Alabama Privacy Law Attorneys

Alabama Personal Data Protection Act (Alabama PDPA) — Effective May 1, 2027

Home / States / Alabama

Alabama Privacy Law Overview

Alabama has enacted a comprehensive consumer privacy law that is not yet in force. The Alabama Personal Data Protection Act takes effect May 1, 2027, so Alabama businesses have a window now to map their data, update privacy notices, and stand up consumer-rights processes before obligations begin.

The Alabama Personal Data Protection Act (Alabama PDPA)

The Alabama Personal Data Protection Act (Alabama PDPA) was signed into law in April 2026 and takes effect May 1, 2027. It follows the mainstream multistate framework, giving Alabama residents rights to access, correct, delete and port their personal data and to opt out of targeted advertising, the sale of data, and profiling, with opt-in consent required for sensitive data. Enforcement rests with the Alabama Attorney General; there is no private right of action. Businesses should use the lead time before May 1, 2027 to build their compliance programs.

Status: Enacted but not yet in force — the law takes effect May 1, 2027. Businesses should prepare now.

Alabama PDPA: Quick Overview

  • Effective Date: May 1, 2027
  • Citation: HB 351 (2026)
  • Enforced By: Alabama Attorney General
  • Maximum Penalty: Civil penalties set by statute, enforced by the Alabama Attorney General
  • Private Right of Action: No (enforcement by the state only)
  • Right to Cure: Applies once the law takes effect on May 1, 2027

Who Must Comply

The Alabama PDPA applies to businesses that meet Alabama's applicability thresholds:

  • Applicability thresholds are set by the statute and take effect with the law on May 1, 2027; businesses operating in or targeting Alabama should assess coverage before that date.

Consumer Rights Under the Alabama PDPA

Alabama residents can exercise the following rights over their personal data:

  • Right to access / confirm what data is held
  • Right to correct inaccurate data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for significant decisions

Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).

Data Breach Notification in Alabama

Alabama requires notice to affected residents within 45 days and to the Attorney General when more than 1,000 residents are affected.

  • Deadline to notify residents: No later than 45 days after discovery
  • Attorney General notice: Notify the Alabama Attorney General if more than 1,000 residents are affected
  • Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)

Federal Privacy Laws That Apply in Alabama

Even where Alabama law is silent, residents and businesses are covered by federal privacy statutes:

  • HIPAA — health information held by providers, plans and their vendors
  • GLBA — privacy and safeguards rules for financial institutions
  • FERPA — student education records
  • FCRA — consumer reporting agencies and background screening
  • COPPA — online collection of data from children under 13
  • FTC Act §5 — unfair or deceptive privacy and data-security practices

Alabama Privacy Law FAQ

Is Alabama's privacy law in effect yet?
No. The Alabama Personal Data Protection Act has been signed but does not take effect until May 1, 2027. Until then, Alabama residents rely on the state's data-breach and consumer-protection laws and on federal privacy statutes, but businesses should prepare now for the new rights and obligations.
What should Alabama businesses do before the law takes effect?
Use the lead time to inventory what personal data you collect, update privacy notices, build processes to honor access/deletion/opt-out requests, put data-processing agreements in place with vendors, and obtain opt-in consent flows for sensitive data — all before May 1, 2027.

How a Alabama Privacy Attorney Can Help

For Businesses

  • Build and audit a privacy compliance program
  • Draft privacy policies, notices and vendor contracts
  • Respond to consumer rights requests
  • Manage data-breach response and notification
  • Defend regulatory investigations and enforcement

For Consumers

  • Enforce your privacy rights against non-compliant businesses
  • Pursue or join data-breach litigation
  • File complaints with the Alabama Attorney General
  • Seek damages for identity theft and fraud
  • Stop unlawful data sales and unwanted marketing

Need a Alabama Privacy Attorney?

Whether you are a business working toward compliance or a Alabama resident whose privacy has been violated, our network of Alabama-licensed attorneys can help.

Find a Alabama Privacy Attorney

Other State Privacy Laws

Texas

TDPSA – comprehensive privacy law

Florida

FDBR – comprehensive privacy law

Oklahoma

OKCDPA – comprehensive law effective January 1, 2027

Louisiana

LDPA – comprehensive law effective January 1, 2027

California

CCPA/CPRA – strongest consumer privacy law in the U.S.

Virginia

VCDPA – comprehensive privacy law