The Louisiana Data Privacy Act (LDPA): What to Know About Data Privacy Compliance on the Delta

Written by Matt Davis, CIPM (IAPP) | June 15, 2026

Louisianans know how to let the good times roll–and nothing stops a good time dead in its tracks faster than a lack of privacy.

With Governor Jeff Landry’s signature, the Louisiana Data Privacy Act (LDPA) marks the 22nd state privacy law in the union. Starting January 1, 2027, businesses serving Louisianans will need to honor privacy rights and meet key obligations.

The LDPA follows a similar structure to the Texas Data Privacy and Security Act (TDPSA), while borrowing its applicability structure directly from California's CCPA. That combination gives the law a distinctive compliance footprint: familiar consumer rights and controller obligations for anyone who has already navigated the multi-state privacy landscape, but applicability thresholds that may catch businesses off guard.

Data privacy compliance may not be everyone’s idea of a bon temps, but it’s nevertheless essential for businesses serving residents of the Bayou State. Let’s dive in.

Does the LDPA Apply to Your Business?

You're subject to the Louisiana Data Privacy Act if you do business in Louisiana and meet one or more of the following:

  1. Have annual gross revenues in excess of $25 million
  2. Annually buy, receive for commercial purposes, sell, or share for commercial purposes the personal data of 75,000 or more consumers, households, or devices
  3. Derive 50% or more of annual revenue from selling consumers' personal data

This three-part structure is one of the LDPA's most significant departures from other Virginia- and Texas-model state privacy laws, nearly all of which use a two-part threshold. Louisiana has instead borrowed the CCPA's three-part framework. As a result, the standalone $25 million gross revenue threshold means large businesses may be covered by the LDPA regardless of how few Louisiana consumers' data they process.

B2B companies may want to watch the LDPA closely as a result; although these companies won’t process as much personal data as, say, a consumer packaged goods company, they may still trigger applicability due to their revenue. As always, it's worth consulting your legal counsel when assessing applicability under a new law.

The 75,000-consumer volume threshold is also worth noting. Most Virginia-model laws set the primary consumer volume threshold at 100,000. Louisiana's lower threshold brings more mid-market businesses into scope.

What Counts as a "Sale" of Personal Data?

The LDPA defines "sale" as the exchange of personal data for monetary or other valuable consideration.

This is the broader formulation used by California, Colorado, Connecticut, and Texas—and broader than Virginia's VCDPA, which limits "sale" to exchanges for monetary consideration only. Compliance teams that have mapped their data-sharing arrangements for Virginia or Oklahoma should revisit those maps for Louisiana to account for the broader definition.

Who Is Exempt?

The LDPA includes the following entity-level exemptions:

  • State agencies and political subdivisions
  • Financial institutions and data regulated by GLBA
  • HIPAA-covered entities and business associates
  • Nonprofit organizations
  • Institutions of higher education
  • Electric public utilities
  • Registered public opinion poll conductors (this exemption is unique to Louisiana and appears in no other state privacy law)

The law also includes standard data-level exemptions covering HIPAA-protected health information, health records, clinical trial data, public health data, FCRA-regulated consumer report data, Driver's Privacy Protection Act data, FERPA data, Farm Credit Act data, employment and contractor data, emergency contact data, and benefits administration data.

Consumer Rights Under the LDPA

The LDPA grants Louisiana residents five core rights.

Right to Access: Consumers can confirm whether a controller is processing their personal data and request a copy.

Right to Correct: Consumers can request correction of inaccuracies in their personal data.

Right to Delete: Consumers can request deletion of personal data provided by or obtained about them. For data obtained from a source other than the consumer directly, controllers have two compliant paths: retain a suppression record (i.e., the minimum data necessary to ensure the business does not process that consumer’s data again), or opt the consumer out of further processing.

Right to Portability: If data is available in a digital format, consumers can request a portable, readily usable copy of personal data they previously provided to the controller, in a format that allows transmission to another controller.

Right to Opt Out: Consumers can opt out of the processing of their personal data for:

  • Targeted advertising
  • The sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect—defined to include decisions affecting financial services, housing, insurance, healthcare, education, employment, criminal justice, or access to basic necessities

The LDPA also clarifies that businesses are not required to disclose trade secrets when fulfilling any requests to exercise these rights.

Additionally, businesses are only required to act on requests that can be authenticated. That means businesses ought to use reasonable means to verify that the person making the rights request is the person the data is about (except for authorized agent requests–more on those later). This also applies to opt-out requests, which is a departure from privacy laws in states like Connecticut and California–in those jurisdictions, it’s explicitly not compliant to verify consumers’ identities before acting on opt-out requests.

