Louisiana Data Privacy Act (LDPA): A Compliance Guide for U.S. Businesses

Published
Jun 24, 2026
  • Effective date: January 1, 2027. Enacted as Senate Bill 386, making Louisiana the third U.S. state in 2026 to pass comprehensive consumer data privacy legislation.
  • Scope: Applies to businesses that meet at least one of the following: annual gross revenues exceeding USD 25 million, processing the personal data of 75,000 or more Louisiana consumers annually, or deriving 50 percent or more of gross revenues from selling personal data.
  • Consent model: Opt-out for targeted advertising and data sales; affirmative consent required before processing sensitive personal data, including biometric data, precise geolocation, and data from known children under 13.
  • Consumer rights: Access, correction, deletion, portability, opt-out of targeted advertising, data sales, and profiling in furtherance of decisions with legal or similarly significant effects, and nondiscrimination.
  • Enforcement: Exclusive to the Louisiana Attorney General. Violations are classified as unfair or deceptive trade practices under Louisiana's consumer protection law. A 30-day cure period applies from January 1 through July 31, 2027 only.
  • Key distinctions: Louisiana's "sale" definition includes monetary and other valuable consideration, which is broader than several comparable state laws. The LDPA requires businesses to accept opt-out requests through authorized agent technologies. There is no private right of action.

The Louisiana Data Privacy Act (LDPA) takes effect January 1, 2027, making Louisiana the third state in 2026 to pass a comprehensive consumer privacy law. It mandates opt-out rights for targeted ads/data sales and requires affirmative consent for sensitive data. It also requires businesses to honor opt-out technology signals, including GPC-equivalent browser extensions and settings. Compliance applies to businesses meeting specific revenue or data processing thresholds.

Louisiana's comprehensive data privacy law (Senate Bill 386) passed the Louisiana Legislature unanimously and was signed by the governor in May 2026. The law takes effect on January 1, 2027, the same date as Oklahoma’s privacy law, giving businesses a relatively short window to prepare.

The LDPA follows the opt-out model used across most U.S. states with privacy laws to date, but includes features that set it apart. It requires businesses to honor opt-out mechanisms, such as Global Privacy Control (GPC) browser signals. 

The LDPA requires businesses to accept opt-out requests from technology-based authorized agents, including browser settings and extensions. However, the statute specifies that the technology must not operate on a default setting. The consumer must make an affirmative, freely given choice to activate the opt-out. 

Louisiana does not name GPC in the statute, and whether a given GPC implementation satisfies the affirmative-choice requirement will depend on how it is configured.

The LDPA’s definition of "sale" extends beyond monetary payments to other forms of valuable consideration. And its cure period is time-limited and quite short at only seven months. Enforcement without a mandatory cure opportunity begins on August 1, 2027.

For businesses operating websites and digital services that collect data from Louisiana residents, these provisions create specific compliance obligations that go beyond what's required in some other states.

This guide covers what the LDPA requires, who it applies to, what rights Louisiana consumers gain, and the practical steps website owners should take before the January 1, 2027 effective date.

What Is the Louisiana Data Privacy Act (LDPA)?

The Louisiana Data Privacy Act creates rights for Louisiana residents over their personal data and establishes corresponding obligations for the businesses that collect and use it.

Like other U.S. state-level data privacy laws, the LDPA uses an opt-out consent model. Businesses can generally collect and process personal data without prior consent, but must give consumers clear means to opt out of targeted advertising and data sales, and must obtain affirmative consent before processing sensitive personal data, including data belonging to known children.

Two features distinguish it from the most recent comparable state laws. First, the LDPA requires businesses to recognize opt-out signals, such as those from the GPC and equivalent Universal Opt-Out Mechanisms (UOOM). That means that if a visitor's browser is set to signal an opt-out preference, businesses must honor it. 

Second, Louisiana's broader definition of "sale" means that data exchanges for non-monetary valuable consideration, which is common in digital advertising ecosystems, may be subject to opt-out requirements under the LDPA.

Key LDPA Definitions

Understanding how the LDPA defines its core terms is essential for assessing whether and how your business is covered.

