Alabama Set to Add Variation to U.S. State Privacy Patchwork with Comprehensive Personal Data Protection Act


Alabama is on track to become the 21st U.S. state with a comprehensive consumer data privacy law after the state legislature unanimously passed House Bill 351, the Alabama Personal Data Protection Act, on April 7, 2026. The bill cleared the House 104-0 and the Senate 34-0 with no opposition in any roll call vote. It now awaits signature from Governor Kay Ivey. If enacted, the law will take effect on May 1, 2027, joining Oklahoma’s recently signed privacy statute as the second comprehensive privacy law enacted in 2026.

Sponsored by Rep. Mike Shaw (R-Ala.), a veteran technology professional with more than 30 years of experience in regulated environments, the legislation aims to strike a careful balance between protecting Alabamians’ personal data and supporting businesses operating in the state. “HB 351 is the product of two years of hard work to create a common-sense framework that protects consumers while also remaining friendly to those who do business in our state,” Shaw told the International Association of Privacy Professionals (IAPP). “As someone with more than 30 years as a technology professional in a regulated environment, my goal with HB 351 was to create a practical, workable law that protects the people of Alabama in the most responsible way possible.”

While many recent state privacy laws have closely followed the Virginia model, Alabama’s bill introduces several distinctive features—particularly in coverage thresholds, the definition of a “sale” of data, and certain business exemptions—that set it apart from the existing patchwork of 20 comprehensive statutes. These differences, lawmakers say, reflect Alabama’s unique economic needs and a deliberate effort to avoid overly burdensome regulation on small and mid-sized businesses.

HB351 Alabama Data Privacy Law text

Coverage Thresholds: Among the Most Inclusive in the Nation

One of the bill’s most notable innovations lies in its applicability thresholds, which are among the most nuanced—and potentially broadest—seen in any U.S. comprehensive privacy law. The Alabama Personal Data Protection Act would apply to any business that conducts business in the state or targets products or services to Alabama residents and that either:

  • Controls or processes the personal data of more than 25,000 Alabama residents (excluding data processed solely for completing a payment transaction), or
  • Derives more than 25 percent of its gross revenue from the sale of personal data, regardless of the number of consumers whose data is involved.

This 25,000-consumer processing threshold is the lowest numerical floor among all comprehensive state privacy laws to date. Most states use 25,000 only in combination with a revenue-from-sale trigger; standalone processing thresholds elsewhere typically start at 35,000 (Delaware, Maryland), 50,000, or as high as 100,000 (Colorado, Connecticut, Minnesota, Oregon). In Alabama, a covered entity would need to process data on roughly 0.48 percent of the state’s population to trigger applicability—making the law one of the easiest to activate relative to state population size.

The revenue prong is equally distinctive. No other state applies its law whenever the 25 percent revenue threshold is met, regardless of how many individuals’ data is sold. Most states require that the business also process the data of at least 25,000 individuals before the sale-based trigger applies. Rep. Shaw explained that these thresholds emerged from extensive consultations with the attorney general’s office and stakeholders. “This bill was all about balance: Balancing Alabamians’ rights with the burden of regulation,” he said. “Balancing the need for enforcement with fairness. In this case we are balancing what other states are doing with the unique needs of Alabama.”

Legal experts note that the low thresholds could capture more mid-sized companies than similar laws in larger states, yet Alabama includes significant carve-outs. Businesses with fewer than 500 employees and nonprofit entities with fewer than 100 employees are exempt—unless they sell personal data. This small-business protection is broader than in many other states and reflects Shaw’s stated goal of keeping compliance practical.

Unique Exemptions for What Constitutes a “Sale” of Data

Alabama’s definition of a “sale” of personal data is narrower than in many comparable laws, and the bill includes two exemptions not found in any other state statute: disclosures or transfers of data for the purposes of “providing analytics services” or “providing marketing services solely to the controller.”

Under the bill, a sale occurs only when personal data is exchanged for valuable consideration and the third party is not restricted in its subsequent uses of the data. This “cash-only” approach with built-in restrictions on downstream use was a deliberate compromise, according to Shaw. He noted that a purely monetary definition risked creating loopholes, while a broader “valuable consideration” standard raised other compliance issues. “We tried to thread the needle a bit and find something that was broad enough to allow legitimate relationships with important partners without rendering large parts of the bill useless,” Shaw added, observing that other states’ approaches are “being tested in the wild.”

Starr Drum, a Polsinelli shareholder and privacy expert (CIPP/E, CIPM, FIP), highlighted the potential ambiguity these exemptions could create for businesses. “Sale is more narrowly defined than in some comparable laws since the valuable consideration in exchange for personal data component only encompasses situations where third parties are not restricted in subsequent uses of the personal data,” Drum said. “This is something businesses should be mindful of during contracting.”

These sale exemptions could significantly ease compliance burdens for companies that share data with analytics or marketing partners under contractual limits, distinguishing Alabama’s law from stricter regimes like California’s or Colorado’s, where such transfers are more likely to qualify as sales or sharing requiring opt-out rights.

