The AGs in Baton Rouge and Burlington have obtained comprehensive state privacy laws to enforce, bringing the total to 23 such laws. Since Oklahoma and Alabama also joined the privacy law fray in early 2026, the state-law mosaic continues to expand. Of the latest entrants, “Louisiana is a bit easier, and Vermont is more challenging because of its specific requirements,” Red Clover Advisors CEO Jodi Daniels told the Cybersecurity Law Report.
The Louisiana Data Privacy Act (LDPA) largely follows a familiar template with a few divergences, while Vermont’s Data Privacy and Online Surveillance Act (VDPOSA) joins the elite group of strict states that impose several stringent requirements.
The VDPOSA, signed June 16, 2026, and effective January 1, 2028, stands out for an unusual applicability trigger, an expanded definition of PI, an explicit disclosure requirement for use of data in AI training, heightened protections for health and location data, and a right for consumers to request the specific third parties to whom their data has been sold. Louisiana’s law, signed May 29, 2026, and effective January 1, 2027, is more conventional but still presents distinct compliance considerations, including a flat revenue cutoff not seen since the CCPA. “Louisiana’s applicability thresholds, broad definition of ‘sale,’ prescriptive sensitive and biometric data notices, and sunsetting cure period are features that require companies’ specific attention,” Billee Elliott McAuliffe, data protection practice leader at Lewis Rice, told the Cybersecurity Law Report.
This article provides perspective on the distinctive aspects of these two laws and the compliance challenges that they pose, and offers practical compliance steps that companies should prioritize, with commentary from Daniels, Elliott McAuliffe and experts at Hinshaw & Culbertson, Kean Miller, and McDermott Will & Schulte.
See “Alabama and Oklahoma Introduce Virginia-Style Privacy Laws” (May 6, 2026).
Distinctive Louisiana Privacy Provisions
The LDPA deploys a business-friendly light touch while adopting some Texas toughness. Notably, the Pelican State “did not give as long a runway as most have in the past” for companies to get ready, Elliott McAuliffe highlighted.
Three California-Style Applicability Thresholds
The LDPA applies to any company “doing business in Louisiana” that collects more than $25 million, a flat-revenue cutoff otherwise seen only in California. It also covers entities that process the personal data of at least 75,000 consumers, households or devices annually, or derive at least 50 percent of revenue from selling individuals’ data.
The law’s thresholds may bring into scope regional and business-to-business companies not subject to many other state privacy laws. With the Mississippi River and port of New Orleans anchoring the state’s industry, many companies maintain small offices and pay taxes in state, Elliott McAuliffe pointed out.
Texas-Style Provisions on Notice and Sale
Borrowing from Texas, the LDPA mandates exact wording when companies sell a person’s sensitive or biometric data, such as “NOTICE: We may sell your sensitive personal data.”
The Pelican State also adopts Texas’ strict definition of consent, excluding passive interactions like “hovering over” or closing content, dismissing a dialogue box or accepting general terms of use. Like Texas’ privacy law, but unlike earlier ones in conservative-lawmaker states such as Utah and Iowa, the LDPA defines sale to include “valuable consideration.”
Global Opt-Out and Profiling Nuances
The LDPA requires recognition of universal opt-out signals from consumers’ browsers or devices to stop sales of one’s data and targeted advertising, but excuses controllers lacking “the ability to process the request,” an undefined standard.
That ambiguity carries over into the LDPA’s seemingly inconsistent treatment of “automated profiling” as it relates to Louisianians’ right to opt out under the law. The LDPA provides that Louisianians may opt out of profiling that contributes to legal or similarly significant decisions, yet the law defines profiling far more broadly to include routine assessments of personal preferences, interests, behavior and locations, triggering impact assessments even for lower-risk activities.
Business-Friendly Restraints
“Louisiana is a very business-friendly state,” and the legislators made clear they wanted to avoid mandates “that would be significantly different or substantially different from what businesses already had to contend with,” Kean Miller partner Jessica Engler told the Cybersecurity Law Report. The LDPA includes the following business-leaning provisions that buck recent trends in state privacy laws:
- children’s protections that extend only to age 13, not into teen years;
- omission of AI-specific provisions (though a separate healthcare AI transparency law now exists);
- sweeping entity-level exemptions for financial institutions, nonprofits and healthcare organizations;
- the exclusion of pseudonymous data from its classification of personal data when companies can show identifying information is separate and guarded; and
- the exemption of personal data shared in M&A transactions.
