State Privacy Law Update: Alabama Enacts the APDPA and France’s CNIL Plans Multi-Property Consent Guidance

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Alabama has passed HB351, the Alabama Personal Data Protection Act, positioning the state as the 22nd to enact a comprehensive privacy law with a distinctive hybrid model that borrows from both pro-business and prescriptive state frameworks. Meanwhile, France’s CNIL has announced plans to release guidance on multi-property consent collection, potentially signaling a conditional shift toward accepting cross-domain consent– a development with significant implications for media groups and multi-brand environments operating under GDPR.

Keep reading to learn more and discover my takeaways.

United States

Alabama Sends Comprehensive Privacy Law to Governor.

The Alabama legislature passed HB351 to enact the Alabama Personal Data Protection Act (APDPA). If signed by the Governor, the APDPA will take effect on May 1, 2027, making Alabama the 22nd state with an active comprehensive privacy law (if Florida is included).

TAKEAWAY

Although most of the APDPA mirrors other state comprehensive privacy laws, several notable aspects make it unique: 

1. The law’s scope and applicability thresholds are, in different respects, both significantly narrower and significantly broader than those of other laws. Alabama has a much lower threshold than most states (applying to entities that either process the personal data of at least 25,000 consumers or derive at least 25% of their revenue from selling personal data). However, it also exempts businesses with fewer than 500 employees, provided those businesses aren’t selling data, and it includes far more granular and industry-specific exemptions.

 2. The definition of the sale of personal data is also both broad and narrow compared to other states. It adopts a broad definition of sale similar to California or Colorado (extending beyond monetary consideration) but uniquely includes an express carve-out for analytics services and marketing service providers acting on behalf of the controller.

 3. The APDPA includes a statutory mechanism to resolve conflicts between opt-out preference signals and loyalty programs by allowing the controller to notify the consumer of the conflict and provide the consumer with a choice to resolve the conflict. Although California regulations permit this option, Alabama is the first state to expressly adopt it in its statute.

 4. Like other aspects of the law, the APDPA’s enforcement and penalties walk a fine line between business-friendly and stricter regimes. It includes higher penalties (up to $15K per violation, compared to the typical $7,500 per violation in most other laws) but mandates a 45-day cure period. Overall, Alabama represents a new hybrid model that simultaneously borrows from both the more pro-business and prescriptive state laws, while introducing new elements that further thread that needle.  

Europe

CNIL to Provide Multi-Property Consent Collection Guidance.

As part of a broader listing of planned resources for 2026, the French data protection authority (CNIL) announced its plans to provide guidance on multi-property consent collection, specifically, “the conditions allowing the collection of a single consent for several sites or media, in particular when they belong to the same group.”  The announcement notes that “the challenge is to provide a framework that limits multiple requests for internet users, particularly in media groups or multi-brand environments, while protecting users’ privacy and freedom of choice.” 

TAKEAWAY

Historically, the CNIL has consistently emphasized that consent must be specific to a clearly identified controller, linked to a defined context, and informed with a concrete list of actors and purposes. Nothing here suggests the CNIL is abandoning those core principles. However, this announcement may reflect a practical shift toward explicitly accepting cross-domain consent, likely on a conditional basis. 
This follows recent guidance from the CNIL allowing for multi-device consent, but only in authenticated environments with strict symmetry and transparency requirements. If that guidance is any indication, we can likely expect multi-property consent guidance to involve a combination of similarly tight parameters around the user relationship, corporate perimeter, first-layer disclosures, symmetrical choice, and conflict resolution (e.g., between local and shared choices and between cookie and other consents).

A LITTLE MORE PRIVACY, IF YOU PLEASE

• CalPrivacy Seeks Preliminary Comments on DROP Audits
• Delaware Court Approves $190 Million Settlement in Meta Cambridge Analytica Lawsuit
• Rhode Island Data Transparency and Privacy Protection Act: Everything businesses need to know
• What is the best consent banner format in Europe in 2026?
  
  
  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.