On May 29, 2026, the Governor of Louisiana signed into law SB 386, the Louisiana Data Privacy Act (“LDPA”). Louisiana joins Alabama and Oklahoma as the third state to enact a comprehensive privacy law this year. The law will take effect on January 1, 2027.

The following lists key provisions in the LDPA:

  • Scope. The LDPA applies to a person or entity that does business in Louisiana and satisfies one of the following: (1) has annual gross revenues in excess of $25 million; (2) annually buys, receives, sells, or shares for the business’s commercial purposes the personal information of 75,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.
  • Exemptions. Like other state comprehensive privacy laws, the law exempts individuals acting in a commercial or employment context, and contains several entity- and data-level exemptions, including for financial institutions and data subject to the GLBA, covered entities and business associates and protected health information governed by HIPAA, nonprofits, institutions of higher education, and data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party when that data is used in the context of that role.
  • Consumer Rights. The LDPA grants consumers the rights of access, correction, deletion, and portability, and rights to opt out of targeted advertising, sale, or profiling in furtherance of solely automated significant decisions concerning the consumer, defined to include decisions that result in the provision or denial of certain services, including financial and lending services, employment opportunities, and education enrollment. The LDPA allows a consumer to designate an authorized agent using a technology, including a link to a website, an internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate their intent to opt out of the processing for targeted advertising, for sale of personal data, or both. Additionally, the law defines “sale” to include the “exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
  • Data Minimization and Purpose Limitation. The data minimization and purpose limitation requirements are similar to other privacy laws. A controller must limit data collection to what is “adequate, relevant, and reasonably necessary” for the purposes disclosed to the individual and must obtain consent to process personal data for purposes that are “neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed.”  
  • Transparency. Controllers must provide consumers with reasonably clear and accessible privacy notices that resemble notices required under other state privacy statutes, including by disclosing the categories of personal data processed, the purposes of processing that data, the categories of personal data shared with third parties, and the process by which consumers may exercise their consumer rights and appeal the controller’s decision. Unlike most other state comprehensive privacy laws, the law includes prescriptive disclosure requirements for the sale of sensitive data and biometric data. If a controller engages in the sale of sensitive data or biometric personal data, the controller must include the following notices in the same manner as the privacy notice, respectively: “NOTICE: We may sell your sensitive personal data” and “NOTICE: We may sell your biometric personal data.”
  • Sensitive Data. Controllers must obtain consent to process sensitive data. The scope of sensitive data generally follows other state privacy laws, and includes data such as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data that is processed for the purpose of uniquely identifying an individual, personal data collected from a known child under 13, and precise geolocation data.
  • Data Protection Assessments. Like many other state privacy laws, the LDPA requires controllers to conduct data protection assessments for certain processing activities involving personal data, including targeted advertising, processing sensitive data, certain profiling activities that present a reasonably foreseeable risk of substantial injury to consumers, and other processing activities involving personal data that present a heightened risk of harm to consumers. Data protection assessments are required for processing activities as of January 1, 2027, and are not retroactive.
  • Enforcement. The Louisiana Attorney General has authority to enforce the law as a violation of the Unfair Trade Practice and Consumer Protection Law, and the LDPA excludes any private right of action provided under the Unfair Trade Practice and Consumer Protection Law. The LDPA includes a 30-day cure period that sunsets on July 31, 2027.
Lindsey Tonsager

Lindsey Tonsager is a recognized leader in representing companies before federal and state regulators, and is renowned for advising on minor protection, AI, and state comprehensive privacy laws.

Lindsey chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and State Attorneys General on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence; data processing for robotics, autonomous vehicles, and other connected devices; biometrics; online advertising; the collection of personal information from children, teens, and students online; e-mail marketing; disclosures of video viewing information; and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Bryan Ramirez

Bryan Ramirez is an associate in the firm’s San Francisco office and is a member of the Data Privacy and Cybersecurity Practice Group. He advises clients on a range of regulatory and compliance issues, including compliance with state privacy laws. Bryan also maintains an active pro bono practice.