Alabama Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Alabama governs consumer data privacy through two statutes: the Data Breach Notification Act of 2018 (Ala. Code 8-38-1) requiring breach notice within 45 days, and the Alabama Personal Data Protection Act (HB 351), signed April 17, 2026 and effective May 1, 2027, granting residents rights to access, correct, and delete personal data.

Alabama became the 21st state to enact a comprehensive consumer data privacy law when Governor Kay Ivey signed House Bill 351, the Alabama Personal Data Protection Act (ALDPA), on April 17, 2026. The legislature passed the bill unanimously: 104-0 in the House and 34-0 in the Senate on April 7, 2026. The law takes effect May 1, 2027.

Before that signing, Alabama's only dedicated data protection statute was the Data Breach Notification Act of 2018 (Ala. Code 8-38-1 through 8-38-12), which made Alabama the last of all 50 states to pass a breach notification law when Governor Ivey signed it on March 28, 2018. That law remains in force alongside the new ALDPA and continues to govern breach notification obligations.

This guide covers both laws in full, along with Alabama's Insurance Data Security Law (Ala. Code 27-62), key enforcement actions, federal laws that apply in Alabama, and practical steps for businesses and residents ahead of the May 2027 effective date.

Alabama also maintains criminal identity theft protections under the Consumer Identity Protection Act (Ala. Code 13A-8-190 through 13A-8-201) and a supplementary enforcement mechanism in the Alabama Deceptive Trade Practices Act (Ala. Code 8-19-1 et seq.).

The Alabama Personal Data Protection Act (ALDPA)

Governor Ivey signed HB 351 into law on April 17, 2026. The ALDPA is a comprehensive consumer privacy statute modeled on the controller-processor framework used in Virginia, Texas, and most other second-wave state privacy laws. It takes effect on May 1, 2027, giving businesses roughly a year to comply.

Who Must Comply

The ALDPA applies to any person that conducts business in Alabama or produces products or services targeted to Alabama residents, and that meets at least one of two thresholds:

• Controls or processes the personal data of more than 25,000 Alabama consumers in a calendar year (excluding data processed solely to complete a payment transaction); or
• Derives more than 25% of gross revenue from the sale of personal data, regardless of the number of consumers whose data is processed.

The 25,000-consumer threshold is the lowest numerical floor among all enacted state comprehensive privacy laws. The revenue-from-sales test also applies regardless of processing volume, a combination no other state law uses. Both factors will bring more businesses into scope than comparable state laws with higher thresholds.

Exemptions

The ALDPA exempts several categories of entities and data:

• Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
• HIPAA-covered entities and protected health information
• Higher education institutions
• Employee and business-to-business (B2B) data
• Small businesses with fewer than 500 employees that do not sell personal data
• Nonprofit organizations with fewer than 100 employees that do not sell personal data

The exemptions for small businesses and nonprofits are conditional: if the entity sells personal data, the exemptions do not apply. That is a meaningful distinction for data brokers organized as small businesses.

Consumer Rights Under the ALDPA

The ALDPA grants Alabama residents the following rights against controllers:

"Significant decisions" under the ALDPA are those that result in the provision or denial of critical services, including credit, lending, housing, insurance, education enrollment, employment, or healthcare. Consumers can opt out of profiling that feeds into those outcomes without any human review.

One notable absence: the ALDPA does not require controllers to recognize universal opt-out preference signals (such as the Global Privacy Control). A Senate amendment removed that requirement before final passage. Alabama consumers must submit individual opt-out requests; there is no automatic signal recognition as of the May 2027 effective date.

Sensitive Data

The ALDPA defines sensitive data to include:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
• Genetic or biometric data processed to uniquely identify an individual
• Personal data collected from a known child under age 13
• Precise geolocation data

Controllers must obtain consumer consent before processing sensitive data. For consumers between 13 and 15 years old, consent is required for targeted advertising and data sales.

Controller and Processor Obligations

Controllers (entities that determine the purpose and means of processing) must:

• Limit data collection to what is adequate, relevant, and reasonably necessary for the stated processing purpose (data minimization)
• Implement reasonable administrative, technical, and physical data security practices
• Establish a clear and accessible privacy notice describing what data is processed, why, with whom it is shared, and how consumers can exercise their rights
• Obtain consent before processing sensitive data
• Execute data processing agreements (DPAs) with processors that bind the processor to confidentiality, security, and processing-scope requirements
• Conduct and document data protection assessments (DPAs) for high-risk processing activities, including targeted advertising, data sales, sensitive data processing, profiling for significant decisions, and any processing that presents heightened risks

Consumers have 45 days to receive a response to a rights request. Controllers may extend that period by an additional 45 days with notice to the consumer.

