Alabama Enacts Comprehensive Data Privacy Law

Alert

A comprehensive bill strengthening data privacy protections for Alabama residents has been enacted into law. House Bill 351, known as the Alabama Personal Data Protection Act (the “Act”), will become effective on May 1, 2027. The Act establishes new consumer rights regarding personal data, largely mirroring the rights available to consumers under similar U.S. state data privacy laws, and creates clear rules for businesses that collect and process information from Alabama residents. Alabama’s enactment continues the national trend of states implementing consumer data privacy regulation. In this latest installment in our series of articles on US State Data Privacy Laws, we summarize the key components of the Alabama Personal Data Protection Act.

To Whom Does the Alabama Data Privacy Act Apply?

The Act applies to persons that conduct business in Alabama or produce products or services targeted to residents of Alabama and that meet either of the following thresholds: (a) control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (b) derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.

Notwithstanding these thresholds, the Act does not apply to a number of entity types. These include political subdivisions of the state and any board, authority, district, or public corporation organized under certain Alabama statutes; institutions of higher education; financial institutions governed by the Gramm-Leach-Bliley Act; covered entities or business associates as defined under the Health Insurance Portability and Accountability Act (HIPAA); businesses with fewer than 500 employees, provided they do not engage in the sale of personal data; nonprofit entities with fewer than 100 employees, provided they do not engage in the sale of personal data; certain political campaign and party related entities; and electric providers subject to the reliability standards of the North American Electric Reliability Corporation.

Certain categories of data are also exempt. These include protected health information under HIPAA; consumer credit-reporting data regulated by the Fair Credit Reporting Act; personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act; personal data regulated by the Family Educational Rights and Privacy Act; employee and contractor data; emergency contact information; and data processed to comply with state law, among others. Additionally, controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (COPPA) will be deemed compliant with any obligation to obtain parental consent under the Act.

What Rights Does the Alabama Data Privacy Act Give to Consumers?

A “consumer” under the Act means an individual who is a resident of Alabama acting only in an individual or household context and does not include an individual acting in a commercial or employment context. Alabama consumers will gain rights that are largely consistent with other states’ data privacy regimes. A consumer may invoke these rights by submitting an authenticated request to the controller. Consumers may:

  • confirm whether a controller, or a processor or third party acting on a controller’s behalf, is processing their personal data and access such data;
  • correct inaccuracies in their personal data;
  • direct a controller to delete their personal data;
  • obtain a copy of their personal data previously provided to a controller in a portable and, to the extent technically feasible, readily usable format; and
  • opt out of the processing of their personal data for purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of solely automated significant decisions concerning the consumer, via a conspicuous link on the controller’s website.

A controller must respond to an authenticated consumer request within 45 days, with the option to extend that period once by an additional 45 days, provided the controller informs the consumer of the extension within the initial 45-day period.

Notably, unlike a number of other state privacy laws, the Alabama Personal Data Protection Act does not require controllers to establish a formal consumer appeal process for denied consumer rights requests.

What Obligations Does the Alabama Data Privacy Act Impose on Controllers and Processors?

Key Definitions

“Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include deidentified data or publicly available information.

“Sensitive data” is defined as personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.

“Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.

“Profiling” means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Controller Obligations

Controllers must provide consumers with a reasonably accurate, clear, and meaningful privacy notice that includes: 

  • the categories of personal data processed; 
  • the purpose for processing personal data; 
  • the categories of personal data shared with third parties, if any; 
  • the categories of third parties with which personal data is shared, if any; 
  • an active email address or other contact mechanism; and 
  • how consumers may exercise their consumer rights, including a link or contact information for the opt-out method.

If a controller sells personal data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out.

Under the Act, controllers must also:

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed;
  • establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
  • provide an effective mechanism for a consumer to revoke consent that is at least as easy as the mechanism by which consent was provided, and cease processing the personal data as soon as practicable but no later than 45 days after receiving the revocation;
  • not process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which it was collected, unless the controller obtains the consumer’s consent;
  • allow consumers to opt out of targeted advertising and the sale of personal data by providing a clear and conspicuous link on their website to a page that enables the consumer to opt out directly, or by providing up-to-date contact information for submission of opt-out requests;
  • not process sensitive data concerning a consumer other than a known child without obtaining the consumer’s consent, or, in the case of a known child, without processing that data in accordance with COPPA;
  • not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers;
  • not process the personal data of a consumer for the purposes of targeted advertising or sell that consumer’s personal data without consent where the controller has actual knowledge that the consumer is at least 13 but younger than 16 years of age; and
  • not deny goods or services, charge different prices, or provide a different level of quality of goods or services to a consumer because the consumer has opted out of data processing, although controllers are not required to provide a service that itself requires data processing if the consumer opts out, and may offer bona fide loyalty, rewards, premium features, discount, or club card programs.

