Louisiana Data Privacy Act (LDPA)

Louisiana has officially joined the growing list of states with comprehensive consumer data privacy legislation. On May 29, 2026, Governor Jeff Landry signed the Louisiana Data Privacy Act (LDPA), making Louisiana the 22nd U.S. state — and the third in 2026 after Oklahoma and Alabama — to enact such a law. The LDPA takes effect on January 1, 2027.

Complete Guide to the 22nd State Consumer Privacy Law and Compliance Requirements

This in-depth guide examines the key provisions of the LDPA, including applicability thresholds, consumer rights, business obligations, data protection assessments, exemptions, enforcement mechanisms, and practical compliance steps. Businesses operating in or serving Louisiana residents should begin preparation now to meet these new LDPA compliance requirements.

Overview of the Louisiana Data Privacy Act

The LDPA establishes a framework for the collection, processing, and protection of personal data by controllers and processors. It largely follows the Washington Privacy Act (WPA) model for core obligations while adopting California Consumer Privacy Act (CCPA)-style applicability thresholds. This hybrid approach creates both familiar elements and unique nuances for multi-state compliance programs.

The law aims to give Louisiana residents greater control over their personal data while imposing structured obligations on businesses. It emphasizes transparency, data minimization, security, and accountability through risk assessments.

Applicability and Thresholds

The LDPA applies to any person or entity that conducts business in Louisiana and meets at least one of the following thresholds during a calendar year:

| Threshold | Description |
| --- | --- |
| Revenue Threshold | Annual gross revenues exceeding $25 million. |
| Data Volume Threshold | Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices. |
| Sale of Data Threshold | Derives 50% or more of annual revenues from selling consumers’ personal information. |

These Louisiana data privacy thresholds closely mirror the CCPA, with a notable addition in the second prong (“receives for the business’s commercial purposes”). This can broaden applicability for certain data brokers or partners.

Note: The law applies to both controllers (entities determining the purpose and means of processing) and processors (entities processing data on behalf of controllers).

Key Definitions

Understanding core terms is essential for compliance:

  • Personal Data: Information linked or reasonably linkable to an identified or identifiable individual. Excludes deidentified data and publicly available information.
  • Sensitive Data: A subset requiring heightened protections (see table below).
  • Sale of Personal Data: Exchange for monetary or other valuable consideration.
  • Targeted Advertising: Advertising based on consumer data from activities across non-affiliated websites or online services.
  • Profiling: Automated processing to evaluate, analyze, or predict certain personal aspects with legal or similarly significant effects.

Sensitive Data Categories

| Category | Details |
| --- | --- |
| Racial or Ethnic Origin | Personal data revealing this information. |
| Religious Beliefs | Personal data revealing these beliefs. |
| Mental or Physical Health Diagnosis | Related personal data. |
| Sexuality | Personal data revealing sexuality. |
| Citizenship or Immigration Status | Related personal data. |
| Genetic Data | Data for uniquely identifying an individual. |
| Biometric Data | Data generated for uniquely identifying an individual (includes certain automated measurements; excludes ordinary photos/videos unless used for identification). |
| Personal Data of a Known Child | Data collected from a child under 13. |
| Precise Geolocation Data | Location within a 1,750-foot radius. |

Processing sensitive data generally requires affirmative consumer consent.

Consumer Rights Under the LDPA

Louisiana residents (consumers) have robust rights regarding their personal data. Controllers must respond to authenticated requests within 45 days (extendable by another 45 days with notice).

| Right | Description |
| --- | --- |
| Right to Confirm & Access | Confirm processing and access personal data. |
| Right to Correct | Correct inaccuracies. |
| Right to Delete | Delete personal data provided or obtained about the consumer. |
| Right to Data Portability | Obtain a copy in a portable, readily usable format (if technically feasible). |
| Right to Opt-Out | Opt out of: (1) targeted advertising, (2) sale of personal data, (3) profiling with legal or significant effects. |

Consumers may designate authorized agents (including via technology/global device settings) for opt-outs, subject to verification and certain limitations. Pseudonymous data may be exempt from some rights if properly safeguarded.