Enforcement and Penalties

The Alabama Attorney General has exclusive enforcement authority under the ALDPA. There is no private right of action. Before filing suit, the Attorney General must issue a notice of violation and give the controller 45 days to cure. The cure period is permanent and does not sunset, which is more business-favorable than states that have eliminated or capped cure periods.

If a controller fails to cure within 45 days, or if the violation cannot be cured, the AG may seek civil penalties of up to $15,000 per violation. The ALDPA does not specify an aggregate cap per investigation or per incident, which means exposure can compound across multiple violations.

The law also authorizes the AG to seek injunctive relief, recover investigative costs, and seek reasonable attorney fees.

What the ALDPA Does Not Include

The ALDPA notably omits several features present in some other state privacy laws:

• No universal opt-out signal requirement (removed by Senate amendment)
• No data broker-specific registration or opt-out framework
• No private right of action for consumers
• No dedicated state privacy agency (enforcement stays with the AG)
• No specific requirements around automated decision-making transparency notices beyond the opt-out right

The Alabama Data Breach Notification Act of 2018

The Data Breach Notification Act (Ala. Code 8-38-1 through 8-38-12, Act 2018-396) took effect June 1, 2018. Governor Ivey signed Senate Bill 318 on March 28, 2018, after it passed both chambers unanimously: 101-0 in the House and 30-0 in the Senate. Alabama was the 50th and final state to enact a breach notification law.

The Act applies to any "covered entity" that acquires or uses sensitive personally identifying information (SPII), including corporations, nonprofits, government entities, sole proprietorships, and third-party agents who maintain or process data on behalf of covered entities.

What Is Sensitive Personally Identifying Information?

Under Ala. Code 8-38-2, SPII means an Alabama resident's first name or first initial plus last name combined with one or more of:

Information that has been effectively encrypted, truncated, or rendered unusable is excluded. If the encryption key itself was breached, the exclusion does not apply.

The Substantial Harm Standard

Alabama uses a "substantial harm" threshold: notification is required only when a covered entity determines, after a good-faith and prompt investigation, that the breach is reasonably likely to cause substantial harm to affected individuals. Entities that conclude no substantial harm is likely must document that finding in writing and retain it for at least five years.

This standard is more permissive than states requiring notification for any unauthorized access, regardless of likely injury.

Notification Timeline and Recipients

When substantial harm is reasonably likely, covered entities must notify:

1. Affected Alabama residents: Within 45 days of determining the breach occurred and is likely to cause substantial harm. Notice must describe the breach date (or estimated range), the SPII exposed, the steps taken to restore security, any free services offered (such as credit monitoring), and a contact for further questions.

2. The Alabama Attorney General: If more than 1,000 individuals are affected, written notice is due within 45 days. The AG maintains a breach notification reporting portal for submissions.

3. Consumer reporting agencies: If more than 1,000 individuals receive notice simultaneously, the covered entity must also notify all nationwide consumer reporting agencies (as defined under the FCRA) without unreasonable delay.

Substitute notice (website posting plus media coverage) is available when direct notice is not feasible due to cost exceeding $500,000, insufficient contact information, or the number of affected individuals exceeding 100,000.

Third-Party Agent Obligations

If a third-party agent determines that a breach has occurred involving data it holds on behalf of a covered entity, it must notify that covered entity within 10 days of determining a breach occurred or having reason to believe one occurred.

Penalties

The Alabama AG has exclusive enforcement authority. A covered entity that fails to timely notify faces civil penalties of up to $5,000 per consecutive day of noncompliance, capped at $500,000 per breach. There is no private right of action under the breach notification statute, though consumers may pursue claims under the Alabama Deceptive Trade Practices Act.

Record Disposal

Ala. Code 8-38-10 requires covered entities to take reasonable measures to dispose of records containing SPII when those records are no longer needed for legal or business purposes. Disposal must render the information unreadable or undecipherable by any reasonable means, consistent with industry standards. This applies equally to paper and electronic records.

Federal Exemptions

Entities already subject to federal breach notification requirements are exempt from the state Act under Ala. Code 8-38-11, provided they comply with applicable federal law and provide a copy of any required breach notice to the Alabama AG when more than 1,000 individuals are affected. This exemption primarily covers HIPAA-regulated entities and GLBA-regulated financial institutions.

