Alabama Personal Data Protection Act: 4 Essential Facts Every Owner Must Know

May 2026
Alabama Privacy Law: the Alabama Personal Data Protection Act, and what Gulf Coast business owners need to know before May 2027

By: Jordan Gerheim, CEO – Outside Chief Legal LLC

Alabama Just Passed a Consumer Privacy Law. Here Is What Gulf Coast Business Owners Need to Know Before 2027.

On April 17, 2026, Governor Kay Ivey signed the Alabama Personal Data Protection Act into law, making Alabama the twenty‑first state in the country to pass a comprehensive consumer privacy law. The law does not take effect until May 1, 2027, which means business owners still have time to understand what it requires. That time is worth using.

The law sets rules around how businesses collect, store, use, and share personal data belonging to Alabama residents. It gives consumers specific rights over their information and places compliance obligations on the businesses that handle that data. Whether it applies to your business depends on a few specific thresholds, and the answer matters because violations can carry civil penalties of up to $15,000 per violation.

Here is a plain‑English breakdown of what the law does, how to tell whether it covers your business, and what you can do now to get ahead of it.

Who the Law Actually Covers and Where Small Businesses Stand

The Alabama Personal Data Protection Act applies to businesses that conduct business in Alabama, or that target products or services to Alabama residents, and that meet at least one of two thresholds. The first threshold is processing or controlling the personal data of more than 25,000 Alabama consumers in a year, not counting data collected solely to complete a payment transaction. The second threshold is deriving more than 25 percent of gross revenue from the sale of personal data, regardless of how many consumers are involved.

The 25,000-consumer threshold is notably lower than what most other state privacy laws use. Several states set their threshold at 100,000 consumers. Alabama set it at 25,000, which pulls in a broader set of businesses, including smaller companies that collect customer data through websites, loyalty programs, email lists, or digital marketing.

Here is the exemption that matters most for Gulf Coast small businesses: the law carves out for-profit businesses with fewer than 500 employees, provided they do not sell personal data. If your business has fewer than 500 employees and you do not sell customer data to third parties, the APDPA likely does not apply to you. That said, "sell" has a specific definition under this law, and it is worth understanding that definition before you conclude you are exempt.

The law defines the sale of personal data as an exchange for monetary or other valuable consideration, where the controller receives a material benefit and the third party receiving the data is not restricted in how it can use that data going forward. This definition is narrower than what some other states use. Sharing data with a marketing or analytics vendor that is only using that data to serve your business does not count as a sale under Alabama’s law. But sharing or transferring customer data to a third party that can then use it however it wants, in exchange for something of real value to your business, likely does.

A practical example: a Gulf Coast retailer runs a customer loyalty program. The retailer collects names, email addresses, purchase histories, and location data. The retailer then shares some of that data with a marketing platform that sells audience segments to other advertisers. Depending on the terms of that arrangement and whether the retailer receives meaningful compensation, that data‑sharing relationship could qualify as a sale under the APDPA. The retailer would need to check three things: whether it processes or controls the personal data of more than 25,000 Alabama consumers in a year, whether it has fewer than 500 employees, and whether the data‑sharing arrangement crosses the line into a covered sale. The third check matters most, because a covered sale would cost the retailer the small‑business exemption even if it stays under 500 employees.

What the Law Requires If It Applies to Your Business

If the APDPA does apply to your business, the obligations fall into four main areas: consumer rights, privacy notices, vendor contracts, and data-handling practices for sensitive information.

On the consumer rights side, Alabama residents will have the right to access the personal data a business holds about them, request corrections, ask for deletion, and obtain a portable copy of their data. They will also have the right to opt out of targeted advertising and the sale of their personal data. Businesses covered by the law need to have a process in place to receive and respond to those requests within the required timelines.

Privacy notices are required. Covered businesses must post reasonably clear and accessible privacy notices on their websites that disclose what categories of personal data they collect, why they collect it, and what categories of data they share with third parties. If your business processes personal data for targeted advertising or sells personal data, you are required to include a clear and visible link on your website where consumers can opt out. That link needs to lead to a page where they can actually complete the opt‑out, not to a contact form or a general privacy policy page.

