Louisiana is moving toward its first comprehensive consumer privacy law with Senate Bill No. 386 (SB 386), which proposes to establish the Louisiana Data Privacy Act (LDPA). Once approved by the Governor, the law is expected to take effect on January 1, 2027. Like many modern U.S. state privacy laws, the LDPA follows an opt-out framework rather than requiring blanket prior consent for all personal data processing.
The Louisiana privacy law aims to give Louisiana residents greater control over their personal data while imposing clear responsibilities on businesses that collect, process, or use such information. This guide explains who it applies to, what consumer rights it creates, the compliance obligations for businesses, and how enforcement will work.
What is the Louisiana Data Privacy Act?
The Louisiana Data Privacy Act is a state consumer privacy law. It grants Louisiana consumers the right to access, correct, delete, and opt out of certain uses of their personal data, while requiring businesses (referred to as controllers) to implement meaningful data protections and transparency obligations.
The Louisiana privacy law is structurally similar to opt-out-based state privacy laws that have emerged across the United States since 2021. Unlike the California Consumer Privacy Act, the LDPA does not create a private right of action: enforcement rests exclusively with the Louisiana Attorney General.
Who does the Louisiana Data Privacy Act apply to?
The Louisiana data privacy law applies to any person or entity that conducts business in Louisiana and, during a calendar year, meets at least one of the following thresholds:
- Earns annual gross revenues exceeding $25 million
- Processes the personal data of 75,000 or more consumers, households, or devices
- Derives 50% or more of annual revenues from selling consumers’ personal information
One notable difference from many other state privacy laws is that the LDPA applies to businesses operating in Louisiana, rather than businesses that simply target Louisiana residents.
Who is exempt?
Certain entities are excluded from the LDPA’s scope entirely:
- State agencies and political subdivisions of Louisiana
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA covered entities and business associates
- Nonprofit organizations
- Institutions of higher education
- Electric public utilities under R.S. 45:121
- Political poll conductors under R.S. 14:325
Certain categories of data are also exempt, such as HIPAA-protected health information, patient-identifying substance abuse records, human subjects research data, and data used solely for employment and benefits administration purposes.
Louisiana Data Privacy Act: Key definitions
Personal data
Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual. This covers a broad range of identifiers, including names, email addresses, IP addresses, online identifiers, device identifiers, and location data.
Personal data does not include publicly available information or de-identified data, provided the controller takes reasonable measures to ensure the data cannot be re-associated with an individual.
Sensitive data
The Louisiana Data Privacy Act defines sensitive data as a sub-category of personal data requiring heightened protection. It includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexuality
- Citizenship or immigration status
- Genetic data
- Biometric data processed for the purpose of uniquely identifying an individual
- Personal data of a known child
- Precise geolocation data
Processing sensitive data requires affirmative opt-in consent from the consumer. For personal data belonging to known children, controllers must comply with the Children’s Online Privacy Protection Act (COPPA) as the applicable consent standard.
Consumer rights under the Louisiana Data Privacy Act
Louisiana residents have the following rights in relation to their personal data, exercisable by submitting a verified request to a controller. Controllers must respond within 45 days, with a 45-day extension available where reasonably necessary.
Right to access and confirm
Consumers may ask whether a controller is processing their personal data and, if so, request access to the specific personal data the controller holds about them.
Right to correction
Consumers may request that a controller correct inaccuracies in their personal data, taking into account the nature and purposes of the processing.
Right to deletion
Consumers may request that a controller delete personal data they have provided or that the controller has collected about them.
Right to data portability
Where technically feasible, consumers may request their personal data in a portable, readily usable format that allows them to transmit it to another controller without hindrance.
Right to opt out of sale and targeted advertising
Consumers may opt out of the processing of their personal data for:
- The sale of personal data to third parties
- Targeted advertising based on their personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects
Privacy notice requirements under the Louisiana Data Privacy Act
The Louisiana Data Privacy Act requires controllers to provide a privacy notice. The notice must include:
- The categories of personal data processed, including any sensitive data
- The purposes for processing personal data
- How consumers can exercise their rights under the LDPA
- How consumers can appeal a controller’s decision regarding a rights request
- The categories of personal data sold to third parties, if applicable
- The categories of third parties to whom personal data is sold, if applicable
- The methods consumers can use to submit rights requests
Consent requirements under the LDPA
The LDPA requires controllers to obtain consumer consent before processing sensitive data. For known children, controllers must process sensitive data in accordance with the Children’s Online Privacy Protection Act (COPPA).
The law defines consent as a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data.
Consent may include a written statement or another unambiguous affirmative action. However, the LDPA expressly states that consent does not include:
- Acceptance of broad or general terms of use containing unrelated information
- Hovering over, muting, pausing, or closing content
- Consent obtained through dark patterns
Business obligations under the Louisiana Data Privacy Act
Below are the key business obligations under the proposed Louisiana Data Privacy Act (LDPA).
Data minimisation
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.
Purpose limitation
Controllers may use personal data only for the purposes they originally told consumers about. If they want to use the data for a new or unrelated purpose, they must first get the consumer’s consent.
Implement data security
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These safeguards must be appropriate to the volume and nature of the personal data involved.
