Louisiana Enacts Nation’s Twenty-Second State Comprehensive Privacy Law

Louisiana Enacts Nation’s Twenty-Second State Comprehensive Privacy Law

Blog WilmerHale Privacy and Cybersecurity Law

On May 29, 2026, Louisiana Governor Jeff Landry signed the Louisiana Data Privacy Act (LDPA) into law, making Louisiana the twenty-second state to enact a comprehensive privacy law and the third to do so this year, following Oklahoma and Alabama. The LDPA takes effect January 1, 2027, giving covered businesses approximately seven months to prepare for compliance.

The LDPA applies to entities that conduct business in Louisiana and either (1) have an annual gross revenue exceeding $25 million; (2) annually buy, receive, sell or share the personal information of 75,000 or more consumers, households or devices; or (3) derive 50% or more of their annual revenue from selling consumers’ personal information. The law broadly defines “sale” to include exchanges of personal data for “monetary or other valuable consideration,” consistent with the Connecticut-style approach and broader than the monetary-only definitions seen in states like Oklahoma.

Consistent with other state comprehensive privacy laws, the LDPA includes standard entity-wide exemptions for entities covered by the Gramm-Leach-Bliley Act (GLBA), as well as for covered entities and business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA), and exempts personal data processed in a “commercial” or “employment” context. The LDPA also features business-friendly enforcement provisions: It does not contain a private right of action, does not establish rulemaking authority for the Louisiana Attorney General (AG) and provides a temporary 30-day cure period. Notably, however, the cure period sunsets after July 31, 2027. The LDPA specifies that the cure period applies before the AG may initiate an investigation—a departure from other state comprehensive privacy law provisions that establish a cure period “prior to initiating an action” (see, e.g., Tennessee and Virginia). Because of these provisions and others, companies that have taken steps to comply with comprehensive privacy law requirements in other states can likely adapt their compliance programs for Louisiana with some modifications.

In this post, we summarize notable provisions of the LDPA and highlight key takeaways for companies looking to understand how this law will affect their privacy compliance obligations. To stay up to date on the latest state privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

  • Broadly Defines Sale: The LDPA defines “sale” broadly to include the exchange of personal data for “monetary or other valuable consideration” by the controller to a third party. This approach is consistent with the Connecticut-style framework for privacy laws and is broader than the monetary-only definition seen in some states.
  • Exemptions: The LDPA exempts HIPAA-covered entities, business associates and protected health information (PHI) from its scope, as well as financial institutions subject to the GLBA. This is broader than the “information-level” exemption that exists under certain state laws. Additionally, the LDPA exempts commercial and employment information from its scope, which is consistent with most of the other state comprehensive privacy laws (excluding California).
  • Business-Friendly: The LDPA includes business-friendly enforcement provisions, as it does not contain a private right of action and does not establish rulemaking authority for any state entity. While the Act provides a temporary cure period with a sunset, the cure period applies before the AG may initiate an investigation, as opposed to an enforcement action, which means businesses have notice and the opportunity to cure at an earlier stage of the enforcement process.

KEY PROVISIONS

  • Key Definitions
    • Consumer: The LDPA defines “consumer” as Louisiana residents acting “only in an individual or household context.” The Act explicitly excludes individuals acting in a commercial or employment context.
    • Sale of personal data: The LDPA defines “sale” to include exchanges of personal data “for monetary or other valuable consideration.” The law excludes disclosures or transfers of personal data to affiliates, third-party service or product providers and processors that process personal data on behalf of the controller, as well as disclosures directed by the consumer or made when interacting with a third party.
    • Sensitive data: The LDPA defines “sensitive data” to include (a) “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status”; (b) “genetic or biometric data that is processed for the purpose of uniquely identifying an individual”; (c) “personal data collected from a known child” (where a controller has actual knowledge or willfully disregards that a child is under the age of 13); and (d) “precise geolocation data.”
  • Applicability Thresholds: The LDPA applies to entities that conduct business in Louisiana and either (1) have more than $25 million in annual gross revenue; (2) annually buy, receive for business commercial purposes, sell or share for commercial purposes the personal information of at least 75,000 consumers, households or devices; or (3) derive at least 50% of their annual revenue from selling consumers’ personal information.
  • Exemptions: The LDPA exempts various entities and information types, including state entities and state political subdivisions; institutions of higher education; financial institutions and data subject to the GLBA; electric public utilities as defined by state law; HIPAA-covered entities, business associates, PHI, and other health and medical research-related information; information governed by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act and the Farm Credit Act; persons registered as conductors of public opinion polls; nonprofit organizations; and certain employment-related information.
  • Entities that comply with the Children’s Online Privacy Protection Act’s verifiable parental consent requirements are deemed to comply with the LDPA’s parental consent requirements.
  • Consumer Data Rights: The LDPA creates a fairly standard set of data rights for consumers, including (1) the right to confirm whether a controller is processing the consumer’s personal data and access the personal data, (2) the right to correct inaccuracies in the consumer’s personal data, (3) the right to delete personal data, (4) the right to data portability, and (5) the right to opt-out of the processing of their personal data for purposes of targeted advertising, the sale of personal data or “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.”
  • Opt-In for Sensitive Data Processing: The LDPA prohibits controllers from processing sensitive data without obtaining consumers’ consent.
  • Privacy Notices: The LDPA requires controllers to provide consumers with a “reasonably accessible and clear privacy notice” that includes the categories of personal data processed, the purpose for processing, a process for consumers to exercise their rights (including how to appeal a decision), categories of personal data shared with third parties, categories of third parties with which data is shared and a description of the methods through which a consumer can submit requests. Controllers that sell sensitive or biometric data must also provide separate notices for those data types.
  • Data Processing Agreements for Processors: The LDPA imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Enforcement and Violations:
    • AG enforcement: The LDPA grants the AG exclusive enforcement authority.
    • No private right of action: Violations of the Act constitute unfair and deceptive trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law (LUTPA). Important to note, however, is that private rights of action under the LUTPA are expressly excluded from this Act. Instead, the AG may bring injunctive relief to restrain or enjoin the practice and/or may request that the court impose a civil penalty.
    • No rulemaking authority: The LDPA does not grant the state AG, or any other entity, rulemaking authority.
    • Temporary cure period: From January 1, 2027, through July 31, 2027, the LDPA requires that the AG provide entities with a 30-day cure period before initiating an investigation.
    • Civil penalties: The LDPA allows the AG to request that the court impose civil penalties of up to $5,000 for violations of the LUTPA.
  • Effective Date: The LDPA will take effect January 1, 2027.

Authors

Related Solutions

We help companies protect data, comply with evolving regulations, and respond to investigations and litigation.

More from this series

Explore the Full Series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link. (The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.

I Accept Cancel