Louisiana Enacts Comprehensive Privacy Law

The Louisiana Data Privacy Act (“LDPA”) will become effective on January 1, 2027. With its enactment, Louisiana becomes the 23rd state to adopt a comprehensive data privacy law. While the LDPA follows the framework of many existing state privacy laws, it includes several distinctive features, including a seven-month cure period—signaling Louisiana’s intent to transition quickly to a stricter enforcement posture. Businesses should carefully evaluate their data practices and ensure compliance before the effective date.

Applicability and Scope

The LDPA applies to any person or entity doing business in Louisiana that satisfies one or more of the following thresholds:

  • has annual gross revenues in excess of $25 million;
  • annually buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices; or
  • derives 50 percent or more of its annual revenues from selling consumers' personal information.

Notably, the LDPA's applicability structure includes a $25 million gross revenue floor and a 50 percent revenue threshold—either of which may exempt a broader range of businesses than comparable laws in other states.

Like most other state privacy laws (except for the California Consumer Privacy Act), "consumer" does not include an individual acting in a commercial or employment context. The term is limited to Louisiana residents acting only in an individual or household context.

The LDPA provides entity-level exemptions, including exemptions for: (1) state agencies and political subdivisions of Louisiana; (2) financial institutions and their affiliates governed by Title V of the Gramm-Leach-Bliley Act (“GLBA”); (3) covered entities and business associates governed by HIPAA; (4) nonprofit organizations; and (5) institutions of higher education.

Data-level exemptions include: (1) protected health information under HIPAA; (2) data regulated under the Fair Credit Reporting Act; (3) data regulated under the GLBA; and (4) various other categories of federally regulated data.

Sale of Personal Data

Controllers that sell personal data to third parties must clearly and conspicuously disclose such processing, as well as the manner in which consumers may exercise their right to opt out. This disclosure obligation also applies to controllers that process personal data for targeted advertising.

Definition of Sale

The LDPA defines "sale of personal data" as the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

The following disclosures do not constitute a "sale" under the LDPA:

  • disclosure of personal data to a processor that processes the data on the controller's behalf;
  • disclosure to a third party for purposes of providing a product or service requested by the consumer;
  • disclosure or transfer to an affiliate of the controller;
  • disclosure of information that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience;
  • disclosure directed by a consumer or made when the consumer uses the controller to interact with a third party; and
  • disclosure or transfer as part of a merger, acquisition, or similar activity.

Special Notice Requirements

If a controller engages in the sale of sensitive personal data, it must post the following notice in the same manner as its privacy notice:

  • "NOTICE: We may sell your sensitive personal data."

If a controller engages in the sale of biometric personal data, it must post:

  • "NOTICE: We may sell your biometric personal data."

Restriction on Entities Qualifying Under Revenue Threshold

A person or entity that is subject to the LDPA solely under the 50-percent-revenue-from-sales threshold may not sell sensitive personal data without first obtaining the consumer’s consent.

Controller Requirements

The LDPA outlines several responsibilities for data controllers:

  • Data Minimization and Security:
    • Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer.
    • Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
  • Transparency Obligations:
    • Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes the categories of all personal data processed, the purpose for processing, a description of how consumers may exercise their rights, the categories of personal data sold to third parties, the categories of third parties to whom data is sold, and the methods by which consumers can submit requests.
  • Purpose Limitation: Controllers may only process personal data for a purpose that is reasonably necessary to or compatible with the disclosed purpose for which the personal data is processed, unless the controller obtains the consumer's consent.
  • Sensitive Data: “Sensitive data” includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data. Controllers may not process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of a known child, without processing that data in accordance with the rules, regulations, and exceptions of the Children's Online Privacy Protection Act of 1998.
  • Non-Discrimination: Controllers may not discriminate against a consumer for exercising any rights under the LDPA, including by denying goods or services, charging different prices or rates, or providing a different level of quality of goods or services.
  • Data Protection Assessments: The LDPA requires controllers to conduct and document data protection assessments prior to: processing personal data for targeted advertising; selling personal data; processing data for profiling where there is a reasonably foreseeable risk of harm (such as unfair or deceptive treatment, financial or physical injury, intrusion on seclusion, or other substantial injury to consumers); processing sensitive data; and engaging in any processing activities that present a heightened risk of harm to consumers. These assessments must be made available to the Attorney General upon a civil investigative demand and are confidential and exempt from public disclosure. Assessments are required for processing activities beginning January 1, 2027, and are not retroactive.

Consumer Rights

Louisiana consumers have the following rights under the LDPA:

  • Right to confirm whether a controller is processing the consumer's personal data and to access such data;
  • Right to correct inaccuracies in personal data;
  • Right to delete personal data;
  • Right to obtain a copy of personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; and
  • Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

The LDPA permits consumers to designate an authorized agent to submit opt-out requests on their behalf, but only for targeted advertising and sale of personal data (not profiling). The LDPA contemplates the use of opt-out preference signals, but does not expressly require controllers to recognize such signals.

The opt-out mechanism made available by controllers must not unfairly disadvantage another controller, may not use a default setting, and must require the consumer to make an affirmative, freely given, and unambiguous choice to opt out. Additionally, the mechanism must be consumer-friendly and easy to use by the average consumer.

Controllers must respond to consumer requests within 45 days, with the possibility of a 45-day extension when reasonably necessary. The controller must inform the consumer of any extension and the reason for it within the initial 45-day response period.

Enforcement

The Louisiana Attorney General has exclusive authority to enforce the LDPA. Because a violation of the LDPA constitutes an unfair and deceptive trade practice under Louisiana's Unfair Trade Practices and Consumer Protection Law, there is no private right of action.

From January 1, 2027, through July 31, 2027, the Attorney General must provide the controller with 30 calendar days' written notice before initiating an investigation. During this cure period, the Attorney General may not proceed if the controller: (1) cures the violation; (2) provides written confirmation; (3) submits supportive documentation; and (4) implements policy changes to prevent recurrence. After July 31, 2027, the Attorney General may bring enforcement actions without providing an opportunity to cure.

Koley Jessen is committed to staying informed about developments in state privacy law and will provide guidance as new information emerges. If you have questions about your business’s compliance obligations or the steps required to meet state privacy requirements, please contact a member of Koley Jessen’s Data Privacy and Security Practice Area for assistance.

*Special thanks to Summer Associate Yana Baravik for her contributions to this article.


This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