Personal Data

The LDPA defines personal data as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. Pseudonymous data is included when used alongside additional information that could link it to a specific person. De-identified data and publicly available information are excluded.

Common types that websites collect, including names, email addresses, phone numbers, device identifiers, IP addresses, and behavioral data, fall within scope.

Sensitive Data

Sensitive data requires heightened protection. Controllers may not process it without affirmative consumer consent. Under the LDPA, sensitive data includes personal data that reveals:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation or gender identity
  • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child (under 13 years of age)
  • Precise geolocation data

Consumer

A consumer is a Louisiana resident acting in a personal or household context. The definition excludes individuals acting in a commercial or employment capacity.

Controller

A controller is the entity that determines the purpose and means of processing personal data. Most businesses subject to the LDPA will be controllers. They bear primary responsibility for the obligations the law establishes and are responsible for any processors they engage.

Processor

A processor handles personal data on behalf of a controller under contract. This can include entities such as third-party analytics providers, advertising platforms, or cloud storage services.

Sale of Personal Data

The LDPA defines "sale" as the exchange of personal data for monetary or other valuable consideration by a controller to a third party. This is a broader definition than that used in several comparable state laws, which cover monetary consideration only.

For website owners using advertising networks, data brokers, or data-sharing arrangements involving non-monetary consideration, this broader definition may bring those arrangements within the LDPA's opt-out requirements.

Consent

Under the LDPA, consent means a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of their personal data.

What does not constitute consent:

  • Acceptance of general or broad terms of use alongside unrelated information
  • Hovering over, muting, pausing, or closing content
  • Consent obtained through dark patterns or manipulative design

Who Does the Louisiana Privacy Law Apply To?

The LDPA applies to persons or entities conducting business in Louisiana or producing products or services consumed by Louisiana residents, provided at least one of the following thresholds is met:

  • Annual gross revenues exceed USD 25 million
  • Annually buys, receives, sells, or shares the personal data of 75,000 or more consumers or households for commercial purposes
  • Derives 50 percent or more of annual revenues from selling personal data

Businesses with a substantial Louisiana audience should assess whether their data processing volumes or revenue meet these thresholds. The USD 25 million revenue trigger, in particular, means that larger businesses may be in scope even where Louisiana consumer data processing volumes are relatively modest.

Exemptions to the LDPA

Certain entities are exempt from the LDPA's requirements, including state agencies, political subdivisions, nonprofit organizations, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), HIPAA-covered healthcare entities, and electric public utilities.

Certain data categories are also excluded regardless of who processes them, including protected health information under HIPAA, employee and job applicant data, data regulated under the Fair Credit Reporting Act (FCRA), data regulated under the Driver's Privacy Protection Act, and student data under FERPA.

What Rights Does the LDPA Grant Louisiana Consumers?

The LDPA grants Louisiana residents the following rights over their personal data, exercised through a verified consumer request:

  • Right to access: Confirm whether a controller is processing their personal data and obtain a copy of it
  • Right to correct: Have inaccuracies in their personal data corrected
  • Right to delete: Have personal data provided by or obtained about them deleted
  • Right to portability: Obtain a portable, usable copy of personal data previously provided to the controller
  • Right to opt out: Of targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects
  • Right to nondiscrimination: Cannot be penalized for exercising their rights — by being denied services, charged higher prices, or given a lower quality of service

The LDPA does not include a private right of action; enforcement is handled exclusively by the Attorney General.

Responding to Consumer Requests

Controllers must provide at least two secure methods through which consumers can submit rights requests. Consumers may not be required to create a new account solely for this purpose.

Controllers have 45 days to respond to authenticated requests, with a possible 45-day extension when reasonably necessary. Responses must be free of charge, up to twice per consumer per year.

If a request is denied, the controller must establish an appeal process and respond within 60 days. If the appeal is also denied, the consumer must be directed to the Louisiana Attorney General's complaint mechanism.

Does the LDPA Require Honoring Global Privacy Control (GPC) Signals?

Partially. The LDPA requires businesses to accept opt-out requests submitted through authorized agent technologies, including browser settings and extensions. However, the statute does not name GPC, and it explicitly requires that any such technology rely on an affirmative consumer choice rather than a default setting. Website owners should review their GPC implementation against this requirement and seek legal advice on whether their specific configuration qualifies.

