State Law Practice Note

Louisiana Consumer Privacy Law (LDPA)

The Louisiana Data Privacy Act (Act No. 502 of 2026) takes effect January 1, 2027, adding consumer data rights, privacy-notice contents, sensitive-data consent, and processor contracts to a regime that today consists of the breach-notification law, LUTPA, and the federal overlay.

More details about this document
Editor: OpenAgreements editor
License: CC BY 4.0
Authorities relied on

Which privacy laws apply to your business in Louisiana?

Two regimes matter — one in force now, one arriving. Today Louisiana has no comprehensive consumer-privacy law in effect: the operative state statutes are the Database Security Breach Notification Law (La. R.S. 51:3071–3077) and the Unfair Trade Practices and Consumer Protection Law (LUTPA), both covered below. That changes on January 1, 2027, when the Louisiana Data Privacy Act (Act No. 502 of 2026, enacting La. R.S. 51:1780.1–1780.5) takes effect. The new act applies to a person or entity that does business in the state and meets any one of three thresholds: annual gross revenues over twenty-five million dollars, annually buying, receiving, selling, or sharing the personal information of seventy-five thousand or more consumers, households, or devices, or deriving fifty percent or more of annual revenue from selling consumers' personal information.

The thresholds are disjunctive, and the revenue prong stands alone — a company with more than twenty-five million dollars in gross revenue is covered even if it processes very little Louisiana data. Coverage is also bounded by who counts as a consumer: the act protects an individual Louisiana resident acting only in an individual or household context and expressly excludes people acting in a commercial or employment context, so employee and business-to-business data are outside the rights framework. Personal data means any information linked or reasonably linkable to an identified or identifiable individual, excluding deidentified and publicly available information.

The exemption list does a lot of work. The act does not apply to state agencies or political subdivisions, GLBA financial institutions and GLBA-regulated data, HIPAA covered entities and business associates, nonprofit organizations, institutions of higher education, electric public utilities, or registered public-opinion poll conductors. Data-level carve-outs separately cover HIPAA protected health information, FCRA-regulated consumer-report activity, DPPA data, FERPA data, Farm Credit Act data, and employment, applicant, agent, and independent-contractor data used in that role. If your organization or data falls inside one of those exemptions, the new act changes little; the breach law and LUTPA still apply.

Practice caution

Unresolved statutory wording: the act's volume and revenue thresholds turn on "personal information" — a term the chapter never defines — while every operative duty is written in terms of the defined term "personal data." Until the Attorney General or a court clarifies the mismatch, a conservative scoping analysis should treat the undefined threshold term as at least as broad as personal data rather than assume it narrows coverage.

Sources for this answer

Primary law

A.1 La. R.S. 51:1780.2(A)

The LDPA applies to a person or entity doing business in Louisiana that meets any one of three thresholds: over $25 million in annual gross revenue, annually handling the personal information of 75,000 or more consumers, households, or devices, or deriving 50 percent or more of annual revenue from selling personal information.

The provisions of this Chapter shall apply only to a person or entity that does business in the state and that satisfies one or more of the following thresholds: (1) Has annual gross revenues in excess of twenty-five million dollars. (2) Annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of seventy-five thousand or more consumers, households, or devices. (3) Derives fifty percent or more of its annual revenues from selling consumers' personal information.

See La. R.S. 51:1780.2(A) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

A.2 La. R.S. 51:1780.1(7)

A consumer under the LDPA is a Louisiana resident acting only in an individual or household context — not in a commercial or employment context — so employee and B2B data fall outside the act's rights framework.

"Consumer" means an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.

See La. R.S. 51:1780.1(7) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

A.3 La. R.S. 51:1780.1(19)

The LDPA defines personal data as any information, including sensitive data, linked or reasonably linkable to an identified or identifiable individual, excluding deidentified data and publicly available information — while the applicability thresholds use the undefined term personal information.

"Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term does not include deidentified data or publicly available information.

See La. R.S. 51:1780.1(19) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

A.4 La. R.S. 51:1780.2(B)

The LDPA exempts state agencies and political subdivisions, GLBA financial institutions and GLBA-regulated data, HIPAA covered entities and business associates, nonprofit organizations, institutions of higher education, electric public utilities, and registered public-opinion poll conductors.

