Alabama becomes the 21st state to pass a comprehensive privacy law

April 27, 2026
Robert Bateman
Senior Partner at Privacy Partnership law firm

The Alabama legislature unanimously passed House Bill 351, the Alabama Personal Data Protection Act (APDPA), on April 7, 2026. Governor Kay Ivey signed the bill into law on April 16, 2026, making Alabama the 21st US state with a comprehensive consumer privacy law.

  • The law takes effect on May 1, 2027
  • It applies to businesses processing the personal data of more than 25,000 Alabama consumers, or earning more than 25 percent of revenue from selling personal data
  • A late Senate amendment removed the earlier requirement to honor universal opt-out signals like the Global Privacy Control (GPC), breaking with the recent trend in state privacy laws

What does the APDPA do?

The APDPA follows the Virginia model most other states have adopted. Consumers can access, correct, delete, and port their data. They can also opt out of targeted advertising, the sale of their data, and profiling used for automated significant decisions.

Businesses must get consent before processing sensitive data. They also have to publish a privacy notice, minimize the data they collect, and sign contracts with vendors that process data on their behalf.

Only the Alabama Attorney General can enforce the law. There is no private right of action, and businesses get 45 days to fix a violation after receiving notice. Penalties can reach $15,000 per violation.

What privacy teams should know about tracking and ads

Alabama's definition of "sale" is narrower than in most states. Two exemptions are unique to Alabama: transfers to third parties for "analytics services" or "marketing services solely to the controller" for monetary or other valuable consideration are not sales under the law. Even where a transfer is not considered a sale of data, users must still be able to opt out of the sharing of their personal data with third parties for targeted advertising.

The Senate removed the earlier requirement to honor browser-level opt-out signals, but businesses still need to offer an opt-out link or contact method for targeted advertising and selling personal data.

The APDPA also requires opt-in consent before serving targeted ads to, or selling the data of, consumers aged 13 to 16, where the business actually knows the consumer's age.

What should businesses do?

The 25,000-consumer threshold is one of the lowest in the country. More mid-sized companies will fall in scope than under California or Texas law.

Teams with Alabama users should map where Alabama-resident data goes. Contracts with analytics and ad partners need review to confirm they meet the "solely to the controller" condition. Consent banners and opt-out flows will need Alabama-specific handling.

Reduce your privacy enforcement risk with Privado AI solutions that continuously monitor privacy compliance on websites and apps, where companies have the most risk. Web Auditor and App Auditor are the most comprehensive solutions to verify in real time that your websites, apps, and CMP are compliant with all applicable privacy requirements for each location, including your privacy policies.
