Apr 23, 2026
Alabama's New Privacy Law Passed 104 to 0—Consumer Reports Urged the Governor to Veto It
The state became the 21st with a comprehensive data privacy law. But loopholes that exempt analytics companies and ad firms from opt-out protections mean the bill does less than it appears.
What Happened
On April 17, Governor Kay Ivey signed House Bill 351, the Alabama Personal Data Protection Act, making Alabama the 21st U.S. state with a comprehensive privacy law. The bill passed unanimously: 104 to 0 in the House and 34 to 0 in the Senate. It takes effect May 1, 2027.
The law gives Alabama residents the right to access, correct, and delete their personal data, opt out of targeted advertising and data sales, and refuse profiling for automated decisions affecting credit, employment, or healthcare. It covers businesses that process data of at least 25,000 Alabama residents or derive over 25% of gross revenue from selling personal data.
The Loopholes Consumer Reports Flagged
Consumer Reports urged Governor Ivey to veto the bill, calling it a "lowest common denominator approach" riddled with loopholes. The criticism centers on three gaps:
- The analytics carveout. Alabama's definition of a "sale" explicitly exempts data shared for "providing analytics services" or "providing marketing services solely to the controller." Companies can hand your data to ad firms and analytics platforms without triggering your opt-out rights, as long as the third party claims to be working on the company's behalf.
- The pseudonymous data gap. No opt-out is required for targeted advertising based on pseudonymous identifiers like mobile device IDs, as long as those identifiers are stored separately from your name. Only three other states—Kentucky, Iowa, and Tennessee—have this carveout.
- The permanent cure period. Companies that violate the law always get a 45-day window to fix the problem before any penalty applies. Unlike California, which eliminated automatic cure periods, Alabama has a cure period that never expires.
The law also skips data protection impact assessments entirely and includes no enhanced protections for minors, protections that states like Colorado and Connecticut require.
How Alabama Compares to Other States
Alabama's law is modeled loosely on Connecticut's privacy statute but strips out several of its stronger provisions. The state has one of the country's lowest applicability thresholds—just 25,000 consumers—but the narrow definition of "sale" and the analytics exemption undermine the rights the law claims to grant.
Enforcement falls exclusively to the state attorney general, who can seek up to $15,000 per violation. There is no private right of action, meaning individual Alabamians cannot sue companies that violate the law. Compare that to California's CCPA, which allows private lawsuits for data breaches and has raised intentional violation fines to $7,988 per incident.
The Regulatory Race to the Bottom
Alabama is the 21st state to pass a comprehensive privacy law. A year ago, there were 14. The pace is accelerating: Oklahoma passed its law earlier in 2026, and the laws in Indiana, Kentucky, and Rhode Island took effect on January 1.
But the quality of these laws varies enormously. Privacy researchers warn of a "regulatory race to the bottom" where companies gravitate toward the least restrictive compliance standard. A business that meets Alabama's requirements can technically claim to follow "state privacy law" while doing far less than California or Colorado demands. Montana's approach shows the alternative—it recently became the first state that can sue for a privacy violation without a warning period.
Without a federal privacy law, the patchwork continues to grow. Companies operating in multiple states must navigate 21 different frameworks, each with different thresholds, definitions, and enforcement mechanisms. For consumers, it means the protection you get depends entirely on where you live.
What Alabama Residents Can Do Now
Despite the loopholes, the law creates new rights that did not exist before in Alabama. Starting May 1, 2027, residents can:
- Request access to all personal data a company holds about them
- Demand deletion of that data
- Opt out of the sale of personal data (though the narrow definition limits this)
- Opt out of targeted advertising (with the pseudonymous data exception)
- File complaints with the Attorney General's office
But do not wait for the law to take effect. The analytics exemption means companies can still share your data with ad firms and call it "marketing services." Use browser extensions that block trackers, review the privacy settings on every app you install, and consider tools that limit what companies learn from your inbox. Understanding how tracking pixels work in your email is a good starting point.
Why Email Users Should Pay Attention
Privacy laws like Alabama's are supposed to cover the data companies collect through email marketing, including tracking pixels that log when you open a message and what device you are using. But the analytics exemption means an email marketer could argue that sharing your open rates and engagement data with a third-party analytics firm falls outside the law's definition of a "sale." The result: your inbox data may flow freely between companies even under a state privacy law that promises you the right to opt out.
This is the gap between privacy law and privacy reality. Having the right to opt out means nothing if the law defines away the activities you most need to opt out of.