Alabama Becomes 21st State to Pass Personal Data Protection Act

New law has lowest threshold of any individual state privacy law in the U.S. 

Jason Koestenblatt
Senior Manager, Content Marketing
April 22, 2026

Alabama has joined the growing list of states enacting comprehensive privacy legislation with the Alabama Personal Data Protection Act (APDPA). As the 21st state to pass such a law, Alabama largely follows the established “Virginia model,” but introduces several notable differences in applicability, exemptions, and how data sales are defined. Organizations should take a closer look, as some of these nuances materially impact scope and compliance strategy.


Scope and Applicability: Who Must Comply

The APDPA applies to organizations that conduct business in Alabama or produce products or services that target Alabama residents, but its thresholds are where the law stands out.

An organization is in scope if it meets either of the following:

  • Controls or processes the personal data of more than 25,000 Alabama residents (excluding data used solely for payment transactions)
  • Derives 25% or more of gross revenue from the sale of personal data, regardless of how many individuals’ data is involved

These thresholds are among the most business-relevant aspects of the law:

  • The 25,000-consumer threshold is the lowest baseline of any U.S. state privacy law, significantly below the common 100,000 threshold used elsewhere.
  • The 25% revenue threshold has no minimum data volume requirement, which is unique across state laws.
  • In practice, this can capture organizations with relatively modest data footprints or niche data monetization models.

The definition of “consumer” excludes individuals acting in an employment or commercial context, which aligns with most other state frameworks.


Who Is Exempt in the APDPA?

Alabama also introduces one of the broadest exemption frameworks among state privacy laws.

Notable entity-level exemptions include:

  • Businesses with fewer than 500 employees, provided they do not sell personal data
  • Nonprofits with fewer than 100 employees, also conditioned on not selling personal data

Additional exemptions cover:

  • GLBA-regulated financial institutions and HIPAA-covered entities
  • Higher education institutions and political subdivisions
  • Political organizations and entities primarily selling data to them

These employee-based exemptions are relatively uncommon and narrow the law’s reach compared to other states.


Key Requirements: Consumer Rights & Sensitive Data

The APDPA aligns closely with other state privacy laws in terms of core obligations, with a few important variations.


Consumer Rights

Consumers are granted rights to:

  • Access and confirm the processing of their data
  • Correct inaccuracies
  • Delete personal data
  • Data portability
  • Opt out of targeted advertising, data sales, and certain profiling activities

Parents and legal guardians may also exercise consumer rights on behalf of a known child regarding the processing of personal data.

Consumers may opt out under the APDPA using an opt-out preference signal (OOPS).


Transparency

Organizations must provide clear privacy notices detailing:

  • Categories of personal data collected and shared
  • Processing purposes
  • Third-party disclosures
  • Methods for exercising consumer rights


Sensitive Data

Sensitive data requires consent prior to processing. The law also includes protections for children under 13: because children's data is treated as sensitive data, consent is required before it is processed. For children between 13 and 16, controllers may not process personal data for targeted advertising or sell that data without consent.


A Different Approach to ‘Sale’

One of the most notable departures is how Alabama defines “sale”:

  • It includes exchanges for monetary or other valuable consideration where the controller receives a material benefit
  • However, it excludes data sharing for analytics services and marketing services performed on behalf of the controller

This creates a narrower interpretation of “sale” compared to states like California, and may reduce the scope of opt-out obligations for some data-sharing practices.


Organizational Obligations and Enforcement

Like other state laws, the APDPA distinguishes between controllers and processors.

Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary, alongside establishing, implementing, and maintaining reasonable security practices.

Controllers are also responsible for:

  • Determining purposes and means of processing
  • Responding to consumer rights requests
  • Conducting data protection assessments for high-risk activities

Processors must:

  • Follow controller instructions
  • Support compliance efforts
  • Maintain appropriate security safeguards


Enforcement

Enforcement authority rests exclusively with the Alabama Attorney General:

  • A 45-day cure period is provided before enforcement actions proceed
  • Civil penalties can reach $15,000 per violation if issues are not remedied
  • There is no private right of action

This enforcement model is considered more business-friendly, though penalties can still scale quickly.


Ways to Prepare for APDPA Compliance

Although the law does not take effect until May 1, 2027, organizations should begin preparation early, especially given the low applicability threshold.

A structured approach should include:

  • Assess applicability early
    Map data volumes and revenue streams to determine whether thresholds are met
  • Build or update data inventories
    Understand what personal data is collected, where it resides, and how it is used
  • Review privacy notices
    Align disclosures with Alabama-specific requirements and definitions
  • Operationalize consumer rights
    Ensure processes are in place to intake and respond to consumer rights requests within required timelines
  • Evaluate data-sharing practices
    Reassess whether analytics and marketing transfers fall inside or outside the law’s definition of “sale”
  • Update vendor contracts
    Include controller–processor obligations and data protection terms
  • Train internal teams
    Align legal, privacy, and operational teams on the nuances of the law


Moving Forward

Alabama’s privacy law does not dramatically change the compliance landscape, but its details matter. The low applicability threshold and broad exemptions create a different risk profile than other states. Organizations that may have assumed they fall outside scope in other jurisdictions could be captured here.

At the same time, the law remains aligned with the broader U.S. privacy framework. Companies with mature privacy programs will find much of the structure familiar, with adjustments needed around applicability analysis and data-sharing definitions.

The practical path forward is to treat Alabama as part of a scalable, multi-state compliance strategy. Organizations that standardize processes across jurisdictions, while accounting for state-specific nuances like those in Alabama, will be better positioned as the U.S. privacy landscape continues to expand.

Organizations must also account for the differences between the consent requirements relating to children under the APDPA and those of the recently passed House Bill 161 on app store providers and developers.

Managing compliance with laws like APDPA will take more than manual processes. OneTrust helps privacy teams automate data subject rights, build accurate data inventories, and integrate privacy by design into daily operations. With automation, organizations can respond quickly to regulatory change, reduce the burden of repetitive tasks, and maintain a clear line of accountability.

To explore how OneTrust can support your privacy program as MODPA approaches, request a demo to see the platform in action.