The provisions of this Chapter do not apply to any of the following items: (1) A state agency or a political subdivision of this state. (2) A financial institution and its affiliates or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and the rules and implementing regulations promulgated thereunder. (3) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq. (4) A nonprofit organization. (5) An institution of higher education. (6) An electric public utility as defined in R.S. 45:121. (7) A person, association, partnership, or corporation registered with the secretary of state as a conductor of public opinion polls pursuant to R.S. 14:325.

See La. R.S. 51:1780.2(B) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

A.5 La. R.S. 51:1780.2(C)(1)

The LDPA exempts protected health information under HIPAA.

Protected health information under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq.

See La. R.S. 51:1780.2(C)(1) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

A.6 La. R.S. 51:1780.2(C)(11)–(15)

The LDPA exempts FCRA-regulated consumer-report activity, DPPA data, FERPA data, Farm Credit Act data, and employment, applicant, agent, and independent-contractor data used in that role.

(11) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (12) Personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq. (13) Personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g. (14) Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971, 12 U.S.C. 2001 et seq. (15) Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

See La. R.S. 51:1780.2(C)(11)–(15) (Act No. 502 of 2026, eff. Jan. 1, 2027).

What must your Louisiana privacy policy contain?

Today, no Louisiana statute fixes the contents of a general consumer privacy policy — the governing rule is that whatever you publish must be true, because a policy that misstates your practices can create deceptive-practices risk under LUTPA and Section 5 of the FTC Act. From January 1, 2027, that changes: the LDPA requires a reasonably accessible and clear privacy notice listing six items — the categories of personal data processed (including any sensitive data), the purposes of processing, how consumers exercise and appeal their rights, the categories of personal data sold to third parties, the categories of third parties involved in those sales, and a description of the methods for submitting rights requests.

Treat the six-item list as a checklist: each element should appear on the face of the policy rather than be scattered through product screens. Two further disclosure duties sit on top of it. First, a controller that sells personal data to third parties or processes it for targeted advertising must clearly and conspicuously disclose that processing and how a consumer can opt out of it. Second — the act's most distinctive drafting feature — selling certain data triggers scripted, word-for-word notices. A controller that sells sensitive personal data must post the exact sentence "NOTICE: We may sell your sensitive personal data." in the same manner as the privacy notice, and one that sells biometric data must post "NOTICE: We may sell your biometric personal data." There is no room to paraphrase either sentence — the statute supplies the language.

For a business updating its policy before the effective date, the practical sequencing is to keep the policy accurate under the deception standard now and add the six enumerated items plus any required scripted notices so the policy is compliant on January 1, 2027.

Sources for this answer

Primary law

B.3 La. R.S. 51:1780.4(B)(1)

From January 1, 2027, a controller must provide a reasonably accessible and clear privacy notice listing six fixed items: data categories processed, purposes, rights-and-appeal process, categories of data sold, categories of third-party buyers, and the request-submission methods.

A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes all of the following: (a) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller. (b) The purpose for processing personal data. (c) A process on how consumers may exercise their consumer rights pursuant to R.S. 51:1780.3, including the process by which a consumer may appeal a controller's decision with regard to the consumer's request. (d) If applicable, the categories of personal data that the controller sells to third parties. (e) If applicable, the categories of third parties with whom the controller sells personal data. (f) A description of the methods required pursuant to R.S. 51:1780.3(E) through which consumers can submit requests to exercise their consumer rights under this Chapter.

See La. R.S. 51:1780.4(B)(1) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

B.5 La. R.S. 51:1780.4(B)(2)

A controller that sells sensitive personal data must post a fixed, word-for-word statutory notice saying so, in the same manner as its privacy notice.

If a controller engages in the sale of personal data that is sensitive, the controller shall post the following notice in the same manner as the privacy notice described in Subsection B of this Section: "NOTICE: We may sell your sensitive personal data."

See La. R.S. 51:1780.4(B)(2) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

B.6 La. R.S. 51:1780.4(B)(3)

A controller that sells biometric personal data must post a fixed, word-for-word statutory notice saying so, in the same manner as its privacy notice.

