Key Takeaways
- Louisiana’s 2026 legislative session produced three technology‑focused bills that affect cybersecurity, consumer privacy, and inter‑agency data sharing.
- Senate Bill 75 creates statewide cybersecurity standards for local governments that request state assistance after a cyber incident; non‑compliant jurisdictions may bear the cost of response and recovery services.
- Senate Bill 386 (the Louisiana Data Privacy Act) grants consumers new rights to access, correct, delete, and opt out of the use of their personal information and limits how covered businesses may collect and use data.
- Senate Bill 233 establishes the Louisiana Statewide Data Exchange Compact, a voluntary framework that standardizes privacy‑compliant data sharing among state agencies while preserving agency ownership of shared information.
- The measures align Louisiana with trends in other states such as Florida, New York, and Ohio, which are also strengthening local‑government cyber defenses and privacy oversight.
Overview of Louisiana’s 2026 Technology Legislative Package
During the 2026 legislative session, which adjourned on June 1, Louisiana lawmakers concentrated on two pressing issues: the responsibilities of local governments when faced with cyber attacks and the extent of control residents should retain over their personal data. The session culminated in three signed bills that together address cybersecurity preparedness, consumer privacy protections, and streamlined, privacy‑compliant data sharing across state agencies. Each measure reflects a growing recognition that technology policy must balance security, individual rights, and governmental efficiency.
Senate Bill 75 – Cybersecurity Standards for Local Governments Seeking State Aid
Sponsored by Senator Valarie Hodges, Senate Bill 75 directs the Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) to develop cybersecurity standards for any local governmental subdivision that requests state assistance after a cybersecurity incident. The law mandates that these standards incorporate “technical management practices that assure cybersecurity compliance with national cybersecurity standards” and clearly outline the steps local entities must follow to qualify for aid. While the state may still provide immediate assistance regardless of compliance, the bill stipulates that reimbursement for response and recovery costs will fall on the non‑compliant locality. In effect, jurisdictions that fail to meet the forthcoming standards could be financially liable for the services they receive, creating a strong incentive to adopt robust cyber defenses before an incident occurs.
Implementation Timeline and Authority Under SB 75
Enacted in May, SB 75 gives GOHSEP the authority to draft the detailed rules that local governments will eventually be required to follow. By placing the rule‑making function within the homeland security office, the legislation centralizes the state’s cybersecurity oversight and ensures that the standards are aligned with federal guidelines and emerging threat landscapes. Localities will have a defined period to achieve compliance before the cost‑sharing provisions take effect, allowing time for training, infrastructure upgrades, and policy revisions. The bill does not prohibit assistance to non‑compliant entities; rather, it shifts the financial burden onto those jurisdictions, thereby encouraging proactive investment in cybersecurity hygiene.
Senate Bill 386 – The Louisiana Data Privacy Act
Senate Bill 386, known as the Louisiana Data Privacy Act and sponsored by Senator Patrick Connick, focuses on the private sector’s handling of consumer information. Modeled after recent privacy statutes in states such as Vermont, the law confers a suite of rights onto individuals: they may request access to their data, seek corrections, ask for deletion of specific information, obtain copies of their personal data, and opt out of certain uses, including targeted advertising and data sales. The legislation also imposes a data‑minimization principle, requiring controllers to limit collection to what is “adequate, relevant, and reasonably necessary” for the disclosed purpose. Companies that sell sensitive personal information must provide explicit notice to consumers before doing so.
Enforcement Mechanism and Effective Date
Violations of the Louisiana Data Privacy Act are treated as unfair or deceptive trade practices under state law, granting the state attorney general authority to pursue civil penalties and injunctive relief. The act was signed by the governor and is set to take effect on January 1 of the following year, giving businesses a window to update privacy notices, implement data‑subject request procedures, and adjust data‑collection practices to comply with the new standards. By aligning enforcement with existing consumer‑protection statutes, Louisiana aims to create a deterrent effect while providing clear avenues for redress when privacy rights are infringed.
