At a Glance
- The APDPA takes effect May 1, 2027 and applies to businesses that process personal data of more than 25,000 Alabama consumers, or derive more than 25 percent of gross revenue from the sale of personal data.
- Consumers gain rights to access, correct, delete, and obtain a portable copy of their personal data, plus opt-out rights for targeted advertising, data sales, and certain automated profiling decisions.
- Affirmative consent is required before processing sensitive personal data, including biometric data, precise geolocation, and personal data belonging to known children.
- The APDPA includes a consent revocation right: once a consumer revokes consent, controllers must cease processing within 45 days.
- Controllers may not process personal data for targeted advertising or sell personal data when they have actual knowledge the consumer is between 13 and 15 years of age, without that consumer’s consent.
- Enforcement rests with the Alabama Attorney General; civil penalties are up to USD 15,000 per violation, with a permanent 45-day cure period.
Alabama joined the growing number of U.S. states with a comprehensive data privacy regulation when HB 351 was passed on April 7, 2026, and subsequently signed into law. Formally titled the Alabama Personal Data Protection Act (APDPA), the law takes effect May 1, 2027.
For businesses already operating under Virginia’s Consumer Data Protection Act (VCDPA), Texas’s Data Privacy and Security Act (TDPSA), or the more recent Oklahoma Consumer Data Privacy Act (OCDPA), Alabama’s framework will cover familiar ground. It generally follows the same opt-out consent structure that is now common across all U.S. state-level data privacy laws passed to date.
That said, the APDPA contains provisions that distinguish it from its closest counterparts. Its applicability threshold is set at 25,000 consumers, currently the lowest among the state privacy laws. This can bring more small and mid-sized businesses into scope.
Its definition of “sale of personal data” extends beyond monetary consideration in certain circumstances. It includes an explicit consent revocation right. And it imposes opt-in consent requirements for targeted advertising and data sales involving 13- to 15-year-olds, a protection absent from many comparable state laws.
This article covers who the APDPA applies to, what rights it grants Alabama consumers, what it requires of businesses, and what organizations can do to prepare for the May 1, 2027 effective date.
What Is the Alabama Personal Data Protection Act?
The Alabama Personal Data Protection Act (APDPA) establishes rights for Alabama residents over their personal data and corresponding obligations for businesses that collect and process it. Enacted through House Bill 351, the law was passed by both chambers of the Alabama Legislature in April 2026, taking effect May 1, 2027.
Consistent with other U.S. state-level data privacy laws, the APDPA follows an opt-out consent model for most data processing activities. Organizations can, in most cases, collect and process personal data without obtaining prior consent, provided consumers are given clear and accessible means to opt out of certain uses — particularly the sale of personal data, targeted advertising, and certain profiling — and are informed about how their data is handled.
The APDPA governs controllers’ and processors’ obligations as well. Controllers are entities that, alone or jointly with others, determine the purposes and means of processing personal data. Processors process that data on the controller’s behalf.
Key Definitions Under the APDPA
Section 2 of the APDPA establishes a set of definitions that determine how the law applies to specific data types and processing activities. Understanding these definitions is essential to determining which obligations apply.
Personal Data
The APDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual,” a standard formulation across U.S. and global privacy law.
The definition expressly excludes deidentified data and publicly available information. Pseudonymous data may fall within scope where it is used in conjunction with additional information that could identify an individual.
Sensitive Data
Sensitive data is a category of personal data requiring heightened protection, which controllers may not process without consumer consent. The APDPA defines sensitive data as personal data that includes any data that reveals:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Information about an individual’s sex life or sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data
Biometric Data
The APDPA defines biometric data as data “generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, retina, or iris, that are used to identify a specific individual.”
The definition expressly excludes digital or physical photographs, audio or video recordings, and data generated from photographs or recordings, “unless the data is used to identify a specific individual.”
Businesses using image- or audio-derived data for identification purposes must treat that data as biometric data in scope under the law.
Consumer
A consumer under the APDPA is “an individual who is a resident of” Alabama acting in an individual or household context.
The definition does not cover individuals acting in a commercial or employment context, or as employees, owners, directors, officers, or contractors of a company, partnership, nonprofit, or government agency where communications occur solely within that professional role.
Sale of Personal Data
The APDPA’s definition of “sale of personal data” is broader than many comparable state laws. It covers both exchanges for monetary consideration and exchanges for other valuable consideration, “where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.”