Enforcement Actions

Blackbaud (October 2023)

Attorney General Steve Marshall announced Alabama's participation in a $49.5 million multistate settlement with Blackbaud, a cloud software company. A 2020 ransomware attack exposed sensitive data of millions of consumers at nonprofits and healthcare organizations worldwide. Alabama received $1.6 million from the settlement. The coalition found that Blackbaud failed to implement reasonable security measures and delayed providing accurate information about the scope of the breach to its customers.

Marriott (October 2024)

Alabama joined a coalition of state attorneys general in a $52 million multistate settlement with Marriott International, resolving claims arising from multiple data breaches between 2014 and 2018. The breaches collectively exposed the personal data of hundreds of millions of guests globally, including names, payment card numbers, passport numbers, and dates of birth.

Equifax (2019)

Alabama participated in the $600 million multistate settlement with Equifax following the 2017 breach that exposed the personal and financial data of approximately 147 million Americans.

Alabama Insurance Data Security Law

The Alabama Insurance Data Security Law (Ala. Code 27-62, Act No. 2019-98) was enacted in 2019 and modeled on the NAIC Insurance Data Security Model Law. It applies to insurance licensees regulated by the Alabama Department of Insurance.

Key obligations include:

• Implementing and maintaining a written information security program based on a risk assessment
• Exercising due diligence in selecting and overseeing service providers
• Developing a written incident response plan covering roles, responsibilities, remediation steps, and documentation
• Notifying the Commissioner of Insurance within three business days of determining a cybersecurity event has occurred
• Retaining documentation of cybersecurity events for at least five years

Licensees domiciled in Alabama must certify compliance in writing annually. Licensees subject to HIPAA that maintain a compliant information security program are deemed to meet the Insurance Data Security Law's requirements, provided they submit a written certification.

Alabama Consumer Identity Protection Act

The Consumer Identity Protection Act (Ala. Code 13A-8-190 through 13A-8-201) makes identity theft a criminal offense. Knowingly using another person's identifying information without authorization and with intent to defraud is a Class C felony when the value of the financial benefit obtained or attempted exceeds $500. Trafficking in stolen identities (possessing identifying information of three or more persons with intent to defraud) is also a Class C felony.

The Act includes restitution provisions, court orders to correct records, and mechanisms to block false information on credit reports.

Alabama Deceptive Trade Practices Act

The Alabama Deceptive Trade Practices Act (Ala. Code 8-19-1 et seq.) prohibits deceptive or unconscionable acts in trade or commerce. While not a dedicated privacy statute, it applies to misleading privacy policy claims, false representations about data security, and failure to honor disclosed privacy commitments.

Unlike the breach notification statute, the Deceptive Trade Practices Act provides a private right of action for consumers. The Attorney General and district attorneys can also seek injunctive relief and civil penalties.

Alabama Wiretap Law and Recording Consent

Alabama follows a one-party consent standard for recording conversations under Ala. Code 13A-11-30 et seq. A person may lawfully record a conversation in which they are a participant, or with the consent of at least one party. Recording a conversation without any party's consent is a criminal violation. For more detail, see the Alabama Recording Laws page.

Federal Laws That Apply in Alabama

Because the ALDPA does not take effect until May 1, 2027, and because it exempts significant sectors, federal law remains a critical layer of privacy protection for Alabama residents.

HIPAA

The Health Insurance Portability and Accountability Act applies to covered entities (healthcare providers, health plans, health clearinghouses) and their business associates. The HIPAA Privacy Rule governs the use and disclosure of protected health information. The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and (for breaches affecting 500+ residents of a state) the media within 60 days of discovering a breach.

GLBA

The Gramm-Leach-Bliley Act applies to financial institutions and requires them to explain data sharing practices, safeguard consumer financial information, and protect nonpublic personal information (NPI). The FTC's updated Safeguards Rule (effective June 9, 2023) strengthened technical security requirements for GLBA-covered entities.

FCRA

The Fair Credit Reporting Act governs consumer reporting agencies and the use of consumer credit information. Alabama residents can dispute inaccurate information in their credit files, place security freezes, and request free annual credit reports under the FCRA and FACTA.

COPPA

The Children's Online Privacy Protection Act requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting personal information. The FTC enforces COPPA and has issued substantial penalties for violations.

FTC Act Section 5

The FTC's authority under Section 5 of the FTC Act to prohibit unfair or deceptive practices applies broadly to data security failures and misleading privacy representations. Companies that fail to implement reasonable security measures or make false statements in privacy policies have faced FTC enforcement, consent orders, and in some cases civil penalties.

