Louisiana Data Privacy Act explained
Louisiana's Data Privacy Act (SB 386) takes effect Jan 1, 2027. Businesses must support consumer data rights, honor GPC signals, and get consent for sensitive data.
Louisiana is the latest US state to pass a comprehensive consumer privacy law. Senate Bill 386, the Louisiana Data Privacy Act, has cleared both chambers of the legislature and is awaiting Governor Jeff Landry's signature. Once signed, it takes effect January 1, 2027.
If your business collects data about Louisiana residents and meets the thresholds below, you have new legal obligations. Here is everything you need to know, including how the law compares to CCPA and what to do before the deadline.
Key takeaways | |
|---|---|
Law name | Louisiana Data Privacy Act (SB 386) |
Status | Passed House and Senate; awaiting the Governor's signature |
Effective date | January 1, 2027 |
Applies to | Businesses with $25M+ revenue, 75,000+ consumer records, or 50%+ revenue from selling data |
Enforcement | Louisiana Attorney General only, no private right of action |
Cure period | 30 days (January 1 through July 31, 2027 only) |
GPC required | Yes, businesses must honor Global Privacy Control browser signals |
Sensitive data | Requires explicit consumer consent before processing |
Louisiana SB 386 creates Chapter 20-B of Title 51 of Louisiana's Revised Statutes (sections 1776 through 1780). It follows the broad structure of other state privacy laws passed in recent years, granting consumers a set of enumerated rights and placing corresponding obligations on the businesses that collect their data. The law is part of a rapidly growing body of US state privacy legislation. As of 2026, more than 20 US states have enacted comprehensive consumer privacy laws, with more advancing through legislatures. Louisiana joins states including California, Virginia, Colorado, Connecticut, Texas, Oregon, and Montana in creating enforceable consumer data rights.
The law covers for-profit businesses that do business in Louisiana AND satisfy at least one of the following thresholds:
Threshold | Criteria | Example |
|---|---|---|
Revenue | Annual gross revenues exceeding $25 million | Regional retail chain with $30M in annual sales |
Data volume | Processes personal data of 75,000 or more consumers or households annually | E-commerce brand with a large Louisiana customer base |
Data sales revenue | Derives 50% or more of annual revenues from selling personal data | Data broker or lead generation company |
Meeting just one threshold is enough to bring your business within scope.
Who is exempt? State agencies, nonprofits, financial institutions regulated under the Gramm-Leach-Bliley Act, HIPAA-covered healthcare entities, institutions of higher education, and electric public utilities are all excluded. Certain data categories are also exempt, including protected health information, employee and contractor data, and data regulated under the Fair Credit Reporting Act.
The Louisiana Data Privacy Act creates five enforceable consumer rights. Every covered business must build processes to facilitate them.
Right | What it means | Your obligation |
|---|---|---|
Access | Confirm whether you process their data and see what you hold | Respond within 45 days |
Correct | Request corrections to inaccurate personal data | Update records within 45 days |
Delete | Request deletion of personal data you collected or obtained | Delete or opt out from further processing |
Portability | Receive a portable copy of data they previously provided to you | Provide in machine-readable format |
Opt out | Opt out of targeted advertising, data sale, or certain profiling | Honor GPC signals; provide clear opt-out mechanism |
Businesses must respond within 45 calendar days, extendable once by 45 more days. Responses are free of charge up to twice annually per consumer. Businesses must offer at least two secure submission methods and cannot require consumers to create a new account to exercise their rights.
Louisiana SB 386 does not exist in isolation. More than 20 US states now have active comprehensive consumer privacy laws. Here is how Louisiana stacks up against the major ones:
State | Law | Effective date | GPC required | Cure period | Private right of action |
|---|---|---|---|---|---|
California | | Jan 1, 2023 | Yes | No (repealed 2023) | Limited (breach only) |
Virginia | | Jan 1, 2023 | No | 30 days (permanent) | No |
Colorado | | Jul 1, 2023 | Yes | 60 days (expired Jul 2025) | No |
Connecticut | | Jul 1, 2023 | Yes | 60 days (expired Dec 2024) | No |
Texas | | Jul 1, 2024 | Yes | 30 days (permanent) | No |
Oregon | | Jul 1, 2024 | Yes | 30 days (expired Jan 2025) | No |
Montana | | Oct 1, 2024 | No | 60 days (permanent) | No |
Louisiana | LDPA | Jan 1, 2027 | Yes | 30 days (Jan–Jul 2027 only) | No |
One pattern is clear: GPC is becoming the industry standard. As of 2026, 12 US states require businesses to honor GPC opt-out signals, up from just one (California) in 2020. Louisiana joins this majority. If you have not implemented GPC signal detection, you are now out of step with the direction of US privacy law as a whole.
