State Privacy Laws: Alabama
A summary of privacy laws in Alabama.
Overview
The Alabama Personal Data Protection Act (APDPA) makes Alabama one of the states to adopt a comprehensive consumer data privacy law in 2026. The APDPA follows the pattern established by the majority of state privacy frameworks and does not introduce provisions that meaningfully depart from the existing state privacy consensus. For organizations already compliant with laws like Virginia's VCDPA or Colorado's CPA, Alabama's requirements are unlikely to demand significant new operational changes, though its 25,000-consumer threshold is among the lowest in the country, bringing more mid-sized businesses into scope.
Key Dates
- Signed into law: April 16, 2026
- Effective date: May 1, 2027
Thresholds
The APDPA applies to entities that conduct business in Alabama, or produce products or services targeted to Alabama residents, and meet at least one of the following:
- control or process the personal data of more than 25,000 consumers (excluding data processed solely to complete a payment transaction); or
- derive more than 25% of gross revenue from the sale of personal data.
Consumer Rights
- The right to confirm whether a controller is processing their personal data and to access that data.
- The right to correct inaccuracies in their personal data.
- The right to delete their personal data.
- The right to obtain a portable copy of their personal data.
- The right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Sensitive Data
The law defines sensitive data to include personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- A mental or physical health condition or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Personal data collected from a known child (under 13 years of age)
- Precise geolocation data
Penalties
Violations are enforced exclusively by the Alabama Attorney General, with civil penalties of up to $15,000 per violation. There is no private right of action. A 45-day right to cure applies and does not sunset.
Configure Your Consent Banner for APDPA
Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. APDPA in Alabama). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like APDPA in Alabama).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Advanced
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.
While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions, only adding additional regions for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.
Global Privacy Laws: Singapore PDPA
The Personal Data Protection Act (PDPA) is Singapore’s comprehensive data protection regulation, broadly aligning with global privacy standards. It aims to regulate personal data processing, protect individuals’ privacy and fundamental rights, and provide legal certainty for data handling.
State Privacy Laws: California
A summary of privacy laws in California.