Privacy Becomes You, Bayou State: A Look at the Louisiana Data Privacy Act
Louisiana has become the 22nd U.S. state to enact a comprehensive consumer privacy law—and the third this year following Oklahoma and Alabama—after Governor Landry signed the Louisiana Data Privacy Act (LDPA) (SB 386) on May 29. Overall, this is a fairly standard state privacy law that follows the Washington Privacy Act framework apart from the law’s CCPA-style applicability thresholds. The law will go into effect on January 1, 2027. This blog post covers the LDPA’s scope, consumer rights, business obligations, and enforcement.
Scope
Applicability: Like other comprehensive privacy laws based on the Washington Privacy Act (WPA) framework, this law regulates controllers’ and processors’ collection and use of personal data.
Departing from the common WPA framework, this law’s applicability thresholds are modeled on those under the California Consumer Privacy Act (CCPA). The LDPA only applies to a person or entity doing business in Louisiana that either—
- Has annual gross revenues exceeding $25 million;
- Annually buys, “receives for the business’s commercial purposes,” sells, or shares for commercial purposes the “personal information” of at least 75,000 consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ “personal information.”
Not only do these thresholds reflect those under the CCPA, they also use the undefined term “personal information” (which is used in the CCPA) rather than the defined term “personal data” used throughout the LDPA. One unique aspect of these applicability thresholds is that prong (2) adds the criterion “receives for the business’s commercial purposes,” which is not present in the CCPA’s text, although that law defines “commercial purpose” and uses the term in other contexts. (§ 1780.2(A).)
The LDPA includes broad entity- and data-level exemptions, including for—
- State agencies or political subdivisions;
- Financial institutions, affiliates, or data subject to the GLBA;
- Covered entities, business associates, and protected health information governed by HIPAA;
- Health records;
- Information included in a limited data set maintained as required under 45 C.F.R. 164.514(e);
- Nonprofits, including political organizations;
- Institutions of higher education;
- Information collected, used, or disclosed by a consumer reporting agency or furnisher to the extent regulated by and authorized under FCRA;
- Personal data collected, processed, sold, or disclosed in compliance with the DPPA;
- Personal data regulated under FERPA; and more. (§ 1780.2(B)-(C).)
Key Definitions: Personal data is defined consistently with other state laws as information that is linked or reasonably linkable to an identified or identifiable individual, and it does not include deidentified data or publicly available information. Sensitive data includes: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed for uniquely identifying an individual; personal data collected from a known child (under 13); and precise geolocation data (within a radius of 1,750 feet). This definition is narrower than in many of the newer state laws, which often include other categories such as consumer health data, neural data, or status as a victim of a crime. (§ 1780.1.)
This law includes many of the key definitions associated with the Connecticut model of state laws. For example: the definition of “biometric data” includes data generated from a photograph or video or audio recording if generated to identify a specific individual; “dark patterns” are defined and prohibited for obtaining consent; and “sale” is defined broadly to include exchanges of personal data for “other valuable consideration” apart from monetary consideration. (§ 1780.1.)
Consumer Rights
Consumers will have the standard rights to: confirm whether their personal data is being processed; access their personal data; correct inaccuracies in their personal data; have their personal data deleted; obtain a copy of their personal data in a portable format (if available in a digital format); and opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. Like the laws in Tennessee and Alabama, these consumer rights (including the opt-out right) do not apply to pseudonymous data if the controller is able to demonstrate that information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls that prevent the controller from accessing the information. (§§ 1780.3(A), 1780.4(O).)
Controllers must respond to consumer rights requests within 45 days, which can be extended an additional 45 days if necessary so long as the consumer is informed of the extension and the reason. If a controller declines to act on a consumer request, then it must inform the consumer of the decision, the justification, and how to appeal the decision. A controller is not required to comply with a rights request that it cannot authenticate, and that authentication requirement extends to consumer opt-outs as well. Some states, like Connecticut, provide that a controller does not need to authenticate an opt-out request but may deny an opt-out request if it has a good faith, reasonable and documented belief that the request is fraudulent. (§ 1780.3(B).)
In another departure from the Connecticut-style suite of state laws, the LDPA does not appear to require a controller to provide consumers with a mechanism to revoke previously given consent.
What about Agents and OOPS? A consumer will be able to designate another person to serve as the consumer’s authorized agent to opt out of the processing of the consumer’s personal data for targeted advertising or the sale of personal data. Although the law does not reference opt-out preference signals (OOPS) or universal opt-out mechanisms (UOOM), it does provide that a consumer can “designate an authorized agent using a technology, including . . . a global setting on an electronic device,” that allows the consumer to indicate the consumer’s intent to opt out of the processing for targeted advertising, for sale of personal data, or both. Additionally, a “technology” described in the subsection may not “unfairly disadvantage another controller” or make use of a default setting (instead requiring “an affirmative, freely given, and unambiguous choice” by the consumer), and must be consumer-friendly and easy to use. These are the common requirements for an OOPS under the state comprehensive privacy laws.
The use of a technologically designated authorized agent by a consumer could be limited due to several exceptions under the law. A controller is not required to comply with an opt-out request from an authorized agent if: the authorized agent does not communicate the request in a clear and unambiguous manner; the controller cannot verify (with reasonable effort) that the consumer is a resident of Louisiana; the controller does not possess the ability to process the request; or the controller “does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.” (§ 1780.3(E)(5)-(6).)
