CIPA Litigation Prevention Guide

Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.

Thank you!
Please check your email to view the guide.

Louisiana becomes 22nd state to pass a comprehensive consumer privacy law

July 2, 2026
5
 mins read
Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm
Louisiana Data Privacy Act

The Governor of Louisiana signed Senate Bill 386, the Louisiana Data Privacy Act (LDPA), into law on May 29, 2026. The law takes effect January 1, 2027.

  • The LDPA grants rights of access, correction, deletion, and portability, plus opt-out rights for targeted advertising, the sale of personal data, and certain profiling
  • Controllers must obtain consent to process sensitive data and must run data protection assessments for higher-risk processing
  • The Louisiana Attorney General has exclusive enforcement authority, and there is no private right of action

Who does the LDPA apply to?

The law applies to entities doing business in Louisiana that meet at least one of the following three thresholds:

  • Annual gross revenue above $25 million
  • The buying, receiving, selling, or sharing of the personal information of 75,000 or more consumers, households, or devices for commercial purposes, or 
  • Deriving 50 percent or more of annual revenue from selling personal information.

The LDPA carries the usual entity and data-level exemptions, including for financial institutions and data covered by the Gramm-Leach-Bliley Act, HIPAA-covered entities and protected health information, nonprofits, and higher education institutions. 

Data processed in an employment or applicant context is also out of scope.

What rights does it give consumers, and where does data sharing come in?

Consumers can access, correct, delete, and obtain a portable copy of their personal data. They can also opt out of targeted advertising, the sale of personal data, and profiling that supports solely automated decisions in areas like financial services, employment, or education.

The LDPA defines "sale" broadly as the exchange of personal data for monetary or other valuable consideration to a third party. Routine flows to advertising and analytics partners can therefore amount to a sale, triggering an opt-out right.

Consumers can also designate an authorized agent to opt out, including through a browser setting or extension or a device-level global signal. This points to recognition of opt-out preference signals such as the Global Privacy Control.

What are the transparency and assessment duties?

Controllers must publish a clear and accessible privacy notice covering the categories of data processed, the purposes, the categories shared with third parties, and how consumers exercise their rights and appeal a decision.

The LDPA is slightly unusual in requiring, like Texas, specific “sale notices”. A controller that sells sensitive data must state, in the same manner as the privacy notice, that it may sell sensitive personal data, with an equivalent notice for the sale of biometric data.

Data protection assessments are required for targeted advertising, the processing of sensitive data, and profiling that presents a reasonably foreseeable risk of substantial injury. These apply from January, 1, 2027, and are not retroactive.

What should privacy teams do?

The practical question for any team with Louisiana-resident data is whether its tracking inventory captures every pixel, tag, and SDK that shares data with advertising or analytics third parties, and whether those flows are correctly treated as sales subject to opt-out.

Teams should confirm that opt-out mechanisms are frictionless and actually stop transmission, that the GPC is honored, and that sale-of-sensitive-data and sale-of-biometric-data notices are added where relevant.

Vendor contracts and the data protection assessment program will also need review before the January deadline.

Privado AI is the agentic privacy platform to reduce compliance risk at scale. Privado AI offers AI-native solutions to automate risk discovery, assessments, and data maps. Prevent privacy violations with automated website and mobile app audits that verify consent compliance in each applicable jurisdiction, including Louisiana. Populate entire assessments with agents that analyze documentation, contracts, and data flows. Build dynamic data maps by scanning web, app, backend, and third-party software.

Industry insights you won’t delete. Delivered to your inbox.

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Continue Reading