Skip to content

Louisiana Data Privacy Act (LDPA): Everything U.S. Businesses Need to Know

Resources / Blog / Louisiana Data Privacy Act (LDPA): Everything U.S. Businesses Need to Know
  • Effective January 1, 2027, the LDPA applies to businesses that either have annual gross revenues exceeding USD 25 million, process personal data of 75,000 or more Louisiana consumers annually, or derive 50 percent or more of gross revenues from personal data sales.
  • The LDPA uses an opt-out model: businesses may collect and process personal data without prior consent, provided consumers have clear means to opt out of targeted advertising, data sales, and profiling used in decisions with legal or similarly significant effects.
  • Affirmative consent is required before processing sensitive personal data, including biometric data, precise geolocation, and data belonging to children under 13.
  • Louisiana’s “sale” definition covers both monetary and other valuable considerations, bringing many common data-sharing arrangements within opt-out scope.
  • The LDPA requires businesses to accept opt-out requests submitted via authorized agent technologies, including browser settings and extensions. The technology must be activated by an affirmative consumer choice.
  • Enforcement rests with the Louisiana Attorney General. A 30-day cure period applies from January 1 and sunsets July 31, 2027.

The Louisiana Data Privacy Act (LDPA) takes effect January 1, 2027, with opt-out requirements for data sales and targeted advertising. It also has opt-out signal recognition requirements, affirmative consent for sensitive data, and AG-only enforcement with a cure period that expires July 31, 2027. Louisiana’s broader “sale” definition and mandatory opt-out preference signal support create specific operational considerations for multi-state compliance programs.

Louisiana enacted its first comprehensive consumer data privacy law with the passage of Senate Bill 386, which takes effect January 1, 2027. 

For compliance programs already operating under the privacy laws of Virginia or Texas, the LDPA’s basic architecture is familiar: opt-out model for most processing, affirmative consent for sensitive data, AG-only enforcement. 

The significant differences lie in the details. Louisiana’s definition of “sale” is broader than Oklahoma’s or Texas’s, capturing exchanges for valuable consideration beyond monetary payment. 

The law requires businesses to accept opt-out requests submitted via authorized agent technologies, including browser settings and extensions like the Global Privacy Control (GPC), though the statute specifies that the technology must rely on an affirmative consumer choice, not a default signal.

Louisiana’s cure period is explicitly time-limited: it expires after seven months, after which enforcement proceeds without the benefit of advance notice.

This guide covers who the LDPA applies to, what it requires of businesses and their processors, what rights it extends to Louisiana consumers, and the practical steps multi-state compliance programs should take to prepare.

What Is Louisiana’s Data Privacy Act (LDPA)?

The Louisiana Data Privacy Act establishes a framework of consumer rights over personal data and corresponding obligations for the businesses that collect and process it.

The law follows the Virginia Consumer Data Protection Act (VCDPA) model in broad structure, but incorporates elements drawn from California and Connecticut that distinguish it from more recent state frameworks. 

Like other U.S. state-level data privacy laws, the LDPA uses an opt-out consent model. Businesses may collect and use personal data without obtaining prior consent from each individual in most cases, provided consumers are notified about data use and rights, and given clear and accessible means to opt out of specific uses, like sales.

The law’s authorized-agent opt-out requirement and broader “sale” definition, however, mean it places more meaningful operational obligations on multi-state compliance programs than some comparable frameworks.

Key Definitions Under the LDPA

Understanding how the LDPA defines its core terms is the starting point for assessing whether and how the law applies to your organization.

Personal Data

Personal data under the LDPA is any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The definition includes pseudonymous data when used alongside additional information that could link it to a specific person. De-identified data and publicly available information are excluded.

Sensitive Data

Sensitive data is a subcategory of personal data subject to heightened protections. Controllers may not process it without affirmative prior consumer consent. The LDPA categorizes the following as sensitive data:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation or gender identity
  • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child under 13 years of age
  • Precise geolocation data

Consumer

A consumer under the LDPA is a Louisiana resident acting in an individual or household context. Individuals acting in a commercial or employment capacity are excluded from the definition.

