Alabama Joins States Enacting Comprehensive Privacy Law

14 April 2026

Alabama is poised to become the 21st US state to enact a comprehensive data protection law, following the state legislature’s passage of House Bill 351, which adopts the Alabama Personal Data Protection Act.

While the new act largely follows the established US state privacy framework and incorporates provisions consistent with its predecessors, it also introduces new elements requiring businesses to exercise particular care when assessing their privacy compliance obligations in the state.

Alabama’s new privacy act, which is expected to be approved by the governor, would take effect on 1 May 2027.

Scope of Application and Special Exemptions

The act applies to persons that (i) conduct business in the state or (ii) produce products or services targeted to residents of the state, and that either:

  • Control or process the personal data of at least 25,000 Alabama residents (excluding payment transaction data); or
  • Derive more than 25% of their gross revenue from the sale of personal data, regardless of the number of Alabama residents whose data is collected or processed.

The new act’s applicability thresholds depart from the prevailing US privacy law framework in two key respects: (i) the number of residents whose personal data must be processed to trigger applicability is comparatively low, aligning with states such as Montana and Delaware in establishing a sub-100,000 consumer threshold, and (ii) applicability may be triggered solely by meeting the revenue-based threshold for the sale of personal data, without any minimum resident threshold, an approach that remains uncommon and has been adopted by only a limited number of states, including California and Nebraska.

The act further provides exemptions for certain de-identified and publicly available information, as well as data regulated under other federal laws such as the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act (HIPAA).

Additionally, the act aligns with state privacy laws in Texas and Minnesota by exempting small businesses employing fewer than 500 employees from its scope, provided that such entities do not engage in the sale of personal data. Similarly, the act exempts non-profit organizations with fewer than 100 employees, provided that they do not engage in the sale of personal data.

The “Artificial Intelligence” Exemption: An earlier version of the act included a unique exemption that would have excluded from its scope information or data included as part of “Artificial Intelligence Models”, provided that no personally identifiable information is present in, or can be extracted from, such models. However, this exemption, which would have made Alabama’s privacy act the first state privacy law to expressly address AI models in its operative provisions, was removed from the final bill.

Exemptions From the Definition of “Sale”: The act imposes certain obligations on controllers that engage in the sale of personal data. However, it differs from other US privacy laws in its definition of what constitutes a “sale”.

While recognizing the exchange of personal data for monetary or other valuable consideration, the new act expands the definition of “sale” to also include exchanges in which the controller receives a “material benefit”, thereby potentially capturing a broader range of business activities not typically covered under other US privacy laws. At the same time, the act introduces two notable derogations from the definition of “sale”:

  • Limitations on use: For an exchange to constitute a sale, the recipient must not be subject to restrictions on its subsequent use of personal data. Accordingly, where the recipient’s use is contractually restricted, such exchange may fall outside the definition of a “sale” even if consideration or other material benefit is involved; and
  • Marketing and analytics: The disclosure or transfer of personal data to a third party for the purposes of providing analytics or marketing services solely to the controller will not constitute a “sale”, even where consideration or other material benefit is involved.

Controller Obligations

Controllers covered by Alabama’s new act are required, inter alia, to:

  • Limit the collection and processing of personal data to what is adequate, relevant and reasonably necessary for the disclosed purposes;
  • Implement and maintain reasonable safeguards to protect personal data;
  • Provide a privacy notice that includes information such as the categories of personal data processed, the purposes of processing, categories of personal data shared and how consumers may exercise their rights; and
  • Ensure that processing by third-party processors is governed by a binding agreement incorporating the obligations set forth in the act.

Notably, the act contains no requirement to conduct risk assessments for processing activities that may pose a heightened risk to consumers, aligning Alabama with states such as Iowa and Utah.

Consumer Rights

The act follows the general approach adopted in US privacy laws by granting consumers a range of rights with respect to their personal data, including, inter alia:

  • The right to confirm whether a controller processes their personal data and to access such data (without requiring disclosure of third parties to whom the data was disclosed);
  • The right to correct inaccuracies in personal data;
  • The right to obtain personal data in a portable format; and
  • The right to opt out of the processing of personal data for targeted advertising, sale and profiling in furtherance of solely automated decisions that produce significant effects.

Controllers must respond to consumer requests within 45 days of receipt (with a possible 45-day extension under certain circumstances).

The act departs from the standard approach by neither requiring controllers to establish an appeal mechanism when denying consumer requests, nor mandating the provision of the Attorney General’s contact details for submitting complaints as part of the response to such requests. In this respect, it aligns with Utah’s privacy framework; the two are the only US privacy laws that omit both of these elements.

Enforcement

The Alabama Attorney General has exclusive authority to enforce the act. The Attorney General may issue a notice of violation, and failure to cure such violation within 45 days may result in enforcement action, including injunctive relief and civil penalties of up to USD 15,000 per violation – among the highest penalties currently imposed under US state privacy laws.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Alabama, with particular attention to the unique provisions introduced by the act. Please feel free to contact us with any questions regarding the act and its practical implications.