Louisiana Data Privacy Act Becomes Law: SB 386 Signed as Act 502
Louisiana Data Privacy Act Becomes Law: SB 386 Signed as Act 502
Louisiana Governor Jeff Landry signed SB 386 into law as Act No. 502 on May 29, 2026, enacting the Louisiana Data Privacy Act at R.S. 51:1780.1 through 1780.5. The Act gives residents rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising and data sales, effective January 1, 2027.
Information last verified on June 3, 2026. This is a developing story; we update it as the record changes.
Jurisdiction scope: This article addresses Louisiana's new comprehensive consumer data privacy statute, the Louisiana Data Privacy Act (La. R.S. 51:1780.1 et seq.). It does not address the privacy laws of other states or federal sectoral laws. For the broader landscape, see US state data privacy laws.
What Happened
Louisiana Governor Jeff Landry signed Senate Bill 386 into law as Act No. 502 on May 29, 2026, creating the Louisiana Data Privacy Act. The Act enacts Chapter 20-B of Title 51 of the Louisiana Revised Statutes of 1950, comprised of R.S. 51:1780.1 through 1780.5. Senator Patrick Connick authored the measure. The House passed it 94-0 on May 18, 2026, and the Senate concurred in House amendments 34-0 on May 20, 2026, before it reached the governor. The Act takes effect January 1, 2027 (La. Acts 2026, No. 502, Section 2). The enacting clause states its purpose directly:
"To enact Chapter 20-B of Title 51 of the Louisiana Revised Statutes of 1950, to be comprised of R.S. 51:1780.1 through 1780.5, relative to consumer data privacy; creates the Louisiana Data Privacy Act." Source: La. SB 386 (2026 Regular Session), Enrolled, Act No. 502
With this signing, Louisiana joins roughly two dozen states that have enacted comprehensive consumer privacy statutes, a tally that varies depending on which laws and counting methods a given tracker uses.
What the Law Actually Says
The Louisiana Data Privacy Act grants residents a defined set of consumer rights under R.S. 51:1780.3. A consumer may confirm whether a controller is processing their personal data and access it, correct inaccuracies, delete personal data provided by or obtained about them, and, where the data exists in a digital format, obtain a portable and readily usable copy that the consumer previously provided. Consumers may also opt out of processing for targeted advertising, the sale of personal data, and profiling that produces a legal or similarly significant effect.
Coverage is narrower than the rights suggest. Under R.S. 51:1780.2(A), the Act applies only to a person or entity doing business in the state that meets at least one threshold: annual gross revenues over $25 million; annually buying, receiving, selling, or sharing for commercial purposes the personal information of 75,000 or more consumers, households, or devices; or deriving 50% or more of annual revenues from selling personal information. These are CCPA-style thresholds rather than the lower 100,000-consumer trigger common to the Virginia-model statutes most states adopted.
Enforcement rests solely with the Louisiana Attorney General (La. R.S. 51:1780.5(A)). A violation constitutes an unfair and deceptive trade practice under the Unfair Trade Practices and Consumer Protection Law, R.S. 51:1401 et seq., "excluding private rights of action as provided in R.S. 51:1409 and 1409.1." From January 1 through July 31, 2027, the Attorney General must give written notice at least 30 days before initiating an investigation and may not proceed if the alleged violator cures within that window (La. R.S. 51:1780.5(D)).
Before this Act, Louisiana had no comprehensive consumer-privacy statute. Its data-protection regime was anchored by the Database Security Breach Notification Law, R.S. 51:3071 et seq., which governs notice after a breach rather than ongoing consumer rights. For that prior framework, see our explainer on the Louisiana data breach notification law, and for the state's full privacy picture, see Louisiana data privacy laws.
Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
The headline is that Louisiana now has a comprehensive consumer-privacy statute where it previously had only breach-notification rules. The substance, read against the text, is more measured. The consumer rights in R.S. 51:1780.3 track the now-standard package other states adopted: access, correction, deletion, portability, and opt-outs for targeted advertising, sale, and profiling. On that axis, Louisiana is squarely within the national mainstream.
What distinguishes the Act is the coverage gate. The thresholds in R.S. 51:1780.2(A) borrow the California model, $25 million in revenue or 75,000 consumers, households, or devices, rather than the lower consumer-count triggers in the Virginia-model laws most states passed. That design narrows the universe of covered businesses compared with a pure consumer-count standard, while still reaching large national platforms doing business in the state.
Enforcement is also notably centralized. By routing violations through the Unfair Trade Practices and Consumer Protection Law and expressly excluding private rights of action (R.S. 51:1780.5(C)), the legislature placed the entire enforcement burden on the Attorney General. The temporary cure period running through July 31, 2027 (R.S. 51:1780.5(D)) signals a transitional, compliance-first posture in the law's first seven months of force. We are describing what the statute provides, not predicting how the Attorney General will exercise that authority.
How This Affects You
For Louisiana residents, the practical change arrives January 1, 2027, when the rights in R.S. 51:1780.3 become exercisable against covered controllers. Until then, the Act is enacted but not yet in force, so the access, deletion, and opt-out mechanisms it describes are not yet available. Residents who want to understand what data a business holds today still rely on the prior regime and any federal sectoral protections that apply.
For businesses, the question is whether you meet a threshold in R.S. 51:1780.2(A). An entity doing business in Louisiana that clears the $25 million revenue mark, the 75,000-record mark, or the 50%-of-revenue-from-data-sales mark falls within scope; one below all three generally does not. Covered entities have until January 1, 2027 to align practices, with the additional 30-day cure window available during the first half of that year. Because enforcement sits with the Attorney General and there is no private right of action, the compliance risk runs to the state rather than to consumer lawsuits. This is general information about the statute's structure, not advice about any specific organization's obligations.
This is general legal information, not legal advice. It covers Louisiana and reflects sources verified on June 3, 2026. Laws change and this story is developing; consult a lawyer licensed in your jurisdiction about your specific situation.
Related articles
- Louisiana data privacy laws
- Louisiana data breach notification law
- US state data privacy laws
- AI and data privacy
Last updated: 2026-06-03. This is a developing story; details verified as of June 3, 2026.
Sources and References
- Louisiana SB 386 (2026 Regular Session), BillInfo and status history, Act No. 502(legis.la.gov).gov
- Louisiana SB 386 (2026 Regular Session), Enrolled text enacting La. R.S. 51:1780.1 through 1780.5(legis.la.gov).gov
- Louisiana Database Security Breach Notification Law, La. R.S. 51:3071 et seq.(legis.la.gov).gov