Louisiana Joins the State Privacy Law Party
Louisiana became the 22nd state to adopt a comprehensive consumer privacy law by enacting SB 386, the Louisiana Data Privacy Act (the LDPA), codified at La. R.S. 51:1780.1–1780.5 and effective January 1, 2027. The LDPA, signed by Governor Jeff Landry on May 29, in many respects follows the increasingly common state privacy law model represented by the Virginia Consumer Data Protection Act and other laws derived from the unsuccessful Washington Privacy Act: it provides consumers with access, correction, deletion, and portability rights; establishes controller duties and processor contract requirements; imposes a sensitive-data consent rule; and mandates data protection assessments. But it also departs from the standard model in several important ways. For example, Louisiana incorporates California-style applicability thresholds based on revenue, includes some distinctive entity exemptions, requires special sale notices for sensitive and biometric data, and provides only a temporary cure process rather than a permanent one. These varying terms make the LDPA worthy of close attention even for companies with mature multistate privacy programs.
Application Thresholds
The LDPA applies only to a person or entity that does business in Louisiana and satisfies one or more of the following:
- has annual gross revenues exceeding $25 million;
- annually buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices; or
- derives 50% or more of annual revenues from selling consumers' personal information.
This structure, which combines a revenue threshold with consumer-data-volume and data-sale thresholds, is more consistent with the California Consumer Privacy Act (CCPA) than with most other general state privacy acts.
The LDPA defines "consumer" as a Louisiana resident acting only in an individual or household context and expressly excludes individuals acting in a commercial or employment context. This is consistent with all other general state privacy laws to date other than the CCPA, which remains an outlier.
Exemptions
Like other comprehensive consumer privacy statutes, the LDPA contains both entity-level and data-level exemptions.
At the entity level, the law exempts: state agencies and political subdivisions, financial institutions and affiliates governed by the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates, nonprofit organizations, institutions of higher education, electric public utilities, and (uniquely among states) persons or entities registered with the secretary of state as conductors of public opinion polls.
The nonprofit entity exemption is broader than it may appear at first glance because the LDPA defines "nonprofit organization" to include not only traditional charities but also certain 501(c)(6), 501(c)(12), 501(c)(19), 501(c)(4), and political organizations.
The LDPA's data-level exemptions are extensive and include, among other things:
- Protected health information (PHI) under HIPAA, including health records, certain substance-use-disorder patient identifying information, and specified human subjects research data; Healthcare Quality Improvement Act (HCQIA) materials; patient safety work product; HIPAA-deidentified data; certain intermingled HIPAA-regulated information; limited deidentified HIPAA data sets; and public health activities information.
- Data regulated by the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act; employment-related data; and emergency-contact/benefits data used in those contexts.
The statute also excludes purely personal or household activity.
Processor Contracts
Also like other comprehensive state privacy laws, the LDPA establishes a controller-processor paradigm. A processor must adhere to the controller's instructions and assist the controller in responding to consumer-rights requests, meeting its security obligations, fulfilling breach-notification duties, and providing the information needed for data protection assessments.
A controller-processor contract must include clear processing instructions, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract also must require the processor to: (i) impose confidentiality obligations on persons processing the data; (ii) delete or return personal data at the controller's direction after services are completed unless retention is required by law; (iii) make information available to demonstrate compliance; (iv) allow and cooperate with reasonable assessments by the controller or its designated assessor; and (v) flow down equivalent requirements to subcontractors through written contracts.
The LDPA also expressly allows a processor, as an alternative, to arrange for a qualified independent assessor to evaluate the processor's policies and controls under an accepted framework and provide that assessment to the controller on request.
Data Minimization and Related Controller Duties
The LDPA imposes a familiar data minimization duty: Controllers must limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for processing. Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes unless the controller obtains the consumer's consent. In doing so, Louisiana declined to follow the more restrictive minimization requirements of Maryland, which limits the collection of personal data to what is "reasonably necessary and proportionate" to "provide or maintain a specific product or service requested by the consumer" regardless of the consumer's consent. Maryland's law also prohibits the processing of sensitive data unless it is "strictly necessary" to provide or maintain a product or service that the consumer has requested.
The statute also requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical safeguards appropriate to the volume and nature of the personal data collected. In addition, controllers may not process personal data in violation of state or federal anti-discrimination laws and may not discriminate against a consumer for exercising statutory rights, subject to the law's express allowance for differences tied to opt-out choices or bona fide loyalty/rewards programs.
For sensitive data, the LDPA requires opt-in consent. A controller may not collect or process a consumer's sensitive data without the consumer's consent, and the controller must process sensitive data of a known child only in accordance with the Children's Online Privacy Protection Act.
Consumer Rights
The LDPA grants consumers the standard rights to confirm whether a controller is processing their personal data and access that data; correct inaccuracies; delete personal data provided by or obtained about the consumer; obtain a portable copy of data previously provided by the consumer, if available digitally; and opt out of processing for targeted advertising, the sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects. Parents or legal guardians may exercise rights for a known child.
Controllers generally must respond to consumer requests within 45 days, with a single 45-day extension, where reasonably necessary, and must provide responses free of charge up to twice annually per consumer. If a controller declines to act, it must explain the basis for refusal and provide appeal instructions. Controllers may require authentication and, if they cannot authenticate using commercially reasonable efforts, they may request additional information.
The appeal process must be conspicuously available and similar to the process used to submit the original request. Controllers must resolve appeals within 60 days. If an appeal is denied, the controller must provide the consumer with the online mechanism through which the consumer may contact the Louisiana attorney general to submit a complaint.