Data-sharing arrangements that might be excluded from the “sale” definition in Virginia or Oklahoma, for example, may meet the threshold in Alabama if the controller receives material benefit and the recipient has unfettered use of the data.
The definition includes specific exclusions, among them disclosure to a processor acting on the controller’s behalf, disclosure to fulfill a consumer-requested product or service, transfers to affiliates, disclosures directed by the consumer, disclosures to provide analytics services, and disclosures for marketing services performed solely for the controller.
Targeted Advertising
The APDPA defines targeted advertising as “displaying advertisements to a consumer in which the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet websites or online applications to predict the consumer’s preferences or interests.”
Ads based on a consumer’s activities within a controller’s own properties, contextual ads, or ads in response to a consumer’s direct request are excluded.
Consent
Consent under the APDPA means “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.” This is fairly standard among U.S. and global privacy laws.
The definition expressly excludes acceptance of broad terms of use alongside unrelated information, passive actions such as hovering over or muting content, and consent obtained through dark patterns.
Dark Patterns
The APDPA defines a dark pattern as “a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.” Consent obtained through such interfaces is invalid under the law.
Profiling and Significant Decisions
The APDPA defines profiling as “any form of solely-automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
A significant decision is one that results in the provision or denial of credit, housing, insurance, education, criminal justice, employment, healthcare, or access to basic necessities.
Consumers may opt out of profiling used in furtherance of such decisions.
Who Does the APDPA Apply To?
Section 3 of the APDPA applies the law to persons conducting business in Alabama, or producing products or services targeted to Alabama residents, where the person meets either of the following thresholds:
- Controls or processes the personal data of more than 25,000 consumers (excluding data processed solely to complete a payment transaction), or
- Derives more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data is processed
The 25,000-consumer threshold is notably lower than in any other state that currently has a privacy law, where 100,000 is the more common figure. This means the APDPA will capture a substantially broader range of businesses. The APDPA also has no minimum annual revenue threshold of the kind found in California and some other states, so there is, for example, no USD 25 million floor of any kind.
APDPA Exemptions
Section 4 of the APDPA establishes entity-level and data-level exemptions. Among those exempt from the law’s requirements:
- Political subdivisions of the state and related public bodies
- Two-year and four-year institutions of higher education, including affiliates
- Financial institutions and affiliates governed by or subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates as defined under HIPAA
- Businesses with fewer than 500 employees, provided the business does not engage in the sale of personal data
- Nonprofit entities with fewer than 100 employees, provided they do not sell personal data
- Political action committees, political parties, principal campaign committees, and political organizations, as well as businesses that sell data primarily to such organizations
- Electric providers subject to North American Electric Reliability Corporation (NERC) standards
The small business exemption, which applies to entities with fewer than 500 employees that do not sell personal data, is a meaningful provision absent from many comparable state laws.
Businesses near this threshold can carefully assess whether their data-sharing arrangements constitute a “sale” under the APDPA’s definition before relying on it.
Data-level exemptions follow the standard pattern: HIPAA-regulated protected health information, FCRA-regulated data, FERPA-regulated student data, employee and job applicant data, and emergency contact information are all excluded from scope.
Consumer Rights Under the APDPA
Section 5 of the APDPA grants Alabama residents a set of individual data rights, which they can exercise by submitting a verified request to a controller:
- Right to access: Confirm whether a controller is processing their personal data and access any personal data held, unless doing so would require revealing a trade secret
- Right to correct: Request that inaccuracies in their personal data be corrected
- Right to delete: Direct the controller to delete their personal data, with some exceptions
- Right to portability: Obtain a copy of personal data previously provided, in a portable and readily usable format, where processing is carried out by automated means
- Right to opt out: Of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated significant decisions
- Right to nondiscrimination: Controllers may not deny goods or services, charge different prices, or provide a lower quality of service to consumers who exercise their opt-out rights
The APDPA also provides for parental and guardian exercise of rights: a parent or legal guardian of a known child (those under 13 years old) — and a guardian or conservator of a consumer — may exercise rights on their behalf.
There is no private right of action under the APDPA, so consumers cannot directly sue companies in the event of a violation such as a data breach. Enforcement is reserved to the Alabama Attorney General.
How Must Businesses Respond to Consumer Requests?
Section 5(d) sets out the response framework for data subject rights requests (DSARs). Controllers must respond to a consumer’s request within 45 days of receipt. Where reasonably necessary, the response period may be extended by a further 45 days, provided the consumer is informed of the extension and its reason within the initial 45-day period.
