What Louisiana's New Privacy Law Means for Your Ecommerce Stack

It's been a busy year for privacy legislation. We're only halfway through 2026, and four states have already passed new laws: Oklahoma, Alabama, Vermont, and now Louisiana.

The Louisiana Data Privacy Act (LDPA) follows the framework most comprehensive state privacy laws have settled into, with a few notable exceptions. It borrows several provisions from other states, including a couple that come almost word-for-word from California.

If you're running an ecommerce brand, you're probably reading this for one reason: to figure out whether this law affects your business. Here's what matters.

When it takes effect

The LDPA takes effect on January 1, 2027. That may sound like plenty of time, but privacy work adds up quickly once vendor contracts, privacy notices, and data protection assessments are on the list.

Whether it applies to you (it probably does)

The law applies to businesses operating in Louisiana that meet at least one of these thresholds. For many growing ecommerce brands, the bar is lower than it first appears.

  • More than $25 million in annual revenue. Many ecommerce brands cross this milestone long before they revisit their privacy program. Louisiana also joins California here. The CCPA is the only other comprehensive state privacy law with a standalone revenue threshold.
  • Handling the personal data of 75,000 or more Louisiana residents a year. That includes buying, selling, receiving, or sharing personal data. If you sell nationwide and rely on the usual mix of ecommerce tools, marketing pixels, and email platforms, you may already collect data from more Louisiana residents than you realize.
  • Generating at least 50% of annual revenue from selling personal data. There's no minimum consumer threshold attached to this requirement. If selling personal data represents a significant share of your business, this provision can apply regardless of company size.

The LDPA also includes a long list of exemptions for organizations like nonprofits, colleges and universities, political organizations, and businesses already regulated under HIPAA or the GLBA. Those exemptions matter, but they won't apply to most ecommerce brands.

What the law asks you to do

If you've worked through another state privacy law, most of these requirements will feel familiar. The challenge usually isn't understanding the law. It's keeping your privacy program aligned as your storefront, vendors, and customer data workflows continue to evolve.

Publish privacy notices that reflect how your business operates today

Your privacy notice needs to explain:

  • The categories of personal data you process
  • Why you process that data
  • How consumers can submit privacy requests
  • The categories of personal data you sell to third parties
  • The categories of third parties that receive it

Privacy notices tend to fall behind over time. Another tracking pixel gets added, a new app connects to your storefront, or an agency updates your analytics setup. Before long, the policy no longer reflects how customer data actually moves through your business.

Louisiana also requires two notices to appear verbatim when they apply:

"NOTICE: We may sell your sensitive personal data."
"NOTICE: We may sell your biometric personal data."

Those notices are unusual, but Louisiana isn't alone. Florida and Texas have similar requirements.

Honor consumer privacy rights

Louisiana residents have the right to:

  • Access their personal data and receive a portable copy
  • Delete their personal data
  • Correct inaccurate personal data
  • Opt out of data sales, targeted advertising, and profiling that produces legal or similarly significant effects

That last requirement deserves extra attention. Targeted advertising and profiling support retargeting campaigns, lookalike audiences, and many attribution strategies. When someone opts out, those preferences need to flow through to the tools and platforms that rely on customer data.

Give people at least two ways to submit a request

Businesses that operate exclusively online only need to provide an email address.

This requirement comes directly from California's regulations, although California is currently considering replacing it with a requirement for an online request form.

Get express consent before processing sensitive data

This requirement often surprises ecommerce brands, especially those selling wellness, supplement, beauty, or health-related products.

Louisiana defines sensitive data as:

  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, citizenship, or immigration status
  • Genetic or biometric data
  • Precise geolocation
  • Personal data belonging to a known child under 13

Update processor contracts

Your vendor agreements need to meet the LDPA's requirements. That includes contracts with analytics platforms, email providers, fulfillment partners, review tools, and the rest of your ecommerce stack.

If those agreements haven't been reviewed recently, now's a good time to compare them against the law's requirements.

Complete data protection assessments

You'll need documented assessments for higher-risk processing activities, including:

  • Selling personal data
  • Targeted advertising
  • Profiling that presents a foreseeable risk of harm
  • Processing sensitive personal data

Many ecommerce brands running paid social campaigns, behavioral advertising, or retargeting will fall into one or more of these categories.

Respect universal opt-out signals

The LDPA requires businesses to recognize universal opt-out signals such as Global Privacy Control.

This is one place where privacy programs often drift over time. A consent banner can look like it's working while quietly ignoring the signals browsers send automatically.
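One way to check for that drift on the server side, as an added example that is not from the LDPA text or from TrueVault. GPC arrives as the request header `Sec-GPC: 1`; the tag inventory, purpose labels, and banner-consent object below are hypothetical, and letting the signal override a banner "accept" is a policy assumption of this example.

```javascript
// Added example: honoring Global Privacy Control (GPC) before loading tags.
// Tag names, purpose labels and the bannerConsent shape are hypothetical.

// Purposes switched off by a universal opt-out signal (the opt-out rights above).
const OPT_OUT_PURPOSES = new Set(["sale", "targeted_advertising", "profiling"]);

// Constructed tag inventory for a storefront.
const TAGS = [
  { name: "checkout-fraud-check", purpose: "security" },
  { name: "site-analytics", purpose: "analytics" },
  { name: "retargeting-pixel", purpose: "targeted_advertising" },
  { name: "lookalike-audience-sync", purpose: "sale" },
];

// Assumes a headers object with lowercase keys, as Node's http module provides.
function hasGpcSignal(headers) {
  const raw = headers["sec-gpc"];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === "string" && value.trim() === "1";
}

// Decide which tags may load for this request. The GPC signal wins over the
// banner state, so a permissive or stale banner choice cannot override it.
function allowedTags(headers, bannerConsent, tags = TAGS) {
  const gpc = hasGpcSignal(headers);
  return tags
    .filter((tag) => {
      if (!OPT_OUT_PURPOSES.has(tag.purpose)) return true; // not an opt-out purpose
      if (gpc) return false; // universal opt-out received
      return bannerConsent[tag.purpose] === true; // otherwise follow the banner
    })
    .map((tag) => tag.name);
}

// Audit helper: tags a banner-only check would load even though GPC was sent.
function driftReport(headers, bannerConsent, tags = TAGS) {
  if (!hasGpcSignal(headers)) return [];
  return tags
    .filter((t) => OPT_OUT_PURPOSES.has(t.purpose) && bannerConsent[t.purpose] === true)
    .map((t) => t.name);
}
```

A non-empty `driftReport` result for real traffic is the "looks like it's working" case: the banner recorded consent while the browser was sending an opt-out.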

How it's enforced

Violations of the LDPA count as unfair and deceptive trade practices under Louisiana law and can carry civil penalties of up to $5,000 per violation.

The Louisiana Attorney General has exclusive enforcement authority, and the law doesn't include a private right of action for consumers.

Through July 31, 2027, businesses receive a mandatory 30-day opportunity to correct violations. After that date, the cure period expires, and enforcement can begin immediately.

The short version

If you're already complying with another comprehensive state privacy law, the LDPA won't introduce many surprises. Most of the requirements will look familiar, with a few Louisiana-specific additions like the required notices and standalone revenue threshold.

The bigger challenge is keeping your privacy program current as your business changes. Vendors get added, tracking configurations evolve, and customer data flows shift. Over time, privacy workflows can drift away from how your business actually operates.

That's why staying compliant takes more than reading the latest law. It takes keeping your privacy operations aligned with the store you're running today, including your consent setup, vendor contracts, privacy notices, and request workflows.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
