Skip to main content

On-demand webinar coming soon...


On-demand webinar coming soon...

Blog

What Louisiana and Vermont Privacy Laws Reveal About the Growing Challenge of Managing State Privacy

Louisiana and Vermont have become the latest states to pass privacy laws, continuing a broader trend toward expanding consumer rights, expanded governance requirements and additional compliance obligations for organizations.


Íñigo Echevarría
Privacy Analyst
July 2, 2026

Two men in suits sit on the steps outside a neoclassical government building at sunset.

Recent legislative activity across U.S. states demonstrates an increasing number of comprehensive privacy laws introducing new definitions, applicability thresholds, and compliance requirements. In April 2026, Alabama became the 21st state to pass a comprehensive privacy law. One month later, Louisiana became the 22nd. In June, Vermont became the 23rd.

Viewed individually, each law introduces its own definitions, thresholds, and implementation timelines. Viewed together, they tell a broader story about the direction of U.S. privacy regulation.

Consumer rights continue to expand. Sensitive data receives greater protection. Profiling and automated decision-making remain areas of focus. Data brokers face increasing scrutiny. At the same time, organizations must operationalize these requirements across a growing number of jurisdictions.

The challenge for privacy teams is becoming less about understanding a single law and more about building programs that scale as new laws continue to emerge.

Louisiana and Vermont introduce different requirements, but both reinforce several themes that are becoming increasingly common across U.S. state privacy legislation:

  • First, applicability continues to expand.
  • Second, lawmakers are paying closer attention to sensitive data and profiling.
  • Third, consumer rights are becoming easier to exercise and increasingly difficult to manage through manual processes.

Together, these trends provide a useful framework for assessing what organizations should prioritize ahead of upcoming effective dates.

 

More Organizations May Fall Within Scope

The Louisiana Data Privacy Act (LDPA) takes effect on January 1, 2027. The law applies to controllers and processors conducting business in Louisiana or targeting Louisiana residents that meet specific revenue and processing thresholds. Organizations with annual revenue of at least $25 million may fall within scope if they process personal data of at least 100,000 consumers or derive more than 50% of gross revenue from personal data sales while processing data of at least 25,000 consumers.

The Vermont Data Privacy Act (VDPA) takes effect on January 1, 2028 and introduces a different approach. The law applies to organizations operating in Vermont or targeting Vermont residents that process personal data of at least 35,000 consumers, process sensitive data relating to at least 3,000 consumers, or sell personal data relating to at least 3,000 consumers.

 The applicability thresholds differ across laws and must be assessed individually. Each new law creates another set of applicability requirements that organizations must evaluate. Businesses that previously considered themselves outside the scope of comprehensive privacy regulation may find that assumption becoming harder to maintain.

 

Sensitive Data, Profiling, and AI Governance Continue to Converge

One of the most notable developments across both laws is the continued expansion of sensitive data and profiling requirements.

Louisiana requires consent before processing sensitive data, including biometric information, genetic data, health information, precise geolocation data, and children's data. The law also requires data protection assessments for higher-risk activities such as profiling, targeted advertising, personal data sales, and sensitive data processing.

Vermont goes further in several areas. Its definition of sensitive data includes neural data, detailed financial credentials, precise geolocation information, biometric data, health data, children's data, and other categories that may extend beyond traditional definitions of sensitive data.

The law also introduces requirements tied to profiling activities that produce legal or similarly significant effects, alongside impact assessment obligations for these activities.

Vermont adds another increasingly common requirement by requiring organizations to disclose whether personal data is used for training large language models.

Taken together, these provisions point toward a growing overlap between privacy governance, AI governance, profiling oversight, and sensitive-data management.

A privacy notice that once focused primarily on collection and sharing practices may now need to address profiling activities, model training practices, and increasingly detailed sensitive-data disclosures.

 

Consumer Rights Are Becoming Easier to Exercise

Consumer rights remain a cornerstone of both laws, but recent legislative activity suggests a broader shift in how those rights are exercised.

Louisiana grants consumers rights to access, correct, delete, and obtain copies of personal data, as well as opt out of targeted advertising, personal data sales, and profiling activities that produce significant effects.

The law also allows consumers to designate authorized agents, including mechanisms through which authorized agents may exercise rights on behalf of individuals.

Vermont introduces similar consumer rights while also advancing obligations tied to data brokers through its newly enacted Delete Act.

The Vermont Delete Act (VDA) takes effect in January 2027 and requires data brokers to support consumer deletion requests through an accessible deletion mechanism. It also establishes personal data obligations for data brokers relating to deletion requests and compliance requirements.

Similar mechanisms have been introduced in other jurisdictions, although implementation approaches vary. California's Delete Request and Opt-Out Platform (DROP), similarly creates centralized mechanisms for exercising consumer deletion rights. While implementation details differ, the direction is consistent: consumer requests are becoming easier to submit, more centralized, and more operationally demanding for organizations receiving them.

This increases the importance of repeatable workflows capable of handling rights requests across systems, business units, and third-party relationships.

 

Preparing for What Comes Next

Louisiana and Vermont introduce new obligations, but they also reinforce a broader reality. The number of state privacy laws continues to grow. Requirements increasingly cover consumer rights, sensitive data governance, profiling oversight, AI-related disclosures, and data broker accountability. Effective dates vary, definitions differ, and operational obligations continue to expand.

Organizations preparing for Louisiana's January 2027 effective date and Vermont's January 2028 implementation timeline should focus on foundational capabilities that support compliance across jurisdictions.

This includes understanding where personal data resides, identifying sensitive-data processing activities, evaluating profiling use cases, maintaining accurate privacy notices, and ensuring consumer rights requests can be fulfilled consistently across systems and third-party relationships.

As new state laws continue to emerge, privacy programs built around scalable governance models will be better positioned than those relying on state-by-state compliance projects.

For deeper analysis of Louisiana, Vermont, California, Alabama, and global privacy developments, explore OneTrust DataGuidance.

To operationalize privacy requirements across jurisdictions, learn how OneTrust Privacy Automation helps organizations manage assessments, consumer rights, data governance, and regulatory compliance at scale.

 

Key Questions on Louisiana, Vermont, and Emerging State Privacy Laws

 

The Louisiana Data Privacy Act takes effect on January 1, 2027. Vermont's Data Privacy Act takes effect on January 1, 2028, while Vermont's Delete Act takes effect on January 1, 2027.

Together, the laws reinforce broader regulatory trends around sensitive-data governance, profiling oversight, consumer rights, AI-related disclosures, and data broker accountability.

Vermont includes broad sensitive-data definitions, profiling assessment requirements, disclosures related to large language model training, and a separate Delete Act focused on data broker obligations.

Louisiana includes consent requirements for sensitive data, data protection assessment obligations, technology-enabled authorized-agent mechanisms, and specific notice requirements when sensitive personal data or biometric data is sold.

Organizations should assess applicability, review sensitive-data processing activities, evaluate profiling and AI-related use cases, update privacy notices, and ensure consumer rights workflows can scale across multiple state requirements.