In April 2026, Alabama passed a consumer privacy law, the Alabama Personal Data Protection Act, or APDPA.
This new law aims to protect the personal data of consumers in Alabama and outlines various obligations data controllers and processors must follow to lawfully collect, process, and use their data.
Below, learn all about this upcoming law and how it might impact your business.
- What Is the Alabama Personal Data Protection Act (APDPA)?
- Alabama Personal Data Protection Act Key Terms and Definitions
- What Does the Alabama Personal Data Protection Act Cover?
- What Are the Requirements of the Alabama Personal Data Protection Act?
- How Will Consumers Be Impacted by the Alabama Personal Data Protection Act?
- Who Does the Alabama Personal Data Protection Act Apply To?
- How Will Businesses Be Impacted by the Alabama Privacy Law?
- Who Must Comply with Alabama's New Privacy Law?
- How Can Businesses Prepare for APDPA?
- How Will the Alabama Personal Data Protection Act Be Enforced?
- What Are the Fines and Penalties Under the Alabama Personal Data Protection Act?
- How Will Termly Help Businesses with the Alabama Personal Data Protection Act?
- Alabama Personal Data Protection Act FAQs
What Is the Alabama Personal Data Protection Act (APDPA)?
The Alabama Personal Data Protection Act, or APDPA, is a U.S. state-level comprehensive consumer privacy law that gives rights to Alabama residents over their personal data.
It outlines requirements and obligations entities must follow to legally collect, process, and use that information.
When Is the Alabama Personal Data Protection Act Effective?
The Alabama Personal Data Protection Act becomes effective on May 1, 2027.
Alabama Personal Data Protection Act Key Terms and Definitions
Next, see some key terms from the Alabama privacy law and their definitions exactly as they appear in the official legal text:
What Does the Alabama Personal Data Protection Act Cover?
The Alabama Personal Data Protection Act covers the personal data of residents of the state, authorizing them to take certain actions regarding their information.
It also regulates how businesses can lawfully collect, store, use, and share that data, including a category of sensitive personal information.
It focuses on transparency and mandates responsible data processing.
What Are the Requirements of the Alabama Personal Data Protection Act?
Next, let’s cover some of the requirements outlined in Alabama’s new privacy law.
Data Collection Limitations
Alabama’s new privacy law requires businesses to only collect data that is considered adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed.
Data Safety Requirements
Businesses are required by the APDPA to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data in their possession.
The security measures must be appropriate to the volume and nature of the data being collected.
Contractual Obligations Between Controllers and Processors
Under the APDPA, controllers and processors must both sign binding contracts that outline the following guidelines:
- Set forth clear instructions for the processing of the data,
- Set forth the nature and purpose of the processing,
- Clearly set forth the type of data being processed,
- Set forth the duration of the processing,
- Set forth the rights and obligations of both parties,
- Require the processor to be subject to a duty of confidentiality with respect to the personal data,
- Require the processor to delete or return all data to the controller as requested at the end of the services, at the controller’s direction,
- Make available all information in the processor’s possession necessary to demonstrate the processor’s compliance with this act,
- Obligate all subcontractors processing the personal data to meet the same obligations of the processor with respect to the personal data.
How Will Consumers Be Impacted by the Alabama Personal Data Protection Act?
The APDPA impacts consumers by granting them new rights over their personal information, which include:
- The right to know if a controller or processor is processing their data,
- Access their data,
- Correct their data,
- Request to delete their data,
- Obtain a portable copy of their personal information,
- Non-discrimination for following through on their privacy rights,
- Opt-out of targeted advertising, the sale of personal data, and profiling.
Who Does the Alabama Personal Data Protection Act Apply To?
The APDPA applies to anyone who conducts business in the state or produces products or services targeted at residents of Alabama and who meets either guideline:
- Controls or processes personal data of at least 25,000 consumers, excluding data processed solely for the purposes of completing a payment transaction; or
- Derives over 25% of gross revenue from the sale of data, regardless of the number of consumers whose data is being collected and processed.
How Will Businesses Be Impacted by the Alabama Privacy Law?
The Alabama Personal Data Protection Act will impact businesses in several ways, including requiring you to update the content of your privacy policy and cookie policy.
How Will APDPA Affect My Privacy Policy?
