
Alabama Privacy Law: A Business-Friendly Variation on a Familiar Model

Alabama’s House Bill 351 (HB 351), also known as the Alabama Personal Data Protection Act, has seamlessly cleared the state legislature and now awaits the governor’s signature, with an effective date of May 1, 2027. As the 21st comprehensive state privacy law, the bill is comparatively lighter and somewhat business-friendly in its requirements. However, it remains important for Alabama (or any of the remaining states, for that matter) to enact privacy laws, even with lighter requirements. In practice, while some organizations extend privacy rights uniformly across the U.S., others limit such protections to jurisdictions where they are legally required.

The Alabama privacy bill is expected to reduce the compliance burden while preserving baseline consumer rights. Let us look at the bill’s unique provisions and what businesses should expect going forward.

Virginia, But Make It Alabama

HB 351 largely follows the Virginia Consumer Data Protection Act (VCDPA) model in its basic consumer rights (access, correction, deletion). However, some novelties are designed to be business-friendly and unique to Alabama’s legislative alignment.

Here are some of the provisions that make the bill structurally consistent with Virginia’s framework:

  • Consumer Rights: Like Virginia’s law, HB 351 gives individuals core control over their data: the ability to confirm whether a business is processing it, correct inaccuracies, request deletion, and opt out of targeted advertising or certain profiling.
  • Enforcement: Enforcement is centralized with the Alabama Attorney General, meaning individuals cannot sue companies directly. This significantly lowers litigation risk for businesses compared to laws with private rights of action.
  • Sensitive Data: Businesses must obtain opt-in consent before processing sensitive data (e.g., biometrics, precise location). This aligns with Virginia’s stricter stance versus opt-out models but remains operationally manageable for companies.

Here are the points where the act departs from Virginia and other states:

  • Broad “Sale” Exemptions: Alabama adopts a more flexible approach to what constitutes a “sale” of personal data, carving out certain data-sharing activities (e.g., disclosures to service providers for business purposes). This narrows the scope of regulated “sales,” reducing compliance obligations such as opt-out rights and contractual requirements.
  • Lower but “Harder” Applicability Threshold: While the law applies to businesses processing data of 25,000 consumers (the lowest threshold in the U.S.), this represents a relatively higher proportion of Alabama’s population (~4.8%). As a result, many smaller or regional businesses are less likely to fall within scope compared to similarly structured laws in more populous states.
  • Permanent Right to Cure: The bill provides a 45-day cure period for violations that does not sunset. This gives businesses an ongoing opportunity to remediate compliance issues before enforcement action is taken, in contrast to other states that have phased out cure periods over time.
  • No Data Protection Impact Assessment (DPIA) Requirement: Unlike several peer state privacy laws, Alabama does not require businesses to conduct formal data protection impact assessments for high-risk processing activities, significantly reducing ongoing compliance and documentation burdens.

Lighter Law, Smarter Compliance

Alabama’s privacy law offers a framework that seeks to uphold baseline consumer privacy rights while minimizing operational and enforcement burdens on businesses. Here is how businesses must prepare for it:

  • Assess Applicability and Data Scope: Businesses should determine whether they meet the 25,000-consumer threshold and map what personal data they collect, process, and share. Even if unlikely to be in scope, documenting data flows early will simplify compliance if thresholds are met in the future.
  • Review and Update Privacy Disclosures: Update privacy notices to clearly reflect data collection practices, consumer rights, and opt-out mechanisms. Ensure disclosures align with Alabama-specific definitions, particularly around what constitutes a “sale” and permitted data-sharing activities.
  • Implement Consumer Rights Processes: Establish internal workflows to handle access, deletion, and opt-out requests within required timelines. This includes setting up request intake channels, identity verification processes, and response tracking.
  • Leverage Vendor and Data-Sharing Flexibility: Review vendor agreements and data-sharing arrangements to align with Alabama’s broader “sale” exemptions. Businesses can optimize existing partnerships while ensuring contractual safeguards are still in place.
  • Build a Cure-First Compliance Approach: Given the permanent 45-day cure period, organizations should implement monitoring and escalation processes to quickly identify and remediate potential violations before enforcement risk arises.
  • Adopt Risk-Based Governance (Even Without DPIAs): Although DPIAs are not required, businesses should still adopt a lightweight, risk-based approach to evaluating high-risk processing (e.g., profiling, sensitive data use) to mitigate legal and reputational risks.

Beyond the Standard Template

Alabama’s HB 351 adopts a familiar, rights-based framework and carefully calibrates the burden on businesses. By borrowing heavily from the Virginia model and layering in business-friendly modifications, the law ensures that even the less inclined businesses extend data privacy rights to their customers. For businesses, this means compliance is not optional, but it is more manageable. Organizations that take a proactive, structured approach now will be well-positioned to navigate Alabama’s requirements without significant disruption, while still meeting evolving expectations around data privacy.


Author

Dan Clarke
President, Truyo
April 15, 2026
