Alabama Privacy Law: What to Know About the Alabama Personal Data Protection Act (HB 351)
Alabama has been one of the few remaining large US states without a comprehensive consumer data privacy law. In 2026, the state legislature made its most serious attempt to change that with HB 351, the Alabama Personal Data Protection Act. The bill passed the Alabama House and advanced through Senate committee with amendments — but the Alabama Regular Session ended on March 27, 2026, and the bill\'s final fate remains uncertain as of this writing.
Whether HB 351 was enacted in the final days of the session or will be reintroduced in 2027, understanding its provisions is important for businesses operating in or targeting Alabama consumers. Here\'s what you need to know.
Current Status of HB 351
As of late March 2026, here is the bill\'s timeline:
- House passage: HB 351 passed the Alabama House of Representatives with bipartisan support in February 2026
- Senate committee: The bill was amended in the Senate Judiciary Committee and voted out of committee
- Senate floor: The bill needed a full Senate vote before the session closed on March 27, 2026
- Final status: Uncertain — the bill may have been passed in the final days or may have died without a floor vote
If HB 351 was signed by Governor Kay Ivey, it would take effect on May 1, 2027, making Alabama the 22nd state (or later, depending on other states enacting laws) with a comprehensive consumer data privacy law. If the bill died, it is widely expected to be reintroduced in the 2027 legislative session.
Note: We will update this article as soon as the final status is confirmed. Use our Privacy Law Calculator to check which state laws currently apply to your business.
Who Would the Alabama Privacy Law Apply To?
HB 351 follows the standard model used by many state privacy laws. It would apply to businesses that:
- Conduct business in Alabama or produce products or services targeted to Alabama residents, AND
- During a calendar year, control or process the personal data of at least 25,000 consumers, OR
- Derive over 25% of gross revenue from the sale of personal data and control or process data of at least 25,000 consumers
This threshold is similar to Virginia, Utah, and Oklahoma — placing Alabama in the moderate tier of state privacy laws. Compare this with California, which also has a $25 million revenue threshold, or Maryland, which has no revenue or consumer-count threshold at all.
Exemptions
Like most state privacy laws, HB 351 includes broad exemptions for:
- Government entities
- Nonprofits
- Higher education institutions
- Data regulated under HIPAA, GLBA, FCRA, FERPA, and other federal frameworks
- Employment and B2B data (following the majority of states)
The Senate amendments reportedly added further exemptions, though the exact text of the amended version has not been widely published as of this writing.
Consumer Rights Under HB 351
The Alabama bill would grant consumers a standard set of data privacy rights:
| Right | Description |
|---|---|
| Right to Know | Confirm whether a controller is processing your personal data |
| Right to Access | Obtain a copy of your personal data in a portable format |
| Right to Correct | Correct inaccuracies in your personal data |
| Right to Delete | Request deletion of personal data provided by or obtained about you |
| Right to Opt Out | Opt out of targeted advertising, sale of personal data, and profiling |
These rights closely mirror those found in Virginia\'s VCDPA, Connecticut\'s CTDPA, and other states that follow the "standard model" pattern. Use our comparison tool to see how these rights stack up across all 21 existing state privacy laws.
Key Provisions and Senate Amendments
Enforcement
HB 351 would be enforced exclusively by the Alabama Attorney General. There is no private right of action — meaning individual consumers cannot sue businesses directly for violations. This follows the approach taken by most state privacy laws (with the partial exception of California, which allows limited private lawsuits for data breaches).
Cure Period
The bill includes a 30-day cure period, meaning businesses would receive notice of an alleged violation and have 30 days to fix the issue before the AG can pursue enforcement. This is standard for newer state privacy laws, though several states (California, Maryland, Oregon) have either eliminated or sunset their cure periods.
Opt-Out Preference Signals
One notable change from the Senate amendments: the requirement for businesses to honor opt-out preference signals (like Global Privacy Control) was reportedly removed. This places Alabama behind states like California, Colorado, Connecticut, Montana, Texas, and Delaware, which all require recognition of universal opt-out mechanisms. If you operate in multiple states, you should still implement GPC recognition — use our GPC Compliance Checker to determine your obligations.
Data Protection Assessments
The bill would require controllers to conduct data protection assessments for processing activities that present a heightened risk of harm, including targeted advertising, sale of personal data, processing of sensitive data, and profiling.
How Alabama Compares to Other State Privacy Laws
If enacted, Alabama\'s law would fall into the moderate "Virginia model" tier of state privacy laws. Here\'s how it compares:
| Feature | Alabama (HB 351) | Virginia | California | Oklahoma |
|---|---|---|---|---|
| Consumer threshold | 25,000 | 100,000 | None (revenue-based) | 100,000 |
| Revenue threshold | 25% from data sales | 25% + 25K consumers | $25M | 25% + 25K consumers |
| Private right of action | No | No | Limited (breaches) | No |
| Cure period | 30 days | 30 days (sunsets 2025) | None | 30 days |
| Opt-out preference signals | Not required | Not required | Required (GPC) | Not required |
The lower consumer threshold of 25,000 (compared to Virginia\'s 100,000) means more businesses would be covered under Alabama\'s law. However, the removal of opt-out preference signal requirements and the 30-day cure period make it less consumer-friendly than California or Maryland.
What Businesses Should Do Now
Regardless of whether HB 351 was enacted in this session, businesses should prepare:
- Monitor the final status — check our tracker of how many states have privacy laws for updates
- Assess your Alabama exposure — if you collect data from Alabama consumers, use our calculator to understand your potential obligations
- Review your compliance program — if you already comply with Virginia, Connecticut, or other standard-model laws, Alabama compliance will be straightforward
- Plan for 2027 enactment — even if the bill died in 2026, expect it to return. Businesses have time to prepare
Alabama joins a growing list of states that have either enacted or actively considered comprehensive privacy legislation. With six new state privacy laws taking effect in 2026 and more bills advancing, the US is steadily moving toward a patchwork of state-level privacy regulations that businesses must navigate.
Frequently Asked Questions
Did Alabama pass a privacy law in 2026?
HB 351, the Alabama Personal Data Protection Act, passed the Alabama House and advanced through Senate committee with amendments. The Alabama Regular Session ended on March 27, 2026. As of late March 2026, the final status — whether the bill received a full Senate vote and was signed by Governor Ivey — has not been widely confirmed. We will update this article when the final status is known.
When would the Alabama privacy law take effect?
If HB 351 was enacted, it would take effect on May 1, 2027, giving businesses approximately one year to prepare for compliance.
Does the Alabama privacy law require businesses to honor Global Privacy Control (GPC)?
No. The Senate amendments to HB 351 reportedly removed the requirement for businesses to recognize opt-out preference signals like GPC. However, if you operate in states that do require GPC recognition — such as California, Colorado, Connecticut, or Montana — you should implement GPC support regardless. Use our GPC Compliance Checker to see which states require it.
How is the Alabama privacy law enforced?
HB 351 provides for enforcement exclusively by the Alabama Attorney General. There is no private right of action, meaning individual consumers cannot file lawsuits against businesses for privacy violations. Businesses would receive a 30-day cure period to fix any alleged violations before the AG can pursue penalties.
How many states now have comprehensive privacy laws?
As of March 2026, 21 states have enacted comprehensive consumer data privacy laws (including Oklahoma, which was signed in March 2026). If Alabama\'s HB 351 was enacted, it would be the 22nd. See our full list on the state privacy law map and our article on how many states have data privacy laws.
Last updated: March 29, 2026.Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.