On April 17, 2026, the Governor of Alabama signed HB 351, the Alabama Personal Data Protection Act (ALDPA), into law.  The law resembles Connecticut’s data privacy statute, but omits certain requirements, such as a data protection impact assessment.  Alabama follows Oklahoma as the second state to enact a comprehensive privacy law this year.  The law will take effect on May 1, 2027.

Key provisions of ALDPA are listed below:

  • Scope.  ALDPA applies to controllers and processors that conduct business in Alabama or produce products or services that target Alabama residents and either (a) process or control the personal data of more than 25,000 Alabama residents, excluding personal data processed or controlled solely for the purpose of completing a payment transaction, or (b) derive over 25% of their gross revenue from the sale of personal data, regardless of the number of consumers.
  • Exemptions.  The law exempts individuals acting in a commercial or employment context, and contains several entity-level exemptions, including for a financial institution subject to the GLBA, a business with fewer than 500 employees that does not sell personal data, covered entities and business associates governed by HIPAA, nonprofits, and institutions of higher education.
  • Consumer Rights.  The law grants consumers a set of rights, including rights of access, deletion, correction, and portability, and rights to opt out of targeted advertising, sale, or profiling in furtherance of solely automated significant decisions concerning the consumer, defined to include decisions about topics such as credit or lending services, employment opportunity, health care service, and access to basic necessities.  Notably, and unlike other state privacy laws, the law defines “sale” to include the exchange of personal information for monetary consideration by a controller to a third party or for “other valuable consideration” where the controller “receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.”  The law also requires that controllers honor opt-out preference signals, but permits the controller to notify the consumer of conflicting signals and provide the choice to confirm controller-specific privacy settings or participation in loyalty and similar programs.
  • Transparency Requirements.  Controllers must provide consumers reasonably clear and accessible privacy notices that resemble notices required in other state privacy statutes, including by disclosing the categories of personal data processed, the purposes of processing that data, and the categories of personal data shared with third parties.
  • Sensitive Data.  Controllers must obtain consent to process sensitive data, with the standard for consent largely tracking the Connecticut approach.  The scope of sensitive data generally follows the approach taken in Oklahoma and other state comprehensive privacy laws, and includes data such as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data that is processed for the purpose of uniquely identifying an individual, personal data collected from a known child under 13, and precise geolocation data.
  • Enforcement.  Enforcement authority rests exclusively with the Alabama Attorney General, who can impose civil penalties of up to $15,000 per violation.  The bill includes a mandatory 45-day cure period that does not sunset.
Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Jayne Ponder

Jayne Ponder provides strategic advice to national and multinational companies across industries on existing and emerging data privacy, cybersecurity, and artificial intelligence laws and regulations.

Jayne’s practice focuses on helping clients launch and improve products and services that involve laws governing data privacy, artificial intelligence, sensitive data and biometrics, marketing and online advertising, connected devices, and social media. For example, Jayne regularly advises clients on the California Consumer Privacy Act, Colorado AI Act, and the developing patchwork of U.S. state data privacy and artificial intelligence laws. She advises clients on drafting consumer notices, designing consent flows and consumer choices, drafting and negotiating commercial terms, building consumer rights processes, and undertaking data protection impact assessments. In addition, she routinely partners with clients on the development of risk-based privacy and artificial intelligence governance programs that reflect the dynamic regulatory environment and incorporate practical mitigation measures.

Jayne routinely represents clients in enforcement actions brought by the Federal Trade Commission and state attorneys general, particularly in areas related to data privacy, artificial intelligence, advertising, and cybersecurity. Additionally, she helps clients to advance advocacy in rulemaking processes led by federal and state regulators on data privacy, cybersecurity, and artificial intelligence topics.

As part of her practice, Jayne also advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Jayne maintains an active pro bono practice, including assisting small and nonprofit entities with data privacy topics and elder estate planning.

Irene Kim

Irene Kim is an associate in the firm’s Washington, DC office, where she is a member of the Privacy and Cybersecurity and Advertising and Consumer Protection Investigations practice groups. She advises clients on a broad range of issues, including U.S. state and federal AI legislation, comprehensive state privacy laws, and regulatory compliance matters.