If a controller engages in the sale of personal data that is biometric data, the controller shall post the following notice in the same manner as the privacy notice described in Subsection B of this Section: "NOTICE: We may sell your biometric personal data."

See La. R.S. 51:1780.4(B)(3) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

B.4 La. R.S. 51:1780.4(C)

A controller that sells personal data or processes it for targeted advertising must clearly and conspicuously disclose that processing and how a consumer may opt out of it.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.

See La. R.S. 51:1780.4(C) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

B.1 La. R.S. 51:1405

LUTPA declares unfair or deceptive acts or practices in the conduct of any trade or commerce unlawful, creating deceptive-practices risk when a privacy policy misstates a business's actual data practices.

Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful.

See La. R.S. 51:1405(A).

Primary law

B.2 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, creating deceptive-practices risk when a privacy policy misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Do you need consent to process sensitive data in Louisiana?

From January 1, 2027, yes. The LDPA forbids a controller from processing a consumer's sensitive data without the consumer's consent, and for a known child it requires handling the data in accordance with the federal Children's Online Privacy Protection Act. Sensitive data covers personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; data collected from a known child; and precise geolocation.

Consent is a defined term with teeth: it means a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement, and it expressly excludes acceptance buried in general terms of use, hovering over or closing content, and agreement obtained through dark patterns. Pre-checked boxes and silence do not qualify. A separate sensitive-data sale rule deserves attention from data-heavy businesses: an entity covered by the fifty-percent-of-revenue threshold may not sell sensitive personal data without the consumer's prior consent, subject to otherwise applicable LDPA exemptions.

Sensitive-data processing also triggers paperwork. A controller must conduct and document a data protection assessment for the processing of sensitive data — alongside targeted advertising, the sale of personal data, higher-risk profiling, and any processing presenting a heightened risk of harm. The assessment duty applies to processing activities as of January 1, 2027 and is not retroactive, so the build-out can focus on go-forward processing rather than historical inventories.

Sources for this answer

Primary law

C.2 La. R.S. 51:1780.1(29)

Sensitive data under the LDPA includes data revealing race or ethnicity, religious beliefs, health diagnoses, sexuality, or citizenship or immigration status; genetic or biometric data processed for unique identification; a known child's data; and precise geolocation data.

"Sensitive data" means a category of personal data. The term includes any of the following: (a) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status. (b) Genetic or biometric data that is processed for the purpose of uniquely identifying an individual. (c) Personal data collected from a known child. (d) Precise geolocation data.

See La. R.S. 51:1780.1(29) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

C.4 La. R.S. 51:1780.4(P)

An entity covered by the 50-percent-of-revenue-from-data-sales threshold may not sell sensitive personal data without the consumer's prior consent.

A person or entity described by R.S. 51:1780.2(A)(3) may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.

See La. R.S. 51:1780.4(P)(1) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

C.5 La. R.S. 51:1780.2(B)

The LDPA separately exempts listed persons and entities, so the sensitive-data sale rule does not override otherwise applicable chapter exemptions.

The provisions of this Chapter do not apply to any of the following items: (1) A state agency or a political subdivision of this state. (2) A financial institution and its affiliates or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and the rules and implementing regulations promulgated thereunder. (3) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq. (4) A nonprofit organization. (5) An institution of higher education. (6) An electric public utility as defined in R.S. 45:121. (7) A person, association, partnership, or corporation registered with the secretary of state as a conductor of public opinion polls pursuant to R.S. 14:325.

See La. R.S. 51:1780.2(B) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

C.6 La. R.S. 51:1780.4(E)(1)

A controller must conduct and document a data protection assessment for targeted advertising, the sale of personal data, higher-risk profiling, the processing of sensitive data, and any processing presenting a heightened risk of harm to consumers.

A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data: (a) The processing of personal data for purposes of targeted advertising. (b) The sale of personal data. (c) The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of any of the following: (i) Unfair or deceptive treatment of or unlawful disparate impact on consumers. (ii) Financial, physical, or reputational injury to consumers. (iii) A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person. (iv) Other substantial injury to consumers. (d) The processing of sensitive data. (e) Any processing activities involving personal data that present a heightened risk of harm to consumers.

