Privacy & Cybersecurity Law Blog

Louisiana recently enacted Senate Bill 386, the Louisiana Data Privacy Act (“LDPA”), becoming the 22nd U.S. state to adopt a comprehensive consumer data privacy law. The LDPA follows the now-familiar controller/processor and consumer-rights framework seen in many state comprehensive data privacy laws, with certain distinctions.

Scope

The LDPA applies to any person or entity that does business in Louisiana and satisfies at least one of the following thresholds:

• has annual gross revenues exceeding $25 million;
• annually buys, receives, “sells” (for monetary or other valuable consideration), or shares for commercial purposes the personal data of 75,000 or more consumers, households, or devices; or
• derives 50% or more of its annual revenues from selling consumers’ personal data.

Notably, unlike many other state comprehensive data privacy laws, the LDPA does not apply to entities that merely “target” Louisiana residents with their products and services. Rather, it applies to entities that ”do business” in the state, which may narrow the law's reach.

Like other state comprehensive data privacy laws, the LDPA exempts certain entities and data from its scope. Exempt entities include state agencies, GLB-regulated financial institutions, HIPAA-covered entities and business associates, nonprofits and institutions of higher education. Data-level exemptions include HR-related data, PHI and NPI.

Key Obligations

The LDPA imposes several obligations on controllers, including:

• Privacy Notice: Controllers must provide a reasonably accessible and clear privacy notice that discloses the categories of personal data (including sensitive data) processed; the purposes of processing; the categories of personal data sold to third parties; the categories of third parties receiving the data; and the methods for submitting consumer rights requests.
• Data Minimization: Controllers must limit the collection of personal data to what is adequate, relevant and reasonably necessary for the disclosed purposes.
• Security Safeguards: Controllers must implement and maintain reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the data.
• Vendor Contracts: Contracts between controllers and processors must include the nature and purpose(s) of processing; the types of personal data subject to processing; the duration of processing; the rights and obligations of both parties; and requirements for confidentiality, data return/deletion, audit cooperation and sub-processor oversight.
• Data Protection Assessments: Controllers must conduct and document data protection assessments for higher-risk processing activities, including targeted advertising, the sale of personal data, profiling that presents a foreseeable risk of harm and the processing of sensitive data.
• Sensitive Data: Controllers must obtain prior consent to process sensitive data.
  • Notably, unlike other state privacy laws, controllers that derive 50% or more of their annual revenues from the sale of personal data must obtain consumers’ separate consent to sell sensitive data.
• Sale of Sensitive or Biometric Data Notice:
  • Controllers that sell sensitive personal data or biometric data must post a conspicuous notice stating “NOTICE: We may sell your sensitive personal data” or “NOTICE: We may sell your biometric personal data,” as applicable.

Consumer Rights

The LDPA provides Louisiana consumers the right to:

• confirm whether the controller is processing their personal data;
• access their personal data, including in a portable copy (if available in a digital format);
• correct inaccuracies in their personal data;
• delete their personal data;
• opt out of (i) targeted advertising, (ii) the sale of personal data, and (iii) profiling that produces a legal or similarly significant effect (consumers may designate an authorized agent, including through a technology-based opt-out signal that complies with the law’s requirements (e.g., Global Privacy Control)); and
• appeal the denial of a privacy request.

Controllers must respond to privacy requests within 45 calendar days of receipt, with a single 45-day extension available.

Effective Date and Enforcement

The LDPA will take effect January 1, 2027. The Louisiana Attorney General has exclusive enforcement authority. Violations of the law constitute unfair and deceptive trade practices. A 30-day cure period applies from January 1, 2027 through July 31, 2027, after which the cure period expires.