Key point: Alabama becomes the 21st state to enact a broad consumer data privacy law, and its law is one of the more business-friendly passed to date.

According to Privacy Daily, on April 16, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351) into law, making Alabama the 21st state to pass a broad consumer data privacy law and the second state to do so this year. It is also the second privacy law Alabama has enacted this year; the state enacted an app store law in February.

With passage of Alabama’s law, approximately 46% of the U.S. population will now be covered by a broad consumer data privacy law.

The new business-friendly law is largely unremarkable. Companies that are complying with other state consumer data privacy laws will not need to do anything new to comply with Alabama’s law. However, the law does have a few nuances that we discuss in the article below — in particular, the law’s applicability standard and its definition of “sale.”

Applicability

The law applies to persons that conduct business in Alabama or that produce products or services that are targeted to residents of the state and that either (1) control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (2) derive 25% of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.

The 25,000-consumer threshold matches Montana as the lowest of any state law. Alabama is the first state not to pair the revenue-based second threshold with a minimum number of consumers.

The law defines “consumer” to exclude individuals acting in a commercial or employment context.

Exemptions

The law contains customary entity- and data-level exemptions, such as exempting GLBA-regulated financial institutions and data as well as HIPAA-covered entities and personal health information. The law exempts nonprofits with fewer than 100 employees and businesses with fewer than 500 employees if they do not engage in the sale of personal data. The law also contains exemptions for FCRA and FERPA data.

Definition of Sale

The law contains a unique definition of sale, stating that it is the “exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” The law also contains novel exemptions from the definition of sale for the “disclosure or transfer of personal data to a third party for the purpose of providing analytics services” and the “disclosure or transfer of personal data to a third party for the purposes of providing marketing services solely to the controller.”

Consumer Rights

The law contains the customary consumer rights to (1) correct inaccuracies in the consumer’s personal data; (2) delete personal data about the consumer; (3) obtain a copy of the consumer’s personal data; and (4) opt out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated significant decisions concerning the consumer.

The law contains a slightly broader than customary right to confirm/access, stating that there is a right to “confirm whether a controller, or a processor or third party acting on a controller’s behalf, is processing the consumer’s personal data and accessing any of the consumer’s personal data under control of the controller, unless confirmation would require the controller to reveal a trade secret.” Conversely, the law does not contain a right to appeal.

All rights, excluding the opt-out rights, are subject to authentication.

The law requires controllers to obtain consumer consent for the processing of sensitive data. Sensitive data is defined narrowly to be: (1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; and (4) precise geolocation data.

Children’s Privacy Rights

The law provides that controllers cannot process the personal data of a consumer for the purpose of targeted advertising or sell a consumer’s personal data without the consumer’s consent under circumstances in which a controller has actual knowledge that a consumer is at least 13 years of age but younger than 16 years of age.

Opt-Out Preference Signals

The law does not require controllers to recognize opt-out preference signals. Confusingly, the law does refer to opt-out preference signals in Section 6(c)(1); however, the affirmative duty to recognize such signals was removed prior to final passage.

Data Protection Assessments

The law does not require data protection assessments.

Enforceability

The law is enforceable by the state attorney general. It contains a 45-day right to cure that does not sunset.

Effective Date

The law goes into effect May 1, 2027.