See La. R.S. 51:1780.4(E)(1) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

C.7 La. R.S. 51:1780.4(E)(7)

Data protection assessments are required for processing activities as of January 1, 2027 and are not retroactive.

Data protection assessments are required for processing activities as of January 1, 2027, and are not retroactive.

See La. R.S. 51:1780.4(E)(7) (Act No. 502 of 2026, eff. Jan. 1, 2027).

What must your contracts with processors say?

Today, no Louisiana statute prescribes controller-to-processor contract terms — vendor data terms are driven by the sectoral regimes that apply to your business and by contract best practice. From January 1, 2027, the LDPA makes a written data processing agreement a statutory requirement: a contract between the controller and the processor must govern the processing and must include processing instructions, the nature and purpose of processing, the data types and duration, the parties' rights and obligations, and processor commitments to confidentiality, deletion or return of data, compliance demonstrations, assessments, and written subcontractor flow-downs.

A compliant template tracks each statutory element. The act also assigns processors an assistance role that reaches beyond the contract: a processor must help the controller meet its obligations, including security and the notification of a breach of the processor's own system under the existing breach-notification chapter — a useful reminder that the 2005 breach law remains live infrastructure underneath the new act rather than being replaced by it.

Until the act takes effect, the contracting obligations that do exist come from the federal overlay. The GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to maintain appropriate safeguards, and HIPAA requires a business-associate agreement with mandatory data-protection and breach-reporting terms before protected health information changes hands. Outside those verticals, carrying the LDPA's contract elements into vendor agreements now is the low-cost way to be ready on the effective date.

Sources for this answer

Primary law

D.1 La. R.S. 51:1780.4(D)(2)

From January 1, 2027, processing by a processor must be governed by a written contract with fixed contents: instructions, nature and purpose, data types and duration, the parties' rights and obligations, and processor commitments to confidentiality, deletion or return, compliance demonstrations, assessments, and subcontractor flow-downs.

A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall include all of the following: (a) Clear instructions for processing data. (b) The nature and purpose of processing. (c) The type of data subject to processing. (d) The duration of processing. (e) The rights and obligations of both parties. (f) A requirement that the processor shall do all of the following: (i) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data. (ii) At the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law. (iii) Make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of this Chapter. (iv) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. (v) Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

See La. R.S. 51:1780.4(D)(2) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

D.2 La. R.S. 51:1780.4(D)(1)(b)

A processor must assist the controller with the security of processing and with notification of a breach of the processor's system under the existing breach-notification law, La. R.S. 51:3071 et seq.

Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing personal data, and in relation to the notification of a breach of security of the processor's system pursuant to R.S. 51:3071 et seq.

See La. R.S. 51:1780.4(D)(1)(b) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

D.3 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

See 16 C.F.R. § 314.4(f)(1)–(3).

Primary law

D.4 HIPAA Business Associate Contracts

HIPAA requires a written business-associate contract that establishes permitted uses and disclosures of protected health information, bars other uses and disclosures, requires safeguards, and requires reporting of non-contract uses, disclosures, and unsecured-PHI breaches.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410;

See 45 C.F.R. § 164.504(e)(2).

What rights will Louisiana consumers have over their data?

No LDPA-style access, correction, deletion, portability, or opt-out rights exist under current Louisiana law — and a full standard set starts January 1, 2027. From that date a controller must comply with an authenticated consumer request to confirm processing and access the data, correct inaccuracies, delete personal data provided by or obtained about the consumer, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

The mechanics follow the pattern in-house teams will recognize. A controller must respond within forty-five days, extendable once by forty-five more with notice and a reason; a refusal must come within the same window with appeal instructions; and responses are free up to twice a year per consumer. A denied consumer can appeal, and the controller must answer the appeal in writing within sixty days with a written explanation. Contract terms cannot drain these rights: any provision that waives or limits a consumer right is contrary to public policy and void.

