Southeastern Privacy Laws Taking Shape: Current and Upcoming Omnibus Laws for Alabama, Georgia, Florida, and Tennessee

By Jason Priebe on May 29, 2026

Table of Contents

  • Who Is Covered: Three Enacted Laws and Three Thresholds (and a Note on Georgia)
  • The NIST Safe Harbor: A Tennessee Feature Worth Watching in Georgia
  • Cure Periods and Enforcement
  • Data Protection Assessments
  • Universal Opt-Out Signals
  • Definition of “Sale”
  • Children’s Data Protections
  • Effective Dates
  • Practical Observations
  • What Should Companies Do Now?

It has been a busy spring for data privacy in the Southeast. On April 17, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351). Weeks later, on May 11, 2026, Governor Kemp signed Georgia’s SB 111. There is an important caveat there: although the Senate-passed version of SB 111 carried the title “Georgia Consumer Privacy Protection Act,” the House substituted the bill’s entire text with unrelated amendments to the rural hospital tax credit. The Senate agreed to the substitute on April 2, and the version Kemp ultimately signed has nothing to do with consumer privacy. Legislative tracking services continue to display the original title, which has caused understandable confusion, but Georgia did not enact a comprehensive privacy law this session.

That leaves the Southeast with three states currently operating under a comprehensive privacy statute: Florida (in effect since 2024), Tennessee (in effect since 2025), and Alabama (taking effect in 2027). Georgia remains a state to watch, with sponsors expected to introduce a successor measure when the new General Assembly convenes in 2027. And in keeping with the national trend, each state’s “omnibus” law (or proposed law) takes a slightly different approach with qualifying thresholds and defined terms. This article provides a short summary of what businesses operating in the region need to know and what they should be working on today.

Who Is Covered: Three Enacted Laws and Three Thresholds (and a Note on Georgia)

The biggest difference among the three enacted statutes is the way each defines businesses that must comply.

Florida’s Digital Bill of Rights (FDBR), which took effect on July 1, 2024, has the narrowest scope by a wide margin. The FDBR imposes obligations on controllers with annual global revenue of more than $1 billion that also meet one of three additional criteria: derive 50% or more of annual revenue from selling online ads, operate a consumer smart speaker with an integrated virtual assistant, or operate an app store with at least 250,000 applications. By design, the majority of the FDBR’s controller obligations apply only to the largest tech and platform companies. As a practical matter, most Southern businesses will never need to worry about Florida’s controller obligations, though enforcement has now begun. The Florida AG’s October 2025 action against Roku is a useful reminder that the FDBR is no longer dormant for the companies that do qualify.

Tennessee’s Information Protection Act (TIPA), which took effect on July 1, 2025, takes a middle approach. TIPA applies only to entities with more than $25 million in annual revenue that also meet one of two conditions: control or process the personal information of at least 175,000 Tennessee consumers, or control or process the personal information of at least 25,000 Tennessee consumers while deriving more than 50% of gross revenue from the sale of personal information. The 175,000-consumer threshold is the highest of any state privacy law to date and significantly narrows the law’s application for most companies.

The Alabama Personal Data Protection Act (APDPA) takes a different tack. It applies to entities that process the personal data of more than 25,000 Alabama consumers (excluding payment transaction data), or that derive more than 25% of gross revenue from the sale of personal data. There is no minimum revenue threshold, and the 25% revenue prong applies regardless of how many consumers’ data the entity processes. Alabama exempts businesses with fewer than 500 employees (provided they are not selling personal data) and nonprofits with fewer than 100 employees under similar conditions. This employee-count exemption is notably broader than most state omnibus laws and echoes the approach of the Texas TDPSA’s small-business exception keyed to the SBA definition.

For reference, Georgia’s failed SB 111 would have applied to entities conducting business in Georgia with more than $25 million in annual revenue that also met one of two consumer-count thresholds (25,000 plus 50%-of-revenue from sale, or 175,000), broadly in line with the Virginia model. Any 2027 successor is likely to look substantially similar.

The definition of “consumer” in each of the enacted statutes continues to exclude individuals acting in an employment or commercial context.

The NIST Safe Harbor: A Tennessee Feature Worth Watching in Georgia

One provision sets Tennessee apart from its Southeastern neighbors. Controllers and processors are allowed to assert an affirmative defense to violations if they maintain a written privacy program that reasonably conforms to the current NIST Privacy Framework. Georgia’s failed SB 111 contained a parallel provision, and the NIST safe harbor is widely expected to be a feature of any Georgia successor measure as well.

For businesses already aligned with NIST standards, TIPA offers a meaningful compliance advantage. For Georgia-based businesses without a documented privacy program, the prospect of a future Georgia statute with a NIST safe harbor offers a forward-looking reason to begin building one now. Even absent a Georgia statute, a NIST-aligned program supports compliance under TIPA for Tennessee residents and provides defensible risk-management posture under Georgia’s evolving common law data protection standards.

Cure Periods and Enforcement

All three enacted statutes grant enforcement authority exclusively to the state Attorney General, with no private right of action. Cure periods and penalties vary:

Alabama provides a permanent 45-day cure period before the AG may initiate enforcement. Civil penalties may reach $15,000 per violation.

Tennessee provides a 60-day cure period. Courts may impose civil penalties of up to $7,500 per violation, with treble damages available for willful or knowing violations.

Florida provides a 45-day cure period at the AG’s discretion. The cure period is unavailable for violations involving a known child. Civil penalties run up to $50,000 per violation and are tripled (to $150,000) for violations involving known children, failure to delete or correct after request, or continued sale or sharing after opt-out.

For comparison, Georgia’s failed SB 111 would have required a 60-day cure period and authorized penalties of up to $7,500 per violation, with treble damages for knowing or willful violations.

