Louisiana Data Privacy Laws: Comprehensive Guide (2026)

Louisiana's primary data privacy statute is the Database Security Breach Notification Law (La. R.S. 51:3071-3077), which requires businesses to notify affected residents within 60 days of a breach. The Louisiana Data Privacy Act (SB 386) passed both legislative chambers in 2026 and, if signed, will take effect January 1, 2027.

Louisiana is the only state in the nation that derives its legal tradition from the Napoleonic Code rather than English common law. That civil-law heritage shapes how privacy torts work in Louisiana courts, where the right to privacy can arise from broad civil-code principles rather than only from discrete statutory grants. Despite that foundation, Louisiana does not yet have a comprehensive consumer data privacy statute comparable to those enacted in California, Texas, or Colorado.

That is about to change. In the 2026 Regular Session, the Louisiana Legislature passed Senate Bill 386, the Louisiana Data Privacy Act, with a 94-to-0 House vote. The bill was received from the House with amendments on May 18, 2026, and awaits the governor's signature. If signed, the Act takes effect January 1, 2027.

Until the new law takes effect, Louisiana residents rely on the 2005 Database Security Breach Notification Law (La. R.S. 51:3071-3077), the 2020 Insurance Data Security Law, a growing body of children's online safety statutes, and the full overlay of federal privacy law. Attorney General Liz Murrill, who took office in January 2024, has been active in data privacy enforcement, filing suits against Roblox in August 2025 and investigating a crisis pregnancy center for data disclosure violations in December 2024.

This guide covers every major data privacy protection available to Louisiana residents and businesses, including the pending 2027 comprehensive law, breach notification requirements, security obligations, sector-specific rules, federal coverage, and enforcement.

Louisiana Data Privacy Act (SB 386, 2026): Coming January 1, 2027

The Louisiana Legislature passed Senate Bill 386, the Louisiana Data Privacy Act, during the 2026 Regular Session. The Senate passed the bill on February 27, 2026, and the House passed it on April 8, 2026, with a final vote of 94 yes, 0 no, and 11 abstentions. The bill was received from the House with amendments on May 18, 2026, and as of May 2026 awaits the governor's signature.

If signed as expected, the Act becomes effective January 1, 2027, making Louisiana one of the most recent states to enact comprehensive consumer data privacy legislation.

Who the New Law Covers

The Act applies to any person that conducts business in Louisiana or produces products or services consumed by Louisiana residents, and that meets one or more of the following thresholds:

• Annual gross revenues exceeding $25 million
• Processing the personal data of 75,000 or more consumers, households, or devices
• Deriving 50 percent or more of annual revenues from the sale of personal data

The law does not apply to state agencies, political subdivisions, financial institutions governed by the Gramm-Leach-Bliley Act, nonprofit organizations, institutions of higher education, electric public utilities, or entities governed by HIPAA privacy and security rules.

Consumer Rights Under the Act

When the law takes effect, Louisiana residents will have the right to:

• Access: confirm whether a controller processes their personal data and obtain a copy
• Correct: request correction of inaccurate personal data
• Delete: request deletion of personal data
• Opt out: opt out of the sale of personal data, targeted advertising, and profiling that produces significant legal or similarly significant effects
• Portability: obtain their data in a portable format where technically feasible

Businesses must respond to consumer requests within 45 days, with one 45-day extension permitted when reasonably necessary.

Sensitive Data and Enforcement

The Act treats certain categories of data as sensitive, including precise geolocation data, health data, racial or ethnic origin, religious beliefs, sexual orientation, and biometric data. Controllers must obtain consent before processing sensitive data.

The Louisiana Attorney General has exclusive enforcement authority under the Act. There is no private right of action for consumers. The AG treats violations as unfair trade practices under La. R.S. 51:1401 et seq. The Act includes a 30-day temporary cure period during early enforcement. Any civil penalties collected must be directed to consumer protection purposes.

Sensitive Personal Data and Social Media: Act 656 (Effective July 1, 2025)

Before the comprehensive law takes effect, Louisiana enacted Act 656 (HB 577) in 2024, which took effect July 1, 2025. This law prohibits social media platforms with more than one million global users from:

• Displaying targeted advertising to Louisiana users that the platform knows are under 18 years of age
• Selling the sensitive personal data of known minor users

The Louisiana Attorney General enforces Act 656, with civil penalties up to $10,000 per violation. Platforms have 45 days to cure violations after receiving notice. The AG has exclusive enforcement authority; there is no private right of action.

Louisiana Database Security Breach Notification Law (La. R.S. 51:3071-3077)

The Database Security Breach Notification Law is the cornerstone of current data privacy protection in Louisiana. Originally enacted as Acts 2005, No. 499, effective January 1, 2006, this law requires businesses and government agencies to notify Louisiana residents when their personal information is compromised in a data breach.