On universal opt-out signals, the act takes a conditional path rather than a mandate. There is no requirement to honor a regulator-approved opt-out signal by a fixed deadline. Instead, a consumer may designate an authorized agent — including through a technology such as a browser setting, extension, or a global device setting — to opt out of targeted advertising and data sales, and the controller must comply when it can verify the consumer's identity and the agent's authority with commercially reasonable effort, unless a statutory exception applies. Those exceptions cover unclear agent requests, inability to verify Louisiana residency, lack of ability to process the request, and controllers that do not process similar requests under similar other-state laws. The statute then disciplines the signal itself: the opt-out technology may not rely on a default setting and must reflect the consumer's affirmative, freely given, unambiguous choice. The practical read for compliance teams: build a pathway where the request can be verified and no statutory exception applies.

Sources for this answer

Primary law

E.1 La. R.S. 51:1780.3(A)(2)

From January 1, 2027, Louisiana consumers may confirm and access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, data sales, and profiling for decisions with legal or similarly significant effects.

A controller shall comply with an authenticated consumer request to exercise the right to do any of the following: (a) Confirm whether a controller is processing the consumer's personal data and to access the personal data. (b) Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data. (c) Delete personal data provided by or obtained about the consumer. (d) If the data is available in a digital format, obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance. (e) Opt out of the processing of the personal data for purposes of: (i) Targeted advertising. (ii) The sale of personal data. (iii) Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

See La. R.S. 51:1780.3(A)(2) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

E.2 La. R.S. 51:1780.3(B)

A controller must respond to a rights request within 45 days (extendable once by 45 days with notice and a reason), must explain refusals within the same window with appeal instructions, and must answer free of charge up to twice annually per consumer.

(2) A controller shall respond to the consumer request without undue delay, which may not be later than the forty-fifth calendar day after the date of receipt of the request. The controller may extend the response period once by an additional forty-five days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five day response period, together with the reason for the extension. (3) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, which may not be later than the forty-fifth calendar day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Subsection C of this Section. (4) A controller shall provide information in response to a consumer request free of charge, up to twice annually per consumer.

See La. R.S. 51:1780.3(B)(2)–(4) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

E.3 La. R.S. 51:1780.3(C)(3)

A controller must inform the consumer in writing of the outcome of an appeal within 60 days of receipt, with a written explanation of the reasons.

A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this Section not later than the sixtieth calendar day after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.

See La. R.S. 51:1780.3(C)(3) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

E.5 La. R.S. 51:1780.3(E)(5)

A consumer may designate an authorized agent — including through a browser setting, extension, or global device setting — to opt out of targeted advertising and data sales; the controller must comply when it can verify the consumer's identity and the agent's authority, unless the request is unclear, Louisiana residency cannot be verified, the controller cannot process the request, or the controller does not process similar requests under similar or identical laws of another state.

A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data pursuant to Items (A)(2)(e)(i) and (ii) of this Section. A consumer may designate an authorized agent using a technology, including a link to a website, an internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing for targeted advertising, for sale of personal data, or both. A controller shall comply with an opt-out request received from an authorized agent under this Subsection if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. A controller is not required to comply with an opt-out request received from an authorized agent under this Subsection if any one of the following applies: (a) The authorized agent does not communicate the request to the controller in a clear and unambiguous manner. (b) The controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state. (c) The controller does not possess the ability to process the request. (d) The controller does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.

See La. R.S. 51:1780.3(E)(5) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

E.6 La. R.S. 51:1780.3(E)(6)

The opt-out technology may not use a default setting and must require the consumer's affirmative, freely given, and unambiguous choice to opt out.

The technology described by this Subsection: (a) Shall not unfairly disadvantage another controller. (b) May not make use of a default setting, but shall require the consumer to make an affirmative, freely given, and unambiguous choice to indicate the consumer's intent to opt out of any processing of a consumer's personal data.

See La. R.S. 51:1780.3(E)(6) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

E.4 La. R.S. 51:1780.3(D)

Any contract provision that waives or limits a consumer right under the LDPA is contrary to public policy and void and unenforceable.

Any provision of a contract or agreement that waives or limits in any way a consumer right described in this Section is contrary to public policy and is void and unenforceable.

See La. R.S. 51:1780.3(D) (Act No. 502 of 2026, eff. Jan. 1, 2027).

When must you notify people of a data breach in Louisiana?

