Privacy Guide · May 4, 2026 · 8 min read

Privacy Laws in Alabama: What You Need to Know

By Sarah Chen

Head of Privacy Research

On April 16, 2026, Governor Kay Ivey signed the Alabama Personal Data Protection Act (APDPA) into law, making Alabama the 21st state to enact a comprehensive consumer data privacy law. The law takes effect on May 1, 2027, giving businesses roughly a year to prepare. Here's what Alabama residents need to know about their new privacy rights and how to take advantage of them.

What Is the Alabama Personal Data Protection Act?

The APDPA (House Bill 351) establishes a comprehensive framework for how businesses collect, use, and share the personal data of Alabama residents. It grants consumers specific rights over their data and imposes obligations on businesses that process personal information.

The Alabama legislature passed HB 351 unanimously, signaling strong bipartisan support for consumer privacy protections. The law follows the general framework established by Virginia's VCDPA and similar state privacy laws, with some notable distinctions.

Your Rights Under the APDPA

Once the law takes effect on May 1, 2027, Alabama residents will have the following rights:

Right to Access

You can request a copy of the personal data a business has collected about you. The business must provide it in a portable, easily usable format.

Right to Correct

If a business has inaccurate personal data about you, you can request that they correct it.

Right to Delete

You can request that a business delete the personal data it has collected about you. There are some exemptions — for example, data needed for legal compliance or fraud prevention — but in most cases, the business must comply.

Right to Opt Out

You can opt out of three specific types of data processing:

  • Targeted advertising — Ads based on tracking your behavior across websites and apps.
  • Sale of personal data — Businesses selling your information to third parties, including data brokers.
  • Profiling — Automated decision-making that produces significant effects on you (like credit decisions or insurance pricing).

How to Exercise Your Rights

Starting May 1, 2027, businesses covered by the APDPA must provide a clear, accessible way for you to submit privacy requests — typically through a form on their website or a dedicated email address. Businesses must respond to your request within 45 days and can extend this by an additional 45 days in complex cases.

Which Businesses Are Covered?

The APDPA applies to businesses that conduct business in Alabama or target products and services to Alabama residents and meet one of these thresholds:

  • Process the personal data of 25,000 or more Alabama consumers, or
  • Derive more than 25% of gross revenue from the sale of personal data.

The 25,000-consumer threshold is notable because it matches Montana's as the lowest in the nation, meaning a broader range of businesses fall under the law compared to states like Virginia (100,000 consumers) or California (which uses a revenue threshold of $25 million). Alabama is also the first state to apply the 25% revenue threshold without requiring a minimum consumer count, which captures smaller data brokers that profit primarily from selling personal information.

What's Not Covered

Like most state privacy laws, the APDPA includes significant exemptions. It does not apply to state or local government agencies, nonprofit organizations, institutions of higher education, or data regulated by sector-specific federal laws like HIPAA (health data), GLBA (financial data), and FCRA (credit reporting). These exemptions mean that some of the biggest collectors of your personal data — healthcare providers, banks, and credit bureaus — are not covered by this law.

How Alabama's Law Compares to Other States

The APDPA is broadly similar to the privacy laws in Virginia, Connecticut, and Indiana. However, there are some key differences:

No Data Protection Impact Assessments

Unlike Virginia, Colorado, Connecticut, and most other states, Alabama does not require businesses to conduct data protection impact assessments. This significantly reduces the compliance burden on businesses but also means less proactive scrutiny of high-risk data processing activities.

No Universal Opt-Out Signal Requirement

A Senate amendment removed the requirement for businesses to recognize universal opt-out preference signals (like the Global Privacy Control browser setting). This is a significant departure from the trend — states like California, Colorado, Connecticut, Montana, and Texas all require recognition of these signals. Without this requirement, Alabama consumers must opt out individually from each business rather than using a browser-level setting.

Sensitive Data Requires Consent

The APDPA requires businesses to obtain consumer consent before processing sensitive personal data, which includes data revealing racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data.

Enforcement

Enforcement of the APDPA rests exclusively with the Alabama Attorney General. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations. The AG must provide businesses with a 45-day right-to-cure period before taking enforcement action, giving businesses a chance to fix violations before facing penalties.

Civil penalties for violations can be up to $15,000 per violation, which can add up quickly for businesses engaging in widespread non-compliance.

What You Can Do Now

While the APDPA doesn't take effect until May 2027, there are steps you can take now to protect your privacy as an Alabama resident:

  • Opt out of data brokers — You don't need to wait for the APDPA. You can submit opt-out requests to data brokers like Spokeo, BeenVerified, Whitepages, and others right now.
  • Freeze your credit at Equifax, Experian, and TransUnion to prevent identity theft.
  • Review your social media privacy settings and limit the personal information you share publicly.
  • Use the CCPA and other existing laws — If a business operates in California (most large companies do), you may already have deletion rights under the CCPA regardless of where you live.

Don't Wait Until 2027

PrivacyOn gives Alabama residents comprehensive privacy protection right now — no need to wait for the APDPA to take effect. PrivacyOn removes your personal information from 100+ data broker sites, monitors for reappearances 24/7, and includes dark web monitoring. With family plans covering up to 5 people, you can protect your entire household starting at just $8.33 per month.

The Bigger Picture

Alabama's APDPA is part of a growing wave of state-level privacy legislation across the United States. With 21 states now having comprehensive privacy laws on the books, the pressure is building for a federal privacy law that would create a uniform standard. Until that happens, state laws like the APDPA provide an important — if incomplete — layer of protection for consumers.

Whether you're waiting for the APDPA to take effect or taking action now, the most important thing is to be proactive about your privacy. Regularly checking and removing your information from data broker sites remains one of the most effective steps you can take to protect your personal data.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