Eager for Enforcement
“Companies should not assume that existing programs satisfy all of Louisiana’s requirements,” particularly regarding the privacy notice mandates, consent needs, and the nuanced approach to universal opt-out signals, Engler cautioned.
Louisiana legislators seem eager for enforcement to begin. Companies can have a 30‑day period to cure alleged violations, but only for the first seven months of enforcement. The AG will be the first to enforce a law in the deep south, beating out Alabama, Engler noted.
The LDPA grants companies a grace period to cure AG-alleged violations without penalty within 30 days but limits that accommodation to only the first seven months the law is in effect.
The Louisiana AG’s enforcement activities show a strong interest in securing children’s privacy, Engler noted, but scrutiny of health or other sensitive data may be a focus, too, reflecting predecessors’ prior participation in multistate actions.
See “State Privacy Regulators Describe Collaboration and Priorities” (Apr. 8, 2026).
Vermont’s Distinctive Provisions
In 2024, Vermont Governor Phil Scott, a Republican, vetoed the legislature’s prior privacy bill, which included a private right of action and age-appropriate design obligations. For the VDPOSA, lawmakers cut those elements and Scott signed the bill. Unlike the 2024 version, the VDPOSA “at least comes from the same family tree as the other states,” McDermott Will & Schulte partner David Saunders told the Cybersecurity Law Report.
“The consumer rights are a mix of the traditional Connecticut rights, plus the Vermont law has Minnesota’s ADMT rights and Oregon’s disclosure of third parties requirement,” he elaborated. Only the AG may enforce the law.
See our two-part series on revised privacy laws in Connecticut and Oregon: “Broader Scope and Enhanced Consumer Protections” (Jul. 23, 2025), and “Impact Assessments, Minors and More” (Jul. 30, 2025).
Two Outlier Cutoffs for Applicability
The VDPOSA applies to entities that, during the prior calendar year:
- processed the personal data of 35,000 residents (5.4 percent of the population);
- processed sensitive data of at least 3,000 residents; or
- offered for sale the data of at least 3,000 residents.
The inclusion of thresholds tied to offers to sell and sensitive data processing is unusual but could influence future legislation. They “just add to the mosaic of how you have to evaluate applicability of state laws,” Saunders said. California’s regulation for cyber audits has the only other trigger tied to sensitive data processing, he added.
Unlike the LDPA, the VDPOSA exempts a specified and limited set of financial entities and nonprofit organizations.
Broader Definition of Personal Data
The VDPOSA significantly expands the concept of personal data to include “derived data,” covering predictions, conclusions from facts and device-linked insights. “This goes beyond traditional inferences,” said Cathy Mulrow-Peattie, a partner at Hinshaw & Culbertson. “Complying with that definition will create some compliance burden for companies,” especially those that have not systematically focused on tracking inferential analytics, she told the Cybersecurity Law Report.
The shift from the use of “inferences” to “derived data” is a distinction without difference, according to Saunders. The AG hopefully will issue guidance, he said, opining that “this seems like a classic example of overcomplicating.”
Vermont, the first state with a data broker law, also defines publicly available information to exclude information “collated and combined to create a consumer profile,” which could inhibit data brokers.
See “Assistant AG Highlights Colorado’s Next Phase of Privacy Regulation” (Mar. 4, 2026).
Geofencing Protections and Expansive Definition of Sensitive Data
The VDPOSA adopts an expansive definition of sensitive data, including neural data, and imposes heightened protections for “consumer health data.” The law’s requirements around consumer health data apply to any entity that collects such data and targets Vermont residents to sell products or services, regardless of whether those entities meet the VDPOSA’s other covered entity thresholds. The VDPOSA also requires covered entities to obtain explicit consent for processing consumer health data and imposes added confidentiality obligations and restrictions on geofencing within 1,850 feet of healthcare locations.
