Alabama enacts consumer data privacy and protection law
On April 17, the Alabama Legislature enacted the Alabama Personal Data Protection Act, granting state residents rights over their personal data and setting obligations for businesses that control or process such information. The law applies to entities conducting business in Alabama or targeting its residents if the entity: (i) controls or processes personal data of more than 25,000 consumers, excluding data used solely to complete a payment transaction; or (ii) derives more than 25 percent of gross revenue from selling personal data. Consumers may confirm whether their data is processed, correct inaccuracies, delete data, obtain portable copies, and opt out of targeted advertising, data sales, or profiling that produces significant decisions (defined as decisions that result in the “provision or denial of credit or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care service, or access to basic necessities such as food or water”).
Controllers (defined as entities that determine “the purposes and means of processing personal data”) must provide clear privacy notices, limit collection to what is necessary, implement security measures, and obtain consent before processing sensitive data. The law exempts financial institutions subject to the GLBA; political subdivisions; businesses with fewer than 500 employees and nonprofits with fewer than 100 employees that do not engage in the sale of personal data; electric providers subject to NERC reliability standards; and specific data types covered by federal statutes such as the FCRA and COPPA, among others. Controllers and processors of personal data must comply with contractual requirements for processing on another’s behalf, safeguard deidentified data, and honor consumer opt-out methods. The state attorney general enforces the law, with authority to issue violation notices and impose penalties of up to $15,000 per violation if the violation is not cured within 45 days. The statute takes effect May 1, 2027.