The Alabama Personal Data Protection Act is a strange blend of playing it safe and introducing new rules that may leave businesses scratching their heads.


With its adoption of the Alabama Personal Data Protection Act (APDPA) in April 2026, Alabama is now the 21st state to pass a comprehensive data-privacy law. (If you count the Florida Digital Bill of Rights, it’s actually the 22nd.) The APDPA is set to take effect on May 1, 2027.
While the APDPA does closely follow a now-familiar model used by almost every other state going back to Virginia’s privacy law, it also contains a few unusual differences that are sure to delight the business and tech community.
Here’s what businesses should know about the Alabama Personal Data Protection Act.
The basic outline of compliance for the APDPA is the same as most other privacy laws. Businesses should be transparent about the data they collect, use, and disclose; consumers have rights regarding their own personal data; and consent is required for certain uses of data.
Here’s a quick summary.
Of course, this is not a comprehensive list, and it shouldn’t be taken to mean that compliance will be simple. As with other privacy laws, compliance requires a deep dive into an organization’s data practices, advance planning for handling privacy requests, and vigilance to stay current with any changes.
Alabama takes a novel approach to defining its scope. Like most other states, it sets out some numerical thresholds, which are:
On their own, these thresholds are actually quite liberal and would make the APDPA one of the most broadly applicable state privacy laws. However, the statute then significantly walks back these thresholds by stating that it does not apply to:
There are plenty of businesses that don’t meet these employee numbers, but handle the personal data of millions of people. As for the part about not selling personal data, keep reading to see why that might not be such a limitation after all.
Similarly, the APDPA’s definition of “selling” personal data starts out in familiar territory, then goes to some wacky places.
The bill defines the sale of personal data as:
The part about the third party not being restricted in its subsequent use of the personal data has the potential to swallow the entire rule. Under the California Consumer Privacy Act, all disclosures constituting a sale must be accompanied by contractual language specifying that the data is being disclosed for limited and specific purposes. Ironically (or perhaps by the design of savvy tech lobbyists), this restriction on data sales in California may exempt the disclosure from being considered a sale in Alabama.
The APDPA also adds two very significant exceptions to the definition of a sale of personal data:
The first of these creates a loophole you could drive a Google Analytics-sized bus through, and strongly suggests that giving Google unrestricted access to analytics data will not be considered a sale in Alabama.
All of these exceptions raise the question of why Alabama didn’t merely define the sale of personal data as exchanging data solely for monetary consideration (as many other states have done). While Alabama legislators may have been trying to make the APDPA more business friendly, the reality is that the exceptions just make multistate compliance more complicated for most companies.
Most other state privacy laws require businesses to carry out a data protection assessment (DPA) before engaging in any data processing that is considered high-risk. The most common high-risk activities are targeted advertising, selling personal data, and processing sensitive data.
The APDPA forgoes the DPA requirement entirely.
Another unusual omission in the Alabama privacy law is that businesses are not required to provide a mechanism for appealing the denial of a privacy request. Virtually all other states (except California and Utah) give consumers this right.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.