common to other state privacy frameworks, it also stands out for several business‑friendly features, including broad exemptions, a permanent cure period, and narrower operational obligations than those imposed by some other state laws. The APDPA is scheduled to take effect on May 1, 2027, and reflects the continued expansion of state-level privacy legislation across the United States. Given its close alignment with existing consumer privacy laws such as the Virginia Consumer Data Protection Act (VCDPA), enacted in 2021, organizations with existing privacy compliance programs likely will not need to make substantial adjustments to those programs if the APDPA applies to them.
We discuss the APDPA in more detail below.
Applicability and Exemptions
The APDPA applies to entities that conduct business in Alabama or produce products or services targeted to Alabama residents and that meet either of two data‑processing thresholds:
- Those that control or process personal data of at least 25,000 Alabama consumers; or
- Those that derive more than 25% of gross revenue from the sale of personal data.
These thresholds are significantly lower than those in many other state privacy laws, which could increase the number of entities subject to the law relative to other states. However, the law includes a substantial carve‑out for small businesses: companies with fewer than 500 employees are exempt unless they sell personal data. This exemption potentially removes a larger segment of smaller companies from the statute's reach than is the case in other states.
Like other state privacy laws, the APDPA also contains entity- and data-level exemptions for the Health Insurance Portability and Accountability Act (HIPAA), the Gramm‑Leach‑Bliley Act (GLBA), and the Family Educational Rights and Privacy Act (FERPA). It also contains an exemption for nonprofit entities with fewer than 100 employees, provided the entity does not sell personal data.
Also, like other state privacy laws (other than California's), the APDPA does not apply to individuals acting solely in a commercial or employment context, including employees, owners, directors, officers, or contractors of a company, partnership, sole proprietorship, nonprofit, or government agency.
Unique Definition of Sale of Personal Data
The APDPA includes a unique definition of a "sale of personal data," which means "the exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data" (emphasis added). The practical effect of the material benefit provision is that exchanges of personal data for minor or indirect value may fall outside the definition, whereas under broader statutes (especially the California Consumer Privacy Act (CCPA)), those same transfers could still qualify as a sale. Likewise, if the disclosure of personal data to a recipient is restricted in its subsequent uses, the disclosure may not be considered a sale for purposes of the APDPA even if a material benefit is provided. To date, only the CCPA requires a controller to enter into a contract with a third party for sales of personal data. In Alabama, however, if the receiving party is contractually limited in its processing to specified purposes, or the disclosing party does not receive a material benefit, the transfer would not qualify as a sale under APDPA.
The APDPA also explicitly excludes certain transfers from the definition of a sale, including:
- disclosures for analytics services, and
- transfers to third parties that provide marketing services solely on behalf of the controller.
In several other states, similar transfers can still raise "sale" or "sharing" questions depending on how the relationship is structured. Because of these distinctions, a data subject's opt-out request may not have the same reach as it would under other state privacy laws.
Processing Sensitive Data and Consent Requirements
Similar to other state privacy laws, controllers are prohibited from processing sensitive data concerning a consumer without first obtaining that consumer's consent. If the controller knows the consumer is a child, it may only process the data in accordance with the federal Children's Online Privacy Protection Act of 1998 (COPPA).
Sensitive Data is defined as personal data that includes any of the following:
- Data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual's sex life, sexual orientation, or citizenship or immigration status.
- The processing of genetic or biometric data for the purpose of uniquely identifying an individual.
- Personal data collected from a known child.
- Precise geolocation data.
Controllers are also prohibited from:
- Processing personal data for purposes that are not reasonably necessary to, or compatible with, the purposes disclosed by the controller for which the personal data was originally collected, except as otherwise permitted under the APDPA.
- Processing personal data of a consumer for the purposes of targeted advertising or selling a consumer's personal data without the consumer's consent when a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age.
- Denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services to a consumer because the consumer has opted out of the processing of the consumer's personal data. However, if a consumer opts out of data processing, a controller is not required to provide a service that requires such processing. Controllers may offer different prices or levels of goods or services if the offering is part of the controller's bona fide loyalty, rewards, premium features, discounts, or club card program in which the consumer voluntarily participates.
