And another state steps in. On May 29, 2026, Louisiana Governor Jeff Landry signed SB 386, enacting the Louisiana Data Privacy Act (“LDPA”) and making Louisiana the 22^nd state to join the growing roster of comprehensive privacy laws.

The LDPA largely follows the now-familiar state privacy law playbook, with the standard bundle of consumer rights and business obligations. However, its applicability thresholds, short cure period, and a few key quirks introduce wrinkles for businesses preparing for 2027.

Unique Elements

The LDPA applies to any business that: (1) has annual gross revenue exceeding $25 million; (2) processes personal information of at least 75,000 Louisiana residents, households, or devices; or (3) derives at least 50% of revenue from selling personal information.

This structure departs from the consensus model and instead borrows from California’s approach. As a result, applicability may extend to some businesses that would fall outside the scope of most other state laws.

Like the Texas Data Privacy and Security Act, Louisiana requires prominent notices where a controller sells sensitive or biometric data, using prescribed language (“NOTICE: We may sell your [sensitive/biometric] personal data”).

The LDPA deviates in a few ways:

• It takes a different structural approach to consumer rights.
• It imposes distinct requirements for sensitive and biometric data.
• It comes close to requiring recognition of opt-out preference signals, such as Global Privacy Control, but ultimately stops short. While the law permits consumers to use authorized-agent technologies to communicate opt-out requests for targeted advertising and the sale of personal data, it does not require controllers to recognize or honor those signals.

Attorney General Enforcement, With a Transitioning Cure Period

Enforcement authority rests exclusively with the Louisiana Attorney General, with no private right of action.

The cure period is brief and temporary: from January 1 through July 31, 2027, the Attorney General must provide 30 days’ notice and an opportunity to cure before initiating an investigation. After that, the cure period disappears entirely and violations are immediately enforceable. 

Takeaways

The LDPA takes effect January 1, 2027, giving businesses some time to prepare. For businesses already aligned with existing state frameworks, compliance will largely involve incremental adjustments, particularly around applicability analysis, notice requirements for sensitive data sales, and timelines for enforcement readiness.

Louisiana is the third state to pass a comprehensive privacy law this year, following Oklahoma and Alabama, and while it does not fundamentally change the compliance landscape, its scope, short cure period, and specific notice requirements introduce some notable unique twists.

Looking ahead, additional states may soon join the comprehensive privacy law landscape. Massachusetts is the closest to doing so, with its Consumer Data Privacy Act advancing through both chambers with unanimous support and now awaiting reconciliation. Vermont also saw significant progress this year, with its legislature passing a comprehensive privacy bill that is currently awaiting the governor's signature. The governor vetoed a similar bill in 2024, so it remains uncertain whether this version will face the same outcome. Maine is another state to watch, with its own comprehensive bill moving through the legislative process. More broadly, proposals remain under consideration in several other states, signaling that the state-by-state expansion of privacy obligations is continuing to gain momentum.