On April 16, 2026, Governor Kay Ivey signed into law the Alabama Personal Data Protection Act (“APDPA”) after a unanimous vote in favor from both chambers of the Alabama legislature.  The APDPA is the 22nd state consumer privacy law overall (counting Florida) and the second one enacted in 2026, following enactment of Oklahoma’s privacy law in March (summarized here).

We highlight key features of the APDPA below.  (We also offer a subscription service that offers details and comparisons (by topic) of state consumer privacy laws (“CPLs”).)

1. HOW DOES THE APDPA COMPARE?

Overall, the APDPA does not set any new compliance “high water mark.”  Some notable differences are, however, discussed in the summary of the law below.

2. WHO IS A CONSUMER AND WHAT DATA IS PROTECTED?

The APDPA defines the term “consumer” like the other non-California CPLs: a state resident acting in his or her individual capacity and not in a commercial or employment context. (§2(6))

Also like the other CPLs, personal data is “[a]ny information that is linked or reasonably linkable to an identified or identifiable individual[….]” (§2(13))

Personal data includes pseudonymous data, which is defined as “personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributable to an identified or identifiable individual.” (§2(18))

As noted in FAQ 4 below, deidentified data and publicly available information are not personal data.

3. WHAT ORGANIZATIONS ARE IN SCOPE?

The APDPA applies to a controller or processor that conducts business in Alabama or produces a product or service targeted to Alabama residents and either:

  • controls or processes personal data of at least 25,000 consumers (excluding personal data controlled or processed solely for purposes of completing a payment transaction); or
  • derives over 25% of gross revenue from the sale of personal data.

The second threshold is notable because the gross revenue measurement is not linked to a specific timeframe – compare, for example, the Oklahoma CPL which measures gross revenue by calendar year, and the New Hampshire CPL which measures gross revenue over a one-year period. (§3) Unless and until there is clarification, a business should consider taking a conservative approach and measure the second threshold over any 12-month period.

4. WHAT DATA AND ORGANIZATIONS ARE NOT IN SCOPE?

Like the other state CPLs, the APDPA has several entity-level and data-level exemptions:

a. Entity-level exemptions include:

  • Political subdivisions and certain governmental organizations;
  • Institutions of higher education;
  • National securities associations registered under 15 U.S.C. Section 78o-3;
  • Financial institutions governed by the Gramm-Leach-Bliley Act and their affiliates;
  • Covered entities and business associates subject to the privacy provisions of the Health Insurance Portability and Accountability Act;
  • A business with fewer than 500 employees, provided the business does not engage in the sale of personal data;
  • Non-profit entities (as defined in Alabama law) with fewer than 100 employees and that do not sell personal data;
  • Securities broker-dealers and investment advisors;
  • Licensed money transmitters;
  • Certain insurance fraud prevention organizations;
  • Political parties, action committees and similar organizations, or organizations that sell personal data “primarily” to them; and
  • Certain electricity providers.

Notably, only some nonprofit entities (those with 100 or more employees that do not sell personal data) and businesses with fewer than 500 employees that do not sell personal data are out of scope.

b. Data-level exemptions include:

  • Deidentified data (§2(10));
  • Publicly available information (§2(19));
  • Personal data collected, processed, sold, or disclosed in accordance with the Gramm-Leach-Bliley Act;
  • Protected health information under the Health Insurance Portability and Accountability Act, as well as certain other specifically designated healthcare related data;
  • Data for use in a consumer report by a user of a consumer report if the use is regulated and authorized by the Fair Credit Reporting Act;
  • Personal data processed in compliance with the federal Driver’s Privacy Protection Act;
  • Personal data regulated by the Family Education Rights and Privacy Act;
  • Personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act;
  • Personal data processed or maintained by an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or “third party” (i.e., not a consumer, controller, processor, or an affiliate of the controller or processor) if the personal data is collected and used within the context of the role as applicant, employee or independent contractor;
  • Emergency contact personal data used for emergency contact purposes only;
  • Personal data “necessary” to provide benefits to another person and used for benefits administration only;
  • Personal data processed in connection with deregulated price, route and service activities by an air carrier subject to the federal Airline Deregulation Act;
  • Data collected or processed to comply with or “in accordance with state law”; and
  • Record keeping data under certain portions of the Controlled Substance Act.

