Alabama Passes Privacy Law
Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act, making the state the 21st to pass a privacy law. The state is the second to pass a law in 2026, following Oklahoma. The law takes effect on May 1st, 2027.
Here is a summary of Alabama’s privacy law.
Applicability
Alabama’s privacy law applies to any business that produces products or services for Alabama residents and meets these criteria:
- Controls or processes the personal data of more than 25,000 Alabama residents
- Derives more than 25 percent of its gross revenue from the sale of personal data, regardless of the number of consumers whose data it controls or processes
There are exemptions for organizations and data covered by the GLBA. Protected Health Information (PHI) covered by HIPAA is also exempt. Exemptions are also in place for:
- Businesses with fewer than 500 employees that don’t engage in the sale of personal data
- Nonprofits with fewer than 100 employees that don’t engage in the sale of personal data
- Institutions of higher education
- State agencies and local governments
- Political organizations
Consumer Rights
Alabama’s privacy bill provides consumers with the following rights:
- Confirm whether a controller is processing their personal data, and access that personal data
- Correct inaccurate data
- Delete personal data
- Obtain a copy of their data in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance (applies if the processing is carried out by automated means).
- Opt out of the processing of their personal data for purposes of:
  - Targeted advertising
  - The sale of personal data
  - Profiling
- A parent or legal guardian may exercise the consumer’s rights on behalf of a child.
Business Obligations
The Alabama Personal Data Protection Act places the following requirements and restrictions on businesses:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary
- Establish a secure and reliable method for a consumer to exercise their privacy rights
- Provide an effective mechanism for a consumer to revoke consent that is as easy as the mechanism used to give consent
- Disclose if data is sold to a third party for targeted advertising
- Establish data security practices to protect personal data
- Not discriminate against a consumer for exercising any consumer rights
- Not process the sensitive data of a consumer without the consumer’s consent. The Alabama law defines sensitive data as:
  - Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  - Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  - Personal data collected from a known child
  - Precise geolocation data
- Take measures to ensure any de-identified data in its possession cannot be associated with an individual
- A controller may not require a consumer to create a new account to exercise their rights, but may require a consumer to use an existing account.
- A contract between a controller and a processor must govern the processor’s data processing procedures. The contract shall include:
  - Clear instructions for processing data
  - The nature and purpose of processing
  - The type of data subject to processing
  - The duration of processing
  - The rights and obligations of both parties
Businesses must respond to consumer requests within 45 days. A 45-day extension is permitted for complex requests. If a business declines a request, it must provide its justification within 45 days.
Privacy Notices
The Alabama privacy law requires businesses to provide consumers with a “reasonably accurate, clear, and meaningful” privacy notice that includes:
- The categories of personal data processed
- The purpose for processing personal data
- How consumers may exercise their consumer rights
- The categories of personal data that the controller shares with third parties
- The categories of third parties the controller shares personal data with
- How consumers can opt out of the selling of their data for targeted advertising
“Sale” Exemptions
There are some exemptions for what constitutes a sale of data that are unique to Alabama’s law, specifically:
- The disclosure or transfer of personal data to a third party for the purposes of providing analytics services
- The disclosure or transfer of personal data to a third party for the purposes of providing marketing services solely to the controller
Enforcement
Enforcement is the responsibility of the Alabama Attorney General. There is no private right of action. There is a 45-day right-to-cure period that does not expire. Penalties can be up to $15,000 per violation.
CompliancePoint can help your organization comply with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more about our privacy services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.