The law was substantially amended in 2018 by Senate Bill 361 (Act 382), which expanded the definition of personal information, imposed a hard 60-day notification deadline, added data security and destruction requirements, and created new Attorney General notification obligations.

Who Must Comply

The breach notification law applies to any person or business that conducts business in Louisiana and owns or licenses computerized data containing personal information of Louisiana residents. It also applies to any state or local government agency that owns or licenses such data.

There is no minimum size threshold. Small businesses, large corporations, and government entities are all covered if they handle the personal information of Louisiana residents in electronic form.

What Counts as Personal Information

Louisiana defines personal information as a Louisiana resident's first name or first initial and last name in combination with one or more of the following unencrypted or unredacted data elements:

• Social Security number
• Driver's license number or state identification card number
• Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the individual's financial account
• Passport number
• Biometric data, including fingerprints, voice prints, eye retina or iris scans, or other unique biological characteristics used to authenticate the individual's identity

The 2018 amendments added passport numbers and biometric data to this list, making Louisiana one of the earlier states to recognize biometric identifiers as protected personal information. Information lawfully available from government records is excluded.

What Triggers a Breach Notification

A notification is required when a breach of security compromises the confidentiality or integrity of computerized data and results in, or gives a reasonable basis to conclude it resulted in, the unauthorized acquisition of and access to personal information.

Good faith acquisition by an employee or agent for a legitimate business purpose does not count as a breach, as long as the information is not used for an unauthorized purpose or subject to further unauthorized disclosure.

Notification Requirements and Timeline

When a breach occurs, the business or agency must notify affected Louisiana residents in the most expedient time possible and without unreasonable delay, but no later than 60 days from the discovery of the breach. This hard deadline was added by the 2018 amendments.

Notification can be provided through several methods:

• Written notice sent to the affected individual
• Electronic notice consistent with the federal E-Sign Act (15 U.S.C. 7001)
• Substitute notice if the cost of direct notification exceeds $100,000, the affected class exceeds 100,000 people, or the business lacks sufficient contact information. Substitute notice requires all three of the following: email notification to known addresses, conspicuous posting on the company's website, and notification to major statewide media outlets.

Attorney General Notification

When a business or agency is required to notify Louisiana residents of a breach, it must also provide written notice to the Consumer Protection Section of the Louisiana Attorney General's office. This notice must be received within 10 days of distributing notice to Louisiana residents and must include the names of all affected residents. Each day that the Attorney General does not receive the required notice constitutes a separate violation.

Law Enforcement Delay and Harm Exceptions

Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Once the law enforcement agency determines notification will no longer compromise the investigation, the business must provide notice without unreasonable delay. If notification is delayed, the business must notify the Attorney General in writing within 60 days explaining the reasons.

Notification is also not required if, after a reasonable investigation, the business determines there is no reasonable likelihood of harm to Louisiana residents. The business must document this determination in writing, retain the documentation for five years from the date of discovery of the breach, and provide a copy to the Attorney General within 30 days if requested.

Data Security and Destruction Requirements

The 2018 amendments added two obligations beyond breach notification.

Reasonable Security Practices

Any person or business that conducts business in Louisiana and owns or licenses computerized data containing personal information must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The law does not mandate specific technologies or frameworks. The standard is reasonableness based on the sensitivity of the data involved.

Data Destruction Requirements

When personal information is no longer needed for business purposes, any holder of such data must take all reasonable steps to destroy or arrange for the destruction of the records. Acceptable methods include shredding paper records, erasing electronic data, or otherwise modifying the personal information to make it unreadable or undecipherable.

Penalties for Violating Louisiana's Breach Notification Law

Violations of the Database Security Breach Notification Law are classified as unfair trade practices under Louisiana's Unfair Trade Practices and Consumer Protection Law (La. R.S. 51:1401 et seq.). This classification gives both the government and private plaintiffs enforcement leverage.

The Louisiana Attorney General can bring actions for injunctive relief and civil penalties. Louisiana residents have a private right of action to recover actual damages from a business's failure to provide timely breach notification. Courts must award treble damages plus attorney's fees when the violation was committed knowingly after the business received notice from the AG.

AG Murrill Enforcement Actions (2024-2026)

Attorney General Liz Murrill, who took office January 8, 2024, has used state consumer protection and data privacy laws in several enforcement actions:

Roblox Lawsuit (August 2025): AG Murrill filed a consumer protection lawsuit against Roblox Corporation, alleging violations of the Louisiana Unfair Trade Practices Act. The suit claims Roblox designed its platform in ways that allow adults to reach and exploit children, lacks meaningful age verification, and misled families about safety risks. The state seeks injunctive relief and civil penalties.

