The Bayou Twist: Louisiana’s $25 Million Question

Starting January 1, 2027, many companies will be subject to a new comprehensive privacy law in Louisiana. The state just adopted SB386, which applies to companies that have more than $25 million in revenue or satisfy other conditions. The compliance obligations will look familiar: Louisiana generally follows the same Virginia-style framework we saw adopted in Oklahoma and Alabama earlier this year, so the uplift will be minimal for companies building on an existing compliance program. But Louisiana adds a few important twists that will expand the scope of covered companies and create targeted compliance work.

What are the notable deviations from the norm?

Louisiana tracks most of the standard playbook—but adds three meaningful deviations:

  • Application. Adds a standalone revenue trigger (>$25 million) alongside the typical volume and monetization thresholds.
  • Cure Periods. Sunsets the cure period six months after the effective date.
  • Disclosures. Requires specific language in a privacy policy if selling sensitive data.

The revenue trigger is the headline takeaway. Louisiana joins California as the only states where a company’s revenue alone can subject it to the law. (Utah and Tennessee require that companies meet a revenue threshold and a volume or monetization threshold.) This will pull in companies that have previously fallen outside new laws following the Virginia model—and will expand coverage over time because the revenue threshold is not indexed to inflation.

Who is subject to the law?

The law applies to companies doing business in Louisiana that meet any of the following thresholds:

  • Revenue. Exceeds $25 million in revenue
  • Volume. Processes personal data on at least 75,000 Louisiana residents
  • Monetization. Derives 50% or more of its revenue from selling personal data

But there is also the standard set of data exemptions (e.g., PHI) and entity exemptions (e.g., HIPAA covered entities). And, in completely unsurprising news, the law does not apply to employee or job-applicant data.

What are controllers’ obligations?

Louisiana focuses on familiar obligations: transparency, consumer rights and data governance. But the law isn’t all cookie-cutter. Louisiana joined Texas (and only Texas) in requiring that a privacy policy include specific language if the company sells sensitive data: “NOTICE: We may sell your sensitive personal data” or “NOTICE: We may sell your biometric personal data.”

What are consumers’ rights?

Consumers get the standard rights—access, correction, deletion and opt-out rights—along with an appeal right. Louisiana also followed the majority approach by requiring companies to honor opt-out preference signals.

How is the law enforced?

There is no private right of action. The attorney general has exclusive enforcement authority and must offer a 30-day period to cure violations—but only for the first six months after the law takes effect. A violation of the law is deemed an unfair and deceptive practice for which the attorney general can seek restitution, injunctions, restraining orders and civil penalties. The civil penalties can reach $5,000 per violation and increase to $10,000 if elderly or disabled individuals are affected.

What can companies do to get ready?

The rapidly approaching effective date coupled with a low application trigger means that companies should act now. The standard framework and lack of rulemaking mean compliance obligations are already clear. Companies with existing privacy programs will be able to leverage that existing infrastructure. But the fast-approaching effective date and short cure period give companies without such infrastructure little leeway to ramp up.

Next steps for companies include:

  • Assess Applicability. Determine whether Louisiana brings the organization into scope—particularly because of the $25M revenue threshold.
  • Update Privacy Policy. Incorporate Louisiana-specific disclosures, including any required language for sensitive-data sales.
  • Align Website Practices. Extend geo-targeted compliance features (e.g., cookie banners) to Louisiana.
  • Revise Consumer-Request Workflow. Ensure request intake, verification and appeals processes cover Louisiana residents.

Bottom line: This is more business as usual for compliance obligations, but with a twist. Louisiana’s revenue trigger means more companies will be pulled into the privacy law landscape, even if the compliance obligations feel familiar.