Controller and Processor

A controller is an individual or legal entity that determines, in whole or in part, the purposes and means of processing personal data.

A processor is an entity that processes personal data on behalf of a controller, typically third-party vendors such as analytics providers, cloud storage services, or advertising platforms.

The LDPA requires controller-processor relationships to be governed by a written contract (data processing agreement, or DPA) specifying processing instructions, data types, duration, and the obligations of each party.

Sale of Personal Data

The LDPA defines “sale” as the exchange of personal data for monetary or other valuable consideration by a controller to a third party. This definition is broader than that used in several comparable state laws, which limit “sale” to monetary consideration only.

For compliance teams managing multi-state programs, this distinction matters: data-sharing arrangements that fall outside opt-out requirements in Oklahoma or Virginia, for example, may be subject to them under Louisiana’s law, requiring specific assessment of those arrangements.

Certain exchanges are excluded from the definition, including disclosures to processors acting under the controller’s instructions, disclosures made at the consumer’s direction, affiliate disclosures, and disclosures as part of a merger or acquisition.

The LDPA defines consent as a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow processing.

The definition explicitly excludes:

  • Acceptance of general or broad terms of use containing data processing descriptions alongside unrelated information
  • Hovering over, muting, pausing, or closing content
  • Consent obtained through the use of dark patterns

Who Does the Louisiana Data Privacy Act Apply To?

The LDPA applies to persons or entities conducting business in Louisiana or producing products or services consumed by Louisiana residents, provided at least one of the following thresholds is met:

  • Annual gross revenues exceeding USD 25 million
  • Annually buys, receives, sells, or shares the personal data of 75,000 or more consumers or households for commercial purposes
  • Derives 50 percent or more of annual revenues from selling personal data

The inclusion of a USD 25 million annual revenue threshold distinguishes Louisiana from a number of the newer state privacy laws, which do not apply a revenue trigger. 

It brings the LDPA’s scope closer to California and Tennessee, which also apply revenue-based thresholds. For compliance teams at mid-size and larger businesses, the revenue threshold means Louisiana obligations may apply even where data processing volumes are relatively modest.

Entity-Level Exemptions

LDPA exemptions align with other state privacy frameworks, and apply to:

  • State agencies and political subdivisions
  • Nonprofit organizations
  • Higher education institutions
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates governed by HIPAA
  • Electric public utilities

Data-Level Exemptions

Certain data categories fall outside the LDPA’s scope regardless of the entity processing them, including:

  • Protected health information under HIPAA
  • Employee and job applicant data
  • Data regulated under the Fair Credit Reporting Act (FCRA)
  • Data regulated under the Driver’s Privacy Protection Act
  • Student data under FERPA

Consumer Rights Under the LDPA

The LDPA grants Louisiana consumers several rights over their personal data, exercised by submitting a verified request:

  • Right to access: Confirm whether a controller is processing their personal data, and obtain access to it
  • Right to correct: Have inaccuracies in their personal data corrected
  • Right to delete: Have personal data provided by or obtained about them deleted
  • Right to portability: Obtain a copy of personal data previously provided to the controller in a portable, readily usable digital format
  • Right to opt out: Of targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects
  • Right to non-discrimination: Cannot be denied goods or services, charged different prices, or provided a lower quality of service for exercising their rights

The LDPA does not provide a private right of action, and enforcement rests solely with the Attorney General. Unlike some comparable state laws, the LDPA permits consumers to designate authorized agents, including technology-based opt-out signals such as browser settings and extensions like GPC, to submit opt-out requests on their behalf. 

The statute requires that any such technology be activated by an affirmative consumer choice rather than operating as a default.

Responding to Consumer Rights Requests

Louisiana’s law requires businesses to provide at least two secure methods through which consumers can submit rights requests, and prohibits requiring consumers to create a new account solely for that purpose.

