Louisiana Data Privacy Act

Overview

The Louisiana Data Privacy Act, enacted through Senate Bill 386 and designated Act No. 502, creates consumer privacy rights for Louisiana residents and sets duties for certain controllers and processors that handle personal data. The law gives consumers rights to access, correct, delete, obtain a portable copy of, and opt out of certain processing of personal data. It also sets rules for privacy notices, sensitive data, targeted advertising, sale of personal data, processor contracts, and data protection assessments.

Regulation Summary

  • 8 April 2026: Passed by the Senate.
  • 18 May 2026: Passed by the House with amendments.
  • 29 May 2026: Signed by the Governor and became Act No. 502.
  • 1 January 2027: Law takes effect.

The Louisiana Data Privacy Act applies to a person or entity that does business in Louisiana and satisfies at least one of these thresholds:

  • Has annual gross revenues over $25 million.
  • Annually buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices.
  • Derives 50% or more of annual revenues from selling consumers’ personal information.

The law does not apply to:

  • Louisiana state agencies or political subdivisions.
  • Financial institutions and affiliates, or data subject to the Gramm-Leach-Bliley Act.
  • HIPAA covered entities and business associates.
  • Nonprofit organizations.
  • Institutions of higher education.
  • Electric public utilities.
  • Registered conductors of public opinion polls.

The law also exempts several types of information, including protected health information, health records, certain research data, Fair Credit Reporting Act data, Driver’s Privacy Protection Act data, FERPA data, Farm Credit Act data, employment-related data, emergency contact data, benefits administration data, and personal data processed in a purely personal or household context.

Controllers must:

  • Limit personal data collection to what is adequate, relevant, and reasonably necessary for disclosed purposes.
  • Use reasonable administrative, technical, and physical data security practices.
  • Avoid processing personal data for incompatible purposes without consumer consent.
  • Avoid processing personal data in violation of anti-discrimination laws.
  • Avoid discriminating against consumers for exercising their rights.
  • Obtain consent before processing sensitive data.
  • Process known children’s sensitive data in line with the Children’s Online Privacy Protection Act.
  • Provide a clear privacy notice.
  • Disclose the sale of personal data or processing for targeted advertising.
  • Explain how consumers may opt out.

Processors must follow controller instructions and assist controllers with consumer requests, security duties, breach-related duties, and data protection assessments.

Controller-processor contracts must describe processing instructions, purpose, data type, duration, party rights and duties, confidentiality duties, deletion or return of data, assessment rights, and subcontractor obligations.

Website owners that fall within the law’s scope should:

  • Provide two or more secure and reliable methods for consumer rights requests.
  • Provide a website mechanism for consumer requests when the controller maintains a website.
  • Provide an email address for requests if the business operates only online and has a direct relationship with the consumer.
  • Avoid requiring consumers to create a new account to exercise rights.
  • Publish a clear privacy notice explaining:
    • Categories of personal data processed.
    • Purposes for processing.
    • How consumers may exercise rights.
    • How consumers may appeal a denied request.
    • Categories of personal data sold to third parties, if applicable.
    • Categories of third parties that receive sold personal data, if applicable.
    • Methods for submitting consumer rights requests.
  • Clearly disclose sales of personal data or targeted advertising.
  • Explain opt-out options.
  • Post required notices if sensitive personal data or biometric personal data may be sold.

If a controller sells sensitive personal data, the notice must state:
“NOTICE: We may sell your sensitive personal data.”

If a controller sells biometric personal data, the notice must state:
“NOTICE: We may sell your biometric personal data.”

The Louisiana Data Privacy Act includes these additional duties:

  • Controllers must respond to consumer requests within 45 calendar days.
  • Controllers may extend the response period once by another 45 days when reasonably necessary.
  • Responses must be free of charge up to twice per year per consumer.
  • Controllers must create an appeal process for denied requests.
  • Controllers must respond to appeals within 60 calendar days.
  • If an appeal is denied, the controller must provide the consumer with the Attorney General complaint mechanism.
  • Contract terms that waive or limit consumer rights are void and unenforceable.
  • Consumers may use authorized agents for opt-outs from targeted advertising and sale of personal data.
  • Data protection assessments are required for targeted advertising, sale of personal data, certain profiling, sensitive data processing, and processing that presents heightened risk.
  • Data protection assessments apply to processing activities as of 1 January 2027 and are not retroactive.
  • Assessments must be provided to the Attorney General through a civil investigative demand.
  • Assessments are confidential and exempt from public inspection.
  • Controllers using deidentified data must maintain and use it without attempting to reidentify it.

Consumers have the right to:

  • Confirm whether a controller is processing their personal data.
  • Access their personal data.
  • Correct inaccuracies.
  • Delete personal data provided by or obtained about them.
  • Obtain a copy of personal data previously provided to the controller in a portable and usable format, when technically feasible.
  • Opt out of processing for:
    • Targeted advertising.
    • Sale of personal data.
    • Profiling tied to decisions with legal or similarly significant effects.

Parents or legal guardians may exercise rights on behalf of known children.

The Louisiana Attorney General enforces the Louisiana Data Privacy Act. Violations are treated as unfair and deceptive trade practices under the Louisiana Unfair Trade Practices and Consumer Protection Law, and private rights of action under R.S. 51:1409 and 1409.1 are excluded.

From 1 January 2027 through 31 July 2027, the Attorney General must provide a 30-day notice period before initiating an investigation. A person may avoid investigation during that period by curing the alleged violation, providing a written statement, submitting documentation, and changing internal policies if needed.

SB 386 does not set a separate civil penalty schedule. Under Louisiana’s Unfair Trade Practices and Consumer Protection Law, the Attorney General may seek injunctive relief, and where a court finds intent to defraud, the court may impose a civil penalty up to US$5,000 per violation. An additional penalty up to US$5,000 per violation may apply for violations committed against an elder person or a person with a disability.
