

The Governor of Louisiana signed Senate Bill 386, the Louisiana Data Privacy Act (LDPA), into law on May 29, 2026. The law takes effect January 1, 2027.
The law applies to entities doing business in Louisiana that meet at least one of the following three thresholds:
The LDPA carries the usual entity and data-level exemptions, including for financial institutions and data covered by the Gramm-Leach-Bliley Act, HIPAA-covered entities and protected health information, nonprofits, and higher education institutions.
Data processed in an employment or applicant context is also out of scope.
Consumers can access, correct, delete, and obtain a portable copy of their personal data. They can also opt out of targeted advertising, the sale of personal data, and profiling that supports solely automated decisions in areas like financial services, employment, or education.
The LDPA defines "sale" broadly as the exchange of personal data for monetary or other valuable consideration to a third party. Routine flows to advertising and analytics partners can therefore amount to a sale, triggering an opt-out right.
Consumers can also designate an authorized agent to opt out, including through a browser setting or extension or a device-level global signal. This points to recognition of opt-out preference signals such as the Global Privacy Control.
Controllers must publish a clear and accessible privacy notice covering the categories of data processed, the purposes, the categories shared with third parties, and how consumers exercise their rights and appeal a decision.
The LDPA is slightly unusual in requiring, like Texas, specific “sale notices”. A controller that sells sensitive data must state, in the same manner as the privacy notice, that it may sell sensitive personal data, with an equivalent notice for the sale of biometric data.
Data protection assessments are required for targeted advertising, the processing of sensitive data, and profiling that presents a reasonably foreseeable risk of substantial injury. These apply from January 1, 2027, and are not retroactive.
The practical question for any team with Louisiana-resident data is whether its tracking inventory captures every pixel, tag, and SDK that shares data with advertising or analytics third parties, and whether those flows are correctly treated as sales subject to opt-out.
Teams should confirm that opt-out mechanisms are frictionless and actually stop transmission, that the GPC is honored, and that sale-of-sensitive-data and sale-of-biometric-data notices are added where relevant.
Vendor contracts and the data protection assessment program will also need review before the January deadline.
Privado AI is the agentic privacy platform to reduce compliance risk at scale. Privado AI offers AI-native solutions to automate risk discovery, assessments, and data maps. Prevent privacy violations with automated website and mobile app audits that verify consent compliance in each applicable jurisdiction, including Louisiana. Populate entire assessments with agents that analyze documentation, contracts, and data flows. Build dynamic data maps by scanning web, app, backend, and third-party software.