Governor Landry signed SB 386, now Act 502, on May 29, making Louisiana the 22nd U.S. state with a comprehensive consumer privacy law and the third in 2026, after Oklahoma and Alabama. Effective January 1, 2027.
The Louisiana Data Privacy Act follows the Washington Privacy Act framework but copies California’s CCPA on applicability. Coverage kicks in at $25 million in annual gross revenues, 75,000 consumers’ worth of data processed annually, or 50% or more of revenues from selling personal information. The thresholds also use CCPA’s undefined term “personal information” rather than “personal data,” the defined term used throughout the rest of the act.
Three gaps separate the LDPA from newer state laws. The sensitive data definition excludes consumer health data, neural data, and crime victim status; many newer laws cover all three. There’s no opt-in for teenagers on targeted advertising or data sales. Controllers don’t have to offer a consent revocation mechanism.
For multistate compliance teams, it’s a follower law. CCPA-style thresholds create a different coverage footprint than WPA-framework states, and the narrower sensitive data scope lets Louisiana-only programs run leaner than a California or Connecticut build. According to the FPF’s state privacy law landscape report, the patchwork has been expanding sensitive data categories and teen protections for two years. Louisiana consciously skipped that expansion: a future AG enforcement case on consumer health data won’t land here the way it would in Colorado.
The Louisiana AG enforces under the state’s Unfair Trade Practices and Consumer Protection Law, with no private right of action. The AG must give notice of alleged violations and at least 30 days to cure before initiating any investigation, through July 31, 2027. After that, investigations proceed without cure periods.
James Okafor