Alabama’s New Data Privacy Law: Who’s Covered and What Changes?
Alabama now has a comprehensive data privacy law. Governor Ivey signed the Alabama Personal Data Protection Act (APDPA) on April 16, 2026, after it passed both chambers unanimously. Businesses operating in Alabama should review how they collect, use, store and share Alabama residents’ personal data to prepare for the law before it takes effect May 1, 2027.
The APDPA makes Alabama the 21st state to pass comprehensive data protection legislation. Alabama’s law follows the standard approach, under which a "consumer" is an individual acting in a personal capacity, not in a commercial or employment context. However, its applicability provisions differ notably from those of other states.
The APDPA applies to businesses that meet one of these conditions:
- Control or process the personal data of more than 25,000 consumers (excluding personal data controlled or processed solely to complete a payment transaction)
- Derive more than 25% of gross revenue from the sale of personal data, regardless of the number of consumers the business processes
While the 25,000-consumer threshold is the lowest of any state, the law includes a long list of exempt businesses, entities, institutions and organizations. These include financial institutions and those collecting personal data governed by the Gramm-Leach-Bliley Act, covered entities and business associates, and, critically for many Alabama businesses, businesses with fewer than 500 employees that do not engage in the sale of personal data. The gross revenue prong does not include a minimum number of records processed, a deviation from other states' laws with a similar prong.
The APDPA's definition of "sale of personal data" also stands apart. It retains the standard "exchange for monetary or other valuable consideration" language but adds two notable distinctions. First, the law adds "where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data." Second, the law carves out several exclusions, including disclosures to third parties for analytics services.
While Alabama’s definition shows an attempt to balance competing interests and provide a workable definition that reflects the reality of personal data disclosures, businesses must weigh this definition of sale of personal data against the definitions used in other states where they operate. The APDPA’s position introduces more, not less, ambiguity for multistate businesses and could be a trap for businesses seeking to rely on the entity-level exemption for those with fewer than 500 employees.
The APDPA also differs from other state privacy laws in several ways:
- No requirement for data protection impact assessments
- Certain requirements with respect to children's data are treated in alignment with the Children’s Online Privacy Protection Act
- No obligation to recognize universal opt-out mechanisms
While these requirements are far from universal among the existing state laws, Alabama’s approach adds another layer of complexity to those managing multistate regimes.
The law contains a 45-day cure period, no private right of action and penalties of up to $15,000 per violation.
Contact Lucy Porter or any member of the Phelps cybersecurity, privacy and data protection team with questions.