Affirmative, informed consent is required before any sensitive personal data may be processed. This covers:

  • Health information
  • Racial and ethnic origin
  • Religious beliefs
  • Immigration status
  • Sexual orientation and gender identity
  • Biometric and genetic data
  • Precise geolocation data
  • Data collected from known children under 13

Louisiana's consent standard requires a clear, affirmative act. Passive signals, such as acceptance of broad terms, hovering, or closing content without action, are not valid consent for sensitive data processing.

Website owners using cookie banners or consent interfaces to capture sensitive data consent should confirm those interfaces require an active, unambiguous response and do not rely on passive behavior as a proxy for consent.

The LDPA does not include a right to revoke consent once it has been given. Businesses operating under other state laws that do provide revocation rights should note that Louisiana-specific workflows may not require this functionality.

Children's Data and COPPA

The LDPA classifies personal data collected from known children under 13 as sensitive data, requiring affirmative parental or guardian consent before any processing. Processing must also comply with the federal Children's Online Privacy Protection Act (COPPA).

What Must Businesses Do to Comply with the LDPA?

The LDPA's core obligations will be familiar to businesses already complying with comparable state privacy frameworks. Key requirements include:

  • Transparency
  • Data minimization
  • Reasonable security
  • Written processor contracts (data processing agreements)
  • Data protection assessments for high-risk activities

Privacy Notice Requirements

Controllers must publish a clear, accessible privacy notice that includes:

  • Categories of personal data processed, including any sensitive data
  • Purposes for which personal data is processed
  • Categories of third parties with whom data is shared, if any
  • Whether the controller sells personal data or processes it for targeted advertising
  • How consumers can exercise their rights, including the appeal process

Businesses maintaining a website must provide a consumer request submission mechanism accessible from the site. Where sensitive or biometric data is sold specifically, a conspicuous disclosure to that effect is required.

Data Protection Assessments

Controllers must conduct data protection assessments before engaging in high-risk processing activities. These include:

  • Targeted advertising
  • Data sales
  • Certain profiling activities
  • Processing sensitive data
  • Any processing that presents a reasonably foreseeable risk of harm to consumers

Assessments are required for processing activities as of January 1, 2027 and are not retroactive. Activities that started before that date and will continue on or after it are subject to assessment requirements going forward.

Processor Contract Requirements

Where personal data is shared with third-party vendors or processors, the relationship must be governed by a written contract specifying:

  • Instructions for processing
  • Nature and purpose of processing
  • Type of data being processed
  • Duration of the processing arrangement
  • Rights and obligations of both parties

Processor agreements must require the processor to maintain confidentiality, delete or return data on request, cooperate with audits, and ensure any subprocessors it engages are bound by equivalent obligations.

Dark Patterns Prohibition

The LDPA explicitly prohibits dark patterns in consent interfaces. Consent interfaces must not be designed or manipulated to substantially subvert or impair consumer autonomy, decision-making, or choice, including any practice the FTC designates as a dark pattern.

Website owners should review consent banners, opt-out flows, and cookie preference interfaces to confirm that declining consent is no more difficult than accepting it, and that design choices are not manipulative.

Use of De-identified Data

Controllers using de-identified data retain obligations under the LDPA. They must take reasonable measures to prevent re-identification, make a public commitment not to re-identify data, and contractually require any recipients to observe equivalent restrictions.

Targeted Advertising and Data Sales Under the LDPA

The LDPA applies an opt-out model to targeted advertising and data sales. Businesses must give consumers a clear means to opt out of these activities and must disclose whether they engage in them in their privacy notices.

Importantly, the LDPA's "sale" definition covers exchanges for monetary and other valuable consideration, which is broader than several comparable state laws. Website owners should review their advertising and data-sharing arrangements carefully to assess whether they fall within Louisiana's opt-out requirements, even if those same arrangements would not be considered "sales" under other state frameworks.

LDPA Enforcement

Enforcement rests exclusively with the Louisiana Attorney General. There is no private right of action, so individual consumers cannot sue businesses directly under the LDPA.

