State Privacy Laws: Louisiana
A summary of privacy laws in Louisiana.
Overview
The Louisiana Data Privacy Act (LDPA) makes Louisiana the 22nd state to enact a comprehensive consumer data privacy law. Signed in May 2026 and effective January 1, 2027, it has the shortest runway of the four laws enacted in 2026. The LDPA generally follows the established state privacy framework but stands out for its California-style thresholds (including a standalone revenue trigger) and for requiring specific, verbatim notice language from businesses that sell sensitive or biometric data.
Key Dates
- Signed into law: May 29, 2026
- Effective date: January 1, 2027
Thresholds
The LDPA applies to entities that conduct business in Louisiana and meet at least one of the following:
- annual gross revenue exceeding $25 million; or
- annually buy, receive, sell, or share the personal information of 75,000 or more consumers, households, or devices; or
- derive 50% or more of annual revenue from selling consumers' personal information.
Consumer Rights
- The right to confirm whether a controller is processing their personal data and to access that data.
- The right to correct inaccuracies in their personal data.
- The right to delete their personal data.
- The right to obtain a portable copy of their personal data.
- The right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- The right to appeal a controller's denial of a request.
Sensitive Data
The law defines sensitive data to include personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- A mental or physical health diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Personal data collected from a known child (under 13 years of age)
- Precise geolocation data
Penalties
Violations are enforced exclusively by the Louisiana Attorney General as unfair or deceptive trade practices, with civil penalties of up to $5,000 per violation. There is no private right of action. A 30-day right to cure is available, but it sunsets on July 31, 2027, meaning businesses will have only seven months of cure availability after the law takes effect.
Configure Your Consent Banner for LDPA
Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. LDPA in Louisiana). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like LDPA in Louisiana).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Advanced
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.
While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions, only adding additional regions for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.