Alabama Joins Privacy Law Surge as States Tighten Data Rules
Alabama enacted a comprehensive data privacy law as Kentucky, Virginia, and Nebraska finalized privacy statute updates.
Why it matters: Companies face a patchwork of privacy rules as states expand and amend consumer data protection laws. Legal and operations teams must quickly adapt policies and protocols to comply with new requirements and harsher enforcement provisions.
- Alabama's new privacy law, effective May 1, 2027, makes it the 21st state with such legislation.
- The Kentucky Consumer Data Protection Act took effect January 1, 2026, imposing duties like impact assessments and penalties up to $7,500 per violation.
- Virginia expanded its law with strict limits for social media platforms on minors’ usage, including required age verification.
- Nebraska enhanced its Age-Appropriate Design Code Act, boosting protections for minors online.
The U.S. consumer data privacy landscape is shifting rapidly as more states pass or update comprehensive laws. On April 16, 2026, Alabama enacted the Personal Data Protection Act (HB 351), now the 21st state with a broad privacy law. The statute applies to any entity controlling or processing the personal data of over 25,000 consumers, or deriving more than 25% of gross revenue from data sales.
- Consumers gain rights to access, correct, delete, and get a copy of their personal data, plus the ability to opt out of targeted ads and data sales (bill text). Controllers face obligations to limit data collection and bolster security measures.
- Alabama’s law—enforceable by the attorney general—features penalties up to $15,000 per violation and a 45-day right to cure beginning May 1, 2027 (JD Supra).
Consumer Reports criticized the statute for “weak definitions, broad carveouts, and insufficient enforcement mechanisms,” but lawmakers lauded it as a “common-sense framework” balancing consumer and business interests (news coverage).
Meanwhile, Kentucky’s Consumer Data Protection Act (KCDPA) became effective January 1. It applies to businesses processing data of at least 100,000 consumers per year, or 25,000 if data sales comprise over half their revenue, and requires impact assessments for high-risk activities such as targeted ads and processing sensitive data (Mondaq).
Virginia’s amended law, effective January 1, 2026, targets social media providers by mandating age verification and capping minors’ use at one hour per day without parental consent, while prohibiting punitive measures for restricted use.
Nebraska joined this trend by updating its Age-Appropriate Design Code Act to align with digital protections for minors nationally, although details remain sparse.
By the numbers:
- $15,000 — Maximum civil penalty per violation under Alabama's new statute.
- $7,500 — Maximum civil penalty per violation under Kentucky's privacy law.
- 25,000 — Minimum number of consumers' data processed for Alabama law to apply.
Yes, but: Consumer advocates argue Alabama's law lacks strong definitions and robust enforcement mechanisms.