惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
MongoDB | Blog
MongoDB | Blog
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Stack Overflow Blog
Stack Overflow Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
aimingoo的专栏
aimingoo的专栏
B
Blog
博客园 - 聂微东
博客园_首页
D
DataBreaches.Net
F
Fortinet All Blogs
小众软件
小众软件
M
MIT News - Artificial intelligence
H
Help Net Security
Microsoft Security Blog
Microsoft Security Blog
The GitHub Blog
The GitHub Blog
大猫的无限游戏
大猫的无限游戏
Apple Machine Learning Research
Apple Machine Learning Research
Microsoft Azure Blog
Microsoft Azure Blog
I
InfoQ
F
Full Disclosure
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
Y
Y Combinator Blog
Google DeepMind News
Google DeepMind News
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 【当耐特】
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
G
Google Developers Blog
B
Blog RSS Feed
Attack and Defense Labs
Attack and Defense Labs
W
WeLiveSecurity
N
News | PayPal Newsroom
Recent Announcements
Recent Announcements
AI
AI
人人都是产品经理
人人都是产品经理
J
Java Code Geeks
V2EX - 技术
V2EX - 技术
TaoSecurity Blog
TaoSecurity Blog
S
Security Affairs
Martin Fowler
Martin Fowler
Webroot Blog
Webroot Blog
P
Palo Alto Networks Blog
S
Schneier on Security
Latest news
Latest news

Future of Privacy Forum

Navigating Cross-Border Data Transfers in the ASEAN Region: An Analysis of Developments from 2023 to 2026 FPF Submits Comments to Inform California Children’s Social Media Protections Rulemaking Process Mandating “Evidence-Based” Suicide Detection in Chatbots Data Brokers & Beyond: Navigating New Jersey’s Data Broker & “Data Collector” Registration Law - Future of Privacy Forum FPF Hosts Frontiers Workshop on Privacy, AI, and Emerging Infrastructure FPF’s 2026 DC Privacy Forum: Leading Voices in AI, Privacy and Emerging Technology Understanding Data Embassies and Corridors Perseverance Pays Off for Vermont Privacy Efforts Future of Privacy Forum Announces 2026 Career Achievement Award Recipients - Future of Privacy Forum Future of Privacy Forum Releases Comprehensive Report On Algorithmic Personalization in Youth Online Experiences Frontier AI Goes Federal: How the Great American AI Act Compares to State Laws Comparing Enacted App Store Accountability Acts - Future of Privacy Forum No Silver Bullet, But a Silver Lining? PETs and International Data Transfers Career Choice in the AI Age: What Next for Privacy and Data Professionals? FPF Releases Practitioner Guides on Privacy Enhancing Technologies for Education Stakeholders SB 5 in Five: What to Know About Connecticut’s New AI Law Third Time’s the Charm: Connecticut Enacts Annual Privacy Update - Future of Privacy Forum Colorado Revises Its AI Act: What Changed and Why The EU Commission’s Approach to Age Verification: Mobile Apps, DSA Enforcement, and Challenging National Social Media Bans Taking stock: The Impact of the India AI Impact Summit 2026 The New(ish) Architecture of Consumer Health and Artificial Intelligence Celebrating Another Year of Privacy and AI Governance: FPF at the 2026 IAPP Global Summit - Future of Privacy Forum Adapting the Privacy Profession to Changing Times More Parties, More Risks, More Opportunity? Evolving Governance to Support Cyber Resilience Amidst Evolving Policy and Technological Change Contextualizing the Proposed SECURE Data Act in the State Privacy Landscape FPF on the Securing and Establishing Consumer Uniform Rights and Enforcement Over Data ("SECURE Data") Act The Alabama Personal Data Protection Act Brings Consumer Privacy to the Heart of Dixie The Price is Right: Responsible Uses of Personal Data in Pricing Red Lines under the EU AI Act: Restricting Real-time Remote Biometric Identification Systems for Law Enforcement Purposes The Rest of the West: Oregon and Washington Build on California Chatbot Law Red Lines under the EU AI Act: Understanding the prohibition of biometric categorization for certain sensitive characteristics 2026 Chatbot Legislation Tracker Red Lines under EU AI Act: Unpacking the prohibition of emotion recognition in the workplace and education institutions Privacy Protections Coming Sooner Rather Than Later to the Sooner State Navigating Autonomy and Privacy in Emerging AgeTech: Insights from the FPF Roundtable Incentives or Obligations? The U.S. Regulatory Approach to Voluntary AI Governance Standards Red Lines under the EU AI Act: Understanding the ban of the untargeted scraping of facial images and facial recognition databases
Privacy Becomes You, Bayou State: A Look at the Louisiana Data Privacy Act
Jordan Francis · 2026-06-04 · via Future of Privacy Forum

