Alabama Enacts Comprehensive Privacy Law

The Alabama Personal Data Protection Act (“APDPA”) will become effective on May 1, 2027. With the APDPA’s enactment, Alabama becomes the 22nd state to enact a comprehensive data privacy law. While the APDPA follows the framework of many existing state privacy laws, it includes several distinctive features, such as an exemption for small businesses with fewer than 500 employees and a 45-day right to cure that does not sunset. Businesses should carefully evaluate their data practices and ensure compliance.

Applicability and Scope

The APDPA applies to entities conducting business in Alabama, or those producing products or providing services targeted to Alabama residents, provided the entity:

  • controls or processes the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • derives more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data the entity controls or processes.

Like most other state privacy laws (the California Consumer Privacy Act being the notable exception), the APDPA’s definition of “consumer” does not include individuals acting in a commercial or employment context, including employees, owners, directors, officers, or contractors of a company, partnership, sole proprietorship, nonprofit, or government agency.

The APDPA provides an unusually broad range of entity-level exemptions that go well beyond those found in most other state privacy laws. In addition to standard exemptions for political subdivisions, institutions of higher education, national securities associations, financial institutions governed by 15 U.S.C. Chapter 94 or the Gramm-Leach-Bliley Act, and HIPAA covered entities and business associates, the APDPA exempts: (1) small businesses with fewer than 500 employees, provided they do not sell personal data; (2) nonprofit entities with fewer than 100 employees, provided they do not sell personal data; (3) political action committees, political parties, principal campaign committees, and political organizations under 26 U.S.C. § 527; (4) business entities that sell data primarily to political organizations; (5) electric providers subject to North American Electric Reliability Corporation standards; (6) certain insurance trade associations; and (7) persons and entities regulated under specific provisions of the Alabama Code. Data-level exemptions include data subject to HIPAA, FERPA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Farm Credit Act, and the Airline Deregulation Act, among others.

Sale of Personal Data

Controllers that sell personal data to third parties must clearly and conspicuously disclose such processing, as well as the manner in which consumers may exercise their right to opt out. This disclosure obligation also applies to controllers that process personal data for targeted advertising. Controllers must provide a clear and conspicuous link on their website to a web page that enables consumers to opt out directly, or must provide up-to-date contact information for consumers to submit opt-out requests.

Definition

The APDPA defines “sale of personal data” as the exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data. Notably, this definition is narrower than comparable provisions in certain other state privacy laws, such as California’s, which may capture a broader range of data-sharing arrangements.

The following disclosures do not constitute a “sale” under the APDPA:

  • disclosure of personal data to a processor that processes the data on behalf of the controller;
  • disclosure to a third party for purposes of providing a product or service requested by the consumer;
  • disclosure or transfer to an affiliate of the controller;
  • disclosure directed by the consumer or made through the consumer’s intentional interaction with a third party;
  • disclosure of information the consumer intentionally made publicly available without restricting the audience;
  • disclosure or transfer as part of a merger, acquisition, bankruptcy, or similar transaction in which the third party assumes control of all or part of the controller’s assets;
  • disclosure or transfer for purposes of providing analytics services; and
  • disclosure or transfer for purposes of providing marketing services solely to the controller.

For businesses, these exclusions are significant because they clarify that many common data-sharing arrangements—such as disclosures to service providers, analytics vendors, or marketing partners acting solely on the controller’s behalf—may fall outside the statutory definition of a “sale,” depending on how the arrangement is structured.

Opt-Out Rights

Under the APDPA, consumers have the right to opt out of the sale of their personal data. This right is one of several opt-out rights granted to consumers, which also include the right to opt out of processing for targeted advertising and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

The APDPA contemplates the use of opt-out preference signals, but does not expressly require controllers to recognize such signals. If a consumer’s opt-out preference signal conflicts with the consumer’s existing controller-specific privacy setting or voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer’s opt-out preference signal but may notify the consumer of the conflict and provide the consumer an opportunity to confirm their controller-specific settings or program participation.

Controller Requirements

The APDPA outlines several responsibilities for data controllers:

  • Data Minimization and Security:
    • Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
    • Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data.
  • Transparency Obligations:
    • Controllers must provide consumers with a reasonably accurate, clear, and meaningful privacy notice that includes the categories of personal data processed, the purpose for processing, the categories of personal data shared with third parties, the categories of third parties with whom data is shared, a method for consumers to contact the controller, and how consumers may exercise their rights.
  • Sensitive Data: Like most other state privacy laws, the APDPA requires controllers to obtain consumer consent before processing sensitive data. In the case of a known child, controllers must process the data in accordance with the federal Children’s Online Privacy Protection Act of 1998.
    • Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
    • Precise geolocation data is defined as information derived from technology, including GPS coordinates, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
    • The APDPA defines “consent” as a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement. Notably, consent cannot be obtained through acceptance of broad terms of use, hovering over or pausing content, or through the use of “dark patterns”—user interfaces designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice. Controllers must also provide consumers with an effective mechanism to revoke consent that is at least as easy as the mechanism by which consent was originally provided.
  • Youth Protections: Controllers may not process the personal data of a consumer for the purposes of targeted advertising or sell a consumer’s personal data without consent where the controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age.
  • Non-Discrimination: Controllers may not deny goods or services, charge different prices or rates, or provide a different level of quality to a consumer who opts out of data processing, although controllers are not required to provide a service that requires data processing if the consumer opts out. Controllers may offer different prices or levels for goods or services as part of a bona fide loyalty, rewards, premium features, discount, or club card program in which a consumer voluntarily participates.
  • Unlike some other state privacy laws, the APDPA does not require controllers to conduct data protection assessments prior to engaging in higher-risk processing activities.

Consumer Rights

Alabama consumers have the following rights:

  • Right to confirm whether a controller is processing the consumer’s personal data and to access such data;
  • Right to correct inaccuracies in personal data;
  • Right to delete personal data;
  • Right to obtain a copy of personal data previously provided by the consumer to the controller, in a portable and readily usable format; and
  • Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated significant decisions concerning the consumer.

Controllers must respond to consumer requests within 45 days, with the possibility of a 45-day extension when reasonably necessary. Unlike some states, the APDPA does not require controllers to establish an appeal process for consumers whose requests are denied.

The APDPA requires controllers to allow consumers to opt out via a clear and conspicuous link on the controller’s website.

Enforcement

The Alabama Attorney General has exclusive authority to enforce the APDPA. Prior to initiating any action, the Attorney General must issue a notice of violation to the controller. If the controller fails to correct the violation within 45 days of receipt of the notice, the Attorney General may bring an action and seek an injunction. Upon a finding of violation, a court may assess a civil penalty of up to $15,000 per violation. If the controller corrects the violation within the 45-day period and provides the Attorney General a written statement confirming the correction and that no further violations will occur, no action may be initiated. Unlike many other state privacy laws, the cure period does not sunset. A violation of the APDPA does not establish a private cause of action.

Koley Jessen is committed to staying informed about developments related to state privacy laws and will offer guidance as new information emerges. If you are unsure about your business’s compliance needs or the steps required to adhere to state privacy laws, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area for expert assistance.

*Special thanks to Summer Associate Tyler Tschida for his contributions to this article.


This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
