On May 29, 2026, Governor Landry signed into law Senate Bill 386, making Louisiana the 22nd state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island, Oklahoma, and Alabama. The Act will go into effect January 1, 2027.

Applicability

The Act applies to a person or entity that does business in the state and that satisfies one or more of the following thresholds:

  1. Has annual gross revenues in excess of twenty-five million dollars.
  2. Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of seventy-five thousand or more consumers, households, or devices.
  3. Derives fifty percent or more of its annual revenues from selling consumers’ personal information.

Exemptions

Exemptions include, in part:

  1. A financial institution and its affiliates or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and the rules and implementing regulations promulgated thereunder;
  2. A nonprofit organization;
  3. An institution of higher education;
  4. Protected health information under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq.;
  5. A covered entity or business associate as defined in the HIPAA privacy regulations;
  6. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act.

Consumer Rights

Consumers have the right to:

  1. Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  2. Correct inaccuracies in the consumer’s personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller;
  5. Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Sensitive Data

A controller may not process sensitive data without obtaining the consumer’s consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the rules, regulations, and the exceptions of the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq.

“Sensitive data” is personal data that includes any of the following:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
  2. Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  3. Personal data collected from a known child;
  4. Precise geolocation data.

Contract Requirements

A contract between a controller and a processor must govern the processor’s data processing obligations and include:

  1. Clear instructions for processing data;
  2. The nature and purpose of processing;
  3. The type of data subject to processing;
  4. The duration of processing;
  5. The rights and obligations of both parties;
  6. A requirement that the processor shall:
    1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
    2. At the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
    3. Make available to the controller, on reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of the law;
    4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and
    5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

Enforcement

The Attorney General has exclusive authority to enforce the Act and, from January 1 to July 31, 2027, must provide 30 days to cure any violation.

For a chart comparing the state comprehensive data privacy laws, visit RMAI’s Privacy and Data Security Resource Center (login required).

RMAI strongly recommends that its members share this Member Alert with those in their organization who are responsible for their operations, compliance, and legal matters.

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.