Controllers must respond to authenticated requests within 45 days, with a possible 45-day extension when reasonably necessary, provided the consumer is notified within the initial period. Responses must be free of charge, up to twice per year per consumer.

Controllers must establish an appeal process for denied requests, with a 60-day response window. If an appeal is denied, the consumer must be directed to the Louisiana Attorney General’s complaint mechanism.

Authorized Agent Opt-Out Signals Under the LDPA

Under the LDPA, consumers may designate an authorized agent to submit opt-out requests on their behalf using technology, including a link to a website, a browser setting or extension, or a global device setting. This provision functionally encompasses GPC and similar opt-out signals.

However, the statute includes a material constraint: the technology must require an affirmative, freely given, and unambiguous consumer choice. It may not operate via a default setting. Whether a given implementation for opt-out signal recognition satisfies this affirmative-choice requirement will depend on configuration, and businesses should seek legal guidance before treating any default-enabled signal as compliant under the LDPA.

Oklahoma and Alabama, the two states that passed privacy laws in 2026 prior to Louisiana, do not include comparable authorized-agent opt-out technology provisions. Among states that do, requirements vary.

In September 2025, the California Privacy Protection Agency and state attorneys general in Connecticut and Colorado announced a joint investigative sweep targeting businesses failing to honor opt-out signals, with targets identified through technical monitoring rather than consumer complaints. Businesses should ensure their opt-out infrastructure is operationally configured and maintained, not merely nominally implemented.

The LDPA requires affirmative consent before processing any category of sensitive personal data. Sensitive categories include:

Health information

Racial and ethnic origin

Religious beliefs

Immigration status

Sexual orientation

Gender identity

Biometric and genetic data

Precise geolocation

Personal data belonging to known children under 13

Louisiana’s consent standard requires a clear, affirmative act, and excludes passive signals such as acceptance of broad terms of use, hovering, and closing content — these do not constitute valid consent for sensitive data processing.

Children’s Data

The LDPA requires that processing of personal data belonging to known children under 13 comply with the Children’s Online Privacy Protection Act (COPPA), and classifies children’s data as sensitive, requiring affirmative parental or guardian consent prior to any processing. This is fairly standard among the U.S. state privacy laws. 

The LDPA does not include specific provisions for teenagers under age 16 as some state-level laws do, such as Alabama’s privacy law requiring direct consent from minors ages 13–15 for data sale or targeted advertising. 

Business Obligations Under the LDPA

The LDPA’s core controller and processor obligations are consistent with comparable state frameworks:

  • Data minimization: Collect and process only what is adequate, relevant, and reasonably necessary for the disclosed purpose
  • Transparency: Provide a reasonably accessible privacy notice disclosing processing activities and consumer rights
  • Reasonable security: Implement appropriate administrative, technical, and physical safeguards
  • Processor contracts: Govern all processor relationships with a written agreement
  • Data protection assessments: Conduct assessments for high-risk processing activities

Privacy Notice Requirements

Controllers must publish a privacy notice that is reasonably accessible and clear to visitors. The notice must include:

  • Categories of personal data processed, including sensitive data
  • Purposes for processing
  • Categories of third parties with whom data is shared
  • Whether the controller sells personal data or processes it for targeted advertising
  • How consumers may exercise their rights, including the appeal process

Controllers maintaining a website must also provide a consumer request submission mechanism accessible from the website. Those selling sensitive or biometric data specifically must post a conspicuous disclosure.

Data Protection Assessment Obligations

Businesses must conduct data protection assessments for high-risk activities, including:

  • Targeted advertising
  • Data sales
  • Profiling that produces legal or significant effects
  • Processing sensitive data
  • Processing that presents a reasonably foreseeable risk of consumer harm

Assessments apply to processing activities that were ongoing before January 1, 2027 and will continue after that date, as well as to new activities commencing on or after that date. Assessments are confidential and production to the Attorney General does not waive privilege.

