Key Takeaways

  • The Louisiana Data Privacy Act (LDPA) takes effect on January 1, 2027, and applies to businesses meeting specific thresholds for annual gross revenue, consumer data volume, or revenue derived from selling personal data. Louisiana is among a small group of states that restrict the use of sensitive data without consent.
  • The LDPA grants consumers rights to access, correct, delete, and port their personal data, as well as the right to opt out of targeted advertising and data sales. Controllers must honor universal opt-out signals, placing Louisiana alongside Colorado and California in requiring recognition of browser-based privacy mechanisms.
  • Enforcement rests exclusively with the Louisiana Attorney General, with no private right of action. A 30-day cure period applies during the first seven months, but sunsets on July 31, 2027, after which the Attorney General may pursue violations without prior notice.

Louisiana has joined the rapidly growing number of states with comprehensive consumer data privacy legislation. Senate Bill 386, the Louisiana Data Privacy Act (LDPA), was enacted during the 2026 Regular Session, signed by Governor Jeff Landry on May 29, and will take effect on January 1, 2027. The LDPA imposes obligations upon businesses that control or process personal data and grants consumers certain rights over the personal data they provide.

Though the LDPA largely mirrors other states’ data privacy laws, Louisiana is among a handful of states that limit use of sensitive information without consent and require risk assessments and reasonable security measures, a provision mostly absent in other state privacy laws.

Who Must Comply with the LDPA? 

The LDPA applies to any person or entity that does business in Louisiana and satisfies one or more of the following thresholds:

  1. Has annual gross revenues in excess of $25 million.
  2. Annually buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices.
  3. Derives 50% or more of its annual revenue from selling consumers’ personal data.

The LDPA impacts both “controllers” and “processors” of “personal data.” A “controller” is a person who, alone or jointly with others, determines the purpose and means of processing personal data. A “processor” is a person who processes personal data on behalf of a controller.

What Entities and Data Types Are Exempt from the LDPA?

The LDPA provides several entity-level exemptions, including:

  • State agencies or political subdivisions of Louisiana.
  • Financial institutions and their affiliates or data subject to Title V of the Gramm-Leach-Bliley Act (GLBA).
  • Covered entities or business associates governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Nonprofit organizations.
  • Institutions of higher education.
  • Electric public utilities.
  • Persons registered as conductors of public opinion polls.

The LDPA also adopts standard data-level exemptions, including protected health information under HIPAA, health records, patient-identifying information, data regulated by the Fair Credit Reporting Act (FCRA), data regulated by the Family Educational Rights and Privacy Act (FERPA), and data collected under the Driver’s Privacy Protection Act or the Farm Credit Act. The LDPA also exempts employee or contractor data processed within an employment context.

How Does the LDPA Regulate Sensitive Data and Consent Requirements?

The LDPA requires controllers to obtain a consumer’s consent before processing sensitive data. “Sensitive data” includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status.
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual.
  • Personal data collected from a known child (defined as a consumer younger than 13 years of age).
  • Precise geolocation data.

If the consumer is a known child, the controller must process such data in accordance with the Children’s Online Privacy Protection Act of 1998 (COPPA). Controllers complying with COPPA’s verifiable parental consent requirements are deemed in compliance with the LDPA’s parental consent requirements.

When Are Data Protection Assessments Required Under the LDPA?

The LDPA requires controllers to conduct and document a data protection assessment for the following processing activities:

  • Processing personal data for targeted advertising.
  • The sale of personal data.
  • Processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or reputational injury, intrusion upon seclusion or other substantial injury to consumers.
  • Processing sensitive data.
  • Any processing activities involving personal data that present a heightened risk of harm to consumers.

Each assessment must balance the potential benefits of the processing activity to the controller, consumers, and the public against the risks to consumer rights, taking into account safeguards that may mitigate those risks, de-identification measures, consumer expectations and the nature of the controller-consumer relationship.

These requirements apply only to processing activities that commence on or after January 1, 2027, and do not apply retroactively. Assessments conducted to comply with other applicable laws may satisfy the LDPA’s requirements if they are reasonably comparable in scope and effect. Data protection assessments are confidential and exempt from public disclosure but must be provided to the Attorney General on demand, though this does not waive attorney-client privilege or work product protection.

What Consumer Rights Does the LDPA Grant?