Under the APDPA, you need to provide consumers with a privacy notice that includes the following details:
- The categories of personal data processed by the controller,
- The purposes for which you process the data,
- The categories of personal data you share with third parties, if any,
- The categories of the third parties themselves that data is shared with,
- An active email address or other mechanism so the consumer can contact the controller,
- Details about how consumers can exercise their privacy rights, including a link or contact information,
- Methods available for consumers to submit requests to follow through on their rights.
If your privacy policy does not include all of these details and you fall under Alabama’s privacy law, you’ll need to update it before the law enters into force in May 2027.
How Will the APDPA Affect My Cookie Policy?
The APDPA impacts your cookie policy, particularly if you use cookies for targeted advertising, collecting sensitive data, or profiling, because consumers have the right to opt out of those activities.
Ensure your cookie policy fully describes:
- The categories of data collected through cookies or other tracking technologies,
- The purposes for which you’re using that data,
- Instructions for how these consumers can opt out of targeted advertising and profiling.
Be sure to transparently explain all of this to consumers in a way that’s easy for them to read and understand directly in your privacy notice as well.
Who Must Comply with Alabama’s New Privacy Law?
Any business that meets the applicability thresholds and engages in data processing of Alabama residents must comply with this new privacy law, even those outside of the state.
Who Is Exempt from the Alabama Personal Data Protection Act?
The following organizations are exempt from Alabama’s new data privacy law:
- Political subdivisions of the state,
- Any board, authority, district, or public corporation organized to manage local services and infrastructure,
- National securities associations,
- Financial institutions subject to following the GLBA,
- HIPAA covered entities and their associates,
- A business with fewer than 500 employees, provided the business does not sell personal data,
- Nonprofit organizations with less than 100 employees, provided that the organization does sell personal data,
- Institutions of higher education,
- Any entity involved in the securities industry, including broker-dealers,
- Licensed money transmitters,
- Any trade association explicitly authorized to receive documents or evidence,
- A political action committee, political party, or principal campaign committee, or any political organization,
- A business entity that sells data primarily to a political action committee, political party, or principal campaign committee, or any political organization,
- An electric provider that is subject to the requirements or reliability standards of the North American Electric Reliability Corporation.
How Can Businesses Prepare for APDPA?
To prepare for Alabama’s new privacy law, businesses should take the following five easy steps:
- Conduct a data privacy audit or inventory and map all data locations,
- Review your current privacy policy and update it to comply with the new law,
- Develop a process for receiving and responding to consumer requests to follow through on their rights,
- Establish adequate consent mechanisms for sensitive data, targeted advertising, and/or profiling,
- Train all employees on compliance procedures.
How Will the Alabama Personal Data Protection Act Be Enforced?
The APDPA will be enforced by the Alabama Attorney General.
The AG will provide the entity with a 45-day cure period for the violation. If the issues are not addressed properly, the AG can move forward with enforcement.
What Are the Fines and Penalties Under the Alabama Personal Data Protection Act?
Upon finding that a controller has violated this act and failed to correct the violation as required by this section, the court may assess a civil penalty of not more than $15,000 per violation.
Consumers do not have a private right of action under this law.
How Will Termly Help Businesses with the Alabama Personal Data Protection Act?
Termly will help businesses align with the Alabama Personal Data Protection Act by ensuring our consent management platform and privacy policy generator are equipped to help you meet the notification and consent requirements outlined by the law before it enters into force in 2027.
All of our tools are regularly updated by our legal team and data privacy experts to accommodate new and evolving laws, including laws like the APDPA.
Alabama Personal Data Protection Act FAQs
Below are answers to frequently asked questions about Alabama’s new data privacy law.
What is the consumer data privacy act in Alabama?
The Alabama Personal Data Protection Act, or APDPA, is a comprehensive consumer data privacy law that passed in the state of Alabama.
It outlines rights Alabama residents have over their personal data and obligates businesses and entities to follow specific requirements to lawfully collect, process, and use that data.
Who does the Alabama Data Privacy Act impact?
Alabama’s new privacy law impacts businesses all around the world that meet the thresholds outlined by the law, including data brokers and entities that rely on selling personal information as a means for making at least 25% of their gross annual revenue.

