Louisiana to Join US States with Comprehensive Privacy Legislation
25 May 2026
On 21 May 2026, Senate Bill 386, introducing the Louisiana Data Privacy Act, was sent to the Governor for signature following unanimous House passage and Senate concurrence with House amendments.
Upon the Governor’s signature, the act will take effect on 1 January 2027, making Louisiana the 22nd US state to enact comprehensive data privacy legislation, further reflecting the continued expansion of the US state privacy law landscape (see, for example, our recent updates on similar developments in Alabama and Oklahoma earlier this year).
Scope of Application and Exemptions
The act applies to controllers that conduct business in Louisiana and satisfy one or more of the following thresholds:
- Have annual gross revenues exceeding USD 25 million;
- Annually buy, receive, sell or share for commercial purposes the personal data of 75,000 or more Louisianian consumers, households or devices; or
- Derive 50% or more of annual revenues from the sale of consumers’ personal data.
Notably, unlike many other US state privacy laws, the act does not expressly refer to entities targeting Louisiana residents, and instead applies only to entities that conduct business in Louisiana and satisfy the relevant thresholds. As a result, the extent to which the act applies to certain out-of-state entities may require further analysis.
The act excludes from its scope certain entities and categories of data already subject to sector-specific regulation. Exempt entities include, for example, state agencies, financial institutions and their affiliates or data subject to the Gramm-Leach-Bliley Act, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”), nonprofit organizations and institutions of higher education. In addition, the act exempts certain categories of regulated data, including protected health information under HIPAA and other data regulated under federal laws such as the Fair Credit Reporting Act and the Family Educational Rights and Privacy Act.
Controller Obligations
Consistent with other US state privacy laws, the act imposes several obligations on controllers, including:
- Implementing and maintaining reasonable administrative, technical and physical safeguards to protect the confidentiality, integrity and accessibility of personal data;
- Adhering to data minimization principles, limiting the collection of personal data to what is reasonably necessary for the disclosed purposes;
- Providing a clear and accessible privacy notice to consumers;
- Where sensitive personal data or biometric data is sold, providing a conspicuous notice (in the same manner as the privacy notice) including statements such as “NOTICE: We may sell your sensitive personal data/biometric personal data” (as applicable);
- Obtaining consumer consent prior to processing sensitive personal data (such as data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, sexual orientation, genetic or biometric data and precise geolocation data, among others);
- Ensuring that all processing by third-party processors is governed by a binding contract that includes the obligations set forth in the act;
- Conducting and documenting data protection assessments for higher-risk processing activities (such as targeted advertising or the sale of personal data); and
- Refraining from discriminating against consumers who exercise their rights under the act.
Controllers must also provide consumers with means to opt out of targeted advertising, the sale of personal data and certain profiling activities, including through a link on the controller’s website or an online mechanism for submitting opt-out requests (a requirement conceptually similar to that found in California’s privacy framework). Consumers may designate an authorized agent to opt out on their behalf, including through technologies such as a browser setting, extension or global device setting indicating the consumer’s intent to opt out.
Consumer Rights
The act grants consumers a range of rights with respect to their personal data, including:
- The right to confirm whether a controller is processing their personal data and to access such data;
- The right to correct inaccuracies in personal data;
- The right to delete personal data provided by or obtained about the consumer;
- The right to obtain a copy of personal data in a portable and readily usable format; and
- The right to opt out of the processing of personal data for targeted advertising, the sale of personal data and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers must respond to consumer requests within 45 days of receipt (with a possible extension of an additional 45 days where reasonably necessary). The act also requires controllers to establish an appeal mechanism for consumers whose requests are denied.
Enforcement
The act grants enforcement authority to the Louisiana Attorney General, classifies violations as unfair or deceptive trade practices under the state’s consumer protection framework, and does not provide a private right of action. Unlike certain other US state privacy laws, the act does not expressly prescribe civil penalties per violation, although penalties may apply under the state’s general consumer protection regime.
During an initial transitional period (from 1 January 2027 to 31 July 2027), the Attorney General must provide 30 days’ prior written notice identifying the alleged violations before initiating an investigation. No enforcement action may be initiated during this period if the violation is cured within the 30-day period, supported by written confirmation, relevant documentation and measures to prevent recurrence. After 31 July 2027, this cure opportunity will no longer be available.
Companies operating in the US consumer market should assess their exposure to this additional data protection regime in Louisiana and evaluate any resulting compliance obligations in advance of the act’s entry into force on 1 January 2027. Please feel free to contact us if you have any questions regarding the act and its practical implications.


