
Louisiana Data Privacy Act (LDPA): Everything you need to know

Published June 29, 2026

by Patrick Austin

Summary

On May 29, 2026, Louisiana Governor Jeff Landry signed the Louisiana Data Privacy Act (LDPA) into law. This makes Louisiana one of 23 states to enact comprehensive consumer data privacy legislation. The LDPA is scheduled to take effect on January 1, 2027, meaning covered companies have only a few months to comply with the new consumer data privacy law. 

The LDPA’s regulatory framework mirrors many existing state consumer data privacy laws, including the Virginia Consumer Data Protection Act. Nevertheless, the LDPA contains several distinct provisions, including a cure period that is available for only 7 months, which reflects Louisiana’s intent to transition quickly to a stricter consumer data privacy enforcement posture.

Didomi outlines the LDPA’s key provisions, including who the law applies to, how it differs from other state data privacy regulations, what businesses must do to comply, what rights are afforded to Louisiana residents, and what penalties may be imposed for non-compliance. We also provide guidance on core compliance obligations that Louisiana businesses should be prepared to meet in 2027.

Key facts about the LDPA

  • Bill: Senate Bill 386 (SB 386)
  • Legislative session: 2026 Regular Session
  • Sponsor: Senator Connick
  • House vote: 94–0 (unanimous)

Effective date

Effective January 1, 2027

Applicability

Applies to businesses with annual gross revenues > $25 million that:

  • Process personal data of 75,000+ consumers, households, or devices annually, or
  • Derive 50%+ of annual revenues from the sale of personal data

Exemptions include:

  • State agencies
  • HIPAA-covered entities
  • GLBA-regulated financial institutions
  • Nonprofits & higher education institutions
  • Electric utilities

Key obligations

  • Consumer rights: access, correction, deletion, portability, and opt-out of targeted ads, data sales, and profiling
  • Affirmative opt-in consent required for sensitive data processing

Penalties

  • Enforced exclusively by the Louisiana Attorney General
  • No private right of action

Who does the Louisiana data privacy law apply to?

The LDPA applies to any person or entity that conducts business in Louisiana, or produces products or services consumed by Louisiana residents, and meets at least one of three thresholds:

  1. Revenue threshold: Annual gross revenues exceed $25 million.
  2. Data volume threshold: Annually buys, receives, sells, or shares the personal data of 75,000 or more consumers, households, or devices for commercial purposes.
  3. Data monetization threshold: Derives 50 percent or more of annual revenues from the sale of consumers' personal data.

The $25 million gross revenue floor and 50 percent revenue threshold are likely to exempt a broad range of small- to mid-size businesses operating in Louisiana.

Exempted entities and data

Like most state-level consumer data privacy laws, the LDPA exempts broad categories of entities and data. For example, exempt entities include:

  • State agencies and political subdivisions
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates governed by HIPAA
  • Nonprofit organizations
  • Institutions of higher education
  • Electric public utilities

Meanwhile, data-level exemptions include: 

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
  • Data regulated under the Fair Credit Reporting Act (FCRA)
  • Data regulated under the Gramm-Leach-Bliley Act (GLBA)
  • Data regulated by the Driver's Privacy Protection Act (DPPA)
  • Data regulated by the Family Educational Rights and Privacy Act (FERPA).

What do covered companies have to do to comply with the Louisiana data privacy law?

The LDPA imposes several specific compliance obligations on data controllers (i.e., businesses) and processors. Businesses already deploying a compliance framework to meet the requirements of the California Consumer Privacy Act (CCPA) or the Texas Data Privacy and Security Act (TDPSA) will likely be well-positioned to comply with the Louisiana law. Below is an overview of core compliance obligations under the LDPA.

Data Minimization and Purpose Limitation

Businesses must limit personal data collection to what is "adequate, relevant, and reasonably necessary" relative to disclosed processing purposes. Collecting data beyond what is needed, or repurposing it for uses the consumer was not informed about, is prohibited without obtaining consent.

Transparency and Privacy Notices

Businesses must provide clear notice of: the categories of personal data processed; the purposes for processing; how consumers may exercise their rights; the categories of data shared with third parties; and the methods for submitting consumer requests. If a controller sells sensitive data or biometric data, it must post a conspicuous notice to that effect.

Sensitive Data Protections

The LDPA requires affirmative opt-in consent before processing sensitive data. This category includes personal data concerning racial or ethnic origins, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation. 

Data Security Safeguards

Businesses must implement and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data they hold. The law does not prescribe specific technical standards, leaving businesses the flexibility to calibrate their security posture to their risk profile.

Data Protection Assessments

Businesses must conduct data protection assessments for processing activities presenting a heightened risk of harm, including targeted advertising, data sales, certain profiling activities, and any processing of sensitive data. 

Assessments are not required retroactively for processing completed before January 1, 2027, but are required for activities that began before that date and will continue past it.

