Alabama passes privacy law
- Alabama's governor signed a comprehensive consumer privacy bill, joining other states with similar rules.
- The law makes Alabama the 21st state with such privacy rules and enforcement by the attorney general starts in 2027.
- Consumer health and wellness apps serving Alabama users will have new compliance timelines and obligations beginning in 2027 (x.com).
Alabama now has a statewide consumer privacy law after Gov. Kay Ivey signed House Bill 351, with the rules taking effect on May 1, 2027. (hunton.com) The new statute is called the Alabama Personal Data Protection Act. Ivey signed it on April 17, 2026, after the Legislature passed it earlier this month. (hunton.com)

The bill cleared the Alabama House 104-0 and the Senate 34-0 on April 7, making Alabama the 21st state to enact a broad consumer privacy law. (privacymatters.dlapiper.com)

The law gives Alabama residents rights to see, correct, delete, and obtain a copy of personal data that companies hold about them. It also lets consumers opt out of targeted advertising, data sales, and some automated profiling decisions. (insideprivacy.com)

Alabama’s law follows the same state-by-state model that has spread since Virginia passed its statute in 2021. Like most of those laws, it does not create a private right of action, so consumers cannot sue directly under the act. (hunton.com)

Enforcement belongs to the Alabama attorney general alone, and the law includes a 45-day cure period that does not expire. That means businesses accused of violating the statute can get time to fix problems before the state pursues a case. (iapp.org)

The law reaches companies doing business in Alabama or targeting Alabama residents if they handle data on more than 25,000 consumers, excluding payment-only data, or get more than 25% of gross revenue from selling personal data. That 25,000-person threshold is lower than the 100,000-consumer trigger used in many other state privacy laws. (insideprivacy.com, fpf.org)

The act exempts many categories already covered by other laws, including health data regulated by the Health Insurance Portability and Accountability Act, financial data covered by the Gramm-Leach-Bliley Act, education records, and some employment and business-to-business data. Small businesses with fewer than 500 employees and nonprofits with fewer than 100 employees are also exempt if they do not sell personal data. (hunton.com)

For health and wellness apps, the gap matters: data outside federal health privacy law can still fall under Alabama’s new state rules if the app targets Alabama users and meets the act’s thresholds. Controllers must get consent to process sensitive data and must provide privacy notices describing what data they collect, why they use it, and what they share. (insideprivacy.com, fpf.org)

Alabama’s version also defines a “sale” of personal data more broadly than some states do, covering some transfers for “other valuable consideration” when the controller gets a material benefit and the recipient is not limited in later uses. Companies serving Alabama users now have just over a year to decide whether those data-sharing practices need to change before May 2027. (insideprivacy.com)