The LDPA grants consumers a robust set of rights with respect to their personal data in line with rights under other states’ laws. Under the LDPA, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data and access that data.
  • Correct inaccuracies in the consumer’s personal data.
  • Delete personal data provided by or obtained about the consumer.
  • Obtain a copy of the consumer’s personal data in a portable and readily usable format.
  • Opt out of the processing of personal data for targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.

Parents and legal guardians may exercise these rights on behalf of a known child.

Notably, consumers may designate an authorized agent to opt out of the processing of personal data for targeted advertising or sale on their behalf, including by using technology such as browser settings, extensions or global opt-out signals. This requirement to honor universal opt-out mechanisms places Louisiana alongside states such as Colorado and California and distinguishes it from more business-friendly states that do not require controllers to recognize such signals.

Controllers must respond to consumer requests within 45 days, with a single 45-day extension permitted if reasonably necessary. Consumers may submit requests up to twice annually free of charge. If a controller declines to act on a request, it must inform the consumer within 45 days and provide instructions on how to appeal.

The LDPA requires controllers to maintain an appeal process for consumers whose requests are denied, with a response deadline of 60 days. If the appeal is denied, the controller must direct the consumer to the Attorney General’s online complaint mechanism.

What Are Controller Obligations and Privacy Notice Requirements Under the LDPA?

The LDPA imposes a range of obligations on controllers. Controllers must practice data minimization, limiting the collection of personal data to what is adequate, relevant and reasonably necessary for the disclosed purposes of processing.

The LDPA also requires controllers to maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue. Processing personal data for purposes that are neither reasonably necessary nor compatible with the disclosed processing purposes is prohibited unless the controller first obtains the consumer’s consent.

Controllers under the LDPA must provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed, including any sensitive data.
  • The purpose(s) for processing personal data.
  • A description of how consumers may exercise their rights, including the appeal process.
  • If applicable, the categories of personal data sold to third parties and the categories of those third parties.
  • A description of the methods through which consumers can submit requests.

If a controller sells sensitive personal data, it must post the following notice: “NOTICE: We may sell your sensitive personal data.” If the controller sells biometric data specifically, it must post: “NOTICE: We may sell your biometric personal data.” Both notices must appear alongside the controller’s privacy notice. Controllers that sell personal data or process it for targeted advertising must clearly and conspicuously disclose that activity and the manner in which a consumer may opt out.

What Does the LDPA Require of Data Processors and Their Contracts?

Processors must adhere to the instructions of controllers and assist controllers in meeting their duties under the LDPA, including by using appropriate technical and organizational measures to help respond to consumer rights requests, maintaining security of processing, and providing information necessary for data protection assessments.

The LDPA requires that all processing by a processor be governed by a written contract that includes:

  • Clear instructions for processing data.
  • The nature and purpose of processing.
  • The type of data subject to processing.
  • The duration of processing.
  • The rights and obligations of both parties.
  • Requirements for confidentiality, data return or deletion, cooperation with assessments, and subcontractor flow-down obligations.

How Is the LDPA Enforced? 

The LDPA does not include a private right of action, and the Louisiana Attorney General holds exclusive enforcement authority under the LDPA. While a violation of the LDPA constitutes an unfair and deceptive trade practice under Louisiana’s Unfair Trade Practices and Consumer Protection Law, this does not appear to provide a path for private claims.

In addition, for the first seven months that the LDPA is in effect, prior to initiating any investigation, the Attorney General must provide 30 days’ written notice to the controller or processor, identifying the specific provisions alleged to have been violated. If the controller or processor cures the violation within that 30-day window, provides a written statement confirming the cure along with supportive documentation and makes changes to internal policies to prevent further violations, the Attorney General may not initiate an investigation.

Importantly, the LDPA’s cure period sunsets on July 31, 2027. After that date, the Attorney General may enforce violations without first offering an opportunity to cure, making early and thorough compliance critical.

Key Compliance Dates: LDPA Effective Date and Cure Period Sunset

  • January 1, 2027: The LDPA takes effect. Data protection assessment requirements apply to processing activities commencing on or after this date.
  • July 31, 2027: The 30-day right-to-cure period sunsets.

Our team will continue to monitor the LDPA. If you have any questions about the LDPA or other states’ privacy laws and how they could affect your business, please contact the authors.