It seems like this feature of the LDPA still allows businesses to process unverified opt-out requests; it just gives them more flexibility. The opt-out verification standard in the LDPA will likely require clarification from the Louisiana Attorney General.

Authorized Agent Requests

Under data privacy laws, authorized agents are designated by an individual to make requests on their behalf.

A controller must honor an authorized agent's opt-out request if it can verify, with commercially reasonable effort, the consumer's identity and the agent's authority. A controller is not required to comply if the agent fails to communicate the request clearly, the controller cannot verify the consumer is a Louisiana resident, the controller lacks the ability to process the request, or the controller does not process similar opt-out requests for compliance with similar laws of other states.

One of the more unique features of the LDPA is that it folds provisions around universal opt-out mechanisms (or opt-out preference signals) into its section on authorized agent requests, rather than in a distinct section like most other US privacy laws.

Universal Opt-Out Mechanisms

The LDPA requires controllers to recognize universal opt-out mechanisms, though this requirement is unusually framed through the law's authorized agent provisions.

Consumers may designate an authorized agent using a technology, including a link to a website, an internet browser setting or extension, or a global setting on an electronic device, to indicate their intent to opt out of targeted advertising or the sale of personal data. This encompasses what other laws call "universal opt-out mechanisms" or "opt-out preference signals"—including signals like the Global Privacy Control.

Because the LDPA treats universal opt-out signals as authorized agent requests, some of the law’s specific language around authorized agent requests kicks in. In the statute, the law states that businesses don’t need to honor authorized agent requests if they do not “possess the ability to process the request” and/or if they do not “process similar or identical requests [...] for the purposes of complying with similar or identical laws or regulations of another state,” among other exceptions.

It seems like this means businesses don’t need to honor opt-out preference signals if they don’t have the technical ability to accept them or if they don’t already do so for compliance with other state laws. Based on the statute’s text, a business could only be dinged for not honoring opt-out preference signals if they have multi-state compliance obligations and have a misconfigured tool for accepting such signals–which begs the question, why include this requirement at all?

The law also specifies that any opt-out preference signal ought not be a default setting–instead, it requires an affirmative, freely given consumer choice to activate. The no-default-setting requirement means a browser extension that is enabled by default would not automatically qualify—the consumer must have affirmatively chosen to activate it. That means signals from certain privacy-forward browsers like Brave, which enables opt-out by default, aren’t valid under the LDPA.

Given that consumers often choose such browsers for their default privacy settings, it’s a fairly tortured treatment of universal opt-out signals. Expect more guidance from the Louisiana Attorney General on how opt-outs ought to be handled under the law.

Response Timelines and Procedures

Controllers must respond to consumer requests within 45 days of receipt. This period can be extended by an additional 45 days when reasonably necessary, provided the controller notifies the consumer within the initial window and explains the reason.

If a controller declines a request, it must notify the consumer within 45 days with a justification and instructions for appealing. Information must be provided free of charge, up to twice annually per consumer. Fees may apply for requests that are manifestly unfounded, excessive, or repetitive, with the controller bearing the burden of demonstrating that characterization.

The Appeal Process

Controllers must establish a conspicuous appeal process, similar in accessibility to the consumer rights request process itself. Controllers must respond to appeals within 60 days in writing, with an explanation of their decision.

If an appeal is denied, the controller must direct the consumer to the Louisiana Attorney General's online complaint mechanism. Thus, denying consumers’ appeals is something of a risky process, and businesses should keep ample documentation justifying their decision.

Controller Obligations

Data Minimization and Security

Like the vast majority of state privacy laws, the LDPA requires controllers to limit data collection to what is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers. Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the data they process.

Prohibited Practices

The LDPA prohibits controllers from:

  • Processing personal data for purposes incompatible with the disclosed purpose without consumer consent
  • Processing sensitive data without obtaining the consumer's affirmative consent (or, for known children, without complying with COPPA's parental consent requirements)
  • Processing personal data in violation of state or federal anti-discrimination laws
  • Discriminating against consumers for exercising their rights—for example, by denying goods or services, charging different prices, or providing a different level of quality

Controllers may, however, offer different prices or service levels as part of a bona fide loyalty, rewards, premium features, discount, or club card program in which a consumer voluntarily participates.

What Counts as Sensitive Data?

The LDPA's sensitive data definition tracks closely with most peer laws:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify an individual
  • Personal data collected from a known child
  • Precise geolocation data (within a radius of 1,750 feet)

Unlike Texas's law, the LDPA's definition of personal data does not include pseudonymous data used in conjunction with additional information that reasonably links it to an identified individual. For controllers whose data practices involve pseudonymization, this distinction may affect the scope of the LDPA's opt-out requirements relative to Texas's—legal teams should assess this carefully.

