With the Governor of Louisiana’s signature on Senate Bill 386, Louisiana becomes one of the latest states to enact a comprehensive consumer privacy law, joining more than twenty states that have adopted similar frameworks in recent years. Like laws in Texas, Virginia, Colorado, and other states, the Louisiana Data Privacy Act (LDPA) adopts a controller/processor framework, grants consumers rights over their personal data, and authorizes enforcement by the state attorney general rather than private litigants. The Act takes effect January 1, 2027.

To whom does the law apply?

The law applies to a person or entity that does business in the state and meets at least one of these thresholds:

  • Annual gross revenues over $25 million
  • Annually buys, receives, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices.
  • Derives 50 % or more annual revenues from selling consumers’ personal information.

Notably, Louisiana’s applicability thresholds differ from many recent state privacy laws that focus primarily on the volume of consumer data processed. Instead, the LDPA incorporates revenue-based thresholds similar to those found in California’s privacy framework, applying to businesses with annual gross revenues exceeding $25 million regardless of the amount of personal data processed.

The law does not apply to various categories, including state agencies, certain financial institutions, and GLBA-regulated data, HIPAA-covered entities and business associates, nonprofits, and institutions of higher education.

Who is protected by the law?

The law protects consumers, defined as Louisiana residents acting only in an individual or household context. The law expressly excludes individuals acting in a commercial or employment context.

What data is protected by the law?

The law protects personal data, which is information that is linked or reasonably linkable to an identified or identifiable individual. It excludes deidentified data or publicly available information.

Under the law, “sensitive data” is protected and includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data used to uniquely identify an individual, personal data collected from a known child, and precise geolocation data. Businesses should pay particular attention to the law’s treatment of sensitive data. Like many recently enacted state privacy laws, Louisiana generally requires consumer consent before processing sensitive data.

What rights do consumers have?

Under the law, consumers may require a controller to do the following:

  • Confirm whether the controller is processing the consumer’s personal data and access that data;
  • Correct inaccuracies;
  • Delete personal data;
  • Provide a portable and, where technically feasible, readily usable copy of personal data previously provided by the consumer; and
  • Allow the consumer to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of solely automated significant decisions. 

Controllers generally must respond within 45 calendar days, with one additional 45-day extension when reasonably necessary to such requests.

What obligations do controllers have?

Under the law, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose and must maintain reasonable administrative, technical, and physical security practices appropriate to the data.

Controllers must provide a reasonably accessible and clear privacy notice describing categories of personal data processed, processing purposes, how consumers may exercise rights and appeal decisions, categories of personal data sold, categories of third parties to whom data is sold, and request submission methods.

If a controller sells sensitive data or biometric data, it must have a specific notice to that effect.

A contract between a controller and a processor must address the processor’s data processing procedures with respect to processing performed on behalf of the controller. Similar to other state privacy laws, the LDPA requires such contracts to include certain provisions, such as:

  • clear instructions for processing data;
  • the type of data subject to processing;
  • the duration of processing; and
  • a requirement that the processor make available to the controller, on reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of the LDPA.

Controllers must also conduct and document data protection assessments for targeted advertising, the sale of personal data, certain risky profiling, the processing of sensitive data, and other activities. Controllers that already maintain privacy impact assessments under other state laws may be able to leverage existing compliance processes.

How is the law enforced?

The state attorney general may enforce the law. And violations shall constitute an unfair and deceptive trade practice pursuant to the Unfair Trade Practices and Consumer Protection law, excluding private rights of action. Note, however, that the LDPA provides a 30-day cure period that sunsets on July 31, 2027, providing organizations with a limited opportunity to address alleged violations during the law’s early implementation period.

Although the LDPA largely follows the increasingly familiar state privacy law framework, businesses should not assume existing compliance programs automatically satisfy Louisiana’s requirements. Organizations with multi-state privacy compliance programs should review their privacy notices, consumer rights request procedures, consent mechanisms for sensitive data, and data protection assessment processes before the law takes effect on January 1, 2027.

If you have questions about Louisiana’s new privacy law or related issues, please reach out to a member of our Privacy, AI, and Cybersecurity practice group to discuss.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Photo of Damon W. Silver Damon W. Silver

Damon W. Silver is a principal in the New York City, New York, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, AI & Cybersecurity practice group. He is a Certified Information Privacy Professional (CIPP/US).

Damon helps clients across various industries—with…

Damon W. Silver is a principal in the New York City, New York, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, AI & Cybersecurity practice group. He is a Certified Information Privacy Professional (CIPP/US).

Damon helps clients across various industries—with a focus on financial services, healthcare, and education—handle their data safely. He works with them to pragmatically navigate the challenges they face from cyberattacks, technological developments including AI, a fast-evolving data privacy and security legal compliance landscape, and an active and innovative plaintiffs’ bar.

Damon recognizes that needs vary from one client to the next. Large, mature organizations, for instance, may need assistance managing multi-jurisdictional and multi-faceted compliance obligations. Others may be in a stage of development where their greatest need is to triage what must be done now and what can more safely be left for later. Damon takes the time to understand each client’s circumstances and priorities and then works with it to develop tailored approaches to effectively managing risk without unnecessarily hindering business operations.