Provide clear opt-out mechanisms
Businesses that sell personal data or use personal data for targeted advertising must provide consumers with a clear way to opt out of those activities. Consumers must also be allowed to opt out of profiling activities that produce legal or similarly significant effects.
The LDPA further allows consumers to submit opt-out requests through authorized agents using technologies such as browser settings, browser extensions, website links, or global device settings. Businesses must comply with such requests where they can verify the consumer’s identity and the agent’s authority using commercially reasonable efforts.
However, unlike some other U.S. state privacy laws, like Colorado’s, the LDPA does not expressly mandate support for Global Privacy Control (GPC) signals by name.
Do not discriminate
Refrain from discriminating against consumers for exercising their rights under the Louisiana consumer privacy law. This includes denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services.
Obtain consent before processing sensitive data
Ensure that you obtain consumer consent before processing sensitive data. For known children, sensitive data must be processed in accordance with COPPA rules, regulations, and exceptions.
Maintain transparency
Publish a reasonably accessible and clear privacy notice. Also, if you sell personal data or process personal data for targeted advertising, you must clearly and conspicuously disclose those practices and explain how consumers can opt out.
If a controller sells sensitive personal data or biometric personal data, it must also post the required notice in the same manner as its privacy notice, stating either “NOTICE: We may sell your sensitive personal data” or “NOTICE: We may sell your biometric personal data,” as applicable.
Respond to consumer rights requests
Provide at least two secure and reliable methods for consumers to exercise their rights under the LDPA. Respond to consumer requests without undue delay and no later than 45 calendar days after receiving the request. This period may be extended once by an additional 45 days when reasonably necessary, provided the controller informs the consumer within the initial response period.
Responses must generally be provided free of charge up to twice annually per consumer, although a controller may charge a reasonable fee or decline to act if a request is manifestly unfounded, excessive, or repetitive.
Controllers must also establish a conspicuously available appeal process similar to the original request process and respond to appeals in writing within 60 calendar days. If an appeal is denied, the controller must provide the consumer with the Attorney General’s online complaint mechanism.
Data protection assessments
Conduct and document data protection impact assessments for processing activities involving targeted advertising, sale of personal data, profiling with significant effects on consumers, processing of sensitive data, and any other processing presenting heightened risk. These assessments are required for processing activities conducted from 1 January 2027 onward.
Data processing agreements
Formalize all data processing arrangements with processors through written contracts that specify:
- nature and purpose of processing
- type of data involved
- duration of processing
- rights and obligations of both parties
- confidentiality requirements
- data deletion or return procedures
- obligations to pass through requirements to any sub-processors.
Data breach notification
The LDPA does not establish a separate breach notification regime. Instead, it requires processors to assist controllers with data security obligations and breach notifications under Louisiana’s existing breach notification law (Database Security Breach Notification Law).
Businesses must therefore continue to comply with Louisiana’s general data breach notification requirements in the event of a security incident.
Penalties and enforcement
The Louisiana Attorney General has exclusive authority to enforce the LDPA. Violations are treated as unfair and deceptive trade practices under Louisiana law, and the LDPA does not provide a private right of action for consumers.
The LDPA itself does not specify a separate civil penalty amount. Instead, penalties would be imposed under the Louisiana Unfair Trade Practices and Consumer Protection Law.
From January 1, 2027 through July 31, 2027, businesses receive a mandatory 30-day cure period before the Attorney General may initiate an investigation. To avoid enforcement, the business must cure the violation, provide a written confirmation, submit supporting documentation, and update internal policies if necessary. After July 31, 2027, this mandatory cure period no longer applies.
Louisiana Data Privacy Act checklist
- Confirm whether your organization meets the revenue, data volume, or data-sale thresholds for LDPA coverage
- Map what personal data you collect, how it is used, where it is stored, and with whom it is shared
- Practice data minimization and purpose limitation
- Publish a privacy notice
- Post the required notice if selling sensitive or biometric personal data
- Enable users to opt out of targeted advertising, data sales, and profiling
- Implement mechanisms to manage consent and opt-out requests
- Provide at least two secure methods for submitting requests
- Honour consumer requests promptly
- Obtain affirmative opt-in consent for sensitive data
- Maintain data processing agreements
- Conduct data protection assessments
- Maintain reasonable administrative, technical, and physical security safeguards
Frequently asked questions
Louisiana is set to have its first comprehensive consumer privacy law through the Louisiana Data Privacy Act (LDPA). The law is expected to take effect on January 1, 2027, and will give Louisiana residents more control over how businesses collect and use their personal data.
Under the LDPA, consumers will have rights such as accessing, correcting, deleting, and opting out of certain uses of their personal information, while businesses will need to follow clear privacy and transparency requirements.
Upon the Governor’s approval, the LDPA takes effect on 1 January 2027. Data protection assessments are required for certain processing activities from that date onward; they are not retroactive.
Yes. During the transitional period from 1 January 2027 to 31 July 2027, the Attorney General must give controllers a 30-day written notice before opening an investigation. If the controller cures the violation and provides documentation within that window, the AG may not proceed. After 31 July 2027, this mandatory cure window no longer applies.

