Press "Enter" to skip to content
Louisiana Data Privacy Act

Louisiana Becomes 22nd State to Enact a Comprehensive Consumer Data Privacy Law

Published June 16, 2026 by Eric Rosenkoetter

Louisiana Data Privacy ActLouisiana Gov. Jeff Landry recently signed into law Senate Bill 386, making Louisiana the 22nd state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island, Oklahoma and Alabama. The Louisiana Data Privacy Act will go into effect Jan. 1, 2027.

APPLICABILITY

The Act applies to a person or entity that does business in the state and that satisfies one or more of the following thresholds:

  1. Has annual gross revenues in excess of twenty-five million dollars;
  2. Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of seventy-five thousand or more consumers, households, or devices;
  3. Derives fifty percent or more of its annual revenues from selling consumers’ personal information.

 EXEMPTIONS

Exemptions include, in part:

  1. A financial institution and its affiliates or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and the rules and implementing regulations promulgated thereunder;
  2. A nonprofit organization;
  3. An institution of higher education;
  4. Protected health information under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq.;
  5. A covered entity or business associate as defined in the HIPAA privacy regulations;
  6. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act.

CONSUMER RIGHTS

Consumers have the right to:

  1. Confirm whether a controller is processing the consumer’s personal data and accessing the personal data;
  2. Correct inaccuracies in the consumer’s personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller;
  5. Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

SENSITIVE DATA

A controller may not process sensitive data without obtaining the consumer’s consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the rules, regulations, and the exceptions of the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq.

“Sensitive data” is personal data that includes any of the following:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
  2. Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  3. Personal data collected from a known child;
  4. Precise geolocation data.

CONTRACT REQUIREMENTS

A contract between a controller and a processor must govern the processor’s data processing obligations and include:

  1. Clear instructions for processing data;
  2. The nature and purpose of processing;
  3. The type of data subject to processing;
  4. The duration of processing;
  5. The rights and obligations of both parties;
  6. Ensure that each processor of personal data is subject to a duty of confidentiality with respect to the personal data;
  7. A requirement that the processor shall:
    1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
    2. At the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
    3. Make available to the controller, on reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of the law;
    4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and
    5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

ENFORCEMENT

The Attorney General has exclusive authority to enforce the Act and, from Jan. 1 to July 31, 2027, must provide 30 days to cure any violation.

IMPRESSION

The Act is sensible legislation that balances the rights of consumers with the impact on businesses.  The Act follows the pattern of many post-California comprehensive data privacy laws and should not present overly burdensome compliance challenges for those that must comply with one or more of the other comprehensive consumer data privacy laws.

Photo: travelview/stock.adobe.com

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Published in Data Privacy and Security

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.