Any person or agency that owns or licenses computerized data containing personal information must, after discovering a breach of the security of the system, notify every Louisiana resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice must go out in the most expedient time possible and without unreasonable delay — and no later than sixty days from discovery of the breach.

This is the Database Security Breach Notification Law, in force since 2006, and it remains fully operative alongside the new privacy act. For breach-law purposes, personal information means a resident's first name or initial and last name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, financial-account or card number with its access code, passport number, or biometric data. The same chapter imposes Louisiana's standing data-security duty — reasonable security procedures and practices appropriate to the nature of the information — plus a secure-destruction obligation for records no longer retained.

Two further features shape incident response. First, a risk-of-harm off-ramp: notice is not required if a reasonable investigation concludes there is no reasonable likelihood of harm to Louisiana residents, but the written determination must be kept for five years and produced to the Attorney General within thirty days of a written request. Second, the chapter took effect only after the Attorney General promulgated implementing rules, so an incident-response plan should check the Attorney General's rules alongside the statute rather than treating the statute as the only Louisiana authority.

Unlike the new privacy act, the breach law carries its own private right of action: a civil action may be brought to recover actual damages resulting from a failure to disclose a breach in a timely manner. Untimely notice is therefore not just a regulatory problem in Louisiana — it is a litigation exposure.

Sources for this answer

Primary law

F.1 La. R.S. 51:3074(C)

Any person or agency that owns or licenses computerized data containing personal information must notify Louisiana residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Any person that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall, following discovery of a breach in the security of the system containing such data, notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

See La. R.S. 51:3074(C).

Primary law

F.2 La. R.S. 51:3074(E)

Breach notice must be made in the most expedient time possible and without unreasonable delay, and no later than sixty days from discovery of the breach.

The notification required pursuant to Subsections C and D of this Section shall be made in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach, consistent with the legitimate needs of law enforcement, as provided in Subsection F of this Section, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.

See La. R.S. 51:3074(E).

Primary law

F.3 La. R.S. 51:3073(4)

Personal information under the breach law is a resident's name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, financial-account or card number with access code, passport number, or biometric data.

"Personal information" means the first name or first initial and last name of an individual resident of this state in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted: (i) Social security number. (ii) Driver's license number or state identification card number. (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (iv) Passport number. (v) Biometric data.

See La. R.S. 51:3073(4)(a).

Primary law

F.4 La. R.S. 51:3074(A)

Any person conducting business in Louisiana that owns or licenses computerized personal information must implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

See La. R.S. 51:3074(A).

Primary law

F.5 La. R.S. 51:3074(B)

Any person conducting business in Louisiana, or owning or licensing computerized personal information, must take reasonable steps to destroy records containing personal information that are no longer to be retained, by making the personal information unreadable or undecipherable.

Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

See La. R.S. 51:3074(B).

Primary law

F.6 La. R.S. 51:3074(I)

Notice is not required if a reasonable investigation determines there is no reasonable likelihood of harm to Louisiana residents — but the written determination must be retained for five years and produced to the Attorney General on written request.

Notification as provided in this Section shall not be required if after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to the residents of this state. The person or business shall retain a copy of the written determination and supporting documentation for five years from the date of discovery of the breach of the security system. If requested in writing, the person or business shall send a copy of the written determination and supporting documentation to the attorney general no later than thirty days from the date of receipt of the request.

See La. R.S. 51:3074(I).

Primary law

F.7 La. R.S. 51:3077

The breach-notification chapter took effect only upon the Attorney General's promulgation of implementing rules.

The provisions of this Chapter shall not take effect until rules are promulgated by the attorney general's office.

See La. R.S. 51:3077.

Primary law

F.8 La. R.S. 51:3075

The breach law provides a private civil action to recover actual damages resulting from an untimely failure to disclose a breach.

A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information.

See La. R.S. 51:3075.

Who enforces Louisiana's new privacy law, and what are the penalties?

The Attorney General alone enforces the LDPA. The act supplies no freestanding remedies of its own — instead, every violation constitutes an unfair and deceptive trade practice under LUTPA, expressly excluding the private rights of action in La. R.S. 51:1409 and 1409.1. The enforcement toolkit is therefore LUTPA's: injunctions issued without bond and a civil penalty the court may impose, with the statute authorizing up to five thousand dollars per violation where the court finds the practice was entered into with the intent to defraud.

