Alabama Enacts Business-Friendly Consumer Data Privacy Law
Governor Kay Ivey signed the Alabama Personal Data Protection Act, the state's new comprehensive privacy law.
Why it matters: Alabama’s law adds to the patchwork of state privacy rules, demanding updated compliance from law firms and in-house teams. Its business-oriented provisions could shape privacy strategies for companies operating in multiple states.
- Alabama is the 21st U.S. state with a comprehensive consumer data privacy law, effective April 16, 2026.
- The law targets controllers processing data of over 25,000 consumers or earning 25%+ of revenue from data sales.
- Consumers gain rights to access, correct, delete, and export data, plus opt out of certain data uses.
- Exclusive enforcement is granted to the Attorney General, with penalties up to $15,000 per violation.
On April 16, 2026, Alabama joined the ranks of states with sweeping data privacy regulation as Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351). This makes Alabama the 21st state to enact such a law, signaling ongoing momentum for state-level privacy action in the absence of federal rules.
- Who’s covered: The law applies to entities that control or process the personal data of more than 25,000 consumers, or that derive over 25% of gross revenue from the sale of personal data.
- Consumer rights: Alabama residents can ask to confirm if their data is processed, correct inaccuracies, delete their data, obtain a portable copy, and opt out of targeted advertising, data sales, and automated profiling decisions.
- Business obligations: Controllers must respond to requests within 45 days (extendable to 90), and maintain clear, accessible privacy notices addressing processed data categories, purposes, and third-party sharing.
- Enforcement: The Attorney General retains exclusive authority to enforce the law. There’s a 45-day opportunity to cure alleged violations before action, with civil penalties up to $15,000 per violation.
Reaction has split. Rep. Mike Shaw, HB 351 sponsor, called the law “the product of two years of hard work to create a common-sense framework that protects consumers while also remaining friendly to those who do business in our state.” Meanwhile, Consumer Reports urged a veto, citing weak definitions, broad exemptions, and insufficient enforcement.
Large entities conducting business in Alabama—or nationwide—should assess and update compliance strategies to align with core provisions and enforcement realities of the new law.
By the numbers:
- 25,000+ — Minimum number of consumers' data processed to trigger the law's application
- 25%+ — Revenue threshold from data sales for coverage under the Act
- $15,000 — Maximum civil penalty per violation
Yes, but: Consumer advocacy groups say the law's broad exemptions and limited enforcement mechanisms may weaken consumer protections.