Processor Contracts

All data processing relationships between controllers and processors must be governed by a written contract that specifies the nature and purpose of processing, the types of data involved, the duration of processing, and the rights and obligations of both parties. 

Processors must maintain confidentiality, delete or return data at the business's direction upon completion of services, and allow reasonable compliance assessments.

Deidentified Data

If a business holds anonymized data, it must take steps to keep it that way, including making a public commitment to that effect and requiring any third parties it shares the data with to do the same.

What rights do Louisiana consumers have under the LDPA?

Under the LDPA, Louisiana residents have the following data subject rights:

  • Right to confirm whether a business is processing their personal data 
  • Right to access their data
  • Right to obtain a copy of personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller
  • Right to delete their personal data
  • Right to correct inaccuracies in personal data
  • Right to opt out of having their data used for targeted advertising, sold to third parties, or used in automated decision-making that could significantly affect them, such as credit, employment, or housing decisions.

Responding to a data subject request

Businesses must provide consumers with a mechanism on their website to submit data subject requests. In addition, businesses are prohibited from discriminating against consumers who exercise their rights. For example, businesses may not deny goods or services, charge different prices, or provide a lower quality of service as a result of a consumer exercising their data subject rights.

Covered businesses must respond to a data subject request within 45 days of receipt, with the possibility of a 45-day extension when reasonably necessary. The business must inform the data subject of any extension and the reason for it within the initial 45-day response period.

If a covered business denies a data subject request or declines to provide the requested information, then a consumer has the right to file an appeal. The LDPA requires that the appeal process be “conspicuously available” and similar to the process for initiating a data subject request. 

What can happen if a Louisiana business fails to comply with the LDPA?

If a company is alleged to have violated the LDPA, an enforcement action may only be brought by the Louisiana Attorney General’s Office. This means there is no private right of action under the LDPA. In addition, there is no independent regulatory agency dedicated to privacy enforcement.

30-day cure period

The LDPA provides a 30-day “cure period” for covered businesses to correct an identified compliance violation. However, this cure period will only be available for the first seven months of 2027 (i.e., from January 1, 2027, through July 31, 2027). During this 7-month period, the Louisiana Attorney General must provide businesses with 30 calendar days' written notice before initiating an investigation.

After July 31, 2027, the Louisiana Attorney General may bring enforcement actions without providing an opportunity to cure.

Compliance considerations for covered businesses

With only a few months before the LDPA takes effect, covered businesses should begin preparing for compliance sooner rather than later. With that objective in mind, businesses should assess the following compliance considerations:

Assess applicability

Determine whether your organization meets one of the three coverage thresholds and review whether any exemptions apply.

Audit data practices

Map what personal data you collect, why you collect it, with whom you share it, and for what purposes.

Update privacy notices

Ensure your privacy policy reflects LDPA-required disclosures and add a consumer rights submission mechanism to your website.

Review processor contracts

Ensure all data processing agreements are in writing and contain the elements required by the LDPA.

Conduct data protection assessments

Identify processing activities presenting heightened risks and document assessments for those activities.

How can Didomi help businesses comply with the Louisiana Data Privacy Act?

The LDPA will require businesses operating in Louisiana, or serving Louisiana residents, to comply with an array of new regulatory obligations.

As a result, legal and compliance teams for covered businesses should consider auditing data inventories against the LDPA’s revenue and consumer thresholds, reviewing privacy notices for Louisiana-specific disclosures, and confirming that consumer request workflows are configured to handle Louisiana residents when the law goes into effect.

Keeping pace with the scope of these new data privacy regulations can add compliance complexity and risk to your business operations. 


Louisiana Data Privacy Act: Frequently Asked Questions (FAQs)

When does the LDPA go into effect?

The Louisiana data privacy law will go into effect on January 1, 2027. This means covered companies only have a few months to get their privacy compliance program in order and ready to meet the obligations imposed by the LDPA.

Is there a private right of action under the Louisiana law?

No. Louisiana residents cannot sue a company for alleged violations of the LDPA. Enforcement authority is exclusively granted to the Louisiana Attorney General’s Office.

What is the definition of a “consumer” under the LDPA?

A "consumer" under the LDPA is a Louisiana resident acting in an individual or household capacity. This definition excludes individuals acting in a commercial or employment context, meaning business-to-business data and employee data fall outside the law's scope. 

What is considered to be “sensitive” data under the LDPA?

Under the Louisiana law, sensitive data is defined narrowly to include: 

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data

What is the difference between a controller and a processor under the LDPA?

The LDPA draws a clear distinction between controllers and processors. Controllers are defined as entities that determine the purposes and means of processing personal data. In contrast, a processor is responsible for handling personal data on behalf of a controller.

The author
Patrick Austin
Cybersecurity & Data Privacy Counsel at Woods Rogers
U.S.-based data privacy attorney and Certified Information Privacy Professional (CIPP/US, CIPP/E, CIPM)