Consumer Rights Similar to Other State Privacy Statutes
Like most comprehensive state privacy statutes, the APDPA grants consumers several rights regarding their personal data, including rights to:
- Confirm whether a controller or its processor is processing the consumer's personal data and to access that personal data.
- Obtain a copy of personal data in a portable and readily usable format.
- Correct inaccuracies in personal data.
- Delete personal data unless retention of the personal data is required or permitted by law or the contract.
- Opt out of processing for the sale of personal data, targeted advertising, or profiling in furtherance of solely automated significant decisions concerning the consumer.
The APDPA requires controllers to provide a clear and conspicuous link on their website directing consumers to a webpage where they can directly submit an opt‑out request or access up‑to‑date contact information for doing so. Unlike some other state privacy statutes, the final enacted version of the APDPA does not require controllers to recognize universal opt‑out preference signals (such as browser‑based signals like Global Privacy Control (GPC)). An earlier provision requiring controllers to honor such signals was removed during the legislative process.
The statute also addresses situations where a consumer's opt-out request conflicts with existing controller-specific privacy settings or participation in a loyalty or rewards program. In those circumstances, the controller must honor the opt-out request but may notify the consumer of the conflict and provide the opportunity to confirm their participation in the program or adjust their privacy settings. Additionally, if a controller responds to an opt-out request by informing the consumer that a charge may apply for the use of a product or service, the controller must present the terms of any financial incentive offered in connection with the retention, use, sale, or sharing of the consumer's personal data.
Compliance Obligations
For organizations within the APDPA's scope, the APDPA requires several core privacy compliance measures, including:
- Providing clear privacy notices describing the categories of personal data processed, the purpose for processing, the categories of personal data shared with third parties, the categories of third parties with whom personal data is shared, a method for consumers to contact the controller, and how consumers may exercise their rights.
- Clearly and conspicuously disclosing when personal data is sold to third parties or used for targeted advertising, and explaining how consumers can exercise their right to opt out of such processing.
- Implementing reasonable administrative, technical, and physical security measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers due to collection, use, or retention of personal data.
- Limiting personal data processing to disclosed and reasonably necessary and proportionate purposes.
- Maintaining appropriate contracts with processors.
These obligations are broadly consistent with those in other state privacy laws, which may help companies leverage existing compliance programs.
The APDPA, however, does not impose some of the more complex requirements seen in other state privacy laws, such as specific data subject authentication requirements, data protection assessments, or more detailed disclosure requirements about categories of sources or third parties, thus significantly reducing compliance burdens.
Enforcement and Cure Period
Another feature that makes the APDPA more business-friendly is its enforcement structure. The APDPA includes a 45‑day cure period that allows businesses to correct alleged violations before enforcement proceeds. Notably, the APDPA cure provision does not sunset, unlike cure periods in several other state privacy statutes that expired after an initial implementation period.
The APDPA grants exclusive enforcement authority to the Alabama Attorney General, with no private right of action for individuals. Civil penalties under the APDPA may reach up to $15,000 per violation if violations are not cured after notice from the attorney general. This penalty amount is higher than in most other states and seemingly accounts for the generous cure provision.
Key Takeaways
Although the APDPA adds another layer to the evolving patchwork of U.S. state privacy legislation, the APDPA is widely viewed as more business‑friendly than many comparable statutes. Several features contribute to that characterization, including:
- Broad exemptions for small businesses and certain nonprofits;
- A permanent cure period before enforcement actions proceed;
- No private right of action;
- No data protection assessments; and
- Alignment with common privacy compliance frameworks, allowing many companies to leverage existing compliance efforts.
Organizations that already comply with other state privacy laws may find that relatively modest adjustments are needed to address APDPA‑specific requirements. Nevertheless, businesses that collect or process personal data from Alabama residents should determine whether they meet Alabama's applicability thresholds and whether an applicable exemption applies, and review their privacy programs and contractual arrangements ahead of the May 1, 2027, effective date of the APDPA.
Apurva Dharia is an associate, and John Seiver is senior counsel in the Washington, D.C. office of DWT. For any questions about the APDPA or for more insights, please reach out to the authors or another member of our privacy & security team and sign up for our alerts.