Alabama Personal Data Protection Act Compliance Guide 

Donata Stroink-Skillrud

Co-founder and President of Termageddon

On May 16, 2026, the Governor of Alabama signed Alabama House Bill 351, enacting the Alabama Personal Data Protection Act (APDPA), a comprehensive privacy law that will go into effect on May 1, 2027. Alabama’s new law will provide residents of the State with privacy rights and will require businesses that must comply with it to meet its requirements, such as having a comprehensive and up-to-date Privacy Policy that contains the required disclosures. In this article, we will discuss the following aspects of Alabama’s privacy law:

  • Who needs to comply with Alabama’s privacy law; 
  • How this law defines “personal data”; 
  • The privacy rights provided to residents of Alabama;
  • The Privacy Policy requirements of the Alabama Personal Data Protection Act; 
  • Penalties for failure to comply; and 
  • How Termageddon will handle updates for Alabama’s privacy law. 

Who needs to comply with Alabama’s privacy law

Alabama’s privacy law applies to anyone that does business in Alabama or produces products or services targeted to residents of Alabama, and that meets one of the following criteria:

  1. Controls or processes the personal data of more than 25,000 residents of Alabama; or 
  2. Derives more than 25% of gross revenue from the sale of personal data. 

It is important to note that Alabama’s privacy law does not require the business to be located in Alabama for the privacy law to apply. In addition, it only exempts nonprofits from compliance requirements if they have fewer than 100 employees and do not sell personal data. Lastly, Alabama’s privacy law exempts businesses with fewer than 500 employees, provided the business does not engage in the sale of personal data.

How this law defines “personal data”

Since this privacy law applies to those controlling or processing personal data and meeting the factors above, it is important to determine how this law defines “personal data.” APDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual.” This means that personal information such as names, emails, phone numbers, physical addresses or IP addresses commonly collected through business websites would qualify as “personal data” under this law. 

The privacy rights provided to residents of Alabama

The purpose of Alabama’s privacy law is to provide individuals with control over their personal data. To that end, APDPA provides the following privacy rights to residents of the State: 

  1. The right to confirm whether their personal data is being processed by the business; 
  2. The right to access the personal data that is being processed; 
  3. The right to correct inaccuracies in the personal data; 
  4. The right to request the deletion of their personal data; 
  5. The right to obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows the individual to transmit that information to another provider; 
  6. The right to opt out of targeted advertising; 
  7. The right to opt out of the sale of their personal data; 
  8. The right to opt out of profiling in furtherance of automated significant decisions concerning the individual; and
  9. The right to not be discriminated against based upon the exercise of their privacy rights. 

If a resident of Alabama submits a request to exercise their privacy rights, businesses that need to comply with this law have 45 days to reply but can also extend the reply period by an additional 45 days under certain circumstances. 

The Privacy Policy requirements of the Alabama Personal Data Protection Act 

Alabama’s privacy law requires businesses to provide an accurate, clear, and meaningful Privacy Policy that includes the following disclosures: 

  1. The categories of personal data processed; 
  2. The purpose of processing the personal data; 
  3. The categories of personal data shared with third parties, if any; 
  4. The categories of third parties, if any, with which personal data is shared; 
  5. An active email address or other mechanism where individuals can contact the business; and 
  6. How consumers can exercise their privacy rights. 

Penalties for failure to comply 

The Attorney General of Alabama will be responsible for enforcing Alabama’s privacy law. If the Attorney General finds that this privacy law has been violated, it can assess a penalty of up to $15,000 per violation. Usually, with privacy laws, “per violation” means per person whose privacy rights were infringed upon or, for example, per website visitor from Alabama who was not presented with a compliant Privacy Policy. As with other privacy laws, due to this calculation of “per violation”, fines for non-compliance can add up very quickly. 

How will Termageddon handle updates for Alabama’s privacy law? 

We have been tracking Alabama’s privacy law since it was initially introduced as a bill and through its many changes. We will continue to track this privacy law for any rules, regulations, and amendments. We will email all affected customers prior to the effective date of May 1, 2027 to make updates to Privacy Policies.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
