Louisiana enacted the Louisiana Data Privacy Act (SB 386), creating a comprehensive framework governing the collection and use of consumer personal data.
The law establishes consumer rights, controller obligations, and enforcement mechanisms, similar to other state privacy laws.
The law applies to businesses that conduct business in Louisiana and meet specified thresholds, and it takes effect on January 1, 2027.
What Employers Need to Do
- Determine whether the business meets applicability thresholds, including revenue or data volume criteria.
- Identify consumer-facing data practices, including data collection through websites, apps, or marketing activities.
- Develop or update privacy notices and disclosures to meet statutory requirements.
- Implement processes for consumer rights requests, including access, deletion, and opt-out.
- Assess high-risk processing activities, including targeted advertising and sensitive data use.
Overview
Louisiana adopted a comprehensive consumer data privacy framework, effective January 1, 2027. The law applies to businesses that meet specific revenue or data-processing thresholds.
It introduces consumer rights, controller obligations, and enforcement mechanisms similar to other state privacy laws.
Scope and Coverage
- The law applies to businesses that conduct business in Louisiana and meet at least one threshold:
  - annual gross revenue over $25 million
  - processing personal data of 75,000 or more consumers, households, or devices
  - deriving 50% or more of revenue from selling personal data
- It applies to personal data collected for commercial purposes.
- Enforcement authority is exclusive to the Louisiana Attorney General, with no private right of action.
Consumer Scope (Not Workplace-Focused)
- A “consumer” is defined as a Louisiana resident acting in an individual or household context.
- The law does not cover individuals acting in a commercial or employment context.
- It also expressly exempts employment-related data, including applicant, employee, and contractor data.
Consumer Rights
- Consumers may access, correct, delete, and obtain a portable copy of their personal data.
- Consumers may opt out of:
  - targeted advertising
  - sale of personal data
  - certain profiling activities with significant effects
- Controllers must provide a process to respond to requests within 45 days, with one possible 45-day extension.
Controller Obligations
- Controllers must follow data minimization and purpose limitation principles.
- Businesses must implement reasonable security measures and provide clear privacy notices.
- Controllers must establish processes for handling consumer requests and appeals.
Sensitive Data and High-Risk Processing
- Processing sensitive data requires consumer consent.
- Sensitive data includes items such as:
  - racial or ethnic origin, religion, or health data
  - genetic or biometric identifiers
  - citizenship or immigration status
  - precise geolocation data
- Controllers must conduct data protection assessments for high-risk processing activities.
Why This Matters
This law is aimed primarily at consumer data, not most workplace data, because it excludes individuals acting in an employment or commercial context and exempts key categories of employment-related data.
However, it is still important for employers that operate consumer-facing businesses, because the law may apply to customer, website, or marketing data, requiring new practices for transparency, data handling, and consumer rights management.
Key Risks for Employers
- Assuming the law does not apply because HR data is excluded, while overlooking consumer-facing data activities.
- Failing to implement consumer rights request processes, including timelines and appeals.
- Processing sensitive data without obtaining valid consumer consent.
- Inadequate or unclear privacy notices and disclosures.
- Noncompliance with data protection assessment requirements for high-risk activities.
Additional Information
The law includes a temporary 30-day cure period between January 1, 2027 and July 31, 2027, allowing businesses to address alleged violations before enforcement actions proceed.
After that period, enforcement may proceed without a mandatory cure opportunity, increasing potential compliance risk.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.