5. WHAT IS AND IS NOT A “SALE OF PERSONAL DATA”?

The APDPA defines a sale of personal data as “the exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” [emphasis added].  (§2(20))

Specifically excluded from the definition of sale are:

  1. The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
  2. The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer.
  3. The disclosure or transfer of personal data to an affiliate of the controller. [Note that “affiliate” means “[a] legal entity that shares common branding with another legal entity or that controls, is controlled by, or is under common control with another legal entity.” (§2(1))].
  4. The disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
  5. The disclosure of personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience.
  6. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

(§2(20)(a-f))

Two uncommon personal data sale exclusions are the disclosure or transfer of personal data to a third party for the purpose of providing analytics services or marketing services solely to the controller. (§2(20)(g-h))

As noted below, the APDPA also requires clear and conspicuous disclosure of personal data sales and opt out rights.

6. WHAT PRIVACY NOTICE REQUIREMENTS APPLY?

Like other CPLs, the APDPA requires a controller to provide consumers with a reasonably accurate, clear, and meaningful privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purposes for processing personal data;
  • The categories of personal data shared with third parties;
  • The categories of third parties with which personal data was shared; and
  • An active email address or other mechanism to contact the controller.

(§7(d))

The privacy notice also must describe how (“by one or more secure and reliable means”) consumers may exercise their consumer rights. (§7(e)(1))

The APDPA also requires clear and conspicuous disclosure of personal data sales or use for targeted advertising and how a consumer may exercise the right to opt out of sale or targeted advertising. (§7(c))

The APDPA does not have any specific requirement related to updating a privacy notice, such as notification to consumers about material changes (such as per Colorado Privacy Act Rule 6.04(A)) or periodic reviews (such as in California’s CCPA).

7. WHAT RIGHTS ARE AVAILABLE FOR CUSTOMERS IN THE APDPA & WHAT ARE THE CONTROLLER’S OBLIGATIONS IN RESPONDING TO A CUSTOMER PRIVACY RIGHTS REQUEST?

Subject to authentication (i.e., a “reasonable method” to determine that the request is made by the consumer or an authorized agent) (§2(2)), a consumer may request a controller to exercise the following rights:

  • Confirming whether the controller (or a processor or third party acting on a controller’s behalf) is processing the consumer’s personal data and accessing any of the consumer’s personal data under the control of the controller;
  • Correcting the consumer’s personal data;
  • Deleting the consumer’s personal data;
  • Obtaining copies of personal data previously provided by the consumer to the controller; and
  • Opting out of:
    • Processing for targeted advertising;
    • Personal data sale; and
    • Profiling in furtherance of solely automated significant decisions concerning the consumer.

Note that the APDPA’s definition of “profiling” contains a solely-automated qualifier, i.e., “solely-automated processing to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” (§2(17))

The APDPA includes typical exceptions to consumer rights, such as to comply with law, provide requested products or services, prevent fraud and preserve security.  The APDPA also has exceptions for certain research and public health processing, as well as for internal use to: conduct internal research to develop, improve, or repair products, services, or technology; effectuate a product recall; identify and repair technical errors that impair existing or intended functionality; perform internal operations that are reasonably aligned with the expectations of the consumer, are reasonably anticipated based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service; provide a product or service specifically requested by a consumer; or perform a contract with the consumer.

The APDPA provides that methods for exercising privacy rights must include a website homepage link that goes directly to the opt-out mechanism for sale and targeted advertising or instructions on how to make an opt-out request.  If the opt-out request conflicts with a prior opt-in (e.g., user privacy control settings or financial incentive terms), the opt-out governs unless notice is given and the consumer resolves the conflict by confirming the prior choice. Authentication is not required for opt-out requests, but rejection for a “good faith, reasonable and documented belief that the request is fraudulent or otherwise not authorized” requires notice of denial on that basis.

