On April 16, 2026, Governor Kay Ivey signed House Bill 351 into law as the Alabama Personal Data Protection Act (APDPA). The law created a comprehensive consumer privacy framework that grants Alabama consumers privacy rights, imposes duties on controllers and processors, and authorizes enforcement by the Alabama Attorney General.
The APDPA applies to businesses that operate in Alabama or target Alabama residents and either control or process the personal data of more than 25,000 consumers (excluding data processed solely to complete a payment transaction) or derive more than 25% of gross revenue from the sale of personal data.
This update is relevant to covered businesses that do business in Alabama or target Alabama residents. The law takes effect on May 1, 2027.
What Employers Need to Do
- Review whether the organization meets the APDPA’s applicability thresholds and whether any exemptions apply.
- Identify Alabama consumer personal data, including where it is collected, where it is stored, how it is used, and which vendors or third parties receive it.
- Update privacy notices and processes so the organization can respond to consumer requests (such as access, correction, deletion, portability, and opt-out) within required timelines.
- Review advertising analytics and marketing-vendor relationships to determine whether any data sharing could be considered a sale of personal data and whether contracts properly limit how data is used.
- Review sensitive data and minors’ data practices, including whether consent processes are sufficient, particularly for consumers ages 13 through 15, when data would be sold or used for targeted advertising.
Overview
- One notable feature of the APDPA is its revenue-based coverage threshold, which applies regardless of the number of consumers whose data is processed.
- The APDPA excludes individuals acting in a commercial or employment context, which places most traditional HR and employment-related data outside the law’s scope.
- Consumers receive familiar rights to confirm whether personal data is being processed, access it, correct inaccuracies, delete it, obtain a portable copy of certain data they previously provided, and opt out of targeted advertising, the sale of personal data, and certain profiling tied to solely automated significant decisions.
- The law requires controllers to limit personal data collection to what is adequate, relevant, and reasonably necessary, maintain reasonable administrative, technical, and physical security practices, provide compliant privacy notices, and obtain consent before processing sensitive data in specified circumstances.
- Processors are required to follow controller instructions, assist with compliance, and operate under contracts that define the nature, purpose, duration, and obligations associated with processing.
- The law’s definition of sale of personal data is distinctive. It includes some exchanges for monetary or other valuable consideration where the controller receives a material benefit and the recipient is not restricted in later uses, but it excludes certain disclosures for analytics services and for marketing services provided solely to the controller.
- The APDPA also includes broad exemptions, including for many small businesses, certain nonprofits, institutions of higher education, HIPAA-regulated entities and business associates, GLBA-regulated financial institutions and affiliates, and numerous federally regulated data sets.
Why This Matters
The APDPA is aimed at consumer data, not most workplace data, making it less directly relevant to traditional HR information than some other state privacy laws.
For employers with consumer-facing operations, however, the law can affect how personal data is collected, used, shared, and disclosed through websites, apps, marketing programs, and other customer interactions.
Key Risks for Employers
- Misjudging whether the organization is in scope, especially given the relatively low 25,000-consumer threshold and the fact that the revenue-based threshold does not require a minimum number of consumers.
- Assuming employment-related exemptions remove all risk when the organization also collects consumer-facing data through websites, apps, marketing programs, or other customer-facing channels.
- Assuming analytics, advertising, or marketing-related data sharing is not considered a “sale” without confirming how the receiving party is allowed to use the data.
- Failing to build workable consumer-rights response systems and privacy notices before the law becomes effective, especially where the business has not previously implemented a broader state-privacy compliance program.
- Ignoring the cure notice process on the assumption that it eliminates exposure; if violations are not cured within 45 days after notice, a court may impose civil penalties of up to $15,000 per violation.
Additional Information
The APDPA is enforced exclusively by the Alabama Attorney General, and the statute does not create a private right of action. Before taking enforcement action, the Attorney General provides a 45-day period to cure any violations.
The law includes provisions on children’s privacy. Organizations that comply with the federal Children’s Online Privacy Protection Act (COPPA) satisfy consent requirements for children under 13. For consumers ages 13 through 15, consent is required before selling or using personal data for targeted advertising when the organization has actual knowledge of the consumer’s age.