Treatment of Children’s and Minors’ Data: Aligned with COPPA but with Teen Consent Requirements

Alabama’s approach to minors’ data largely follows the federal Children’s Online Privacy Protection Act (COPPA) standard, defining a “child” as anyone under age 13. This is narrower than several states that have expanded protections for teens. For example, California, Connecticut, and Virginia treat data of consumers aged 13–15 or 16 as sensitive in certain contexts and require opt-in consent or heightened safeguards.

The bill does, however, require verifiable parental or guardian consent before processing the personal data of 13- to 15-year-olds for targeted advertising or the sale of their data—aligning with a handful of other states but stopping short of broader age expansions. Shaw noted that the under-13 definition was not heavily debated during drafting, but he acknowledged the need for future coordination across laws. “In general, I’d want to avoid creating different age standards for different regulations, so expanding age would likely be part of a larger discussion,” he said.

This stance contrasts with Alabama’s separate App Store Accountability Act (passed earlier in 2026), which imposes age verification and parental consent requirements for app downloads by users under 18. The coexistence of these two laws could create layered compliance obligations for digital platforms operating in the state.

Comparison to Oklahoma and the Broader State Privacy Patchwork

Alabama joins Oklahoma as the second state to enact a comprehensive privacy law in 2026, yet the two statutes diverge in meaningful ways. Oklahoma’s Consumer Data Privacy Act (SB 546), signed by Governor Kevin Stitt on March 20, 2026, and effective January 1, 2027, follows the more traditional Virginia model. Its applicability thresholds are higher: controllers must process data of at least 100,000 Oklahoma consumers or 25,000 consumers while deriving more than 50 percent of revenue from sales. There is no standalone low processing threshold and no unique sale exemptions for analytics or marketing services.

Oklahoma’s law also includes a 30-day cure period (shorter than Alabama’s 45 days) and similar consumer rights—access, correction, deletion, opt-out of sale and targeted advertising—but lacks Alabama’s explicit small-business and nonprofit exemptions tied to employee count. Privacy advocates, including the Electronic Privacy Information Center (EPIC), have critiqued both laws as relatively business-friendly compared to stronger models in California or Colorado, noting limited enforcement mechanisms and no private right of action.

Across the 21-state patchwork, Alabama’s thresholds stand out as particularly inclusive for a smaller state, while its sale definition and exemptions tilt toward practicality. Most states require data-protection assessments for high-risk processing; Alabama does not. Enforcement remains exclusively with the attorney general, reinforced by a permanent (non-sunsetting) 45-day cure period—one of the longest and most defendant-friendly in the country.

These choices reflect Shaw’s philosophy: “We tried to thread the needle… to allow legitimate relationships with important partners without rendering large parts of the bill useless.”

Alabama Data Protection Law Implications for Residents & Businesses

The bill grants consumers standard rights to confirm processing, access, correct, delete, and obtain a copy of their data, plus the ability to opt out of targeted advertising and the sale of personal data. Controllers must limit collection to what is reasonably necessary, implement security safeguards, and provide clear privacy notices. Sensitive data processing generally requires consent.

For businesses, the combination of low thresholds with generous exemptions creates a mixed compliance picture. Mid-sized companies that process data on even modest numbers of Alabamians may need to review operations, while very small firms and nonprofits are largely shielded unless they monetize data directly. The permanent cure period and AG-only enforcement are viewed by supporters as fair and efficient, reducing frivolous litigation risk.

Critics, including Consumer Reports, have urged Governor Ivey to veto the bill, arguing that loopholes in sale and targeted-advertising definitions, broad carve-outs, and the absence of a universal opt-out or private right of action weaken consumer protections. “This legislation adopts a lowest-common-denominator approach to privacy that will not meaningfully protect consumers,” a Consumer Reports policy analyst stated recently.

Yet Shaw and supporters maintain the law achieves responsible protection without stifling economic activity. As the 21st state law, it adds further complexity to the national privacy patchwork, forcing multistate businesses to map yet another set of rules onto existing compliance programs.

What Comes Next for Alabama Businesses and Consumers

If the bill is signed, companies should begin gap assessments now, focusing on data inventories, sale determinations, and whether their employee count or revenue model brings them within scope. The 13-month implementation period provides breathing room, but early movers may gain a competitive advantage through transparent privacy practices.

For consumers, the law promises greater visibility and control over personal data, particularly around sales and targeted ads. Whether these protections deliver meaningful change will depend on enforcement and public awareness.

Alabama’s approach underscores a broader truth in the evolving U.S. privacy landscape: states continue to experiment with different balances between consumer rights and business realities. As Rep. Shaw emphasized, the goal was “common-sense” protection tailored to Alabama’s needs—practical, workable, and responsible. Time and enforcement will determine how well that balance holds.

Full 32 page legislature text from the State of Alabama 
