Alabama

Passed Date: April 7, 2026
Effective Date: May 1, 2027
Right to Know in Alabama: Yes
Right to Delete in Alabama: Yes
Right to Opt Out of Sales in Alabama: Yes
Right to Correct in Alabama: Yes
Right to Non-Discrimination in Alabama: Yes
Authorized Agent in Alabama: No

What the APDPA does for you

Under the Alabama Personal Data Protection Act (APDPA), you have the right to know what personal data companies collect about you, correct inaccuracies, request deletion, obtain a portable copy, and opt out of the sale of your data, targeted advertising, and automated profiling decisions. These rights apply to Alabama residents dealing with covered businesses. The law takes effect May 1, 2027.

Your rights under the APDPA

Right to Know

You can ask a company whether it is processing your personal data and request access to that data. The company must respond within 45 days (with a possible 45-day extension) and provide information free of charge once per 12-month period.

Exceptions: Does not apply if confirming or providing access would require the controller to reveal a trade secret; Does not apply to deidentified or publicly available information; Does not apply to certain categories of data exempt under federal law (e.g., HIPAA, FCRA, FERPA).

Source: HB351 § 5(a)(1)

Right to Delete

You can ask a company to delete your personal data. The company must honor authenticated deletion requests within 45 days (with a possible 45-day extension).

Exceptions: Does not apply if the controller obtained the data from a source other than you and the controller retains only a minimal record needed to ensure your data stays deleted; Does not apply to data needed to comply with a legal obligation; Does not apply to data needed to complete a transaction you requested; Does not apply to deidentified data; Does not apply if retaining data is required by law or contract.

Source: HB351 § 5(a)(3), § 5(d)(5)

Right to Correct

You can ask a company to fix inaccuracies in your personal data, taking into account the nature of the data and why it's being processed.

Exceptions: Does not apply to deidentified or publicly available information.

Source: HB351 § 5(a)(2)

Right to Opt Out of Sales

You can tell a company to stop selling your personal data to third parties. Companies that sell personal data must provide a clear and conspicuous link on their website so you can opt out.

Exceptions: Does not apply to transfers to processors acting on the controller's behalf; Does not apply to disclosures necessary to provide a service you requested; Does not apply to transfers to affiliates of the controller; Does not apply to transfers in a merger or acquisition context; Does not apply to transfers for analytics or marketing services solely to the controller.

Source: HB351 § 5(a)(5)(b), § 6(b)

Right to Opt Out of Processing

You can opt out of having your personal data used for targeted advertising — meaning ads selected based on your activity across different websites or apps over time.

Exceptions: Does not apply to ads based on activity within the controller's own website or app; Does not apply to ads based on your current search query or website visit; Does not apply to ads shown in direct response to your request for information; Does not apply to processing solely to measure or report advertising performance.

Source: HB351 § 5(a)(5)(a), § 6(b)

Right to Opt Out of Automated Decisions

You can opt out of profiling when it is used in solely automated decisions that have significant effects on you, such as decisions about credit, housing, insurance, employment, education, criminal justice, healthcare, or access to basic necessities.

Exceptions: Only applies to solely automated processing — not decisions that include meaningful human review; Only applies when profiling is used to further significant decisions as defined by the statute.

Source: HB351 § 5(a)(5)(c), § 2(22)

Right to Data Portability

You can request a copy of the personal data you previously provided to a company in a portable, machine-readable format so you can transfer it to another company.

Exceptions: Only applies to data you previously provided to the controller; Only applies when processing is carried out by automated means; Does not apply if providing the data would require the controller to reveal a trade secret.

Source: HB351 § 5(a)(4)

Right to Non-Discrimination

A company cannot deny you goods or services, charge you different prices, or give you a lower quality of service simply because you exercised your privacy rights.

Exceptions: A company does not have to provide a service that requires data processing if you opt out of that processing; Companies may offer different prices or features through bona fide loyalty, rewards, premium features, discount, or club card programs you voluntarily join.

Source: HB351 § 7(b)(5)

Right to Limit Sensitive Data

Companies must obtain your consent before processing your sensitive personal data, which includes things like your race or ethnicity, health conditions, precise location, biometric data used to identify you, sexual orientation, immigration status, religious beliefs, and data about children.

Exceptions: Processing of children's data must comply with COPPA rather than requiring consent under this act; Sensitive data processing may be permitted without consent for certain legal, safety, or public health purposes.

Source: HB351 § 7(b)(2), § 2(21)

How to exercise your rights

  1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed.
  2. Submit an APDPA deletion or opt-out request. Covered businesses have 45 days to respond (HB351 § 5(d)), with up to 45 additional days if they invoke the extension provision.
  3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data.

Authorized agents

The APDPA does not mention authorized agents (Alabama Personal Data Protection Act (HB 351, effective May 1, 2027)). This means data brokers are not required to honor privacy requests submitted by someone other than you personally. Optery can help you submit requests directly — we prepare everything for you; you hit send.

Enforcement and penalties

The APDPA is enforced by the Alabama Attorney General. If a business violates the law, the Alabama Attorney General first sends a notice giving the business 45 days to fix the problem. If the business doesn't correct the violation and provide a written statement that it has been fixed, the AG can seek a court injunction and civil penalties of up to $15,000 per violation.

Who does the APDPA apply to?

This law applies to businesses that do business in Alabama (or target Alabama residents) and either: (1) control or process personal data of more than 25,000 Alabama consumers (not counting data processed solely for completing a payment transaction), OR (2) derive more than 25% of their gross revenue from selling personal data. Certain entities are exempt, including government agencies, financial institutions governed by Gramm-Leach-Bliley, HIPAA-covered entities, small businesses with fewer than 500 employees that don't sell personal data, and small nonprofits with fewer than 100 employees that don't sell personal data.

Frequently asked questions

When does the Alabama Personal Data Protection Act take effect?

The APDPA becomes effective on May 1, 2027 (HB351 § 12). That means businesses have until then to comply, and you'll be able to start exercising your rights under this law starting on that date.

Which businesses does this law apply to?

The law applies to businesses that do business in Alabama or target Alabama residents and either process the personal data of more than 25,000 Alabama consumers OR derive more than 25% of gross revenue from selling personal data (HB351 § 3). Many entities are exempt, including government agencies, HIPAA-covered health entities, Gramm-Leach-Bliley financial institutions, small businesses with fewer than 500 employees that don't sell personal data, and small nonprofits with fewer than 100 employees that don't sell personal data (HB351 § 4).

How long does a company have to respond to my data request?

A company must respond to your request within 45 days of receiving it (HB351 § 5(d)(1)(a)). If the company needs more time due to the complexity or number of your requests, it can extend the response period by another 45 days, but it must notify you of the extension and explain the reason within the initial 45-day window.

Can I sue a company directly if it violates my privacy rights under this law?

No — the APDPA does not give individual consumers the right to sue directly. Only the Alabama Attorney General can enforce the law (HB351 § 11). If you believe your rights have been violated, you can contact the Alabama Attorney General's office to report the issue.

What happens if a company violates my privacy rights?

The Alabama Attorney General must first issue the company a notice of violation and give it 45 days to fix the problem (HB351 § 11(b)(1)–(2)). If the company fails to correct the violation within that period, the AG can seek a court injunction and civil penalties of up to $15,000 per violation. If the company fixes the issue and provides a written statement promising it won't happen again, no legal action can be taken.
