On May 29, 2026, Louisiana Governor Jeff Landry signed the Louisiana Data Privacy Act (LDPA) into law. With that signature, Louisiana became the 22nd state in the country to adopt a comprehensive consumer data privacy law. The law takes effect on January 1, 2027, which gives businesses a clear runway to get their houses in order before the rules become enforceable.
If you live in Louisiana, this law is designed to give you more say over the personal information companies collect about you. If you run a business there, it sets out a new set of responsibilities. Here is a plain-English look at what the LDPA does and why it matters.
Why This Matters
Every day, companies gather enormous amounts of information about the people they interact with. Your name, email address, location, browsing habits, and shopping history all have value, and businesses use that data to advertise to you, build profiles, and make decisions. For years, much of this happened behind the scenes with little input from the people whose data was being collected.
A wave of state privacy laws, starting with California in 2018, has tried to shift some of that control back to consumers. Louisiana is the latest state to join that movement. The basic idea is simple: you should know what is being collected, have a say in how it is used, and be able to push back when you want to.
Who the Law Covers
The LDPA does not apply to every business. Like most state privacy laws, it sets thresholds so that small operations are not buried under heavy compliance costs. Generally, the law applies to companies that conduct business in Louisiana, handle the personal data of a significant number of state residents, or derive a meaningful share of their revenue from selling personal data.
It is worth noting that these laws typically carve out certain organizations and types of information already governed by other federal rules, such as financial institutions covered by federal banking law and health information covered by medical privacy statutes. The practical takeaway is that the law focuses on the everyday commercial collection of a consumer’s personal information.
Consumer’s New Rights
The heart of the LDPA is a set of rights that belong to the consumer. While the exact wording is in the statute, these laws generally allow residents to do the following:
- A consumer can ask a company to tell them what personal information it has collected about them.
- A consumer can request a copy of that information in a usable format so they can take it elsewhere.
- A consumer can ask a business to correct incorrect information.
- A consumer can ask a business to delete the personal information it holds about them.
- And importantly, a consumer can tell a company to stop selling their personal data or using it for targeted advertising.
In short, the law gives a consumer the tools to look behind the curtain and, in many cases, to say no.
What Businesses Have to Do
The flip side of consumer rights is business responsibility. Companies covered by the LDPA will need to make some real operational changes.
They must be transparent. That usually means publishing a clear privacy notice explaining what data they collect, why they collect it, and with whom they share it. They must provide consumers with a straightforward way to exercise their rights, such as an online form or another contact method, and respond within a set timeframe.
They must also limit their use of data. A recurring theme in modern privacy law is that businesses should only collect what they reasonably need and should not quietly repurpose data for unrelated uses. Sensitive categories of information, such as health details, precise location, or data revealing things like race or religion, typically receive extra protection and may require your clear permission before a company can use them.
Finally, businesses are expected to keep data secure with reasonable safeguards and to hold their vendors to similar standards through contracts.
How the Law Is Enforced
A common question is whether a consumer can personally sue a company for violating the law. Most state privacy laws place enforcement in the hands of the state attorney general rather than allowing individual lawsuits, and many give businesses a chance to fix problems before facing penalties. This structure aims to encourage compliance while avoiding a flood of litigation. Companies that ignore the rules, however, can face significant financial penalties.
What Businesses Should Do
For business owners, the message is to start now rather than waiting until the deadline. The period between now and January 1, 2027, is intended to be the time for you to bring your policies, procedures, and practices into compliance. That means taking inventory of the data you collect, reviewing your privacy notices, establishing a process to handle consumer requests, tightening your security practices, and reviewing your vendor contracts. Getting ahead of these tasks is far easier than scrambling at the last minute.
The Bigger Picture
Louisiana’s new law does not exist in a vacuum. With nearly half the states now having comprehensive privacy laws, the country is steadily moving toward a baseline expectation that consumers deserve transparency and control. For individuals, that is a welcome shift. For businesses, it is a reminder that privacy is no longer optional or limited to a few states.
The LDPA gives both sides time to adjust. Consumers gain new rights they can begin to exercise in 2027, and businesses gain a defined window to prepare. Used wisely, that window benefits everyone.
If your business needs assistance evaluating its data privacy policies and practices, the compliance team at Troutman Amin LLP is available to help. To deserve to win, you need to be prepared to win.