Data Protection Assessments

Florida and Tennessee both require controllers to conduct data protection assessments for high-risk processing activities, including targeted advertising, the sale of personal information, certain profiling activities, processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”

Alabama does not require data protection assessments, an omission that sets it apart from most comprehensive state privacy laws.

Georgia’s failed SB 111 would have required data protection assessments along the same lines as Tennessee and the broader Virginia model.

Universal Opt-Out Signals

For now, unlike what we have seen in California and Colorado, none of the enacted Southeastern laws require the recognition of universal opt-out mechanisms or other website functionality associated with opt-out preference signals or GPC controls.

Definition of “Sale”

The way each state defines the “sale” of personal data affects which disclosures and sharing arrangements trigger opt-out rights.

Alabama attempts to split the difference between narrow and broad definitions. The law covers exchanges of personal data for monetary or “valuable consideration” where the controller receives a material benefit and the third party is not restricted in its subsequent use of the data. The definition excludes disclosures to processors, affiliates, third parties providing requested products or services, and several other categories. Alabama’s approach may limit unintended consequences while still capturing targeted advertising arrangements where ad tech partners can reuse data beyond the scope of services rendered.

Tennessee and Florida each follow variations of the Virginia model, generally defining sale as an exchange of personal data for monetary or other valuable consideration, with carve-outs for processor relationships, mergers, and consumer-directed disclosures.

Children’s Data Protections

The three enacted statutes address children’s data to varying degrees. Alabama requires consent before processing the data of consumers ages 13 to 15 for targeted advertising or sale, addressing the gap between COPPA (which covers children under 13) and adulthood. Tennessee aligns with familiar COPPA thresholds and requirements and requires consent before processing sensitive data of known children. Florida imposes notably stricter requirements: it requires affirmative authorization before processing the personal data of minors between 13 and 17, prohibits targeted advertising directed to any known child under 18, and triples civil penalties for violations involving known children. The Roku enforcement action turns largely on these children’s data provisions.

Effective Dates

Businesses preparing for compliance should note the following timelines:

  • Florida: Already in effect (July 1, 2024)
  • Tennessee: Already in effect (July 1, 2025)
  • Alabama: Takes effect May 1, 2027
  • Georgia: SB 111 substituted in House; watch the 2027 session for a successor measure

Practical Observations

For businesses operating across the Southeast, several themes emerge.

Florida remains a narrow concern for most companies. Its $1 billion revenue threshold means most businesses will not be subject to its controller obligations. That said, the FDBR is no longer untested. The AG’s office has begun pursuing enforcement actions, particularly around children’s data, and companies that do meet the thresholds should not assume the law will remain dormant.

For now, Tennessee is the most consequential statute in the Southeast for most mid-to-large businesses. The applicability thresholds are high, but the law is in force and the NIST safe harbor is a meaningful incentive to formalize a privacy program.

Alabama’s lower thresholds will capture more mid-sized businesses than Tennessee. The absence of a revenue floor combined with the 25,000-consumer threshold means companies that fall below Tennessee’s requirements may still need to comply in Alabama. The 500-employee exemption provides relief for smaller operations not engaged in data sales, though the 25% revenue-from-sales prong applies regardless of company size and could pull in even small data brokers.

Georgia has not yet enacted a comprehensive privacy law, but Georgia-based businesses should not mistake their home state’s silence for an absence of obligations. Georgia organizations with consumers in Tennessee, Alabama (once effective), or any of the other states with comprehensive privacy laws are subject to those statutes when applicable thresholds are met. Georgia’s own data breach notification statute remains in force, federal sectoral regimes (HIPAA, GLBA, FERPA, FCRA) continue to apply, and Georgia courts have been actively developing common law data protection standards. A Georgia statute also remains a real prospect for the 2027 session, and the structural features of any successor measure (Virginia-model thresholds, NIST safe harbor, DPA requirement) are likely to track what SB 111 proposed.

What Should Companies Do Now?

Assess your collection and processing activities. Businesses with collection and processing activities that meet applicable thresholds should assess their data practices now. With Alabama’s effective date in 2027 and Tennessee already in force, businesses should inventory their data collection, evaluate their processing purposes, and review their vendor contracts. Take a careful look at each state’s threshold numbers and remember that mobile applications and website forms can accumulate personal information for state residents quickly in a calendar year.

Consider creation (or enhancement) of a NIST-aligned privacy program. Beyond serving as an exceptional outline for enhanced compliance and data protection generally, such a program gives businesses subject to Tennessee a valuable opportunity for a potential affirmative defense, and any Georgia successor is likely to offer the same. These programs take time to scope and build. My recommendation is to begin engaging internal stakeholders and external legal and technical resources now rather than waiting on the legislative calendar.

Conduct data protection assessments. DPAs are required for controllers in Tennessee involved in targeted advertising, the sale of personal information, certain types of profiling, or the processing of sensitive data. Florida imposes similar requirements at its higher threshold. Even absent an Alabama or Georgia statutory requirement, the exercise necessarily involves a useful evaluation of all activities associated with the collection, processing, and sharing of personal information. As with building a NIST-aligned program, this takes time to accomplish, and it is best to get started on the groundwork now.

Georgia-based businesses, in particular, should resist the temptation to treat Georgia’s lack of a statute as the end of the inquiry. Most Georgia businesses of any meaningful size will hold personal information of residents of one or more states that do have comprehensive laws, and the most efficient compliance posture is to design a program that addresses the most demanding applicable standard rather than retrofit for each new state as it arrives.

There are still several discrete differences across the region, but companies with personnel or operations in the Southeast should take this opportunity to reassess their regional privacy compliance footprint and the regulatory requirements that apply to it.

  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    Carpe Datum Law
  • Organization:
    Seyfarth Shaw LLP