Oklahoma and Alabama Headline a Busy Spring for Privacy Legislation
Spring has arrived, and privacy laws are sprouting alongside the crocuses.
Oklahoma and Alabama became the 20th and 21st states to enact comprehensive consumer privacy laws in March and April. Utah, Kentucky, and Virginia amended their consumer privacy laws to expand protections for specific types of data, and Utah amended its App Store Accountability Act. And a federal comprehensive privacy proposal, the SECURE Data Act, has been introduced in Congress. This post highlights the most salient developments and practical takeaways for businesses navigating these new requirements.
Oklahoma’s and Alabama’s Comprehensive Privacy Laws
On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, making Oklahoma the 20th state to enact a comprehensive consumer privacy law. The law takes effect on January 1, 2027, capping a seven-year legislative journey that saw previous versions of the bill pass the Oklahoma House on multiple occasions before finally clearing the state Senate. Less than a month later, Governor Kay Ivey signed into law the Alabama Personal Data Protection Act (APDPA) (HB 351) on April 16, 2026. The APDPA takes effect on May 1, 2027, and is generally one of the more business-friendly comprehensive privacy laws enacted to date.
Key Deviations From Existing State Privacy Laws
For those businesses that have already built compliance programs around other state privacy laws, bringing Oklahoma and Alabama into scope will likely be a light lift. The deviations from existing privacy laws generally serve to reduce or remove obligations rather than add new ones. One area where one of these laws takes a broader approach than some other state privacy laws is Oklahoma’s definition of “biometric data,” which includes data generated from photographs, videos, or audio recordings when used to identify a specific individual. Some states exclude data generated from photographs, videos, or audio recordings from their definition of biometric data regardless of how it’s used, although Oklahoma’s definition has become the more common approach in the past two years.
Scope
Businesses that have not had to comply with other state privacy laws should now evaluate whether they are subject to Alabama’s APDPA, which broadens the scope of businesses to which a comprehensive privacy law applies. Consistent with many state comprehensive privacy laws, Oklahoma’s law applies to controllers and processors operating in the state or targeting residents that either (1) process personal data of at least 100,000 consumers, or (2) process personal data of at least 25,000 consumers and derive over 50% of gross revenue from data sales. In contrast, the APDPA applies to persons operating in Alabama or targeting Alabama residents that either (1) process personal data of more than 25,000 consumers (excluding payment-only processing), or (2) derive more than 25% of gross revenue from data sales, regardless of volume. The 25,000-consumer threshold is one of the lowest in the country, and Alabama is the first state to omit a processing-volume threshold from the sales revenue prong. While this is a low bar, it is balanced with a broad small business exemption: businesses with fewer than 500 employees and nonprofits with fewer than 100 employees are exempt unless they engage in data sales.
Both state laws include familiar entity-level exemptions (financial institutions regulated by the Gramm-Leach-Bliley Act, entities covered by the Health Insurance Portability and Accountability Act (HIPAA), nonprofits, higher education institutions, and state agencies) and data-level exemptions (“personal health information” under HIPAA, Family Educational Rights and Privacy Act (FERPA) data, Fair Credit Reporting Act (FCRA) data, and purely personal or household data).
Data “Sales”
The most notable narrowing of protections arises in how the two states define the “sale” of personal data. Specifically, both states narrowed the scope of what kinds of data transferred would be considered a “sale” of data from which a consumer would have the right to opt out. Oklahoma’s SB 546 adopts the narrower definition of “sale” used by some states, including Virginia, which is limited to a transfer of data for monetary consideration, but not “other valuable consideration” common in other states. As a result, covered businesses only subject to Oklahoma’s law will be able to transfer data to third parties without offering an opt-out to users in more situations.
Alabama adopted a notably distinctive definition of “sale,” reaching exchanges of personal data for monetary consideration as well as exchanges for “other valuable consideration” but only where the controller receives a material benefit and the third party is not restricted in its subsequent use of the data. At the same time, the statute created novel exclusions from “sale” for disclosures or transfers of personal data to a third party for the purpose of providing analytics services and for disclosures to a third party for the purpose of providing marketing services solely to the controller. This narrower scope may also allow businesses to rely more heavily on service provider–style arrangements without triggering “sale” restrictions in Alabama, though careful analysis will still be required to assess whether a given exchange involves a “material benefit” or permits downstream use sufficient to bring it within scope.
Consumer Rights and Business Obligations
The consumer rights package for both states is generally standard for state-level privacy laws: access, correction, deletion, portability, and the right to opt out of targeted advertising, data sales, and certain profiling. Controllers must respond to consumer requests within 45 days (extendable by another 45). In Oklahoma, businesses must provide an appeals process with a response window of 60 days. Notable distinctions in these laws include that the APDPA does not provide consumers a right to appeal an adverse rights determination, and although it references “the ability of the controller to authenticate the identity of the consumer or authorized agent making the request,” it does not otherwise expressly provide for use of authorized agents or specify the scope of their authority. Oklahoma’s SB 546 does not provide for authorized agents to exercise consumer rights on consumers’ behalf.
