TL;DR: Alabama’s Personal Data Protection Act is now the 21st U.S. state privacy law and sets the lowest baseline threshold of any state law at 25,000 residents, while also capturing some organizations at 25% of gross revenue from data sales, according to OneTrust. That combination makes applicability analysis and data-sharing classification more operationally sensitive than many teams assume.
NHIMG editorial — based on content published by OneTrust: Alabama becomes 21st state to pass personal data protection act
By the numbers:
- The law can also apply when an organisation derives 25% or more of gross revenue from the sale of personal data.
Questions worth separating out
Q: How should privacy teams assess whether Alabama’s APDPA applies to them?
A: Start with a dual test: covered Alabama resident data volume and revenue derived from personal data sales.
Q: Why do low-threshold state privacy laws create governance risk for multi-state programs?
A: They break the assumption that only large consumer footprints create privacy obligations.
Q: What do privacy teams get wrong about data sales and opt-out obligations?
A: They often assume every transfer to a third party is a sale or that every analytics or marketing arrangement is exempt.
Practitioner guidance
- Recalculate APDPA applicability using resident counts and revenue tests Map Alabama resident data volumes separately from employment and commercial-context records, then test whether the 25,000-person threshold or the 25% revenue threshold applies.
- Classify data-sharing arrangements by legal purpose Separate service-provider transfers, analytics support, marketing support, and monetised sales in your vendor inventory.
- Tighten identity-to-record matching for rights requests Use stronger identity verification, delegated authority checks, and record linkage controls so access, deletion, correction, and portability requests are applied to the right person.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- The exact applicability language for Alabama residents, revenue thresholds, and consumer exclusions.
- The controller and processor obligations that privacy teams need to translate into workflows and contracts.
- The consent, notice, and opt-out nuances that affect data-sharing classifications.
- The practical preparation checklist for multi-state privacy programmes.
👉 Read OneTrust’s analysis of Alabama’s new Personal Data Protection Act →
Alabama APDPA scope rules: what privacy teams need to reassess?
Explore further
Low-threshold privacy laws turn scope analysis into an operational control, not a legal memo. Alabama’s 25,000-resident threshold means organisations can be in scope earlier than they would be under more familiar state regimes. That shifts privacy readiness from periodic review to continuous classification of data volume, purpose, and geography. Teams should treat applicability as a living control tied to inventory quality and revenue mapping.
A question worth separating out:
Q: Who is accountable when consumer rights requests fail under state privacy laws?
A: Controllers remain responsible for determining purposes and means of processing, responding to rights requests, and maintaining reasonable security practices even when processors handle parts of the workflow. Accountability therefore sits with the programme owner, not the vendor. Organisations should define ownership, evidence requirements, and escalation paths before requests begin to fail in production.
👉 Read our full editorial: Alabama APDPA raises the bar for multi-state privacy scope