ARTICLE
22 June 2026

Cajun Compliance: Louisiana Spices Up The State Privacy Law Landscape

Sheppard, Mullin, Richter & Hampton LLP

Contributor


Louisiana has joined the ranks of states with comprehensive privacy laws, with the Louisiana Data Privacy Act (LDPA) going into effect January 1, 2027. Like other such laws, it will apply to any person or entity that does business in Louisiana and meets specific thresholds.

To be subject to the law, one or more of the following thresholds must be met: (1) annual gross revenues over $25 million; (2) annually buying, receiving, selling, or sharing the personal information of 75,000 or more consumers, households, or devices; or (3) deriving 50% or more of annual revenue from selling consumers’ personal information. Like other states, the law provides many exemptions, including for financial institutions covered by the GLBA, those covered by HIPAA, nonprofits, and institutions of higher education.

The law contains requirements that should sound familiar:

  • Privacy notice. Covered companies will need to provide a clear privacy notice that includes the categories of personal data the business processes, why the business collects it, how consumers can exercise their rights, and, if applicable, the categories of data the business sells and the third parties to whom the business sells it. Selling sensitive data will require a separate notice stating: “NOTICE: We may sell your sensitive personal data.” This is also a requirement in Florida and Texas.
  • Data minimization. Companies will need to collect only personal data that meets the purposes they have disclosed to consumers and is adequate, relevant, and reasonably necessary for those purposes.
  • Consent for sensitive data. Businesses will need to get consent before processing sensitive data, which includes information about race, ethnicity, religion, health, sexuality, citizenship, biometrics, precise geolocation, and data from known children under 13.
  • Data protection assessments. Companies will need to conduct and document assessments for processing activities that pose heightened risks, including targeted advertising, selling personal data, risky profiling, and processing sensitive data.
  • Processor contracts. Companies will need to have written contracts with any vendors who process personal data on their behalf, covering clear processing instructions, the nature and purpose of the processing, and requirements to return or delete data when the vendor completes the services.
  • Consumer rights. Individuals will have rights like confirming whether a business is processing their personal data and accessing that data/getting a portable copy; correcting inaccuracies; and having data deleted. Responses need to be provided within 45 days with one 45-day extension. Consumers also have the right to opt out of targeted advertising, the sale of personal data, and certain profiling activities. Consumers can also designate an authorized agent, including through a browser setting or device-level signal, to opt out on their behalf.
  • Data security. Companies will need to maintain reasonable administrative, technical, and physical security practices appropriate to the volume and nature of the data.

The Louisiana Attorney General has exclusive enforcement authority; there is no private right of action. Violations constitute unfair and deceptive trade practices under Louisiana law, but the private rights of action available under that law will not extend to LDPA violations. There will be a right to cure for the first seven months (January 1, 2027, through July 31, 2027).

Putting It into Practice. If your business operates in Louisiana and meets any of the three thresholds, now is the time to work Louisiana into your privacy program and processes. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
