The statute's scope is notably broad. It covers any business targeting Alabama residents that processes data on more than 25,000 consumers—excluding payment transactions—or derives more than 25 percent of revenue from data sales regardless of consumer volume. The Attorney General holds exclusive enforcement authority, with a 45-day cure period before penalties of up to $15,000 per violation. Notably absent are requirements for data protection impact assessments, support for universal opt-out signals, or a private right of action for consumers. The law exempts small businesses, nonprofits without data sales, HIPAA-covered health information, and payment-only processors.
The Alabama Legislature passed the bill unanimously: 104-0 in the House and 34-0 in the Senate on April 7, 2026. The law reflects a business-friendly approach—for instance, pseudonymous ad data is exempt from opt-out requirements, and only consumers aged 13-15 need consent for targeted ads and sales. With Alabama now covering roughly 46 percent of the U.S. population under state privacy laws, the patchwork of state regulation continues to expand amid federal inaction. Attorneys should prioritize updating privacy notices and establishing consumer rights processes before the May 2027 deadline, particularly given the statute's low applicability thresholds.