Alabama Privacy Laws

Data privacy laws in Alabama and nationwide protect consumers from identity theft, fraud, and other financial harm arising from data breaches involving personal information. Victims of data breaches in Alabama have the right to recover losses incurred as a result of a breach, and the state has laws in place to protect consumers in such situations.

Alabama State Data Privacy Laws

In 2026, Alabama became the 21st state to enact a comprehensive state consumer privacy law, and businesses must comply with new obligations under the Alabama Personal Data Protection Act by May 1, 2027. Alabama law also establishes standards for data breach notifications and other data protection regulations. These state-level regulations and laws are crucial, as there is no comprehensive federal data privacy law.

The Alabama Personal Data Protection Act of 2026

The Alabama Personal Data Protection Act (APDPA), enacted in 2026, provides protections for consumers’ personal and sensitive data. The law applies to people conducting business in the state if they control or process the personal data of at least 25,000 consumers, or derive 25% or more of their revenue from the sale of personal data. The act doesn’t apply to universities, banks, businesses with under 500 employees that don’t sell data, or nonprofits.

Under the APDPA, personal data includes any information that is linkable to an identifiable individual, excluding publicly available information. Sensitive data is information about race, ethnicity, religion, health conditions, sexual orientation, citizenship status, genetic or biometric information, precise geolocation data, or data collected from a known child.

The APDPA gives Alabama consumers rights to confirm whether a controller is processing their personal data, access that data, correct inaccuracies, delete personal data, obtain a portable copy, and opt out of processing for targeted advertising, sale of personal data, or certain profiling. Businesses must be in compliance by May 2027.

The Alabama Data Breach Notification Act of 2018

The Alabama Data Breach Notification Act of 2018 requires certain entities that have experienced data breaches to notify consumers and the state Attorney General when the breach results in the unauthorized acquisition of sensitive personally identifiable information. Covered entities, such as corporations, that determine a breach may have occurred must conduct a good-faith, prompt investigation into the nature and scope of the breach, what information was involved, and who is at risk. They must give notice of the breach to each affected individual within 45 days.

Under Alabama law, data breach notifications must include the date of the breach, a description of the information accessed, actions taken to rectify the breach, steps affected individuals can take to prevent identity theft, and contact information for the affected company. The state Attorney General must be notified of a data breach if more than 1,000 people are affected.

Alabama Consumer Protection Statutes

Alabama consumer protection laws give residents the right to truthful information, fair contracts, safe products, and remedies. The law also prohibits false advertising, bait-and-switch tactics, and misrepresentation, and provides consumers harmed by deceptive practices the right to sue for damages.

Privacy Requirements for Alabama Businesses

State laws in Alabama require data controllers, including all businesses operating in the state, to limit their collection of personal data to what is adequate, relevant, and reasonably necessary. They must also establish, implement, and maintain security practices and provide an effective opt-out mechanism.

Your Rights as an Alabama Resident

The Alabama Personal Data Protection Act of 2026 gives consumers five core rights regarding their personal data. When a consumer exercises these rights, controllers must respond within 45 days, subject to certain exceptions. The core rights include:

  • The right to confirm if data is being processed or accessed
  • The right to correct errors in their personal data
  • The right to direct a controller to delete their personal data
  • The right to obtain a copy of their personal data
  • The right to opt out of data processing for targeted advertising, sale, or profiling

Compensation for Victims of Data Breaches in Alabama

Victims of data breaches in Alabama may be eligible to receive multiple types of compensation, including:

  • Monetary Compensation: Direct payouts for proven financial losses.
  • Reimbursement: Compensation for credit monitoring or identity restoration services.
  • Injunctive Relief: Court orders requiring improved security measures by the breached entity.
  • Non‑Monetary Remedies: Free credit monitoring or identity theft insurance.

Notable Data Breaches in Alabama

In recent years, Alabama has seen several notable data breaches, particularly in the healthcare industry, that have led to significant settlements.

Alabama Ophthalmology Associates ($850,000 Settlement)

In January 2025, Alabama Ophthalmology Associates experienced a targeted cyberattack on its computer systems. Files containing personal information, such as Social Security numbers, health insurance information, and treatment records, may have been accessed.

In February 2026, a court granted preliminary approval of an $850,000 settlement by the company for damages caused by the 2025 breach. Victims who incurred actual, documented out-of-pocket losses due to the breach could receive up to $5,000 from the settlement, while affected individuals without documented losses are eligible for a one-time cash payment of $60.

Alabama Cardiology Group ($2.23 Million Settlement)

In July 2024, the Alabama Cardiology Group (ACG) discovered that it was the target of a third-party cyberattack that compromised consumers’ personal information. During the data breach, a third party may have gained access to the personally identifying information and personal health information of nearly 300,000 individuals.

ACG began notifying impacted individuals in August 2024, one month after the breach. A class action lawsuit was filed against the company in December 2024, and in 2025, ACG agreed to pay a $2,225,000 settlement. Class members could submit a claim for settlement payments of up to $5,000 for reimbursement for documented losses.

Do I Have a Case?

If your rights and interests as an Alabama resident have been harmed by a data breach, you may be entitled to seek financial compensation through legal action. You may have received a data breach notification in the mail or via email if you were affected. If your data was breached, you may qualify to join a class action lawsuit or pursue an individual claim with the help of a data breach attorney.

Speak to a Data Breach Attorney in Alabama

With Alabama’s new comprehensive privacy law in place, consumers in the Yellowhammer State have greater protections than ever before, and more potential legal remedies when their personal information is compromised.

At Class Action U, our goal is to simplify the process for individuals affected by data breaches to join ongoing lawsuits by connecting them with our legal partners. If you’ve been affected by a data breach, share your information with us to see if you qualify for a class action filing. If a class action already exists for the breach that affected you, our site offers a straightforward way to sign up.

Contact Class Action U to be connected with an experienced data breach lawyer to learn more about your legal options.