The APDPA provides that a consumer’s guardian or conservator or a parent or guardian of a child (under age 13) may exercise privacy rights on the consumer’s behalf.  While the APDPA has no express provision permitting use of an authorized agent to act for a consumer, the provision requiring one or more secure methods for making a request also requires that the method include authentication of the consumer’s authorized agent.

The APDPA does not require a controller to identify or honor a consumer’s global privacy control signal.

Like with many CPLs, a controller subject to the APDPA is not required to include pseudonymous data when responding to a consumer rights request if the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls that prevent the controller from accessing the information. (§9(d))

8. ARE CONTROLLERS REQUIRED TO CONDUCT DATA PROTECTION ASSESSMENTS?

No. Like the CPLs of Iowa and Utah, the APDPA does not require risk assessments for data processing activities.

9. WHAT OTHER OBLIGATIONS APPLY TO CONTROLLERS?

Under the APDPA, the processing of sensitive personal data requires a consumer’s consent, defined as “freely given, specific, informed and unambiguous agreement.” (§7(b)(2))  Note that a controller must offer a method for a consumer to revoke consent which is at least as easy as giving consent.

The APDPA provides that the processing of personal data of a “known child” (under age 13) requires verified parental consent pursuant to the Children’s Online Privacy Protection Act.  For a consumer age 13 to 16, the use of personal data for targeted advertising and the sale of personal data each require the consumer’s consent.

The APDPA has data minimization requirements (§ 7(a)(1)) and processing purpose limitations (§ 7(b)(1)) similar to other CPLs.

The APDPA requires controllers to have and maintain reasonable security to ensure the confidentiality, integrity and accessibility of personal data. (§ 7(a)(2))

Under the APDPA, a controller may not deny or provide different prices, rates or quality levels for goods or services because the consumer opts out of certain processing, but also is not required to provide a service that requires data processing if a consumer opts out. (§ 7(b)(5))  A controller may, however, provide different prices or levels for goods or services if the consumer chooses to participate in a “bona fide loyalty, rewards, premium features, discount, or club card program.” (§ 7(b)(5))

10. WHAT REQUIREMENTS RELATE TO PROCESSORS?

A processor must adhere to the controller’s instructions regarding the processing of the controller’s personal data and assist the controller in meeting its APDPA obligations.

The APDPA requires that processing of personal data be subject to a contract that sets forth those instructions and the nature, duration and purposes of processing, and that requires the processor to: ensure confidentiality of personal data; delete or return personal data as requested at the end of services except insofar as retention is required or permitted by law; demonstrate compliance upon request; and obligate subprocessors to comply with the processor’s obligations. The contractual and other limitations on processors are less robust than under many of the other CPLs.

11. WHAT ARE THE CONSEQUENCES OF NONCOMPLIANCE?

The APDPA is enforced exclusively by the Alabama Attorney General. After the Attorney General provides notice of noncompliance, a 45-day cure period applies before the Attorney General may initiate a civil action.

If the controller cures the violation within the 45-day period and confirms to the Attorney General with “an express written statement that the alleged violations have been corrected and that no such further violations will occur”, the Attorney General may not initiate a civil action. (§11(b)(3)) Note that unlike some other CPLs, this right to cure does not “sunset” after a certain date.

In a civil action, the Attorney General may seek injunctive relief and civil penalties of up to $15,000 per violation.

The APDPA does not offer a private right of action and does not require the Attorney General to issue regulations.

The authors are grateful to Mary Aldrich, Paralegal, for her contributions to this summary of the APDPA.

To help you understand and comply with the patchwork of state CPLs, Privacy Powered by SPB offers tools and guidance materials.  Privacy World will continue to cover privacy law developments in the US and around the world. Please contact the authors for more information.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.