Notably, unlike a number of other state data privacy laws, the Alabama Personal Data Protection Act does not require controllers to conduct and document data protection assessments for high-risk processing activities.

Processor Obligations

Processors must adhere to the instructions of a controller and assist the controller in meeting its obligations under the Act, including maintaining appropriate and reasonably practical technical and organizational measures to support the fulfillment of the controller's obligation to respond to consumer rights requests and assisting the controller in relation to the security of processing and breach notification obligations.

Contractual Requirements

A contract between a controller and a processor must govern the processor’s data processing obligations with respect to processing performed on behalf of the controller.  The contract must clearly set forth instructions for processing data, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.  The contract must also require the processor to: ensure that each person processing personal data is subject to a duty of confidentiality; delete or return all personal data to the controller as requested at the end of the provision of services, unless retention is required or permitted by law or the contract; make available all information in the processor’s possession necessary to demonstrate the processor's compliance with the Act upon the reasonable request of the controller; and obligate any subcontractor processing personal data to meet the obligations of the processor with respect to that data.

Enforcement

The Alabama Attorney General has the sole authority to enforce violations of the Act.  The Act does not provide a basis for a private right of action.

Before initiating any action for a violation, the Attorney General must issue a notice of violation to the controller. If the controller corrects the noticed violation within 45 days after receipt of the notice and provides the Attorney General with an express written statement that the alleged violations have been corrected and that no further violations will occur, no action may be initiated against the controller.

If the controller fails to correct the violation within 45 days after receipt of the notice, the Attorney General may bring an action for an injunction, and upon a finding that the controller has violated the Act and failed to correct the violation, the court may assess a civil penalty of not more than $15,000 per violation. 

Key Aspects of the Data Privacy Act

Non-Profit and Business Exemption.

The Act does not provide wholesale exemptions to non-profit entities. Rather, the Act only exempts such organizations that (1) have fewer than 100 employees and (2) do not sell personal data. Likewise, businesses that (1) have fewer than 500 employees and (2) do not sell personal data are also exempt from the Act’s obligations.

Permanent 45-Day Cure Provision.

The Act affords controllers and processors a 45-day period to cure noticed violations before the Attorney General may initiate enforcement. This cure right does not sunset and will remain available after the law’s effective date, providing businesses with an additional runway to remediate compliance gaps, but only where the controller also commits in writing that no further violations will occur.

Consent Required for Sensitive Data Processing.

Controllers may not process a consumer’s sensitive data without first obtaining the consumer’s consent, or, in the case of a known child, without complying with COPPA. Businesses processing categories such as biometric data, geolocation data, health diagnosis information, or data collected from children must review and update their consent mechanisms accordingly.

No Data Protection Assessment Obligations.

Alabama’s Act does not require controllers to conduct and document data protection assessments for high-risk processing activities, an obligation that several other comprehensive state data privacy laws currently impose.

No Private Right of Action.

The Act expressly provides that it shall not be construed as providing a basis for a private right of action for a violation of the Act or any other provision of law. Enforcement is exclusively vested in the Attorney General, which limits businesses’ litigation exposure but underscores the importance of proactive regulatory compliance.

Higher Penalties For Violation.

Notably, the Alabama Act’s civil penalty cap of $15,000 per violation is higher than the caps under most comprehensive state data privacy laws. Businesses should therefore prioritize compliance with this law, as the financial exposure may be greater than under other states’ comprehensive data privacy laws.

Contractual Waiver of Consumer Rights Is Void.

Any contractual provision that purports to waive or limit a consumer’s rights under the Act is contrary to public policy and shall be void and unenforceable. Businesses should review their existing consumer-facing agreements and terms of service to identify and remove any provisions that could be read to limit consumer rights under the Act.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2026 White & Case LLP