Senior Policy Counsel

Louisiana has become the 22nd U.S. state to enact a comprehensive consumer privacy law—and the third this year following Oklahoma and Alabama—after Governor Landry signed the Louisiana Data Privacy Act (LDPA) (SB 386) on May 29. Overall, this is a fairly standard state privacy law that follows the Washington Privacy Act framework apart from the law’s CCPA-style applicability thresholds. The law will go into effect on January 1, 2027. This blog post covers the LDPA’s scope, consumer rights, business obligations, and enforcement. 

Scope

Applicability: Like other comprehensive privacy laws based on the Washington Privacy Act (WPA) framework, this law regulates controllers’ and processors’ collection and use of personal data.

Departing from the common WPA framework, this law’s applicability thresholds are modeled on those under the California Consumer Privacy Act (CCPA). The LDPA only applies to a person or entity doing business in Louisiana that either—

  1. Has annual gross revenues exceeding $25 million; 
  2. Annually buys, “receives for the business’s commercial purposes,” sells, or shares for commercial purposes the “personal information” of at least 75,000 consumers, households, or devices; or 
  3. Derives 50% or more of its annual revenues from selling consumers’ “personal information.”

Not only do these thresholds reflect those under the CCPA, they also use the undefined term “personal information” (which is used in the CCPA) rather than the defined term “personal data” used throughout the LDPA. One unique aspect of these applicability thresholds is that prong (2) adds the criteria “receives for the business’s commercial purposes,” which is not present in the CCPA’s text although that law defines “commercial purpose” and uses the term in other contexts. (§ 1780.2(A).)

The LDPA includes broad entity- and data-level exemptions, including for—

  • State agencies or political subdivisions;
  • Financial institutions, affiliates, or data subject to the GLBA; 
  • Covered entities, business associates, and protected health information governed by HIPAA; 
  • Health records;
  • Information included in a limited data set maintained as required under 45 C.F.R. 164.514(e);  
  • Nonprofits, including political organizations; 
  • Institutions of higher education; 
  • Information collected, used, or disclosed by a consumer reporting agency or furnisher to the extent regulated by and authorized under FCRA; 
  • Personal data collected, processed, sold, or disclosed in compliance with the DPPA; 
  • Personal data regulated under FERPA; and more. (§ 1780.2(B)-(C).)

Key Definitions: Personal data is defined consistently with other state laws as information that is linked or reasonably linkable to an identified or identifiable individual, and it does not include deidentified data or publicly available information. Sensitive data includes: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed for uniquely identifying an individual; personal data collected from a known child (under 13); and precise geolocation data (within a radius of 1,750’). This definition is narrower than in many of the newer state laws, which often include other categories such as consumer health data, neural data, or status as a victim of a crime. (§ 1780.1.)

This law includes many of the key definitions associated with the Connecticut-model of state laws. For example: the definition of “biometric data” includes data generated from a photograph or video or audio recording if generated to identify a specific individual; “dark patterns” are defined and prohibited for obtaining consent; and “sale” is defined broadly to include exchanges of personal data for “other valuable consideration” apart from monetary consideration. (§ 1780.1.)