Processor Contract Requirements

Processor agreements must specify:

  • Processing instructions
  • Nature and purpose of processing
  • Data types
  • Processing duration
  • Rights and obligations of both parties

Agreements must also require confidentiality, data return or deletion on request, audit cooperation, and equivalent obligations for any subprocessors engaged.

The LDPA explicitly prohibits dark patterns in consent interfaces. Dark patterns include user interfaces designed or manipulated to substantially subvert or impair consumer autonomy, decision-making, or choice, including any practice the FTC designates as a dark pattern.

Businesses should audit consent interfaces and opt-out flows before the law takes effect.

De-Identified Data Obligations

Controllers using de-identified data retain obligations under the LDPA despite the exclusion of such data from its scope. They must take reasonable measures to prevent re-identification, make a public commitment not to re-identify data, and contractually bind recipients to equivalent restrictions.

Targeted Advertising and Data Sales Under the LDPA

Louisiana adopts an opt-out model for targeted advertising and data sales. As discussed above, the LDPA’s “sale” definition, which covers monetary and other valuable considerations, is broader than comparable laws in some other states.

For compliance teams managing multi-state programs, this means that certain data-sharing arrangements assessed as falling outside opt-out obligations in other states may require separate review against Louisiana’s standard.

Businesses should also assess whether their existing opt-out mechanisms and privacy notice disclosures adequately cover the LDPA’s scope, particularly for arrangements involving non-monetary valuable consideration.

LDPA Enforcement and Penalties

The Louisiana Attorney General has exclusive enforcement authority under the LDPA. There is no private right of action. Violations are classified as unfair or deceptive trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law, which is similar to how they’re handled in Colorado, New Hampshire, and Maryland. They carry civil penalty exposure of up to USD 7,500 per violation, injunctive relief, and other remedies. 

The LDPA includes a temporary cure period from January 1 through July 31, 2027. This is a shorter cure period than is common among comparable state privacy laws, which more typically run for a year from the effective date.

During this window, the Attorney General must provide 30 days’ written notice before initiating an investigation, and enforcement may be avoided by curing the violation in writing, notifying affected consumers, and implementing policy changes to prevent recurrence. 

After July 31, 2027, this cure period expires permanently. After that date, any opportunity to cure is entirely at the Attorney General’s discretion.

How to Prepare for the LDPA

For businesses already operating under other state frameworks, the LDPA’s core structure will be largely familiar. The areas requiring specific attention are the broader “sale” definition, the mandatory GPC requirement, and the time-limited cure period.

Multi-state compliance programs should prioritize the following before January 1, 2027:

Applicability assessment: Confirm whether the USD 25 million revenue, 75,000-consumer, or 50 percent revenue-from-data-sales thresholds apply

Authorized-agent opt-out review: Verify that consent infrastructure can detect and process opt-out requests from technology-based authorized agents, including browser settings and extensions, and confirm that only signals activated by an affirmative consumer choice are treated as valid

Sale definition review: Audit data-sharing arrangements against the LDPA’s broader definition to identify additional opt-out obligations

Privacy notice review: Confirm notices include required disclosures and that a consumer request mechanism is accessible from the website

Consumer request workflows: Verify processes, including appeal pathways, are operational and include at least two secure submission methods

Sensitive data consent audit: Confirm affirmative consent is captured and documented for all sensitive data categories, including children’s data, before processing begins

Consent interface review: Check for dark patterns in consent UIs and opt-out mechanisms

Data protection assessments: Confirm high-risk processing activities, including those that were ongoing before January 1, 2027, are covered

Processor contract review: Verify vendor agreements meet the written contract requirements

The Usercentrics Consent Management Platform, with geotargeting capabilities, can support several of these steps by enabling state-specific opt-out flows, opt-out signal detection, consent documentation, and banner configurations that adapt to each applicable law’s requirements.

Prepare your compliance program for the LDPA

Usercentrics supports opt-out workflows, opt-out signal detection, consent documentation, and geotargeted configurations across U.S. state privacy laws. See it in action today.

William Newmark
Senior Legal Counsel, Usercentrics
Stay in the loop

Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.