With the Governor of Louisiana’s signature on Senate Bill 386, Louisiana becomes one of the latest states to enact a comprehensive consumer privacy law, joining more than twenty states that have adopted similar frameworks in recent years. Like laws in Texas, Virginia, Colorado, and other states, the Louisiana Data Privacy Act (LDPA) adopts a controller/processor framework, grants consumers rights over their personal data, and authorizes enforcement by the state attorney general rather than private litigants. The Act takes effect January 1, 2027.
To whom does the law apply?
The law applies to a person or entity that does business in the state and meets at least one of these thresholds:
- Annual gross revenues over $25 million
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
Notably, Louisiana’s applicability thresholds differ from many recent state privacy laws that focus primarily on the volume of consumer data processed. Instead, the LDPA incorporates revenue-based thresholds similar to those found in California’s privacy framework, applying to businesses with annual gross revenues exceeding $25 million regardless of the amount of personal data processed.
The law does not apply to various categories, including state agencies, certain financial institutions and GLBA-regulated data, HIPAA-covered entities and business associates, nonprofits, and institutions of higher education.
Who is protected by the law?
The law protects consumers, defined as Louisiana residents acting only in an individual or household context. The law expressly excludes individuals acting in a commercial or employment context.
Under the law, a child’s parent or legal guardian may exercise the child’s consumer rights on the child’s behalf.
What data is protected by the law?
The law protects personal data, which is information that is linked or reasonably linkable to an identified or identifiable individual. It excludes deidentified data or publicly available information.
Under the law, “sensitive data” is protected and includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data used to uniquely identify an individual, personal data collected from a known child, and precise geolocation data. Businesses should pay particular attention to the law’s treatment of sensitive data. Like many recently enacted state privacy laws, Louisiana generally requires consumer consent before processing sensitive data.
What rights do consumers have?
Under the law, consumers may require a controller to do the following:
- Confirm whether the controller is processing the consumer’s personal data and access that data;
- Correct inaccuracies;
- Delete personal data;
- Provide a portable and, where technically feasible, readily usable copy of personal data previously provided by the consumer; and
- Allow the consumer to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of solely automated significant decisions.
Controllers generally must respond to such requests within 45 calendar days, with one additional 45-day extension when reasonably necessary.
What obligations do controllers have?
Under the law, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose and must maintain reasonable administrative, technical, and physical security practices appropriate to the data.
Controllers must provide a reasonably accessible and clear privacy notice describing categories of personal data processed, processing purposes, how consumers may exercise rights and appeal decisions, categories of personal data sold, categories of third parties to whom data is sold, and request submission methods.
If a controller sells sensitive data or biometric data, it must have a specific notice to that effect.
A contract between a controller and a processor must address the processor’s data processing procedures with respect to processing performed on behalf of the controller. Similar to other state privacy laws, the LDPA requires such contracts to include certain provisions, such as:
- clear instructions for processing data;
- the type of data subject to processing;
- the duration of processing; and
- a requirement that the processor make available to the controller, on reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of the LDPA.
Controllers must also conduct and document data protection assessments for targeted advertising, the sale of personal data, certain risky profiling, the processing of sensitive data, and other activities. Controllers that already maintain privacy impact assessments under other state laws may be able to leverage existing compliance processes.
How is the law enforced?
The state attorney general may enforce the law, and violations shall constitute an unfair and deceptive trade practice pursuant to the Unfair Trade Practices and Consumer Protection Law, excluding private rights of action. Note, however, that the LDPA provides a 30-day cure period that sunsets on July 31, 2027, providing organizations with a limited opportunity to address alleged violations during the law’s early implementation period.
Although the LDPA largely follows the increasingly familiar state privacy law framework, businesses should not assume existing compliance programs automatically satisfy Louisiana’s requirements. Organizations with multi-state privacy compliance programs should review their privacy notices, consumer rights request procedures, consent mechanisms for sensitive data, and data protection assessment processes before the law takes effect on January 1, 2027.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.