On April 7, 2026, the Alabama legislature unanimously passed House Bill 351, the Alabama Personal Data Protection Act. The bill cleared the House 104-0 and the Senate 34-0. If signed by Governor Kay Ivey, Alabama would become the 21st state with a comprehensive consumer privacy statute, and the law would take effect on May 1, 2027.

While many recent additions to the state privacy patchwork have closely tracked the Virginia model, Alabama's law departs from that model in several notable ways, particularly in its applicability thresholds, its definition of "sale," and its entity-level exemptions. Businesses that collect data of Alabama residents will need to evaluate each of these carefully.

Applicability Thresholds

The Alabama Personal Data Protection Act applies to persons that conduct business in the state or produce products or services targeted to Alabama residents and that meet either of two thresholds. Section 3 of the Act provides:

“The provisions of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that meet either of the following qualifications:

(1) Control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

(2) Derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.”

Two features of these thresholds stand out:

  • First, the 25,000-consumer processing threshold is the lowest numerical floor among all comprehensive state privacy laws (other states use 25,000 as a threshold only in the context of the sale/revenue prong).
  • Second, the revenue-from-sales prong is unique. Most states that use a 25% revenue threshold pair it with a minimum consumer count, typically requiring that the business also process data of at least 25,000 individuals (as noted above). Alabama’s statute applies the 25% revenue test “regardless of the number of consumers whose data the person controls or processes.” To date, no other state comprehensive privacy law takes this approach.

Exemptions

Alabama’s exemption framework is among the broadest in the state privacy landscape, covering a wide range of entities and data categories.

  • Entity-Level Exemptions.
    • Most notably, the Act exempts businesses with fewer than 500 employees and nonprofit entities with fewer than 100 employees, provided, in both cases, that the entity does not engage in the sale of personal data. These employee-count-based carve-outs are distinctive: most state privacy laws do not extend blanket exemptions to small businesses and nonprofits solely on that basis. The notable exception is Texas, which exempts "small businesses" as defined by the Small Business Administration; because some SBA size standards are expressed as employee headcounts under the applicable NAICS code, a Texas business may likewise be exempt by virtue of its headcount.
    • The Act also exempts political subdivisions of the state, two-year and four-year institutions of higher education (including affiliates), national securities associations registered under federal law, financial institutions and affiliates governed by the Gramm-Leach-Bliley Act, and HIPAA-covered entities and business associates.
    • The Act further exempts political action committees, political parties, principal campaign committees, and political organizations as defined under 26 U.S.C. § 527, as well as business entities that sell data primarily to such organizations. The political organization exemption was added by Senate amendment and is intended to avoid potential First Amendment complications (a provision that has proven contentious in other states’ privacy statute deliberations).
  • Data-Level Exemptions.
    • On the data side, the Act continues the trend of exempting employee, applicant, and contractor HR data as well as B2B data, which leaves California (under the CCPA) as the only state whose comprehensive privacy law reaches such data.
    • The Act also exempts protected health information under HIPAA, consumer report data regulated by the Fair Credit Reporting Act, data governed by the Driver’s Privacy Protection Act, FERPA-regulated educational records, Farm Credit Act data, and data processed under the Airline Deregulation Act.

Deviations from Existing State Privacy Laws

While Alabama’s law mostly aligns to the Virginia-model statutes, several provisions materially depart from established frameworks.