A second pattern: cure periods are shrinking. Early laws gave businesses long grace windows. Louisiana's cure window exists only for the first seven months of the law, then closes permanently. The direction is toward stricter enforcement, not more leniency.
CCPA is the most searched consumer privacy law in the US. Here is a direct comparison between Louisiana's law and California's framework.
Feature | Louisiana LDPA | California CCPA/CPRA |
|---|---|---|
Revenue threshold | $25M+ annual revenue | $25M+ annual revenue |
Consumer threshold | 75,000+ consumers or households | 100,000+ consumers or households |
Data sales revenue threshold | 50% or more of revenue from data sales | 50% or more of revenue from data sales |
GPC required | Yes | Yes (from Jan 1, 2023) |
Right to access | Yes | Yes |
Right to correct | Yes | Yes (added by CPRA) |
Right to delete | Yes | Yes |
Right to opt out of data sale | Yes | Yes |
Right to opt out of targeted ads | Yes | Yes (added by CPRA) |
Sensitive data protections | Explicit consent required before processing | Right to limit use and disclosure |
Cure period | 30 days (Jan–Jul 2027 only) | None |
Private right of action | No | Limited (data breaches only) |
Enforcement body | Louisiana Attorney General | AG + California Privacy Protection Agency |
Enforcement fines | $5,000 per violation | Up to $2,500 per violation; $7,500 intentional |
The practical upshot: if your business is already operating under CCPA, the Louisiana Data Privacy Act will feel familiar. The core rights framework is similar. The main differences are that Louisiana uses a consent model for sensitive data (California uses an opt-out limitation model), Louisiana has no dedicated privacy enforcement agency, and Louisiana's threshold for data volumes is 75,000 rather than California's 100,000. Businesses already compliant with CCPA/CPRA will have less ground to cover, but they are not automatically covered for Louisiana.
Understanding the most common failure points helps you prioritize. Here is what enforcement data and platform observations reveal:
1. GPC signals ignored or mishandled
Failure to honor GPC signals is the most common compliance failure Clym observes across its platform in 2026. This aligns with broader enforcement trends: California, Colorado, and Connecticut conducted a coordinated GPC enforcement sweep in September 2025, resulting in multiple fines. Tractor Supply was fined $1.35 million in September 2025, specifically for failing to honor consumer opt-out mechanisms.
The scale of the GPC gap is significant. As of March 2026, 648,833 domains have implemented GPC globally, yet the retention rate sits at just 47.8%, meaning roughly half of sites that once implemented GPC support have let it lapse. Many businesses add GPC support during a compliance push, then fail to maintain it through website updates and tech stack changes.
2. Consent banners firing before consent is given
Misconfigured consent banners that fire tracking cookies before the user has clicked accept are the second most common issue Clym identifies when auditing new clients. This is a technical error with direct legal consequences: loading a tracking script before consent is obtained is a clear violation of consent-first requirements.
3. Data subject request response failures
Businesses without dedicated DSR workflows routinely miss the 45-day response deadline. The volume of requests is often underestimated. Once a law takes effect and consumers are aware of their rights, request volumes increase, particularly for deletion and opt-out requests. Manual handling at any meaningful scale is not sustainable.
4. Dark patterns in consent interfaces
Consent obtained through dark patterns is explicitly invalid under the Louisiana Data Privacy Act. The law uses the FTC's definition of dark patterns. This includes interfaces designed to make opting out harder than opting in, confusing toggle logic, pre-ticked checkboxes, and 'consent walls' that block access unless users accept tracking.
The Louisiana Data Privacy Act creates obligations that are hard to manage manually at scale. Clym is a consent management and privacy compliance platform that addresses the core technical requirements from a single dashboard, supporting 150+ global regulations, including US state laws.