Business and Controller Obligations

Controllers must fulfill several key duties:

  • Transparency: Provide a clear, accessible privacy notice detailing categories of data processed, purposes, consumer rights, data sold/shared, and third parties involved. Specific notices required for sensitive data or sales (e.g., “NOTICE: We may sell your sensitive data”).
  • Data Minimization & Purpose Limitation: Collect and process only adequate, relevant, and reasonably necessary data. Obtain consent for incompatible secondary purposes or sensitive data processing.
  • Data Security: Implement reasonable administrative, technical, and physical safeguards appropriate to the data’s volume and nature.
  • Non-Retaliation / Non-Discrimination: Cannot discriminate against consumers exercising rights (with limited exceptions for bona fide loyalty programs or service necessities).
  • Processor Contracts: Binding agreements outlining instructions, assistance with rights and obligations, deletion/return of data, and audit rights.
  • Children’s Privacy: Comply with COPPA for known children; sensitive data from children requires appropriate handling.

Data Protection Assessments

Controllers must conduct and document data protection assessments for high-risk activities, including:

  • Processing for targeted advertising.
  • Sale of personal data.
  • Profiling presenting reasonably foreseeable risk of substantial injury.
  • Processing of sensitive data.

These assessments must be made available to the Attorney General upon request in certain circumstances. Assessments for pre-effective date processing continuing after January 1, 2027, are also required.

Exemptions

The LDPA includes broad entity-level and data-level exemptions, such as:

  • State agencies and political subdivisions.
  • Financial institutions and data subject to GLBA.
  • HIPAA-covered entities, business associates, and protected health information.
  • Nonprofits and institutions of higher education.
  • Data regulated by FCRA, DPPA, FERPA, and certain health records.
  • Employee/employment-related data in many contexts.

Additional exceptions apply to compliance with laws, public health/safety, research, and internal operations.

Enforcement and Penalties

The Louisiana Attorney General has exclusive enforcement authority. Violations constitute unfair trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law, but there is **no private right of action**.

A temporary 30-day cure period applies from January 1, 2027, through July 31, 2027. After this date, the Attorney General may pursue enforcement without mandatory cure. Penalties can be significant given the UDAP framework.

Louisiana vs Other State Privacy Laws

The LDPA shares similarities with other frameworks but has distinct features:

| Aspect | LDPA (Louisiana) | CCPA/CPRA (California) | Typical WPA States (e.g., Virginia, Colorado) |
| --- | --- | --- | --- |
| Applicability Thresholds | CCPA-style ($25M / 75k / 50% sale) | Same as LDPA | Often 100k consumers processed or 50% sale of 25k+ |
| Sensitive Data Consent | Affirmative consent required | Opt-in for sensitive data in many cases | Varies; often consent or heightened notice |
| Cure Period | 30 days (temporary through July 2027) | 30 days in some contexts | Varies by state |
| Private Right of Action | No | Yes (limited) | No |

This positions the LDPA as relatively business-friendly while aligning with national trends toward stronger consumer protections.

Practical Compliance Steps for Businesses

To prepare for the January 1, 2027 effective date:

  1. Determine Applicability: Assess whether your organization meets any thresholds for Louisiana-specific activities.
  2. Map Data Flows: Inventory personal and sensitive data collection, processing, sharing, and sale practices.
  3. Update Privacy Notices: Revise notices and consent mechanisms to meet LDPA transparency and sensitive data requirements.
  4. Implement Rights Processes: Build or update systems for handling consumer requests, authentication, and appeals within required timelines.
  5. Conduct Assessments: Develop templates and processes for data protection assessments on high-risk activities.
  6. Review Vendor Contracts: Update processor agreements to include necessary provisions.
  7. Train Teams: Educate compliance, legal, marketing, and product teams on new obligations.
  8. Monitor Updates: Track Attorney General guidance and potential amendments.

Captain Compliance Takeaway: The LDPA adds another layer to the U.S. state privacy patchwork. Organizations with robust existing programs (e.g., under CCPA or GDPR) will have a strong foundation but must address Louisiana-specific nuances, particularly thresholds, sensitive data consent, and the temporary cure period. Proactive gap assessments and policy updates will minimize compliance risks and demonstrate accountability.

Looking Ahead

As the 22nd state privacy law, the LDPA reinforces the importance of a comprehensive, multi-state privacy strategy. With an effective date of January 1, 2027, businesses have a limited window to align operations. Captain Compliance recommends conducting a targeted readiness assessment to integrate LDPA requirements efficiently into existing programs.