Unexpected Pregnancy Center Investigation (December 2024): A watchdog group asked AG Murrill to investigate whether The Unexpected Pregnancy Center and Heartbeat International violated the Database Security Breach Notification Law by posting client health information, including full names and last menstrual periods, to the internet without authorization. As of May 2026, the investigation status has not been publicly disclosed.

Louisiana Insurance Data Security Law (R.S. 22:2501-2511)

In 2020, Louisiana enacted the Insurance Data Security Law through Act 283 (House Bill 614), effective August 1, 2020. This law is modeled on the NAIC Insurance Data Security Model Law and imposes specific cybersecurity requirements on insurance industry licensees.

Information Security Program Requirements

Every insurance licensee must develop, implement, and maintain a comprehensive written information security program designed to protect the security of nonpublic information. The program must include a risk assessment, management-level oversight, safeguards addressing identified risks, employee training, third-party service provider oversight, and regular program evaluations and updates.

Licensees were required to have the written program in place by August 1, 2021, and required third-party service providers to implement protective measures by August 1, 2022.

Cybersecurity Event Notification

Insurance licensees must notify the Louisiana Commissioner of Insurance without unreasonable delay, but no later than three business days from determining that a cybersecurity event has occurred, when either of the following is true:

• Louisiana is the licensee's state of domicile (for insurers) or home state (for producers and adjusters), and the event has a reasonable likelihood of materially harming the licensee's operations or the nonpublic information of Louisiana consumers
• The licensee reasonably believes that 250 or more Louisiana consumers are affected

The notification must describe how the information was compromised, whether lost data has been recovered, the identity of the source of the event, and whether law enforcement has been notified.

Children's Online Privacy Protections

Louisiana has been among the most active states in passing children's online safety legislation. Four laws create a layered framework for minors' digital privacy.

Act 656 (HB 577) -- Targeted Advertising Ban (Effective July 1, 2025)

Act 656, enacted June 18, 2024, prohibits social media platforms with more than one million global users from displaying targeted advertising to Louisiana users that the platform has actual knowledge are under 18, or from selling those users' sensitive personal data. The AG enforces the law with civil penalties up to $10,000 per violation and a 45-day cure period. The law took effect July 1, 2025.

Kids Online Protection and Anti-Grooming Act (Act 236, HB 37) -- Effective June 1, 2026

Governor Edwards signed Act 236 on June 11, 2025. The law creates a comprehensive duty of care for online platforms that contract with minors under 16 in Louisiana. Covered platforms must prohibit adults from connecting with or messaging minors without consent, restrict sharing of a minor's precise geolocation, and limit account visibility. The Act took effect June 1, 2026.

Protection of Children on Applications Act (Act 481, HB 570) -- Effective July 1, 2026

Louisiana enacted Act 481 during the 2025 Regular Session, making Louisiana the third state to require app store age verification. Application stores must verify users' age categories using commercially available methods, including real-time systems authorized by the Office of Motor Vehicles. When the store determines a user is a minor, the developer must require the account to be affiliated with a parent account and obtain verifiable parental consent before allowing downloads, purchases, or in-app purchases. The Act takes effect July 1, 2026.

COPPA (Federal) -- Children Under 13

The federal Children's Online Privacy Protection Act applies to operators of websites and online services directed at children under 13, including those serving Louisiana children. COPPA requires verifiable parental consent before collecting personal information from children and gives parents the right to review and delete their child's data.

Federal Privacy Laws That Apply in Louisiana

Because Louisiana does not yet have a comprehensive state privacy law in force, federal statutes provide much of the privacy framework for Louisiana residents in specific sectors.

TAKE IT DOWN Act (Pub. L. 119-12, Effective May 2025)

President Trump signed the TAKE IT DOWN Act on May 19, 2025. The law prohibits the nonconsensual publication of intimate images, including AI-generated deepfakes. Its criminal prohibitions took effect immediately. Covered platforms had one year to establish a notice-and-removal process; the FTC began enforcing those platform obligations on May 19, 2026. Platforms must remove reported nonconsensual intimate images within 48 hours of receiving notice. Failure to comply constitutes an unfair or deceptive act or practice under the FTC Act, with potential civil penalties of $53,088 per violation.

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Privacy Rule protects the medical records and personal health information of patients. It applies to healthcare providers, health plans, and healthcare clearinghouses in Louisiana, as well as their business associates. HIPAA requires covered entities to implement safeguards for protected health information and gives patients rights to access and control their medical data.

Gramm-Leach-Bliley Act (GLBA)

The GLBA requires financial institutions operating in Louisiana to explain their information-sharing practices to customers and to safeguard sensitive data. Financial institutions must provide annual privacy notices and give customers the right to opt out of having their information shared with certain third parties.