“A lot of secondary groups that use health information for other purposes are going to need to take a look at [the VDPOSA],” Elliott McAuliffe said, noting the growing complexity for companies using wearable or location-based technologies. “They should ensure that they have the appropriate restrictions on their apps,” she advised.
Vermont’s definition of biometric data also is broader than most states – it does not require an intent to identify the consumer. As a result, even voice or facial scans used for quality assurance could fall within the definition.
See “Navigating an Increasingly Risky Health Data Landscape: Why the NAI’s Factor Analysis Matters” (Apr. 29, 2026).
Third-Party Disclosure Requirement
The VDPOSA grants consumers the right to request a list of third parties to whom their data has been sold. If the company cannot generate a list specific to the person, it must provide a general one listing all entities to whom it sells individuals’ data.
“The third-party disclosure requirement sticks in the craw” of many companies, Saunders observed. “We have seen competitors sending their employees to make a request to figure out who their competitor is working with,” he said.
As part of companies’ concern about competition, Elliott McAuliffe noted, they do not want to reveal relationships with suppliers of cutting-edge products, particularly with AI innovations.
AI Transparency
The VDPOSA requires disclosure of whether personal data is used to train large language models, aligning with Connecticut’s 2025 amendment. “I wouldn’t be surprised to see amendments come from other states soon to match it,” Daniels said. “AI and privacy are getting intertwined” as public interest grows, she noted.
A practical challenge with third-party disclosure is “the flurry of companies and businesses adding AI models to their products and services,” Elliott McAuliffe observed. “Unless someone has taken the time to thoroughly read all of those contracts, to learn what data is being used in the model and the terms, the company might not have all the information needed to make these disclosures by January 1, 2028,” she cautioned.
Targeted Ad Restrictions for All Minors
The VDPOSA prohibits targeted advertising using data from individuals under 18 where the controller has actual knowledge of or willful disregard for age. This reflects a broader regulatory trend toward heightened protections for teenagers.
Many companies may not yet have adequate age-identification practices in place. Some organizations “did not work very hard at figuring out whether they had teenagers on their sites” following earlier laws, Elliott McAuliffe observed.
Profiling and Automated Decision Appeals
Vermonters, like Minnesotans, have the right to appeal automated decisions that produce legal or similarly significant effects. Individuals who ask must be informed of the reasoning and data inputs, and have a human reevaluate the decision, “if feasible.”
The VDPOSA also mandates separate impact assessments for such profiling. In the assessment, companies should describe data inputs, outputs, safeguards and monitoring, and probe for risks beyond the most obvious ones.
While risk assessments are valuable for companies and consumers alike, increasing complexity may reduce compliance rates. “Every time we add a new one, it becomes another way in which organizations are not fully compliant,” Elliott McAuliffe cautioned.
Practical Compliance Steps for Companies
“We are almost at the halfway point, with 23 laws in effect,” and companies are oriented to the most stringent requirements as they seek to be compliant across the board, Elliott McAuliffe reported. Vermont blends several of these stricter provisions, and Louisiana highlights important considerations, as well.
Update Privacy Notices and Consent Banners
Both the VDPOSA and LDPA add to companies’ challenges with privacy notices. Vermont’s AI disclosure and Louisiana’s prescriptive language requirements obligate companies to supplement already lengthy policies. “Every one of these laws says, ‘we want you to put this in,’” Saunders noted, even as regulators criticize excessive policy length.
Companies must also navigate timing issues, such as complying with mid-year effective dates. Alabama’s privacy law goes in effect May 1, 2027, for example. “Under certain state laws, companies must notify people when they materially change the policy,” so they must weigh the prospect of multiple emails to consumers about the privacy policy, Saunders lamented.
Privacy policy updates can align with other compliance tasks for efficiency. When updating privacy policies, many organizations wisely reset cookie banners and reobtain consent, Elliott McAuliffe observed.
To streamline privacy obligations, Daniels recommended, organizations can align compliance updates with annual review cycles for:
- updating data inventories;
- conducting risk assessments;
- reviewing vendor agreements; and
- testing consumer rights processes and cookie consent managers.
