Consumer Privacy Embraced by The “Heart of Dixie”
Consumer Privacy Embraced by The “Heart of Dixie”
https://natlawreview.com/article/heart-dixie-embraces-consumer-privacy
Publish Date: 2026-04-20 14:01:00
Source Domain: natlawreview.com
On April 16, 2026, Governor Kay Ivey signed into law the Alabama Personal Data Protection Act (“APDPA”) after a unanimous vote in favor from both chambers of the Alabama legislature. The APDPA is the 22nd state consumer privacy law overall (counting Florida) and the second one enacted in 2026, following enactment of Oklahoma’s privacy law in March.
1. HOW DOES THE APDPA COMPARE?
Overall, the APDPA does not set any new compliance “high water mark.” Some notable differences are, however, discussed in the summary of the law below.
2. WHO IS A CONSUMER AND WHAT DATA IS PROTECTED?
The APDPA defines the term “consumer” like the other non-California CPLs: a state resident acting in his or her individual capacity and not in a commercial or employment context. (§2(6))
Also like the other CPLs, personal data is “[a]ny information that is linked or reasonably linkable to an identified or identifiable individual[….]” (§2(13))
Personal data includes pseudonymous data, which is defined as “personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributable to an identified or identifiable individual.” (§2(18))
As noted in FAQ 4 below, deidentified data and publicly available information are not personal data.
3. WHAT ORGANIZATIONS ARE IN SCOPE?
The APDPA applies to a controller or processor that conducts business in Alabama or produces a product or service targeted to the Alabama residents and either:
- controls or processes personal data of at least 25,000 consumers (excluding personal data controlled or processed solely for purposes of completing a payment transaction); or
- derives over 25% of gross revenue from the sale of personal data.
The second threshold is notable because the gross revenue measurement is not linked to a…
