Louisiana Enacts Consumer Data Privacy Law

By David Stauss & Marlaina Pinto on June 3, 2026

Key point: Louisiana becomes the 22nd state — and third this year — to enact a consumer data privacy law, adopting a law similar to Texas’ law.

On May 29, 2026, Louisiana Governor Jeff Landry signed the Louisiana Data Privacy Act (SB 386) into law. Louisiana is the 22nd state to pass a broad consumer data privacy law. It is the third state — following Oklahoma and Alabama — to pass a law this year.

The new law largely tracks Texas’ law but with some notable differences we identify below.

Applicability

Although the law generally follows the Texas Data Privacy and Security Act, one of the notable ways in which it differs from that law — as well as other Washington Privacy Act model consumer data privacy laws — is its applicability standard.

The law applies to controllers and processors that conduct business in Louisiana and satisfy one or more of the following thresholds: (1) have annual gross revenue in excess of $25 million; (2) annually buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 75,000 or more consumers, households, or devices; or (3) derive 50% or more of their annual revenue from selling consumers’ personal information.

This standard appears to be borrowed from the California Consumer Privacy Act (CCPA), including the fact that it uses “personal information” (which is used in the CCPA) instead of the law’s defined term of personal data.

The ultimate takeaway is that the law may apply in unlikely ways — such as business-to-business companies — since it applies to entities based on a revenue standard without reference to the processing of personal data.

Another notable difference from Texas is that the Texas law generally does not apply to small businesses with the exception that section 541.107 states that small businesses may not engage in the sale of sensitive personal data without consent. Louisiana’s law contains a similar provision but, because it does not track the Texas applicability standard, it ends up linking this provision to section 1780.2(A)(3), which is the portion of the law’s applicability standard that applies to persons or corporations that derive 50% or more of their annual revenue from selling consumers’ personal information. Piecing this together, the law basically creates a redundant prohibition on data brokers selling sensitive data without consent.

Exemptions

The law exempts Gramm-Leach-Bliley (GLBA) financial institutions and data, Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates, nonprofits, institutions of higher education, and public utilities. The law also contains an exemption for organizations registered with the secretary of state to conduct public opinion polls. The law contains customary data level exemptions for health-related data, Fair Credit Reporting Act (FCRA) data, Family Educational Rights and Privacy Act (FERPA) data, and employee data.

Notable Definitions

Sensitive Data

Sensitive data is defined narrowly to be: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; and (4) precise geolocation data.

Consent

The law uses the Texas definition of consent, which includes language stating that consent does not include acceptance of general or broad terms of use or hovering over, muting, or closing content.

Personal Data

Contrary to the Texas’ definition of personal data, the Louisiana law does not state that personal data “includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” This becomes relevant, for example, with respect to the right to opt out of targeted advertising.

Sale

The law defines “sale of personal data” to be the exchange of personal data for monetary or other valuable consideration.

Consumer Rights

The law contains the customary consumer rights, including the rights to (1) confirm whether a controller is processing the consumer’s personal data and to access the personal data; (2) correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by or obtained about the consumer; and (4) opt out of targeted advertising, the sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. All rights, including the opt-out rights, are subject to authentication.

The law requires controllers to obtain consumer consent for the processing of sensitive data; however, it does not provide the right to revoke consent.

Children’s Privacy Rights

The law does not contain any additional privacy rights for children above 13 years of age.

Universal Opt-Out Mechanisms

The law requires controllers to recognize universal opt-out mechanisms.

Privacy Policy

The privacy policy provisions are consistent with those found in Texas’ law, including requiring controllers to provide specific notices if they sell sensitive personal data or biometric personal data.

Data Protection Impact Assessments

The law requires controllers to conduct data protection impact assessments consistent with the requirements found in similar laws.

Enforcement

Violations of the law are only enforceable by the state attorney general. The law contains a 30-day right to cure that sunsets on July 31, 2027.

The attorney general must post on its website information relating to the responsibilities of controllers and processors and consumer rights.

Effective Date

The law goes into effect January 1, 2027.