Violations are classified as unfair or deceptive trade practices under Louisiana's Unfair Trade Practices and Consumer Protection Law. They carry civil penalty exposure of up to USD 7,500 per violation, injunctive relief, and other remedies. 

The LDPA includes a temporary cure period from January 1 through July 31, 2027. During this window, the Attorney General must provide 30 days' written notice before initiating an investigation, and businesses may avoid enforcement by curing the violation and certifying the cure in writing. After July 31, 2027, this cure period expires, and enforcement proceeds without a mandatory notice requirement.

This time-limited cure window is a meaningful operational consideration for businesses that tend to rely on the cure period as a buffer in other state frameworks.

How Businesses Can Prepare for the LDPA

Businesses already compliant with Virginia's Consumer Data Protection Act, Texas's Data Privacy and Security Act, or similar state frameworks will find the LDPA's core structure broadly familiar. The key areas requiring specific attention are the broader "sale" definition, the mandatory GPC signal requirement, and the time-limited cure period.

The following steps should be completed before January 1, 2027:

Assess applicability: Determine whether the USD 25 million revenue, 75,000-consumer data processing, or 50 percent data-revenue thresholds apply to your business.

Review opt-out technology compliance: Confirm that your consent management setup can accept opt-out requests from browser-based authorized agents. The LDPA requires any such technology to be activated by an affirmative consumer choice, not a default signal.

Review the "sale" definition: Assess your data-sharing and advertising arrangements against the LDPA's broader definition of sale to identify any additional opt-out obligations.

Review your privacy notice: Confirm it includes LDPA-required disclosures, including opt-out rights for data sales and targeted advertising, and that a consumer request mechanism is accessible from your website.

Verify consumer request workflows: Confirm that data subject request processes, including appeal pathways, are operational and offer at least two secure submission methods.

Audit consent flows for sensitive data: Confirm affirmative consent is captured and documented for all sensitive data categories, including children's data, before processing begins.

Check consent interfaces for dark patterns: Review cookie banners and opt-out mechanisms to confirm they meet the LDPA's requirements for clear, non-manipulative design.

Confirm data protection assessment coverage: Ensure high-risk processing activities beginning on or after January 1, 2027, including ongoing activities that will continue past that date, are covered by assessments going forward.

Cookiebot CMP supports several of these steps, including GPC signal recognition, compliant opt-out flows for targeted advertising and data sales, consent documentation, and geotargeted banner configurations that adapt to the requirements of each applicable U.S. state law.

Frequently asked questions

The Louisiana Data Privacy Act takes effect on January 1, 2027. The law was passed unanimously by both chambers of the Louisiana Legislature and signed by the governor in May 2026.

Your website must comply if your business meets at least one of the following: 

  • Annual gross revenues exceeding USD 25 million
  • Processing the personal data of 75,000 or more Louisiana consumers annually
  • Deriving 50 percent or more of gross revenues from selling personal data

Not by name. The LDPA requires businesses to accept opt-out requests submitted via authorized agent technologies, including browser settings and extensions. The statute does not reference GPC specifically, and it requires any qualifying technology to be based on an affirmative consumer choice rather than a default setting. 

Whether a particular GPC implementation meets that requirement is a legal question; website owners should seek advice before relying on GPC compliance as sufficient.

The LDPA defines "sale" as the exchange of personal data for monetary or other valuable consideration, which is broader than comparable laws in Virginia or Oklahoma, which cover monetary consideration only. 

This means data-sharing arrangements involving non-monetary consideration, common in digital advertising, may be subject to Louisiana's opt-out requirements even if they are not treated as "sales" under other state frameworks.

From January 1 through July 31, 2027, the Louisiana Attorney General must provide 30 days' advance written notice before initiating an investigation. Businesses can avoid enforcement by curing the violation and certifying the cure in writing. After July 31, 2027, this cure period expires and enforcement proceeds without a mandatory notice requirement, but a cure opportunity can be granted at the Attorney General’s discretion.

Yes. Personal data collected from known children under 13 is classified as sensitive data under the LDPA, requiring affirmative parental or guardian consent before any processing. Processing must also comply with COPPA. The law does not include specific provisions for minors aged 13 to 17.