TAKE IT DOWN Act (2025)

The TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025) created a federal criminal prohibition on nonconsensual intimate images (NCII), including AI-generated deepfakes. Section 2 (criminal prohibition) took effect immediately upon signing. Section 3 (platform obligations) became enforceable by the FTC on May 19, 2026. Covered platforms now must provide a process for removal requests and remove qualifying content within 48 hours of a valid request. Violations are subject to FTC civil penalties of up to $53,088 per violation. Alabama residents who are victims of NCII can report noncompliant platforms at TakeItDown.ftc.gov.

APRA Status

The American Privacy Rights Act (APRA), a bipartisan federal comprehensive privacy bill, was introduced in 2024 but did not pass. A revised version (sometimes called APRA 2.0) was introduced in 2025. As of May 2026, no federal comprehensive privacy law has been enacted.

How Alabama Compares to Other States

With the ALDPA signed, Alabama joins a growing majority of states with comprehensive privacy protections. Several distinctions stand out:

Lower threshold: The 25,000-consumer threshold is the lowest of any enacted state comprehensive privacy law, meaning even mid-sized businesses targeting Alabama residents will likely be covered.

No universal opt-out signal: Most states enacted after 2023 require controllers to honor browser-based opt-out signals like the Global Privacy Control. Alabama does not.

Permanent cure period: The 45-day cure period does not sunset. States like Virginia and Connecticut have moved toward eliminating or limiting cure periods. Alabama's permanent cure period is among the most business-favorable provisions in the class of 2026 privacy laws.

No private right of action: Only the AG can sue. Individual residents cannot bring civil claims under the ALDPA, unlike California residents under the CCPA's limited private right for data breaches.

AG-only enforcement: Similar to Virginia, Texas, Indiana, and most other states outside California.

For comparison with laws in other states, see the Data Privacy Laws hub.

Compliance Steps for Businesses

For businesses that will be subject to the ALDPA by May 1, 2027:

1. Determine if the law applies: Assess whether you process data of more than 25,000 Alabama consumers, or whether more than 25% of gross revenue comes from data sales.

2. Conduct a data inventory: Map what personal data you collect, why, and where it goes. This is the foundation for data minimization compliance and required data protection assessments.

3. Update privacy notices: The ALDPA requires clear disclosure of processing purposes, data categories, third-party sharing, and consumer rights.

4. Build a rights-request process: Establish a mechanism to receive and respond to access, correction, deletion, portability, and opt-out requests within the 45-day window.

5. Audit data processing agreements: Ensure all processors you work with have executed DPAs meeting the ALDPA's requirements.

6. Complete data protection assessments: Document assessments for targeted advertising, data sales, sensitive data processing, profiling, and any processing presenting heightened risk.

7. Verify breach notification procedures: The Data Breach Notification Act is already in force. Confirm you have a 45-day notification workflow and a mechanism to report to the AG when more than 1,000 residents are affected.

8. Check Insurance Data Security compliance: If you hold an Alabama insurance license, verify your written information security program and incident response plan meet Ala. Code 27-62.

How Alabama Residents Can Exercise Rights

Until May 1, 2027, the ALDPA consumer rights are not yet enforceable. After that date, residents can:

• Submit rights requests directly to controllers through their designated privacy channels (typically a web form or email address listed in the privacy policy)
• Expect a response within 45 days, with up to a 45-day extension
• File a complaint with the Alabama Attorney General's Consumer Protection Section if a controller fails to honor a request

Currently enforceable rights:

• Data breach notification: Report a breach notification failure to the AG's office
• Credit file rights: Request a free credit freeze or dispute inaccurate data with Equifax, Experian, and TransUnion under the FCRA
• HIPAA complaints: File with the HHS Office for Civil Rights
• NCII removal: Report noncompliant platforms to the FTC at TakeItDown.ftc.gov
• FTC complaints: File at ReportFraud.ftc.gov for deceptive privacy practices

For recording laws and wiretap consent in Alabama, see Alabama Recording Laws. For data privacy laws across all states, visit the Data Privacy Laws hub.

More Alabama Laws

• Alabama AI Meeting Recording Laws
• Alabama Alimony Laws
• Alabama At-Will Employment Laws
• Alabama Car Accident Laws
• Alabama Car Seat Laws
• Alabama Child Custody Laws
• Alabama Child Support Laws
• Alabama Common Law Marriage Laws
• Alabama Deepfake Laws
• Alabama Divorce Laws
• Alabama Dog Bite Laws
• Alabama Emancipation Laws
• Alabama Expungement Laws
• Alabama Hit and Run Laws
• Alabama Landlord-Tenant Laws
• Alabama Lemon Laws

This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney licensed in Alabama for guidance on your specific situation. Laws and regulations may change; verify all information with official state sources.