Consumer Rights

Consumers will have the standard rights to: confirm whether their personal data is being processed; access their personal data; correct inaccuracies in their personal data; have their personal data deleted; obtain a copy of their personal data in a portable format (if available in a digital format); and opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. Like the laws in Tennessee and Alabama, these consumer rights (including the opt-out right) do not apply to pseudonymous data if the controller is able to demonstrate that information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls that prevent the controller from accessing the information.  (§ 1780.3(A), 1780.4(O),)

Controllers must respond to consumer rights requests within 45 days, which can be extended an additional 45 days if necessary so long as the consumer is informed of the extension and the reason. If a controller declines to act on a consumer request, then it must inform the consumer of the decision, the justification, and how to appeal the decision. A controller is not required to comply with a rights request that it cannot authenticate, and that the authentication requirement extends to the consumer opt-outs as well. Some states, like Connecticut, provide that a controller does not need to authenticate an opt-out request but may deny an opt-out request if it has a good faith, reasonable and documented belief that the request is fraudulent. (§ 1780.3(B).)

In another departure from the Connecticut-style suite of state laws, the LDPA does not appear to require a controller to provide consumers with a mechanism to revoke previously given consent. 

What about Agents and OOPS? A consumer will be able to designate another person to serve as the consumer’s authorized agent to opt-out of the processing of consumer’s personal data for targeted advertising or the sale of personal data. Although the law does not reference opt-out preference signals (OOPS) or universal opt-out mechanisms (UOOM), it does provide that a consumer can “designate an authorized agent using a technology, including . . . a global setting on an electronic device,” that allows the consumer to indicate the consumer’s intent to opt out of the processing for targeted advertising, for sale of personal data, or both.” Additionally, a “technology” described in the subsection may not “unfairly disadvantage another controller,” make use of a default setting (instead requiring “an affirmative, freely given, and unambiguous choice” by the consumer), and be consumer-friendly and easy to use. These are the common requirements for an OOPS under the state comprehensive privacy laws. 

The use of a technologically-designated authorized agent by a consumer could be limited due to several exceptions under the law. A controller is not required to comply with an opt-out request from an authorized agent if: the authorized agent does not communicate the request in a clear and unambiguous manner; the controller cannot verify (with reasonable effort) that the consumer is a resident of Louisiana; the controller does not possess the ability to process the request; or the controller “does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.”(§ 1780.3(E)(5)-(6).) 

Business Obligations

Consistent with most of the state privacy laws, controllers and processors are subject to an enumerated list of duties under the law—including transparency, data minimization, data security, non-retaliation, oversight of processors, data protection assessments, and children-specific protections—as well as a list of broad exceptions. 

Transparency: Controllers must provide consumers with a “reasonably accessible and clear privacy notice” including information such as categories of personal data processed, processing purposes, how consumers can exercise their data rights, categories of personal data sold to third parties, and categories of third parties to whom data is sold. If the controller sells personal data, processes personal data for targeted advertising, sells sensitive data, or sells biometric data, there are additional notices that must be provided in the privacy notice (e.g., “NOTICE: We may sell your sensitive data”). (§ 1780.4(B).)

Data Minimization: The LDPA includes common procedural data minimization and purpose limitation restrictions. A controller must— 

  • “[L]imit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer” 
  • Obtain the consumer’s consent to “process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer”; and 
  • Obtain the consumer’s consent to process the consumer’s sensitive data. (§ 1780.4(A).)

Data Security: A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the data. (§ 1780.4(A)(1)(b).)

Anti-discrimination and Non-retaliation: Controllers cannot process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Controllers also may not deny goods or services, charge different prices or rates for goods or service, or provide a different level of quality of goods or services to the consumer as retaliation for a consumer exercising any of their rights under the LDPA, subject to exceptions (e.g., if the data is necessary to provide a service or processed in connection with a bona fide loyalty program). (§ 1780.4(A).)

