Alabama has joined the growing list of states with a comprehensive data privacy law. The Alabama Personal Data Protection Act (APDPA) makes Alabama the 21st state to enact a comprehensive privacy framework. The law takes effect on May 1, 2027, giving businesses roughly a year to prepare.
While the APDPA draws most heavily from Virginia's Consumer Data Protection Act (VCDPA), it has plenty of unique features that make it worth studying for businesses seeking to become compliant in either the US as a whole or Alabama specifically. Notable features include:
Let’s dive in.
If you haven't had to interpret data privacy law before, a few terms might seem unfamiliar. For this article, two in particular are worth defining upfront.
Under the APDPA, a controller is "an individual or legal entity that, alone or jointly with others, determines the purposes and means of processing personal data," and a processor is "an individual or legal entity that processes personal data on behalf of a controller."
If you come across other terms in this article that are new to you, our data privacy terminology cheat sheet is a good place to start.
You're subject to the Alabama data privacy law if you conduct business in Alabama or produce a product or service targeted to Alabama residents, and during a calendar year, meet either of the following:
The 25,000-consumer threshold is one of the lowest of any comprehensive state privacy law. Most Virginia-model laws—including Oklahoma's SB 546 and Virginia's VCDPA—use 100,000 consumers as the primary threshold.
The 25% threshold for sales of personal data, also referred to as data broker thresholds, is much lower than other states’ privacy laws (possibly due to the exceptions baked into the law’s definition of a “sale”—more on that below).
Together, these thresholds mean mid-sized businesses that have historically stayed below the radar of other state laws may now find themselves in scope.
The APDPA's definition of "sale" is one of its most distinctive features, and it's worth understanding carefully because it sits in its own position within the state privacy law landscape.
Under the APDPA, a sale is the exchange of personal data for monetary consideration—or for other valuable consideration where the controller receives a material benefit and the third party is not restricted in its subsequent use of the data.
This puts Alabama in an interesting position relative to its peers:
Compliance teams should map their data-sharing arrangements carefully and audit their vendor agreements, since whether a transfer meets the "material benefit" and "unrestricted use" conditions will be a fact-specific judgment call.
It's also worth noting that the APDPA explicitly carves out two categories that most other state laws don't address separately: disclosures to third parties for analytics services, and disclosures for marketing services provided solely to the controller. Neither qualifies as a sale under the APDPA. In particular, the carve-out for marketing services means that targeted advertising isn’t considered a “sale” of data. This is a fairly lenient approach compared to other state privacy laws, though it’s important to note that consumers still have the right to opt out of targeted advertising.
The APDPA includes two categories of exemptions.
Entity-level exemptions: the following entities are not subject to the law:
The size-conditioned exemptions for small businesses and nonprofits are notable. Most peer laws exempt all nonprofits and all higher education institutions outright, without conditions. Alabama's approach means small businesses and small nonprofits that sell personal data lose their exemption and need to comply. Organizations in those categories should assess their data transfer activities carefully.
Data-level exemptions: even for covered entities, certain categories of data fall outside the law's scope, including:
For those familiar with other state privacy laws, there shouldn’t be too many surprises in the APDPA’s list of consumers’ subject rights. The APDPA grants Alabama residents five core rights.
Right to Access: Consumers can confirm whether a controller is processing their personal data and request a copy of it—unless providing that copy would require the controller to reveal a trade secret. This trade secret carve-out on the access right is explicit in the statute and gives controllers a defined basis for limiting disclosure in circumstances where their proprietary data structures or processing methods would be exposed.
Right to Correct: Consumers can request that inaccuracies in their personal data be corrected.
Right to Delete: Consumers can request deletion of their personal data. For controllers that obtained data from a source other than the consumer directly, the APDPA offers two compliant paths: retain a suppression record containing the minimum data necessary to ensure the deletion holds, or opt the consumer out of any further processing.
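One way to implement the first of those two paths, as an added example that is not from the article or any statutory guidance: keep a suppression record holding only a keyed hash of the consumer's identifier (an assumption about what "minimum data necessary" looks like in practice) and screen every inbound third-party feed against it, so the deletion holds without the controller retaining the deleted data itself.

```python
"""Suppression record for deletion requests (added example, not from the article).

Assumption: the "minimum data necessary" kept after deletion is a keyed hash of the
consumer identifier, which can block re-ingestion from brokers or other third-party
sources without retaining the personal data. All identifiers below are constructed.
"""
import hashlib
import hmac

# Constructed key for the example; in production it belongs in a secrets manager.
SUPPRESSION_KEY = b"constructed-key-do-not-reuse"


def normalize_email(email: str) -> str:
    """Canonical form so the same address always produces the same token."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash of the identifier: usable for matching, not for recovering the address."""
    digest = hmac.new(SUPPRESSION_KEY, normalize_email(email).encode(), hashlib.sha256)
    return digest.hexdigest()


class SuppressionList:
    """Stores only tokens, so the deleted personal data is not kept around."""

    def __init__(self) -> None:
        self._tokens: set = set()

    def record_deletion(self, email: str) -> None:
        """Called when a verified deletion request is fulfilled."""
        self._tokens.add(suppression_token(email))

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self._tokens

    def filter_feed(self, records: list) -> tuple:
        """Drop inbound records for suppressed consumers; return (kept, dropped_count)."""
        kept = [r for r in records if not self.is_suppressed(r["email"])]
        return kept, len(records) - len(kept)


if __name__ == "__main__":
    suppression = SuppressionList()
    suppression.record_deletion("Jane.Doe@Example.com")   # constructed consumer
    feed = [{"email": "JANE.DOE@example.com"}, {"email": "other@example.com"}]
    kept, dropped = suppression.filter_feed(feed)
    print(f"kept {len(kept)} record(s), dropped {dropped}")
```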
Right to Transfer (Portability): Consumers can request a portable copy of personal data they previously provided to a controller, in a format that allows transmission to another controller. The same trade secret carve-out applies here as with the access right.
Right to Opt Out: Consumers can opt out of the processing of their personal data for:
Parents, guardians, and conservators may exercise rights on behalf of the people they represent: parents and legal guardians on behalf of known children, and guardians or conservators on behalf of adult consumers. This latter provision—extending proxy rights to conservators acting for adults—is broader than most state privacy laws, which typically address only parental rights on behalf of children.
This is coupled with the fact that there is a gray area regarding authorized agent provisions in the APDPA. Authorized agent requests are referenced in the law, but there is not an explicit requirement to honor those requests. The safest bet is to honor them regardless, as this may have been an oversight.
Controllers must respond to authenticated consumer requests within 45 days of receipt. This can be extended by an additional 45 days when reasonably necessary, provided the controller notifies the consumer within the initial window and explains the reason. Information must be provided free of charge, once per consumer per 12-month period. Fees may be charged—or action declined—for requests that are manifestly unfounded, excessive, technically infeasible, or repetitive, with the controller bearing the burden of demonstrating that characterization if challenged.
If a controller declines to act on a request, it must notify the consumer within 45 days with a justification.
One important structural note for teams building data subject rights workflows: the APDPA does not offer a formal appeal process for consumers whose requests have been denied, which is fairly unusual as far as US state privacy laws go. While a documented internal review process remains sound privacy practice, it is not legally mandated here.
Under the APDPA, you may require consumers to verify their identities for all rights requests, including opt-out requests. This is significantly different from the CCPA, where it’s explicitly non-compliant to verify identities for opt-out requests. Honda and Ford were fined $632,500 and $375,703, respectively, in part for requiring consumers to identify themselves to opt out of sales/sharing of their data. Under the APDPA, however, you’re good to verify to your heart’s content.
Like the vast majority of state privacy laws, the APDPA requires controllers to limit data collection to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes of processing. Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
The APDPA includes an affirmative requirement that the mechanism for revoking consent must be at least as easy as the mechanism used to provide it. On revocation, controllers must cease processing the personal data as soon as practicable, and no later than 45 days after complying with a valid opt-out request. The Honda and Ford enforcement actions described above are instructive here too — asymmetry between the ease of opting in versus opting out is a design pattern that draws regulatory attention.
Despite some references to "opt-out preference signals" in the APDPA's text, the law does not mandate that controllers honor browser-based signals like the Global Privacy Control (GPC).
Controllers have the option to honor such signals, but if they do and the signal conflicts with a consumer's existing controller-specific privacy setting or loyalty program participation, the controller must comply with the signal while being permitted to notify the consumer of the conflict and offer them the choice to confirm their existing settings.
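The conflict rule above, as an added example (not code from the article): a controller that has chosen to honor the Global Privacy Control signal (sent by browsers as the `Sec-GPC: 1` request header) applies it over a stored site-specific choice or loyalty-program participation and flags that the consumer may be told about the conflict. The preference model and request headers are constructed for the example.

```python
"""Opt-out preference signal handling (added example, not from the article).

Assumptions: the controller has opted to honor the GPC signal, which browsers send as
the "Sec-GPC: 1" request header; the Preference model and headers are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Preference:
    """What the controller already has on file for this consumer."""
    sale_choice: Optional[str] = None   # "opt_in", "opt_out", or None if never asked
    loyalty_member: bool = False        # loyalty program that depends on data sharing


@dataclass
class Outcome:
    apply_opt_out: bool      # whether sales/targeted advertising stop for this consumer
    notify_conflict: bool    # whether to tell the consumer and offer to reconfirm
    reason: str


def gpc_signal_present(headers: dict) -> bool:
    """The GPC header is only a signal when its value is exactly "1"."""
    value = {k.lower(): v for k, v in headers.items()}.get("sec-gpc", "")
    return value.strip() == "1"


def resolve_opt_out(headers: dict, pref: Preference) -> Outcome:
    """Signal wins over a stored controller-specific choice or loyalty participation."""
    if not gpc_signal_present(headers):
        return Outcome(pref.sale_choice == "opt_out", False,
                       "no signal; stored choice stands")
    conflict = pref.sale_choice == "opt_in" or pref.loyalty_member
    if conflict:
        return Outcome(True, True,
                       "signal overrides stored choice; consumer may confirm existing settings")
    return Outcome(True, False, "signal applied; nothing on file conflicts with it")


if __name__ == "__main__":
    # Constructed request from a browser with GPC enabled, for a loyalty member.
    print(resolve_opt_out({"Sec-GPC": "1"}, Preference(loyalty_member=True)))
```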
The APDPA prohibits controllers from:
The APDPA's sensitive data definition tracks closely with most peer laws. Sensitive data includes:
Controllers must provide a reasonably accurate, clear, and meaningful privacy notice that includes:
If a controller sells personal data or processes it for targeted advertising, that activity must be clearly and conspicuously disclosed, along with the mechanism consumers can use to opt out.
The APDPA does not require controllers to conduct and document data protection assessments (DPAs) for high-risk processing activities. This is one of the law's most notable omissions: most US state privacy laws require assessments for activities like targeted advertising, sensitive data processing, and high-risk profiling. For organizations building multi-state compliance programs, Alabama won't add to the DPA workload—but it’s a good idea to continue conducting assessments for activities that commonly require them. Not only will you be compliant with other state laws, your overall privacy posture will be stronger.
Processors must adhere to controller instructions and assist in meeting the controller's obligations under the APDPA, including by maintaining appropriate technical and organizational measures to support DSR fulfillment, and by assisting with data security obligations and breach notification.
Controller-processor agreements must be written and binding, and must clearly set forth: instructions for processing data; the nature and purpose of processing; the type of data subject to processing; the duration of processing; and the rights and obligations of both parties. The contract must also require processors to:
The Alabama Attorney General has authority to enforce the APDPA. There’s one wrinkle in the statute’s language that opens up a (likely unintended) possibility for private action. Because the APDPA says the AG “may enforce” the law, rather than giving the AG “exclusive authority” as other state laws do, a private right of action may be on the table. Enforcement isn’t exclusively limited to the AG, so conceivably, individuals could sue violators. Odds are, enforcement was meant to be limited to the AG, however.
There’s also a relatively generous cure provision in the law. Before initiating any enforcement action, the AG must issue written notice of the violation. Then, controllers have 45 days to cure the violation before being penalized. And this provision is permanent.
However, if you fail to cure your violation in 45 days, penalties under the APDPA are pretty steep: civil penalties can reach up to $15,000 per violation—double the $7,500 cap used by most Virginia-model state privacy laws.
For organizations already managing compliance across multiple states, the following comparison may be useful.
| Feature | Alabama APDPA | Virginia VCDPA | California CCPA | Texas TDPSA |
|---|---|---|---|---|
| Applicability threshold | 25K consumers or derive more than 25% of gross revenue from the sale of personal data | 100K consumers or 25K + 50% revenue from data sales | $25M revenue or 100K+ consumers or 50% revenue from data sales | No revenue or consumer data thresholds |
| Private right of action | Maybe | No | Yes (limited) | No |
| Universal opt-out (GPC) required | No | No | Yes | Yes |
| Cure period | 45 days (permanent) | 30 days (permanent) | None (expired) | 30 days (permanent) |
| Sensitive data | Affirmative consent required | Affirmative consent required | Opt-out (some categories) | Affirmative consent required |
| Authorized agents | No* | No | Yes | No |
| Effective date | May 1, 2027 | In effect | In effect | In effect |

*Authorized agents are referenced in the statute, but the APDPA lacks an explicit requirement to honor requests from authorized agents.
With the APDPA's May 1, 2027 effective date on the horizon, here's where to focus your efforts.
Confirm whether you're in scope. The APDPA's thresholds are among the lowest of any state privacy law. Evaluate whether your current data inventory suggests you process the personal data of more than 25,000 Alabama residents or earn 25% of your revenue from data sales. Organizations that have historically stayed below Virginia's 100K-consumer threshold may now find themselves covered.
Update your data map. Identify personal and sensitive data collected from Alabama residents. Pay particular attention to the APDPA's "sale" definition. Non-monetary data-sharing arrangements that confer a material benefit to your organization and leave the recipient unrestricted in how they use the data may qualify as sales, even if they wouldn't under Virginia's law. If you need help getting started, our data mapping guide has you covered.
Review and update your privacy notice. Confirm that your notice covers all required disclosures and includes clear opt-out mechanisms for targeted advertising and data sales. The APDPA does not require GPC signal recognition, but opt-out options still need to be disclosed.
Build out your consumer request workflow. You'll need at least one secure method for consumers to submit requests. Make sure your team can respond within 45 days.
Audit your processor agreements. Review existing data processing contracts to confirm they include all elements required by the APDPA.
Evaluate your consent revocation mechanism. Alabama's requirement that opting out must be at least as easy as opting in is an operational obligation that needs to be tested in your existing consent flows.
Train your team. Ensure that privacy, legal, and customer-facing staff understand the new rights framework, the 45-day response window, and the absence of a mandatory appeal process.
By joining the US data privacy laws patchwork as the 21st state, Alabama confirms that businesses operating across the country need a privacy program built for scale, not just jurisdiction-by-jurisdiction patch jobs.
The APDPA leans business-friendly in several respects: no DPA requirement, no GPC mandate, a permanent cure period, and conditional exemptions for small businesses and nonprofits. But it is far from toothless. A low applicability threshold, a $15,000-per-violation penalty ceiling, and a "sale" definition that will require careful analysis ensure that mid-sized businesses and data-heavy enterprises alike will need to take the APDPA seriously.
As we've seen in states like Colorado and Connecticut, comprehensive privacy laws rarely stay static. Future legislative sessions may add DPA requirements or sharpen the law's enforcement language. The May 1, 2027 effective date provides meaningful runway—but data mapping, vendor auditing, and workflow design should start now. Staying ahead of the requirements is always easier than scrambling to catch up once enforcement begins.
If you want to stay abreast of the latest in data privacy developments, including whether legislators update the APDPA or introduce new state privacy laws, sign up for our newsletter, the Privacy Insider. We provide weekly updates curated to help businesses get and stay compliant in the constantly changing data privacy landscape.