The cure period is unusually short-lived. From January 1, 2027 through July 31, 2027, the Attorney General must give thirty days' written notice identifying the alleged violations before opening an investigation, and may not proceed if the business cures within thirty days, certifies the cure in writing, documents it, and adjusts internal policy. After July 31, 2027, no statutory cure right remains — so the grace window covers only the first seven months of the act's life, and compliance programs should be built for the post-sunset posture rather than the opening one. Money recovered through the Attorney General's enforcement is earmarked for consumer protection efforts and education.

Today's enforcement hook works the same way at the structural level: a violation of the breach-notification chapter constitutes an unfair act or practice under LUTPA, placing breach-law failures today in the same Attorney General toolkit that LDPA violations will join in 2027.

Practice caution

Open statutory question — monetary exposure under the LDPA. The act names no dollar penalty of its own; it routes violations into LUTPA, whose civil-penalty text authorizes the five-thousand-dollar-per-violation figure where the court finds the practice was entered into with the intent to defraud. One reading is that the Attorney General can obtain civil penalties for LDPA violations generally, with the stated cap tied to fraud findings; another is that a non-fraudulent violation exposes a business only to injunctive relief, not a dollar penalty. No court has resolved which reading controls, and the answer is the single biggest unknown for modeling LDPA risk.

Sources for this answer

Primary law

G.1 La. R.S. 51:1780.5(A)

The Attorney General has the exclusive duty to enforce the LDPA.

The attorney general shall enforce the provisions of this Chapter.

See La. R.S. 51:1780.5(A) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

G.2 La. R.S. 51:1780.5(C)

Every LDPA violation constitutes an unfair and deceptive trade practice under LUTPA — but the act expressly excludes LUTPA's private rights of action, and enforcement proceeds are earmarked for consumer protection.

Any violation of the provisions of this Chapter shall constitute an unfair and deceptive trade practice pursuant to the Unfair Trade Practices and Consumer Protection Law, R.S. 51:1401 et seq., excluding private rights of action as provided in R.S. 51:1409 and 1409.1. Notwithstanding any other provision of law to the contrary, any monies received related to the attorney general's enforcement of this Chapter shall be used by the attorney general for consumer protection efforts or to promote consumer protection and education.

See La. R.S. 51:1780.5(C) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

G.4 La. R.S. 51:1780.5(D)

From January 1, 2027 through July 31, 2027 only, the Attorney General must give 30 days' written notice before investigating and may not proceed if the business cures, certifies the cure in writing, documents it, and adjusts internal policy — a cure right that sunsets after July 31, 2027.

Beginning January 1, 2027, and ending July 31, 2027, before bringing an action pursuant to this Section, the attorney general shall notify a person in writing, not later than the thirtieth calendar day before initiating an investigation, identifying the specific provisions of this Chapter the attorney general alleges is being violated. The attorney general shall not initiate an investigation against the person if the person does all of the following: (1) Cures the alleged violation identified by the attorney general within the thirty-day period. (2) Provides the attorney general with a written statement that the person cured the alleged violation. (3) Submits supportive documentation to the attorney general to show how the privacy violation was cured. (4) Changes are made to the internal policy, if necessary, to ensure that no such further violations occur.

See La. R.S. 51:1780.5(D) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

G.3 La. R.S. 51:1407

LUTPA authorizes the Attorney General to obtain injunctions without bond, and a court-imposed civil penalty whose stated $5,000-per-violation figure is textually tied to a finding that the practice was entered into with the intent to defraud.

These courts are authorized to issue temporary restraining orders or preliminary and permanent injunctions to restrain and enjoin violations of this Chapter, and such restraining orders or injunctions shall be issued without bond. B. In addition to the remedies provided herein, the attorney general may request and the court may impose a civil penalty against any person found by the court to have engaged in any method, act, or practice in Louisiana declared to be unlawful under this Chapter. In the event the court finds the method, act, or practice to have been entered into with the intent to defraud, the court has the authority to impose a penalty not to exceed five thousand dollars for each violation.

See La. R.S. 51:1407(A)–(B).