Vendor contracts are another specific requirement. If your business uses outside companies to process personal data on your behalf, the APDPA requires a written contract that governs what the processor can do with that data. This is not a new concept for businesses that already have data‑processing agreements in place, but for many Gulf Coast businesses that have informal or loosely written arrangements with their software vendors, marketing platforms, or IT providers, this is a gap worth closing.

Sensitive data carries extra obligations. The law identifies specific categories of information that require consumer consent before processing: data revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, immigration status, biometric data, precise geolocation, and personal data collected from children under 13. If your business collects any of these categories, consent is required before you process that data for any purpose covered by the law.

There is one notable difference from other state privacy laws: Alabama’s APDPA does not require data‑protection impact assessments. Several other state laws require businesses to formally document their risk analysis when processing data for targeted advertising, profiling, or other higher‑risk activities. Alabama removed that requirement before the bill was finalized, which reduces the administrative load for covered businesses compared to what compliance looks like in states such as Colorado or Connecticut.

How to Use the Time Between Now and May 2027

The law takes effect in about a year. That is enough time to get ready without rushing, but not enough time to put it off indefinitely. Here is how to think about the next twelve months.

The first step is determining whether the law applies to your business at all. That means looking at three things: how many Alabama consumers' personal data your business processes or controls in a year (excluding data collected solely to complete a payment transaction), how many employees your business has, and whether any of your current data‑sharing arrangements could qualify as a sale under the APDPA's specific definition or push sale revenue past 25 percent of gross revenue. For businesses close to the 25,000‑consumer threshold, that analysis is worth doing carefully, because the small‑business exemption protects you only if both of its conditions hold: fewer than 500 employees and no sale of personal data.

If the law applies, the next step is a review of your current privacy notice and website. Most small-business privacy policies were written for a general audience and have not been updated to reflect any specific state law. Alabama’s APDPA requires specific disclosures, and the opt-out mechanism for targeted advertising and data sales needs to be functional and visible, not buried.

From there, vendor contracts and data‑processing agreements with your software and marketing providers need to be reviewed. Any arrangement where a third party handles personal data on your behalf needs a written agreement that sets out what the third party can and cannot do with that data. If those agreements do not already exist or have not been updated in several years, getting them in order before the law takes effect is the right move.

Here is what poor preparation looks like in practice: a midsize Gulf Coast e‑commerce business waits until the spring of 2027 to look at its data practices. The business discovers that a loyalty program vendor it has been using for three years has been reselling aggregated customer data to third‑party marketers, and the original vendor agreement is silent on that practice. Bringing that arrangement into compliance by the May 1 deadline requires renegotiating the vendor contract, updating the privacy notice, adding an opt‑out mechanism to the website, and reviewing all historical data flows. That is a significant project handled under deadline pressure. Starting that same review now would take a fraction of the time and cost.

On the enforcement side, there is no private right of action under the APDPA, meaning individual consumers cannot sue your business directly. Only the Alabama Attorney General can bring an enforcement action. The law also includes a mandatory 45‑day cure period, which means the Attorney General is required to give you notice of a violation and an opportunity to fix it before moving to court. That is a business‑friendly feature, but it does not eliminate the risk. Penalties of up to $15,000 per violation are real, and reputational damage from an Attorney General investigation is not something a Gulf Coast business wants to manage publicly.

A Good Starting Point

The APDPA is new enough that many Alabama businesses have not looked at it yet. Getting a clear answer on whether it applies to your business, and what the right steps are if it does, is a straightforward conversation that does not require a major legal project to start.

A Risk-Free Strategy Session is a good way to get that answer. We sit down with you, look at your business, and give you a plain-English read on where you stand under the APDPA and what any required changes actually look like in practice. No obligation, no pressure, just a useful conversation before the clock starts running.

No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers.


Outside Chief Legal LLC is a modern, forward-thinking law firm serving as fractional chief legal officers and outside general counsel for businesses and their owners. With over 200 years of combined litigation, in-house, general counsel, and administrative legal experience, the firm delivers approachable, comprehensive counsel that blends legal expertise with practical business insight to help clients navigate ownership complexities with confidence. OCL is a trusted partner for founders, business owners, and leadership teams nationwide. Learn more about our firm, meet our team, or schedule a Risk-Free Strategy Session to talk with an attorney about how we can help your company.