The VDPOSA additionally requires privacy policies to appear in mobile app settings and on download pages. This is a longstanding best practice, supported by app stores, and generally considered a manageable implementation step, “though each app might have different development requirements,” Daniels noted.
See “Cookie Compliance Strategies for 2026” (Apr. 15, 2026).
Inventory Third-Party Sharing for Vermont Disclosure
With Vermont’s requirements elevating the importance of third-party data inventories, organizations should enhance systemwide tracking of data flows to prepare for necessary disclosures in 2028, Mulrow-Peattie emphasized. That task is often complicated by organizational structure. “Many companies have grown up as subsidiaries or in a diversified structure, and so they do not have a central repository for the data,” she observed.
As a result, inventories may require deeper analysis of data resources and processing. This includes scrutinizing enhanced analytics because they may be valuable enough to constitute a sale under state laws, Mulrow-Peattie advised.
See “Checklist for Framing and Assessing Third-Party Risk” (Aug. 16, 2023).
Enhance Engineering and Governance Across Multiple Areas
The VDPOSA will require improved coordination between legal, compliance and engineering teams. Organizations must refine governance and tracking regarding:
- creation and spread of derived data and analytics;
- personal data in AI model inputs;
- teen user identification;
- personal data flows to third parties;
- use of geolocation features in apps across the enterprise; and
- geofencing of health-related sites.
These areas now pose expanded risks that many companies have not fully addressed with tracking and controls.
With widespread use of fitness trackers and smart watches, some companies may face compliance struggles around the interplay of geofenced locations and data types, Elliott McAuliffe posited.
Comparable governance gaps exist in how companies track and manage inferred data. Companies’ existing monitoring of inferences may need to be adjusted for identifying and managing derived data under the VDPOSA. Many still lack visibility into how inferences are created or used, Elliott McAuliffe observed.
Even companies that already monitor inferences may need time to comply with the VDPOSA’s requirements around derived data to be ready for Vermonters’ requests, Mulrow-Peattie advised. Previous enforcement in California flags one area of focus, however. “Typically, inferential data has been raised in the healthcare context,” so Vermont enforcers probably would first invoke derived data in matters related to sensitive data, she predicted.
Impact assessments also may require governance attention. Elliott McAuliffe noted that at a 2026 panel discussion where she and colleagues informally polled attendees on who conducted all obligatory data protection assessments, “maybe a fourth of them said they did it regularly.”
Decide How to Deal With the Frustration of Outlier Provisions
The addition of privacy laws in Louisiana and Vermont underscores the fragmentation across states, thanks to both new players and amendments in states like Virginia, Montana, Oregon and Connecticut. “There’s just no one version of a state privacy law on which they can set a standard and say, ‘if we do this, we comply with all the other states,’” Saunders noted.
Many organizations now operate multiple compliance frameworks simultaneously. Some have “15 different approaches to compliance,” Saunders observed. A decisive point for some companies becomes the optics of offering different rights in different states.
See “Tips From Big Tech Leaders on Navigating Global Privacy Regulations” (Dec. 3, 2025).
Maintain Fundamental Privacy Practices
Despite growing complexity, core compliance fundamentals, including the following, should remain consistent, Engler and Mulrow-Peattie urged:
- maintaining accurate, transparent privacy policies;
- updating data maps alongside policy changes;
- ensuring robust consumer rights processes;
- strengthening vendor contract controls; and
- tracking third-party data sharing comprehensively.
Monitor the Intersection With AI Laws
Companies must track evolving AI regulations, which introduce even greater variability in parallel to privacy legislation. Saunders cautioned that AI laws differ widely in scope and applicability depending on sector, use case and functional role. “When privacy law looks like something that came before it, there’s a sigh of relief,” he said. “But the AI quilt has applicability all over the map.”
Expect Growing Regional Risks
State-level enforcement increasingly will affect mid-sized and regional companies, Mulrow-Peattie pointed out. Organizations previously below regulators’ radar must now recognize that “we are in a regulated privacy market in the United States for everyone,” she cautioned.
See “Strengthening the Business Case for Privacy Investment” (Jun. 3, 2026).