Primary law

G.5 La. R.S. 51:3074(J)

A violation of the breach-notification chapter constitutes an unfair act or practice under LUTPA, putting breach failures in the Attorney General's LUTPA toolkit today.

A violation of a provision of this Chapter shall constitute an unfair act or practice pursuant to R.S. 51:1405(A).

See La. R.S. 51:3074(J).

Can a consumer sue your business in Louisiana over privacy?

Not under the new privacy act — the LDPA routes its violations into LUTPA while expressly excluding the private rights of action in La. R.S. 51:1409 and 1409.1, leaving enforcement to the Attorney General alone. But Louisiana consumers are not without a courtroom path. The breach-notification law retains its own private right of action for actual damages caused by an untimely failure to disclose a breach, and LUTPA itself gives any person who suffers an ascertainable loss from an unfair or deceptive practice an individual action for actual damages — trebled where the practice continued knowingly after Attorney General notice, with attorney fees.

The architecture is worth stating plainly because the pieces cut in different directions. For the duties the LDPA creates in 2027 — notices, consent, contracts, rights handling — exposure is regulatory only. For breach response, exposure is both regulatory and private: a late notification can draw an Attorney General action and a damages suit by affected residents at the same time. And for conduct that qualifies as an unfair or deceptive trade practice independent of the LDPA — a privacy policy that misrepresents actual practices, for example — LUTPA's general private action remains available today, subject to its one-year prescriptive period and its bar on representative actions. A marketing-channel wrinkle adds modest tail risk: where deceptive information is knowingly sent to an elder person or a person with a disability by telephone, email, or text, a court may add damages of up to ten thousand dollars per violation on top of the LUTPA recovery.

The durable takeaway for risk modeling: Louisiana has no omnibus-privacy class-action exposure on the horizon, but breach-notification timeliness and privacy-statement accuracy both carry genuine private-suit risk under statutes already in force.

Sources for this answer

Primary law

H.1 La. R.S. 51:1780.5(C)

The LDPA makes violations LUTPA unfair trade practices while expressly excluding LUTPA's private rights of action, so consumers cannot sue under the act.

Any violation of the provisions of this Chapter shall constitute an unfair and deceptive trade practice pursuant to the Unfair Trade Practices and Consumer Protection Law, R.S. 51:1401 et seq., excluding private rights of action as provided in R.S. 51:1409 and 1409.1.

See La. R.S. 51:1780.5(C) (Act No. 502 of 2026, eff. Jan. 1, 2027).

Primary law

H.2 La. R.S. 51:3075

The breach-notification law provides a private civil action to recover actual damages resulting from an untimely failure to disclose a breach — a private right of action the LDPA does not displace.

A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information.

See La. R.S. 51:3075.

Primary law

H.3 La. R.S. 51:1409

LUTPA gives any person who suffers an ascertainable loss from an unfair or deceptive practice an individual (non-representative) action for actual damages, trebled where the practice was knowingly used after Attorney General notice, plus attorney fees and costs.

Any person who suffers any ascertainable loss of money or movable property, corporeal or incorporeal, as a result of the use or employment by another person of an unfair or deceptive method, act, or practice declared unlawful by R.S. 51:1405, may bring an action individually but not in a representative capacity to recover actual damages. If the court finds the unfair or deceptive method, act, or practice was knowingly used, after being put on notice by the attorney general, the court shall award three times the actual damages sustained. In the event that damages are awarded under this Section, the court shall award to the person bringing such action reasonable attorney fees and costs.

See La. R.S. 51:1409(A).

Primary law

H.4 La. R.S. 51:1409.1

On top of LUTPA damages, a court may award up to $10,000 per violation where deceptive information is knowingly sent to an elder person or person with a disability by telephone, email, or text-message marketing.

In addition to any damages to which a person is entitled pursuant to R.S. 51:1409, the court may award damages not to exceed ten thousand dollars per violation if a person knowingly sends deceptive information to any elder person or person with a disability, as those terms are defined in R.S. 51:1402, who suffers damage or injury as a result of an offense or violation described in this Chapter through marketing by telephone, electronic mail, or text messaging.

See La. R.S. 51:1409.1(B).