The APDPA grants consumers rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, profiling, and data sales. It requires companies to provide privacy notices, obtain consent before processing sensitive data categories like race, health, and biometrics, minimize data collection, and maintain reasonable security. Enforcement rests exclusively with the Alabama Attorney General, who must provide a 45-day cure period before imposing penalties. Violations carry fines up to $15,000 each. The law contains no private right of action.
The statute follows the national pattern of state-by-state privacy legislation amid stalled federal action. It mirrors Virginia and Connecticut models but includes business-friendly provisions: low applicability thresholds, broad small business exemptions, no requirement for universal opt-out mechanisms, no mandatory data protection impact assessments, and carveouts for pseudonymous advertising. With Alabama's addition, approximately 46 percent of the U.S. population now lives under comprehensive state privacy laws. Companies already compliant with other state regimes should review their data practices before the 2027 effective date.