Fair Credit Reporting Act (FCRA)

The FCRA regulates how consumer reporting agencies collect, distribute, and use credit information for Louisiana residents. The law gives consumers the right to access their credit reports, dispute inaccurate information, and place fraud alerts or credit freezes on their accounts.

Family Educational Rights and Privacy Act (FERPA)

FERPA protects the privacy of student education records at schools that receive federal funding, which includes virtually all public schools and most colleges and universities in Louisiana. Parents and eligible students have the right to access education records and to consent to disclosures of personally identifiable information.

FTC Act Section 5

The Federal Trade Commission Act prohibits unfair or deceptive acts or practices in commerce, including deceptive privacy practices. The FTC has used this authority to bring enforcement actions against companies that fail to honor their privacy commitments or engage in unfair data practices.

American Privacy Rights Act (APRA)

Congress introduced the American Privacy Rights Act in 2024 as a bicameral comprehensive federal privacy bill. APRA did not pass in 2024. A revised version was introduced in 2025 as APRA 2.0, but as of May 2026 it has not been enacted. Federal comprehensive privacy legislation remains pending; the enactment of Louisiana's own Data Privacy Act in 2026 illustrates the continued state-level momentum regardless of federal action.

Louisiana's Unfair Trade Practices and Consumer Protection Law

Louisiana's Unfair Trade Practices and Consumer Protection Law (La. R.S. 51:1401 et seq.) serves as a supplementary privacy enforcement tool. While not a privacy statute, it prohibits unfair methods of competition and unfair or deceptive acts or practices in trade or commerce.

The Attorney General can use this law against businesses that make false promises in privacy policies or misrepresent how consumer data is used. Individual consumers can also bring private actions to recover actual damages. Courts must award treble damages plus attorney's fees when a business knowingly violates the law after receiving notice from the AG.

Violations of the Database Security Breach Notification Law are explicitly treated as unfair trade practices, and the incoming Louisiana Data Privacy Act will also tie its enforcement to this framework.

Louisiana's Civil-Law Tradition and Privacy Torts

Louisiana is the only US state that operates under a civil-law tradition derived from the Napoleonic Code rather than English common law. In privacy tort cases, Louisiana courts can draw on broad civil-code principles to recognize privacy interests that common-law states would address only through discrete tort doctrines.

This civil-law foundation means that Louisiana residents may have stronger baseline claims for unauthorized data disclosure and misuse than residents of comparable states operating under common law, independent of specific statutes. Plaintiffs in Louisiana privacy actions should consult a licensed Louisiana attorney to assess claims under both statutory and civil-code frameworks.

Louisiana Wiretap Statute (La. R.S. 15:1303)

Louisiana is a one-party consent state for the interception of wire, electronic, and oral communications. Under La. R.S. 15:1303, it is not unlawful for a person to intercept a communication when that person is a party to the communication, or when one of the parties to the communication has given prior consent, unless the interception is for the purpose of committing a criminal or tortious act. This one-party consent rule applies to private communications where participants have a reasonable expectation of privacy.

Criminal penalties for unlawful interception under Louisiana's Electronic Surveillance Act include two to ten years of imprisonment at hard labor and a fine of $10,000. Civil remedies include actual damages, $100 per day or $1,000 (whichever is greater), potential punitive damages, and attorney's fees.

For more detail on Louisiana recording consent rules, see the Louisiana Recording Laws guide.

How to Exercise Your Rights or Report a Violation

Breach Complaints -- Louisiana Attorney General

File a complaint with the Louisiana Attorney General's Consumer Protection Section for data breaches or unfair data practices. The AG can investigate and bring enforcement actions under the breach notification law and the Unfair Trade Practices statute.

FTC Complaints

For privacy violations involving deceptive practices, file a complaint with the Federal Trade Commission at reportfraud.ftc.gov.

HIPAA Complaints

For violations involving medical information, file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

Private Legal Action

Louisiana residents who suffer actual damages from a business's failure to comply with the breach notification law can pursue a civil lawsuit. Successful plaintiffs may recover actual damages, attorney's fees, and costs. Treble damages are available if the violation was knowing.

More Louisiana Laws

Explore related Louisiana legal guides on this site:

• Louisiana AI Meeting Recording Laws
• Louisiana Alimony Laws
• Louisiana At-Will Employment Laws
• Louisiana Car Accident Laws
• Louisiana Car Seat Laws
• Louisiana Child Custody Laws
• Louisiana Child Support Laws
• Louisiana Common Law Marriage Laws
• Louisiana Deepfake Laws
• Louisiana Divorce Laws
• Louisiana Dog Bite Laws
• Louisiana Emancipation Laws
• Louisiana Expungement Laws
• Louisiana Hit and Run Laws
• Louisiana Landlord-Tenant Laws
• Louisiana Lemon Laws