Alabama Enacts Comprehensive Consumer Data Privacy Law | Insights
Alabama Enacts Comprehensive Consumer Data Privacy Law | Insights
Publish Date: 2026-04-28 03:00:00
Source Domain: www.mayerbrown.com
On April 17, 2026, Governor Kay Ivey signed House Bill 351 into law, enacting the Alabama Personal Data Protection Act (the “APDPA” or the “Act”) and making Alabama the 22nd state to adopt a comprehensive consumer privacy law. The APDPA, which takes effect on May 1, 2027, largely follows the dominant model for state privacy legislation observed in states outside of California; however, it departs from that model in several notable respects, including generally lower applicability thresholds, a novel definition of “sale,” and the absence of a data protection assessment requirement. For more information about how the APDPA compares to other privacy laws, please see our state privacy law tracker.
Who is Covered?
The APDPA applies to persons that conduct business in Alabama, or that target products or services to Alabama residents, and that meet either of the following thresholds: (1) controlling or processing the personal data of more than 25,000 Alabama consumers (excluding personal data processed solely to complete a payment transaction); or (2) deriving more than 25% of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.
Entity-Level Exemptions
A number of entities are exempt from the APDPA, including the following:
- Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act (“GLBA”);
- Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
- State agencies and political subdivisions of Alabama;
- Institutions of higher education and their affiliates;
- National securities associations registered under federal law;
- Small businesses with fewer than 500 employees that do not sell personal data; and
- Non-profit organizations with fewer than 100 employees that do not sell personal data.
In addition to these entity-level exemptions, the APDPA provides certain data-level…