Consumer Impact and Business Obligations Under SB 386
For residents, SB 386 translates into greater transparency and control over how their personal information is used, stored, and shared. Individuals can now verify what data a business holds, correct inaccuracies, and request removal of data that is no longer necessary or was obtained without proper consent. The opt‑out provision empowers consumers to limit profiling and targeted marketing, addressing growing concerns about digital surveillance. For businesses, the law necessitates a review of data‑inventory practices, the establishment of robust response mechanisms for consumer requests, and potentially costly adjustments to data‑sale operations, especially for those handling sensitive categories such as health or financial information.
Senate Bill 233 – Creating the Louisiana Statewide Data Exchange Compact
Sponsored by Senator Beth Mizell, Senate Bill 233 establishes the Louisiana Statewide Data Exchange Compact, a voluntary framework designed to standardize secure, privacy‑compliant data sharing among state agencies. The compact’s stated purpose is to create “a single legal and technical framework for secure, privacy‑compliant interagency data sharing” that facilitates the exchange of confidential information while clearly defining the responsibilities, permissible purposes, and safeguards for participating entities. By providing a uniform agreement, the compact seeks to reduce redundancies, improve inter‑agency collaboration, and ensure that data exchanges adhere to evolving privacy and security requirements.
Governance and Operational Details of the Compact
The Office of Technology Services (OTS) will serve as the compact administrator, tasked with developing a standardized participation agreement and overseeing its implementation. A committee composed of representatives from participating agencies will advise OTS, review the framework as laws and security standards evolve, and recommend updates when necessary. Participation is entirely voluntary; agencies may withdraw or pursue alternative data‑sharing arrangements if they determine the compact no longer suits their needs. Crucially, each agency retains ownership of any information it chooses to share, preserving sovereignty over its data assets while benefiting from a common set of privacy and security controls.
Implications for State Government Efficiency and Privacy
By instituting a common data‑exchange protocol, the compact aims to eliminate the patchwork of ad‑hoc agreements that often hinder timely information sharing during emergencies or routine operations. Standardized safeguards—such as encryption, access logging, and audit trails—help ensure that shared data remains protected against unauthorized disclosure or misuse. Moreover, the compact’s built‑in review mechanism allows Louisiana to adapt its data‑sharing practices in response to new legislation, technological advances, or emerging threats, fostering a resilient and future‑ready governmental data ecosystem.
National Context – How Louisiana’s Measures Compare to Other States
Louisiana’s legislative actions are part of a broader trend across the United States aimed at strengthening cybersecurity and privacy protections at the local and state levels. In Florida, lawmakers have moved to formalize a statewide assistance program that equips local governments with cybersecurity tools, services, and support resources. New York enacted a 2025 law that mandates cyber‑incident reporting, ransom‑payment disclosure, and compulsory cybersecurity training for government employees. Ohio has required local governments to adopt formal cybersecurity programs, provide employee training, and obtain public approval before any ransomware payment is made. Like these states, Louisiana’s SB 75, SB 386, and SB 233 collectively seek to raise the baseline of digital resilience, empower individuals with privacy rights, and create efficient, secure pathways for governmental data collaboration.
Conclusion
The 2026 Louisiana legislative session produced a cohesive set of technology policies that address the state’s most pressing digital challenges. Senate Bill 75 incentivizes local governments to adopt robust cybersecurity standards by linking state assistance to compliance and imposing potential cost‑recovery for non‑compliance. Senate Bill 386 enhances consumer autonomy over personal data while imposing clear limits on business data practices. Senate Bill 233 establishes a voluntary, standardized framework for privacy‑compliant data sharing among state agencies, promising improved inter‑agency cooperation without sacrificing data ownership. Together, these measures position Louisiana alongside other forward‑thinking states that are proactively safeguarding both governmental infrastructure and individual privacy in an increasingly interconnected world.