Unlike other comprehensive privacy laws that require companies to provide at least one mechanism through which consumers can exercise their rights, the LDPA requires controllers to provide two or more secure and reliable methods for consumers to submit requests. However, an online-only controller with a direct relationship to the consumer needs to provide only an email address. The LDPA further permits a consumer to designate an authorized agent to opt out of targeted advertising and sale, and allows the designation to be made through technology such as a website link, browser setting or extension (which could include technologies like the Global Privacy Control), or device-level global setting.
Privacy Notices
The LDPA requires a controller to provide a reasonably accessible and clear privacy notice that includes the following familiar disclosures:
- the categories of personal data processed, including any sensitive data;
- the purposes for processing personal data;
- how consumers may exercise their rights, including the appeal process;
- if applicable, the categories of personal data the controller sells to third parties;
- if applicable, the categories of third parties to whom the controller sells personal data; and
- a description of the methods by which consumers may submit requests to exercise their rights.
The LDPA joins a more recent trend by requiring conspicuous sales notifications regarding sensitive data. If a controller sells sensitive personal data, it must post the statement: "NOTICE: We may sell your sensitive personal data." Additionally, if a controller sells biometric personal data, it must separately post: "NOTICE: We may sell your biometric personal data." If the controller sells personal data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose that processing and the way a consumer may opt out.
Definition of Consent
The LDPA defines "consent" as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to that consumer. Consent may be given through a written statement, including one written electronically, or another unambiguous affirmative action.
Like other state privacy acts, the LDPA excludes from "consent": acceptance of broad or general terms of use; hovering over, muting, pausing, or closing content; and any agreement obtained through "dark patterns," which are defined as user interfaces that substantially subvert or impair user autonomy, decision-making, or choice, including any practice defined by the FTC as a "dark pattern."
Definition of Sensitive Data
The LDPA defines "sensitive data" as a category of personal data that includes: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship/immigration status; (2) genetic or biometric data processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; and (4) precise geolocation data.
The statute defines precise geolocation data as information derived from technology that directly identifies an individual's specific location within a radius of 1,750 feet. It defines a child as an individual younger than 13, and a "known child" as a child whose age the controller actually knows or willfully disregards.
Definition of a "Sale"
The LDPA defines "sale of personal data" as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. Louisiana thereby aligns more closely with the broader monetary "or other valuable consideration" standard in the CCPA and most other states, rather than the narrower standard in some states limited to monetary consideration only.
As in other privacy statutes, the LDPA excludes several categories of disclosures from the definition of "sale," including disclosures to a processor, disclosures to provide a product or service requested by the consumer, transfers to an affiliate, disclosures of information intentionally made public by the consumer through mass media, disclosures directed by the consumer or made when the consumer uses the controller to interact with a third party, and transfers as part of a merger, acquisition, or similar transaction.
Louisiana also includes a noteworthy special rule: A person or entity covered solely because it derives 50% or more of annual revenue from selling personal information may not sell sensitive data without first obtaining the consumer's consent.
Data Protection Assessments
The LDPA requires controllers to conduct and document data protection assessments for processing involving: targeted advertising; the sale of personal data; profiling that presents a reasonably foreseeable risk of unfair/deceptive treatment, unlawful disparate impact, financial/physical/reputational injury, offensive intrusion upon solitude or seclusion, or other substantial injury; processing of sensitive data; and any processing activity involving personal data that presents a heightened risk of harm to consumers.
The assessment must weigh the direct or indirect benefits of the processing to the controller, consumer, stakeholders, and the public against the potential risks to consumer rights, as mitigated by safeguards, and must take into account the use of deidentified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer.
Assessments are confidential, and disclosure to the attorney general does not waive attorney-client privilege or work-product protection. Assessments are required only for processing activities as of January 1, 2027, and are not retroactive.
Attorney General Enforcement, Penalties, and Cure Period
Like every other state privacy act except the CCPA, the LDPA is enforced exclusively by the Louisiana attorney general. Each violation constitutes an unfair and deceptive trade practice under the Louisiana Unfair Trade Practices and Consumer Protection Law, but the LDPA expressly excludes the private rights of action provided in La. R.S. 51:1409 and 1409.1.
The LDPA does have a cure mechanism, but only for a limited time. From January 1, 2027, through July 31, 2027, the attorney general must, at least 30 days before initiating an investigation, provide written notice identifying the provisions allegedly violated. The attorney general may not initiate the investigation if, within those 30 days, the person cures the violation, provides a written statement that the violation was cured, submits supporting documentation, and makes internal policy changes if necessary to prevent recurrence.
Looking Ahead
For companies with mature privacy programs, the LDPA seems familiar but nevertheless will require some adjustments. The statute's hybrid design means that a company cannot simply lift an Oklahoma, Virginia, or Tennessee implementation and assume parity. The threshold analysis, sale definition, special sale notices, authorized-agent mechanics, temporary cure structure, and Louisiana-specific exemptions all warrant a dedicated gap assessment before the statute takes effect on January 1, 2027.
+++
David Rice is a partner in DWT's Seattle office. Nancy Libin is a partner in the firm's Washington, D.C. office. She is co-chair of the technology, communications, privacy & security practice and is the chair of the privacy & security practice. John Seiver is senior counsel, also based in the firm's Washington, D.C. office. For any questions or more insights, please reach out to the authors or another member of our privacy & security team and sign up for our alerts.