Privacy Notice Requirements

Controllers must provide a reasonably accessible and clear privacy notice that includes the categories of personal data processed (including sensitive data, if applicable), the purpose for processing, how consumers can exercise their rights including the appeal process, the categories of personal data sold to third parties (if any), the categories of those third parties (if any), and the methods through which consumers can submit rights requests.

The LDPA also includes two Louisiana-specific notice requirements that go beyond what any other Virginia-model state privacy law currently mandates:

  • If a controller engages in the sale of sensitive personal data, it must post the following notice: "NOTICE: We may sell your sensitive personal data."
  • If a controller engages in the sale of biometric personal data, it must post the following notice: "NOTICE: We may sell your biometric personal data."

These notices must be posted in the same manner as the law's general privacy notice. Controllers whose privacy centers or websites currently address sensitive or biometric data sales only through general policy language will need to implement these explicit, prescribed disclosures.

The LDPA also includes a provision requiring that persons or entities that derive 50% or more of annual revenue from selling personal data obtain prior consumer consent before selling sensitive data. This requirement is effectively redundant with the law's general requirement to obtain consent for processing sensitive data—both lead to the same outcome for data brokers—but it is present in the statute text and worth noting. Effectively, it demonstrates that data brokers should pay special attention to securing consent when processing sensitive data.

No Additional Children's Privacy Rights Above Age 13

The LDPA does not contain any heightened privacy protections for teenagers between 13 and 17. Protections for children under 13 are addressed through the law's COPPA compliance provisions, but there is no analog to the teen data protections found in California, Connecticut, or Colorado.

Data Protection Assessments

The LDPA requires controllers to conduct and document data protection assessments for certain high-risk processing activities—placing it with Virginia, Colorado, Connecticut, and Oklahoma, and in contrast to Alabama's APDPA, which does not require them.

Assessments are required before:

  • Processing personal data for targeted advertising
  • Selling personal data
  • Processing for profiling where there is a reasonably foreseeable risk of unfair treatment, financial harm, privacy intrusion, or other substantial injury to consumers
  • Processing sensitive data
  • Any other processing presenting a heightened risk of harm to consumers

Data protection assessments are confidential and not subject to public inspection. The Louisiana Attorney General may request them via civil investigative demand, and sharing an assessment with the AG does not waive attorney-client privilege. A single assessment may cover a comparable set of similar processing operations, and assessments conducted for other laws—such as GDPR Data Protection Impact Assessments—may satisfy the LDPA's requirements if they have a reasonably comparable scope.

Assessments are required for processing activities that commence on or after January 1, 2027 and are not retroactive.

Processor Obligations and Contracts

Processors must adhere to controller instructions and assist with fulfilling consumer rights requests and data security obligations.

Controller-processor contracts must be written and binding, and must clearly set forth: instructions for processing data; the nature and purpose of processing; the type of data subject to processing; the duration of processing; and the rights and obligations of both parties.

Contracts must also require processors to:

  • Ensure that each person processing personal data is subject to a duty of confidentiality
  • Delete or return all personal data to the controller at the controller's direction after the provision of services is completed, unless retention is required by law
  • Make compliance information available to the controller upon reasonable request
  • Allow and cooperate with assessments by the controller or a designated assessor
  • Flow obligations down to subcontractors via written contract

As an alternative to controller-administered audits, a processor may arrange for a qualified, independent assessor to conduct a framework-based assessment of its policies and technical and organizational measures. The processor must provide the resulting report to the controller on request.

Enforcement

The Louisiana Attorney General has exclusive authority to enforce the LDPA. Violations constitute unfair and deceptive trade practices under Louisiana's Unfair Trade Practices and Consumer Protection Law (UTPCL)—which means the LDPA does not create its own standalone civil penalty framework, but instead routes through existing enforcement infrastructure.

Private rights of action available under the UTPCL are explicitly excluded for LDPA violations.

Because the LDPA routes through the UTPCL and excludes the UTPCL’s private right of action provisions, LDPA violations amount to $5,000 each with the possibility of up to an additional $5,000 if the violation is committed against an elder person or a person with a disability. (See R.S. 51:1407)

The Cure Period and Its Sunset

The LDPA includes a cure period, but it is temporary.

From January 1, 2027 through July 31, 2027, the AG must provide 30 days' written notice identifying the alleged violation before initiating an investigation. During that window, a controller can avoid investigation by: curing the violation within 30 days; providing written confirmation of the cure; submitting supporting documentation; and making any necessary internal policy changes to prevent recurrence.

Don’t make the mistake of assuming compliance can be put off until your organization receives a cure notice–plenty of enforcement actions in the US have come about because the violator couldn’t or wouldn’t cure their violation during the cure period. Cure periods are designed for plugging gaps, not building a privacy program from scratch.

