Alabama Joins the Privacy Club: What In-House Counsel Need to Know
Alabama enacted a comprehensive consumer privacy law—the Alabama Personal Data Protection Act (HB 351)—that will require incremental, not radical, change for companies with existing privacy-compliance programs. Taking effect May 1, 2027, the law brings Alabama largely into alignment with the familiar Virginia-style privacy framework that now dominates U.S. state privacy law. But the law does include a few distinctive features, including lower applicability thresholds and greater potential penalties for non-compliance, that warrant attention.
Because the law does not include rulemaking, companies can start developing compliance strategies now. Below are the key provisions and takeaways in-house counsel should keep in mind as they plan for compliance.
Application: Routine Framework with Generous Exemptions
The law applies to companies that conduct business in Alabama or target Alabama residents and meet either of the following thresholds:
- Volume. Control or process personal data of more than 25,000 Alabama consumers; or
- Sales Revenue. Derive more than 25% of gross revenue from the sale of personal data.
Controller Obligations: Déjà Vu All Over Again
The law imposes nearly all the standard obligations on controllers, including notice, consumer rights, data minimization, purpose limitations, processor contracts, and a consent-driven framework for sensitive data. But what is missing is a doozy:
- No data protection impact assessments. Alabama becomes just the third state with a comprehensive privacy law without data protection impact assessments.
- No enhanced protections for minors. The law skips the greater protections for minors that states such as Colorado and Virginia recently adopted.
Controllers get a bit of a reprieve when it comes to obligations around sales, such as notice and opt-outs, because of a narrower framing of sales. The state tweaks the standard “valuable consideration” element by limiting it to situations where the controller gets a material benefit and the recipient has unrestricted use of the data. The law also adds two unique exclusions, covering disclosures to a third party for the purposes of providing analytics or marketing services just to the controller.
Consumer Rights: Standard Fare with a Pro-Business Twist
Alabama consumers receive the standard suite of privacy rights. They have the right to (1) access, correct, delete, and obtain a copy of their personal data; (2) opt out of sales, targeted advertising, and certain profiling; and (3) appeal denied requests. There are a couple of potential curveballs with respect to agents and opt-out signals. The law never affirmatively requires honoring opt-out signals or requests that agents submit. But there are a few stray lines that incidentally touch on both topics. The legislature likely just missed those lines when they amended the initial bill to remove the obligations to honor opt-out signals and agents’ requests.
Enforcement: Regulatory Action with Real Teeth
The Alabama attorney general can seek civil penalties of up to $15,000 per violation—a higher cap than many comparable state laws. Before bringing an enforcement action, the attorney general must notify the company and provide it a 45-day opportunity to cure. That cure provision does not sunset.
Although the law does not explicitly state there is no private right of action, it doesn’t explicitly include one either. But fear not. Alabama strongly disfavors implied causes of action, and the legislative history—silent on creating such a right—coupled with the structure of the enforcement section reflects an intent to grant the attorney general all enforcement power.
Next Steps: Uplift Operationalization
With a May 1, 2027, effective date, companies have time—but not unlimited runway—to prepare. For most organizations, Alabama compliance will involve a program refresh rather than a rebuild.
Key steps to prioritize include:
- Assess Applicability. Assess whether you process sufficient personal data on Alabama residents and/or sell enough personal data.
- Update Privacy Policy. Add Alabama to state-specific privacy notices.
- Revisit Opt-Out Infrastructure. Ensure website and backend systems honor requests to opt out of sales and targeted advertising.
- Revise Consumer-Rights Workflow. Update request intake and appeals process to cover Alabama residents.
Bottom Line
Alabama’s new privacy law is firmly mainstream, but it is not toothless. The lower applicability threshold and high potential fines may mean some companies will face new obligations for the first time, while others will need targeted enhancements to existing programs. For in-house counsel, the message is straightforward: if you comply with a Virginia-style privacy framework, Alabama’s law is manageable with minimal effort. Early planning now will turn Alabama into just another checked box rather than a last-minute compliance scramble in 2027.