Clym's consent management platform deploys a configurable consent banner that detects and honors GPC signals automatically, without requiring manual handling of individual browser-level opt-out requests. Clym's RealtimeCompliance™ technology identifies third-party scripts and cookies present on your site, so you know what is loading and when. It also integrates with the Global Privacy Platform (GPP) framework, which means that consent signals communicate correctly to ad platforms and analytics tools.
If you are not currently certain whether your website honors GPC, Clym's GPC platform is built specifically to close that gap.
Clym's data subject request management gives consumers a structured submission portal and gives your team a tracked response workflow with deadline monitoring. Every request is logged and documented, giving you an audit trail for the Attorney General if ever needed. The 45-day clock is tracked automatically.
Clym generates and/or hosts your privacy notice, covering the data categories you process, your third-party sharing practices, how consumers can exercise their rights, and your appeals process. When regulations change, your notice updates accordingly.
If your business operates in multiple states, Clym manages your obligations across state lines from a single platform. You do not run separate tools for California, Texas, Colorado, and Louisiana. One dashboard, one consent configuration layer, updated as new laws take effect.
The Louisiana Data Privacy Act is straightforward in its core requirements: know what data you hold, give consumers the ability to access and control it, honor opt-out signals (including GPC), get consent for sensitive data, update your privacy notice, and document your processing activities. None of these obligations is unreasonable. But all of them require deliberate action.
The effective date of January 1, 2027, looks far away. It is not. Building consumer rights infrastructure, auditing your consent setup, and reviewing processor contracts takes time. Businesses that start now have the runway to do this properly. Businesses that wait until Q4 2026 will be scrambling.
Louisiana is also not the last state on this trajectory. The pattern across 20+ state laws is clear: more consumer rights, GPC as standard, shrinking cure periods, and increasing enforcement appetite. Your privacy compliance programme needs to be built to scale across states, not rebuilt for each one.
The Louisiana Data Privacy Act takes effect on January 1, 2027, once Governor Jeff Landry signs SB 386 into law. Businesses operating in Louisiana that meet one or more of the coverage thresholds have until that date to put the required processes and technical controls in place.
The law applies to businesses that meet at least one of three thresholds: annual gross revenues exceeding $25 million, processing data on 75,000 or more consumers annually, or deriving 50% or more of annual revenue from selling personal data. Businesses below all three thresholds are not covered.
Both laws grant similar consumer rights (access, correction, deletion, opt-out) and require businesses to honor GPC signals. The main differences: Louisiana uses a consent model for sensitive data while CCPA uses a limitation model; Louisiana has no dedicated enforcement agency; and Louisiana's consumer threshold is 75,000, versus California's 100,000. Businesses already CCPA-compliant will have less ground to cover, but Louisiana compliance is not automatic.
No. The Louisiana Data Privacy Act contains no private right of action. Only the Louisiana Attorney General can enforce the law. Violations are treated as unfair and deceptive trade practices under Louisiana's existing consumer protection statute.
From January 1 through July 31, 2027, the Attorney General must notify a business in writing at least 30 days before opening a formal investigation. If the business cures the violation, notifies affected consumers, and submits documentation within that period, the investigation does not proceed. After July 31, 2027, this cure window closes permanently.
Global Privacy Control is a browser signal that communicates a user's opt-out preference to every website they visit. The Louisiana Data Privacy Act treats this as a valid universal opt-out mechanism for data sales and targeted advertising. If a Louisiana consumer has GPC enabled, your site must detect and honor it. As of 2026, 12 US states require GPC support. Clym's consent management platform handles GPC detection automatically.
Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexuality, citizenship or immigration status, genetic or biometric data, data collected from children under 13, and precise geolocation within a 1,750-foot radius. Businesses must obtain explicit consumer consent before collecting or processing any of these categories.
As of 2026, more than 20 US states have enacted comprehensive consumer privacy laws. The major ones include California (CPRA), Virginia (VCDPA), Colorado (ColoPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware, New Hampshire, New Jersey, Maryland, Minnesota, and Indiana. Louisiana's law joins this group when it takes effect in January 2027.