After July 31, 2027, the cure period sunsets entirely.

How the LDPA Compares to Other State Privacy Laws

For organizations already managing multi-state compliance, the following comparison may be useful.

| Feature | Louisiana LDPA | Virginia CDPA | Texas DPSA | California CCPA |
|---|---|---|---|---|
| Applicability threshold | $25M revenue OR 75K consumers/households/devices OR 50% revenue from data sales | 100K consumers OR 25K + 50% revenue from data sales | No volume threshold; SBA small-business exemption | $25M revenue OR 100K+ consumers OR 50% revenue from data sales |
| "Sale" definition | Monetary + other valuable consideration | Monetary consideration only | Monetary + other valuable consideration | Monetary + other valuable consideration |
| Sensitive data consent | Affirmative opt-in | Affirmative opt-in | Affirmative opt-in | Opt-out (most categories); opt-in for consumers under 16 |
| Data protection assessments | Required | Required | Required | Required (CPPA rulemaking) |
| Universal opt-out / GPC | Yes—via authorized agent framework | No | Yes | Yes |
| Standalone sensitive/biometric data sale notice | Yes | No | Yes (same prescribed language) | No—"Do Not Sell or Share" link required |
| Appeal process required | Yes (60 days) | Yes | Yes | No |
| Cure period | 30 days (Jan 1–Jul 31, 2027 only; sunsets) | 30 days (permanent) | 30 days (permanent) | Expired |
| Enforcement structure | UTPCL + AG exclusive | AG exclusive | AG exclusive | AG + CPPA dual enforcement |
| Private right of action | No (explicitly excluded) | No | No | Limited (data breaches only) |

The LDPA's closest peer is Texas—both use a broad "sale" definition, both require universal opt-out mechanisms, and both mandate prescribed notices for sensitive and biometric data sales. Louisiana's most significant departures from the Texas model are its California-style three-part applicability threshold, its sunsetting cure period, and its routing through the UTPCL rather than a standalone penalty framework. For organizations already compliant with the Texas DPSA, the heaviest compliance lift for Louisiana will be addressing applicability under the revenue threshold and implementing the opt-out authorized agent workflow.

Steps to Prepare for LDPA Compliance

With the January 1, 2027 effective date on the horizon, here is where to focus.

Check your applicability—especially if you're a large business. The $25 million gross revenue threshold may cover your organization regardless of how many Louisiana consumers' data you process. Run all three thresholds against your business before assuming you're out of scope.

Update your data map. Identify personal and sensitive data collected from Louisiana residents. Keep in mind that the LDPA defines “sales” of data as including transfers for other valuable considerations–not just for monetary compensation.

Plan for data protection assessments. Prioritize targeted advertising, data sales, and sensitive data processing. Existing GDPR DPIAs or assessments conducted for other state laws may satisfy the requirement if they have comparable scope—review them before conducting new ones from scratch.

Review and update your privacy notice. Confirm your notice covers all required disclosures. Pay particular attention to the LDPA's standalone notice requirements: if you sell sensitive personal data or biometric personal data, you need separate posted notices using the law's prescribed language. Standard privacy policy language will not satisfy this requirement.

Build your consumer request workflow. You'll need at least two secure methods for submitting rights requests; your team must be able to respond within 45 days; and you'll need a 60-day appeal process.

Implement consent, authorized agent, and universal opt-out handling. You'll need a workflow for receiving opt-out requests submitted via your website banner and/or subject rights portal, transmitted via browser settings, extensions, or device-level signals, verifying consumer identity and agent authority, and processing or properly declining those requests.

Audit your processor agreements. Verify your DPAs include all required elements. This is a great exercise for mapping your data flows as well.

Plan around the cure period sunset. The 30-day cure window is available only from January 1 through July 31, 2027, and it will not protect you from enforcement on violations that are too deep or too systemic to cure within 30 days. Don't build your compliance program around the assumption that you'll receive a warning first.

Train your team. Ensure that privacy, legal, and customer-facing staff understand the new rights framework, the 45-day response window, the 60-day appeal obligation, and the enforcement timeline.

Where to Find More Guidance

Louisiana's passage of the LDPA continues a pattern that is by now well established: comprehensive consumer data privacy protection has become a genuinely national standard, extending into every region of the country. For organizations with existing multi-state compliance programs, the LDPA's consumer rights framework and core controller obligations will be familiar.

However, its California-style applicability threshold may catch some businesses off guard. Additionally, the complexity of its treatment of opt-outs, consumer identity verification, universal opt-out mechanisms, and more means that AG guidance will be important to track to understand how to comply.

If you want to keep up to date with the latest in data privacy laws, including new state privacy laws, regulator guidance, and resources to support compliance, sign up for the Privacy Insider newsletter.