Alabama has become the latest state to enact a comprehensive consumer privacy regime, adding further complexity to an already fragmented U.S. regulatory landscape and raising new compliance imperatives for businesses operating across state lines.
Signed into law by Governor Kay Ivey on April 16, the Alabama Personal Data Protection Act (APDPA) will take effect on May 1, 2027, and establishes a broad framework governing the collection, use and sale of personal data. The law places Alabama alongside 20 other states that have adopted similar statutes and increases pressure on companies to harmonize compliance programs nationwide.
The APDPA applies to businesses operating in Alabama or targeting its residents that either process the personal data of more than 25,000 consumers or derive more than 25% of revenue from the sale of personal data. According to an analysis of the statute by the Fisher Phillips law firm, those thresholds are comparatively low, meaning the law may reach a broader set of entities than similar statutes in other states.
At the same time, Alabama diverges from its peers by including extensive exemptions. Small businesses with fewer than 500 employees—provided they do not sell personal data—are carved out, as are nonprofits under 100 employees, higher education institutions, and certain regulated sectors such as financial institutions and HIPAA-covered entities.
Like most state privacy laws, the APDPA excludes employment-related data from coverage—aligning with states such as Virginia and Colorado, but diverging from California’s broader definition of “consumer,” which includes employees and job applicants.
For covered entities, compliance hinges on the distinction between “controllers” and “processors,” a model borrowed from other state laws and the EU’s GDPR. Controllers—those determining the purposes and means of data processing—bear the primary compliance burden.
Controllers must enable and respond to a suite of consumer rights, including access, correction, deletion and data portability, as well as opt-outs for targeted advertising, data sales and certain profiling activities. Businesses must respond to authenticated consumer requests within 45 days and provide at least one free response annually.
The law also imposes baseline governance requirements, including data minimization, purpose limitation, and the implementation of “reasonable” administrative, technical and physical security safeguards. Controllers must also publish compliant privacy notices and obtain consent before processing sensitive data.
However, Alabama stops short of adopting some of the more stringent features seen elsewhere. Unlike laws in California and Colorado, the APDPA does not mandate data protection impact assessments or require recognition of universal opt-out signals.
One area where Alabama aligns with a growing cohort of states is its broad definition of “sale.” The APDPA includes not only monetary exchanges but also transfers involving “other valuable consideration” that materially benefits the controller.
The law vests enforcement authority exclusively in the Alabama attorney general and provides no private right of action. Businesses benefit from a 45-day cure period following notice of a violation, but failure to remediate can result in penalties of up to $15,000 per violation.
The Fisher Phillips analysis outlines several immediate steps for businesses ahead of the 2027 effective date. These include conducting data mapping exercises, reviewing and updating privacy notices, implementing systems to handle consumer rights requests, and assessing relationships with third-party data processors.
Companies are also advised to evaluate data practices involving minors and align Alabama compliance efforts with existing programs developed for other state regimes—an increasingly critical strategy as organizations contend with overlapping and sometimes inconsistent requirements.
In structure, the APDPA closely tracks the now-standard U.S. state privacy framework, emphasizing consumer rights, controller obligations and attorney general enforcement. But its broader exemptions and lighter compliance requirements in certain areas underscore the continued divergence among state laws.
For businesses, Alabama’s entry into the privacy landscape reinforces the need for scalable, multi-jurisdictional compliance architectures rather than state-by-state fixes. As more states adopt similar but not identical rules, operational complexity will continue to rise in the absence of federal preemption.