Responses must be provided free of charge once per 12-month period per consumer. If requests are manifestly unfounded, excessive, technically infeasible, or repetitive, the controller may charge a reasonable fee or decline to act. However, the controller bears the burden of demonstrating this characterization if challenged.
Controllers must establish an appeal process for consumers whose requests are denied. If an appeal is denied, the controller must direct the consumer to the Alabama Attorney General.
Opt-Out Mechanism Requirements
Section 6 of the APDPA requires controllers to provide a “clear and conspicuous link” on their website to a page that enables consumers to opt out of targeted advertising and the sale of their personal data directly, or to provide up-to-date contact information for submitting an opt-out request.
Where an opt-out preference signal — such as the Global Privacy Control or other universal opt-out mechanism — conflicts with a consumer’s existing privacy setting or participation in a bona fide loyalty program, the controller must comply with the opt-out signal but may notify the consumer of the conflict.
Does the APDPA Require Honoring Global Privacy Control?
The APDPA does not explicitly require businesses to honor opt-out preference signals such as GPC. However, Section 6 requires controllers to comply with consumer opt-out preference signals where received, leaving some ambiguity around browser-level signals.
As of mid-2026, 12 states explicitly require businesses to honor the GPC or a comparable Universal Opt-Out Mechanism (UOOM). So while Alabama is not among them, the provisions still warrant monitoring.
Sensitive Data, Consent Revocation, and Teen Protections
The APDPA requires affirmative, prior consent before any controller processes sensitive personal data. Controllers that rely on passive or implied signals to infer consent for sensitive data processing, including precise geolocation or health information, can review those practices against the APDPA’s consent standard.
A notable feature distinguishing the APDPA from several comparable state laws is the explicit consent revocation right. Section 7(a)(3) requires controllers to provide “an effective mechanism for a consumer to revoke the consumer’s consent under this act that is at least as easy as the mechanism by which the consumer provided the consumer’s consent.”
Upon revocation, the controller must cease processing “as soon as practicable, but no later than 45 days” after the revocation is received.
Protections for 13- to 15-Year-Olds
Section 7(b)(4) prohibits controllers from processing personal data for targeted advertising or from selling personal data, without that consumer’s consent, when the controller has actual knowledge that the consumer is “at least 13 but younger than 16 years of age.”
This opt-in requirement for teenagers is an important distinction from many other U.S. state privacy laws, which typically focus age-related consent requirements on children under 13.
Children’s Data and COPPA
Personal data collected from a known child, which is defined as an individual under 13 years of age, is classified as sensitive data under the APDPA. Section 4(c) provides that controllers and processors that comply with the verifiable parental consent requirements of the federal Children’s Online Privacy Protection Act (COPPA) are deemed compliant with any obligation to obtain parental consent under the APDPA.
Business Obligations Under the APDPA
Section 7 of the APDPA sets out core controller obligations regarding data use, security requirements, third parties, and other factors.
Data Minimization
Controllers must limit the collection of personal data to what is “adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed.” Processing data for purposes not reasonably compatible with disclosed purposes is prohibited unless consumer consent is obtained.
Security Requirements
Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
Privacy Notice Requirements
Section 7(d) requires controllers to provide “a reasonably accurate, clear, and meaningful privacy notice” that includes:
- Categories of personal data processed by the controller
- The purpose for processing personal data
- Categories of personal data shared with third parties, if any
- Categories of third parties with whom personal data is shared, if any
- An active email address or other contact mechanism for the controller
- How consumers may exercise their rights, including a link to the opt-out method required under Section 6
If a controller sells personal data to third parties or processes it for targeted advertising, Section 7(c) requires “clearly and conspicuously” disclosing this, as well as how consumers may exercise the right to opt out.
Data Protection Assessments
Controllers must conduct data protection assessments before undertaking processing activities that present heightened risk. These activities include targeted advertising, data sales, certain profiling, and sensitive data processing. Assessments apply only to processing commencing on or after May 1, 2027, and are not retroactive.
Processor Contract Requirements
Section 8 requires that the relationship between controllers and processors be governed by a written contract. A valid data processing agreement must set out instructions for processing, nature and purpose, type of data, duration, and rights and obligations of both parties.
Any contractual provision that purports to waive or limit a consumer’s rights under the APDPA “shall be deemed contrary to public policy and shall be void and unenforceable.”
De-Identified Data Obligations
Section 9 requires controllers in possession of deidentified data to take measures to prevent re-identification, refrain from re-identifying it, and contractually require any recipients to comply with the same obligations.
