22 April 2026

Alabama Joins The Privacy Club: What In-House Counsel Need To Know

Shook, Hardy & Bacon

Contributor


Alabama has enacted a comprehensive consumer privacy law that takes effect May 1, 2027, bringing the state largely into alignment with the Virginia-style privacy framework. While the law follows familiar patterns, it includes distinctive features such as lower applicability thresholds and higher potential penalties that require careful attention from compliance teams.

Alabama enacted a comprehensive consumer privacy law—the Alabama Personal Data Protection Act (HB 351)—that will require incremental, not radical, change for companies with existing privacy-compliance programs. Taking effect May 1, 2027, the law brings Alabama largely into alignment with the familiar Virginia-style privacy framework that now dominates U.S. state privacy law. But the law does include a few distinctive features, including lower applicability thresholds and greater potential penalties for non-compliance, that warrant attention.

Because the law does not include rulemaking, companies can start developing compliance strategies now. Below are the key provisions and takeaways in-house counsel should keep in mind as they plan for compliance.

Application: Routine Framework with Generous Exemptions

The law applies to companies that conduct business in Alabama or target Alabama residents and meet either of the following thresholds:

  • Volume. Control or process personal data of more than 25,000 Alabama consumers; or
  • Sales Revenue. Derive more than 25% of gross revenue from the sale of personal data.

These thresholds reflect deviations from the norm. The volume trigger is lower than most other states, while the revenue option does not require processing data on a certain number of consumers. Meeting one of the thresholds, however, does not end the inquiry. Following Oklahoma’s lead, the law includes a generous set of exemptions covering both standard data and entity-level exemptions, such as PHI, B2B data, and HIPAA/GLBA-regulated companies. We also get new exclusions for the beltway crowd, including PACs and political parties. In a twist, however, the state exempted small businesses, provided they do not sell personal data, while including only a limited carveout for nonprofits.

Controller Obligations: Déjà Vu All Over Again

The law imposes nearly all the standard obligations on controllers, including notice, consumer rights, data minimization, purpose limitations, processor contracts, and a consent-driven framework for sensitive data. But what is missing is a doozy:

  • No data protection impact assessments. Alabama becomes just the third state with a comprehensive privacy law without data protection impact assessments.
  • No enhanced protections for minors. The law skips the greater protections for minors that states such as Colorado and Virginia recently adopted.

Controllers get a bit of a reprieve when it comes to obligations around sales, such as notice and opt-outs, because of a narrower framing of sales. The state tweaks the standard “valuable consideration” element by limiting it to situations where the controller gets a material benefit and the recipient has unrestricted use of the data. The law also adds two unique exclusions: disclosures to a third party for the purposes of providing analytics or marketing services just to the controller.

Consumer Rights: Standard Fare with a Pro-Business Twist

Alabama consumers receive the standard suite of privacy rights. They have the right to (1) access, correct, delete, and obtain a copy of their personal data; (2) opt out of sales, targeted advertising, and certain profiling; and (3) appeal denied requests. There are a couple of potential curveballs with respect to agents and opt-out signals. The law never affirmatively requires honoring opt-out signals or requests that agents submit. But there are a few stray lines that incidentally touch on both topics. The legislature likely just missed those lines when they amended the initial bill to remove the obligations to honor opt-out signals and agents’ requests.

Enforcement: Regulatory Action with Real Teeth

The Alabama attorney general can seek civil penalties of up to $15,000 per violation—a higher cap than many comparable state laws. Before bringing an enforcement action, the attorney general must notify the company and provide them a 45-day opportunity to cure. That cure provision does not sunset.

Although the law does not explicitly state there is no private right of action, it doesn’t explicitly include one either. But fear not. Alabama strongly disfavors implied causes of action, and the legislative history—silent on creating such a right—coupled with the structure of the enforcement section reflects an intent to grant the attorney general all enforcement power.

Next Steps: Uplift Operationalization

With a May 1, 2027, effective date, companies have time—but not unlimited runway—to prepare. For most organizations, Alabama compliance will involve a program refresh rather than a rebuild.

Key steps to prioritize include:

  • Assess Applicability. Assess whether you process sufficient personal data on Alabama residents and/or sell enough personal data.
  • Update Privacy Policy. Add Alabama to state-specific privacy notices.
  • Revisit Opt-Out Infrastructure. Ensure website and backend systems honor requests to opt out of sales and targeted advertising.
  • Revise Consumer-Rights Workflow. Update request intake and appeals process to cover Alabama residents.

Bottom Line

Alabama’s new privacy law is firmly mainstream, but it is not toothless. The lower applicability threshold and high potential fines may mean some companies will face new obligations for the first time, while others will need targeted enhancements to existing programs. For in-house counsel, the message is straightforward: if you comply with a Virginia-style privacy framework, Alabama’s law is manageable with minimal effort. Early planning now will turn Alabama into just another checked box rather than a last-minute compliance scramble in 2027.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