  • A Narrower (but Novel) Definition of “Sale.”
    • The Act defines the "sale of personal data" as the "exchange of personal data for monetary consideration…or for other valuable consideration…where the controller receives a material benefit and the third party is not restricted in subsequent uses of the data." The final clause is the novel element. This formulation is at once narrower and broader than existing definitions of "sale": narrower than the CCPA-style "monetary or other valuable consideration" definition, because it adds the requirement that the third party be unrestricted in its subsequent use of the data before a transfer counts as a "sale"; broader than the "monetary" (i.e., cash-only) definitions found in states such as Virginia, Utah, and Iowa.
    • Critically, the Act carves out from the definition of "sale" two categories of data transfer found in no other state law: the disclosure or transfer of personal data to a third party "for the purposes of providing analytics services" and "for the purposes of providing marketing services solely to the controller." These carve-outs introduce potential ambiguity, particularly because businesses have grown accustomed to treating such sharing as a "sale" by default under state laws that use the CCPA-style formulation. Read literally, the carve-outs appear to permit a business to engage a third party (itself a controller) to provide analytics services, with that third party free to retain and use the data for its own unrestricted purposes, without the transfer being treated as a sale. Businesses will need to think carefully about how broadly or narrowly their analytics and marketing relationships may be characterized, and whether a given data transfer falls within these carve-outs or instead constitutes a sale that triggers opt-out rights.

No Requirement for Data Protection Impact Assessments. Unlike Virginia, Colorado, Connecticut, and most other states that have adopted comprehensive privacy legislation, Alabama does not require controllers to conduct data protection impact assessments. This is a notable omission that reduces the compliance burden for covered entities.

Children’s Data: COPPA Alignment Without Expansion. Alabama defines a “known child” in alignment with COPPA’s threshold of under 13 years of age, and controllers that comply with COPPA’s verifiable parental consent requirements are deemed compliant with any parental consent obligation under the Act. The Act does require consent before processing data of consumers ages 13 to 15 for targeted advertising or sale, but it does not go further. This is in contrast to states like Colorado, Connecticut, and Virginia, which have amended their laws in recent years to include heightened protections for minors beyond the COPPA baseline.

Removal of Universal Opt-Out Preference Signal Requirement. As originally passed by the House, HB 351 would have required controllers to recognize universal opt-out preference signals. A Senate amendment removed that requirement, which is a significant departure from the recent trend that mandates recognition of signals like the Global Privacy Control. The Act does reference opt-out preference signals in the context of conflicts with a consumer’s existing privacy settings or loyalty programs, but it does not impose a standalone obligation to honor such signals.

Non-Sunsetting Cure Period and AG-Only Enforcement. Alabama's enforcement model follows the attorney general-exclusive approach adopted by most states, with no private right of action. The Attorney General must issue a notice of violation before initiating any enforcement action, and the controller then has 45 days to cure. If the violation is corrected and the controller provides an express written statement that no further violations will occur, no action may be initiated. Importantly, this cure provision does not sunset. Several other states designed their cure periods to phase out over time in order to give regulators greater enforcement latitude; Alabama's cure right is permanent. Civil penalties are capped at $15,000 per violation.

Key Takeaways for Businesses

The Alabama Personal Data Protection Act adds another layer to an already complex multistate compliance landscape with no federal equivalent in sight, but its specific features warrant attention from any businesses collecting personal data of residents in the state.

  • Assess applicability now. The 25,000-consumer threshold is the lowest numerical floor in the country, and the untethered 25% revenue-from-sales test could capture even small businesses engaging in sales of personal data.
  • Scrutinize analytics and marketing relationships. The novel “sale” definition exemptions for analytics services and controller-directed marketing services will require careful analysis. Businesses should review their data-sharing arrangements with third parties to determine which transfers qualify for these carve-outs and which may constitute sales triggering opt-out obligations. Contractual language restricting third-party use of personal data will be a key element in this analysis.
  • Leverage the small-business and nonprofit exemptions but understand their limits. Businesses with fewer than 500 employees and nonprofits with fewer than 100 employees are exempt, but only if they do not engage in the sale of personal data. Any sale activity, however modest, eliminates the exemption.
  • Take advantage of the lighter compliance framework. The absence of data protection impact assessment requirements, the non-sunsetting 45-day cure period, the lack of a private right of action, and the lack of express opt-out preference signal requirements make Alabama’s regime less burdensome than many of its counterparts.

For questions about the Alabama Personal Data Protection Act and its implications for your organization’s privacy compliance program, contact the authors or any member of our Privacy and Data Protection team.