The laws’ business-facing requirements align closely with those found in other state privacy frameworks, including: (i) publishing a reasonably accurate, clear, and meaningful privacy notice; (ii) limiting data collection to what is adequate, relevant, and reasonably necessary in relation to the disclosed processing purposes; (iii) obtaining consent for sensitive data processing; and (iv) establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue. Unlike Oklahoma, which imposes no special consent obligation for minors above age 13, the APDPA requires controllers with actual knowledge that a consumer is at least 13 but younger than 16 to obtain opt-in consent before processing that consumer’s personal data for targeted advertising or selling it. Apart from this difference, there are some notable omissions in business obligations as compared to most other states:
- Oklahoma does not require controllers to recognize universal opt-out preference signals such as Global Privacy Control. Although the APDPA does not expressly mandate recognition of opt-out preference signals, it appears to contemplate their required use by providing that when a consumer’s opt-out preference signal conflicts with the consumer’s existing privacy settings or participation in a loyalty or similar program, the controller “shall comply with the consumer’s opt-out preference signal but may notify the consumer of the conflict and provide the choice to confirm controller-specific privacy settings or participation in such a program.”
- Unlike most states (including Oklahoma), the APDPA does not require data protection impact assessments for targeted advertising, sales of personal data, profiling, sensitive data processing, or other heightened-risk activities.
Enforcement
As with all previous comprehensive state privacy laws other than California’s, both states give their respective attorneys general (AGs) exclusive enforcement authority with no private right of action. Also consistent with most other states, the state AGs must provide notice to businesses and an opportunity to cure (30 days in Oklahoma, 45 days in Alabama) before bringing an action against the business. However, unlike most existing state laws, both states’ cure periods do not expire. Most states included a notice and cure period for only a limited time after their laws’ effective date, to allow businesses time to comply with new obligations they may not have known about or understood. Oklahoma and Alabama extend that period indefinitely, giving businesses a continuing opportunity to correct issues before enforcement escalates. If the violation is not cured, a court may assess civil penalties of up to $7,500 per violation in Oklahoma and $15,000 per violation in Alabama. Alabama’s cap falls within the high end of the range seen across state comprehensive privacy laws, which most commonly set per-violation penalties at $7,500 but in some states reach $20,000 or more.
Other State Privacy Legislation
In March, Utah Governor Spencer Cox signed two privacy-related bills into law. First, HB 357 extends Utah’s existing consumer data privacy law to motor vehicle manufacturers regardless of the law’s general applicability thresholds. It also adds requirements for motor vehicle manufacturers to provide in-vehicle privacy controls for vehicles with a model year of 2030 or later (including allowing consumers to view the categories of personal information collected and the categories of third parties with whom personal information is shared, opt out of sales or targeted ads, and delete readily accessible data). This amendment goes further than Oregon’s 2025 amendment regarding motor vehicle manufacturers by adding privacy control requirements. Second, HB 498 amended the Utah App Store Accountability Act in response to litigation brought by the Computer & Communications Industry Association. A key change is removing enforcement responsibility from the state attorney general in favor of a private right of action. Other changes include adding requirements for pre-installed apps, refining age-related defaults, and establishing safe harbor provisions for developers. HB 357 takes effect January 1, 2027. HB 498 took effect upon approval, although the underlying app store requirements take effect on May 6, 2027.
In Kentucky, on April 13, Governor Andy Beshear signed HB 692 into law, which amends Kentucky’s existing consumer privacy law to require opt-in consent to collect “automatic content recognition” (ACR) data gathered by smart TVs and monitors. ACR data can be understood as data about a consumer’s content viewing history generated through the use of technologies like digital fingerprinting or watermark detection, but it excludes (1) data collected about a consumer’s interactions with content provided by the controller’s own services, (2) data generated in the course of providing a feature or service requested by a consumer, and (3) data collected for the purpose of enforcing terms of service. To date, these are novel requirements among state privacy laws. The amendments take effect July 1, 2027.
On April 14, Virginia Governor Abigail Spanberger signed into law SB 338 to amend the Virginia Consumer Data Protection Act to ban the sale of consumers’ precise geolocation data. Virginia now joins Maryland and Oregon in banning the sale of precise geolocation information outright, without the option of consumer consent or opt-out.
Looking Ahead
Privacy legislation remains in active flux, as underscored by the federal SECURE Data Act introduced in the House on April 22, 2026, by the Energy and Commerce Committee’s Privacy Working Group. If enacted, the bill would create a nationwide privacy framework with uniform consumer rights and obligations similar to many state comprehensive privacy laws, be enforced by the FTC and state AGs subject to a 45-day cure period, and broadly preempt state laws “relat[ing] to the provisions of this Act.” However, federal bills preempting state privacy laws have faced steep obstacles before, and it remains to be seen how this one shakes out.
Perkins on Privacy
Perkins on Privacy keeps you informed about the latest developments in privacy and data security law. Our insights are provided by Perkins Coie's Privacy & Security practice, recognized by Chambers as a leading firm in the field.