How Does the APDPA Handle Targeted Advertising and Data Sales?
The APDPA adopts an opt-out model for targeted advertising and data sales, consistent with the majority of U.S. state-level data privacy laws. Businesses must provide consumers with a clear and accessible opt-out mechanism and must honor opt-out requests.
The APDPA’s definition of “sale” extends to exchanges for “other valuable consideration” where the controller receives a material benefit and the third party is not restricted in its subsequent use of the data. Businesses that share data with third parties under arrangements involving non-monetary benefit can assess whether those arrangements meet this definition.
The law also introduces a meaningful restriction involving teenagers: where a controller has actual knowledge that a consumer is between 13 and 15 years of age, consent is required before that data can be used for targeted advertising or sold.
APDPA Enforcement
Section 11 reserves enforcement exclusively to the Alabama Attorney General. There is no private right of action.
Before initiating enforcement, the Attorney General must issue a notice of violation to the controller. If the controller fails to correct the violation within 45 days of receiving notice, the Attorney General may bring an action for an injunction. Upon a finding of violation and failure to cure, a court may assess a civil penalty of up to USD 15,000.
If the controller corrects the violation within the 45-day period and provides the Attorney General with a written statement confirming correction and that no further violations will occur, no action may be initiated. This cure period is permanent; it does not sunset as it has in some other states.
The maximum penalty of USD 15,000 per violation is double the USD 7,500 ceiling in many other states.
How the APDPA Compares to Other State Privacy Laws
- Applicability threshold: 25,000 consumers, vs. 100,000 in a number of other states, bringing substantially more businesses into scope
- Revenue trigger: 25 percent of gross revenue from data sales, vs. 50 percent in most comparable states
- No minimum revenue floor: No annual revenue threshold of any kind
- Small business exemption: Businesses with fewer than 500 employees that do not sell personal data are exempt (not widely replicated elsewhere)
- Broader “sale” definition: Covers non-monetary exchanges where the controller receives material benefit and the recipient has unrestricted use of the data
- Consent revocation: Explicitly required; controllers must cease processing within 45 days of revocation
- Teen protections: Opt-in consent required for targeted advertising and data sales involving known 13- to 15-year-olds
- Higher penalties: USD 15,000 per violation, vs. USD 7,500 in many comparable states
- Permanent cure period: The 45-day cure window does not expire
- No GPC mandate: The APDPA does not explicitly require recognition of GPC signals
How Can Businesses Prepare for the Alabama Personal Data Protection Act?
For businesses already operating under the VCDPA, TDPSA, or comparable state frameworks, the APDPA will not require a wholesale overhaul of existing privacy programs. Core obligations — transparency, data minimization, sensitive data consent, processor contracts, and security practices — align closely with those in other U.S. state laws.
To prepare, organizations can take the following steps before May 1, 2027:
- Assess applicability: Audit Alabama consumer data volumes against the 25,000-consumer threshold and the 25 percent gross revenue threshold. Assess whether the small business exemption (fewer than 500 employees, no data sales) applies.
- Review the “sale” definition: Assess all third-party data-sharing arrangements against the APDPA’s broader definition, including non-monetary exchanges where material benefit is received.
- Implement a consent revocation mechanism: Confirm that revocation is as easy as consent provision, and that systems can cease processing within 45 days of revocation.
- Review practices for 13- to 15-year-olds: Establish mechanisms to identify and obtain opt-in consent for targeted advertising and data sales involving consumers in this age bracket.
- Update privacy notices: Confirm notices clearly disclose data categories, processing purposes, third-party sharing, and opt-out mechanisms, including the required Section 6 opt-out link.
- Establish rights request workflows: Put in place secure consumer request intake channels with 45-day response workflows and a functioning appeal process.
- Review processor agreements: Confirm existing data processing agreements meet the APDPA’s written contract requirements.
- Conduct data protection assessments: Identify processing activities commencing after May 1, 2027 that require assessment, including targeted advertising, data sales, and sensitive data processing.
- Audit consent interfaces: Review cookie banners, opt-out flows, and consent management interfaces for dark pattern compliance.
Consent Management and the Alabama Personal Data Protection Act
As U.S. state privacy laws continue to expand in both number and complexity, managing consent and data subject access requests across multiple jurisdictions becomes an increasingly significant operational challenge.
A consent management platform (CMP) can support businesses in meeting the APDPA’s opt-out requirements, sensitive data consent obligations, and consumer rights request workflows.