Processors: Processors must adhere to the instructions of a controller and assist the controller in complying with the controller’s duties or requirements under the law. Whether a person is acting as a controller or processor is a fact-based determination depending on context, but a processor remains a processor if they are adhering to a controller’s instructions with respect to a specific processing activity. There must be a valid contract in place between the controller and processor that meets statutory criteria (e.g., clear instructions for processing, deleting or returning personal data after the service is concluded). (§ 1780.4(D).)

Children’s Privacy: Consistent with most other state comprehensive privacy laws, the LDPA includes protections for children’s personal data and provisions that address COPPA compliance. “Sensitive data” includes personal data collected from a known child, and a controller must process the sensitive data of a known child in accordance with COPPA. Parents are able to exercise consumer rights on behalf of a child whose personal data is processed. Controllers and processors that comply with the verifiable parental consent requirements of COPPA are deemed to be in compliance with any requirement to obtain parental consent under the LDPA. In contrast to many of the newer state comprehensive privacy laws, the LDPA does not include opt-in rights for teenagers with respect to targeted advertising or the sale of personal data. (§§ 1780.1, 1780.2(E), 1780.3(A) & 1780.4(A).)

Data Protection Assessments: Controllers must conduct and document a data protection assessment for processing activities that present a heightened risk of harm to consumers, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling that presents a reasonably foreseeable risk of substantial injury to consumers, and processing sensitive data. A controller must make a data protection assessment available to the Louisiana attorney general if requested in a civil investigative demand (although that requirement includes a cross-reference to a non-existent subsection of the law). (§ 1780.4(E).)

Exceptions: This bill includes a number of common exceptions, providing that nothing in the law shall be construed to limit a controller’s or processor’s ability to: comply with state, federal, or local laws or regulations; comply with regulatory inquiries or investigations; provide a specifically requested product or service; engage in public or peer-reviewed research in the public interest adhering to relevant safeguards; cooperating with law enforcement agencies; internal use of data for conducting research, effectuating a product recall, identifying and repairing technical errors, performing internal operations reasonably aligned with consumers’ expectations; and more. (§ 1780.4(G)-(I).) 

Miscellaneous: This law includes one unique provision related to the sale of sensitive data. Section 1780.4(P) provides that “[a] person or entity described by R.S. 51:1780.2(A)(3) may not engage in the sale of personal data that is sensitive without receiving prior consent from the consumer,” and violation of that requirement subjects a person to a penalty under the law. The cross-reference is to the applicability threshold for a person or entity that does business in the state and that derives fifty percent or more of its annual revenues from selling consumers’ “personal information.” This is an ambiguous requirement. An entity meeting that threshold would already be under the requirement to obtain consent prior to processing sensitive data, which includes selling data, so it is not clear that this is an added responsibility, unless it is meant to apply more broadly. But there is no other language in the requirement suggesting that it would apply notwithstanding the law’s broad entity-level exemptions.

Enforcement

The Louisiana Attorney General will enforce the LDPA and violations will constitute unfair and deceptive trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law. Notably, the private rights of action under the unfair trade practices law do not extend to violations of the LDPA. For the first six months of enforcement (January 1, 2027 to July 31, 2027), the attorney general must give persons notice of alleged violations and at least 30 days to cure those violations prior to initiating an investigation. 

The attorney general is required to post online information regarding controllers’ and processors’ responsibilities and consumer rights under the law, and money received from enforcement actions will go towards funding the attorney general’s consumer protection efforts or promoting consumer protection and education. 

* * *

Looking to get up to speed on the existing state comprehensive consumer privacy laws? Check out FPF’s 2025 report, Anatomy of a State Comprehensive Privacy Law: Charting the Legislative Landscape

image

Pictured: Louisiana receiving its star on the FPF “Privacy Patchwork” quilt.