Business Obligations
Consistent with most of the state privacy laws, controllers and processors are subject to an enumerated list of duties under the law—including transparency, data minimization, data security, non-retaliation, oversight of processors, data protection assessments, and children-specific protections—as well as a list of broad exceptions.
Transparency: Controllers must provide consumers with a “reasonably accessible and clear privacy notice” including information such as categories of personal data processed, processing purposes, how consumers can exercise their data rights, categories of personal data sold to third parties, and categories of third parties to whom data is sold. If the controller sells personal data, processes personal data for targeted advertising, sells sensitive data, or sells biometric data, there are additional notices that must be provided in the privacy notice (e.g., “NOTICE: We may sell your sensitive data”). (§ 1780.4(B).)
Data Minimization: The LDPA includes common procedural data minimization and purpose limitation restrictions. A controller must—
- “[L]imit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer”;
- Obtain the consumer’s consent to “process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer”; and
- Obtain the consumer’s consent to process the consumer’s sensitive data. (§ 1780.4(A).)
Data Security: A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the data. (§ 1780.4(A)(1)(b).)
Anti-discrimination and Non-retaliation: Controllers cannot process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Controllers also may not deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods or services to the consumer as retaliation for a consumer exercising any of their rights under the LDPA, subject to exceptions (e.g., if the data is necessary to provide a service or processed in connection with a bona fide loyalty program). (§ 1780.4(A).)
Processors: Processors must adhere to the instructions of a controller and assist the controller in complying with the controller’s duties or requirements under the law. Whether a person is acting as a controller or processor is a fact-based determination depending on context, but a processor remains a processor if they are adhering to a controller’s instructions with respect to a specific processing activity. There must be a valid contract in place between the controller and processor that meets statutory criteria (e.g., clear instructions for processing, deleting or returning personal data after the service is concluded). (§ 1780.4(D).)
Children’s Privacy: Consistent with most other state comprehensive privacy laws, the LDPA includes protections for children’s personal data and provisions that address COPPA compliance. “Sensitive data” includes personal data collected from a known child, and a controller must process the sensitive data of a known child in accordance with COPPA. Parents are able to exercise consumer rights on behalf of a child whose personal data is processed. Controllers and processors that comply with the verifiable parental consent requirements of COPPA are deemed to be in compliance with any requirement to obtain parental consent under the LDPA. In contrast to many of the newer state comprehensive privacy laws, the LDPA does not include opt-in rights for teenagers with respect to targeted advertising or the sale of personal data. (§§ 1780.1, 1780.2(E), 1780.3(A) & 1780.4(A).)
Data Protection Assessments: Controllers must conduct and document a data protection assessment for processing activities that present a heightened risk of harm to consumers, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling that presents a reasonably foreseeable risk of substantial injury to consumers, and processing sensitive data. A controller must make a data protection assessment available to the Louisiana attorney general if requested in a civil investigative demand (although that requirement includes a cross-reference to a non-existent subsection of the law). (§ 1780.4(E).)
Exceptions: This bill includes a number of common exceptions, providing that nothing in the law shall be construed to limit a controller’s or processor’s ability to: comply with state, federal, or local laws or regulations; comply with regulatory inquiries or investigations; provide a specifically requested product or service; engage in public or peer-reviewed research in the public interest adhering to relevant safeguards; cooperate with law enforcement agencies; use data internally for conducting research, effectuating a product recall, identifying and repairing technical errors, or performing internal operations reasonably aligned with consumers’ expectations; and more. (§ 1780.4(G)-(I).)
Miscellaneous: This law includes one unique provision related to the sale of sensitive data. Section 1780.4(P) provides that “[a] person or entity described by R.S. 51:1780.2(A)(3) may not engage in the sale of personal data that is sensitive without receiving prior consent from the consumer,” and violation of that requirement subjects a person to a penalty under the law. The cross-reference is to the applicability threshold for a person or entity that does business in the state and that derives fifty percent or more of its annual revenues from selling consumers’ “personal information.” This is an ambiguous requirement. An entity meeting that threshold would already be under the requirement to obtain consent prior to processing sensitive data, which includes selling data, so it is not clear that this is an added responsibility, unless it is meant to apply more broadly. But there is no other language in the requirement suggesting that it would apply notwithstanding the law’s broad entity-level exemptions.
Enforcement
The Louisiana Attorney General will enforce the LDPA and violations will constitute unfair and deceptive trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law. Notably, the private rights of action under the unfair trade practices law do not extend to violations of the LDPA. For the first six months of enforcement (January 1, 2027 to July 31, 2027), the attorney general must give persons notice of alleged violations and at least 30 days to cure those violations prior to initiating an investigation.
The attorney general is required to post online information regarding controllers’ and processors’ responsibilities and consumer rights under the law, and money received from enforcement actions will go towards funding the attorney general’s consumer protection efforts or promoting consumer protection and education.
* * *
Looking to get up to speed on the existing state comprehensive consumer privacy laws? Check out FPF’s 2025 report, Anatomy of a State Comprehensive Privacy Law: Charting the Legislative Landscape.

Pictured: Louisiana receiving its star on the FPF “Privacy Patchwork” quilt.