TL;DR: Louisiana and Vermont add broader applicability thresholds, stronger sensitive-data rules, more explicit profiling oversight, and easier consumer-rights execution, according to OneTrust’s analysis of recent state privacy legislation. Manual, state-by-state governance is becoming too brittle for privacy and identity programmes that must scale across jurisdictions and third-party relationships.
At a glance
What this is: Louisiana and Vermont’s new privacy laws show how U.S. state privacy regulation is expanding in scope, sensitive-data coverage, profiling oversight, and rights-request operations.
Why it matters: Privacy, IAM, and governance teams need repeatable controls because expanding obligations increasingly cut across data inventories, consumer requests, and third-party workflows.
By the numbers:
- In April 2026, Alabama became the 21st state to pass a comprehensive privacy law, Louisiana became the 22nd in May, and Vermont became the 23rd in June.
- The Louisiana Data Privacy Act applies to organisations with annual revenue of at least $25 million if they process personal data of at least 100,000 consumers.
👉 Read OneTrust’s analysis of Louisiana and Vermont privacy law expansion
Context
Louisiana and Vermont are the latest examples of a wider shift in U.S. state privacy law: broader applicability, more explicit treatment of sensitive data, and more operational pressure on rights handling. For privacy programmes, the problem is no longer whether a single law can be interpreted correctly, but whether governance can scale as each new jurisdiction adds its own thresholds and obligations.
The identity governance connection is practical rather than abstract. Privacy rights, authorised agents, third-party relationships, and data broker obligations all depend on knowing who can act, what data they can reach, and whether requests can be executed consistently across systems. That is why state privacy expansion is increasingly an operating-model issue, not just a legal review exercise.
Key questions
Q: How should privacy teams handle consumer rights requests across multiple state laws?
A: Privacy teams should treat rights requests as a governed workflow, not a ticket queue. That means standardising identity verification, authorised-agent handling, routing to downstream systems, and audit evidence while allowing state-specific rules for notice, timing, and exclusions. The goal is consistent fulfilment across jurisdictions without rebuilding the process for every new law.
Q: Why do expanding state privacy laws create operational risk for privacy programmes?
A: They create operational risk because each law can change scope thresholds, sensitive-data definitions, and rights obligations differently. A programme that relies on manual interpretation will drift as new jurisdictions emerge. The practical risk is not only legal exposure, but inconsistent execution across data maps, notices, assessments, and third-party fulfilment paths.
Q: What do organisations get wrong about sensitive-data governance under state privacy laws?
A: They often manage sensitive data as a notice or consent problem instead of a broader control problem. In practice, sensitive data governance also affects data discovery, profiling assessments, AI disclosures, and downstream access handling. If those controls are separate, the programme becomes inconsistent as soon as a new law changes one requirement.
Q: Who is accountable when consumer rights requests depend on vendors or brokers?
A: Accountability stays with the organisation receiving the request, even when execution depends on processors, vendors, or brokers. The team must be able to prove what was requested, where it was routed, what was completed, and where external dependencies delayed fulfilment. Delegation does not transfer accountability.
Technical breakdown
Expanded applicability thresholds create governance drift
State privacy statutes are no longer converging on a single scope model. Louisiana uses revenue and processing thresholds, while Vermont uses different consumer-count and sensitive-data thresholds, which means organisations cannot assume one jurisdictional test transfers cleanly to the next. The operational issue is governance drift: a programme may look compliant in one state while silently falling into scope in another. Scope determination now depends on data volume, processing purpose, and residency logic at the same time.
Practical implication: maintain a jurisdiction-by-jurisdiction applicability matrix and tie it to data maps, not legal memos.
Sensitive data and profiling now sit in the same control plane
Both laws push privacy teams toward a combined view of sensitive-data processing, profiling, and AI-related use cases. Louisiana requires consent for sensitive data and assessments for higher-risk processing. Vermont goes further by extending sensitive-data definitions and requiring disclosure when personal data is used to train large language models. The technical pattern is the same: governance must understand data type, processing purpose, and downstream use, not just storage location.
Practical implication: classify sensitive-data flows and profiling use cases together so assessments and notices stay aligned.
Consumer-rights workflows are becoming identity workflows
Rights requests are no longer simple privacy inbox tasks. Louisiana allows consumers to use authorised agents, and Vermont adds data broker deletion obligations, which means requests may traverse multiple systems and third-party relationships before they are completed. That makes rights handling a workflow problem with identity dependencies: verification, delegation, fulfilment, and auditability all have to line up. Manual routing breaks quickly when requests are centralised but the underlying data remains distributed.
Practical implication: design rights-request orchestration with delegation, evidence capture, and third-party fulfilment tracking built in.
NHI Mgmt Group analysis
State privacy expansion is turning governance into a lifecycle problem, not a legal checklist. Louisiana and Vermont show that scope, consent, profiling, and deletion obligations now move independently across jurisdictions. That means the hard part is not interpreting one statute but maintaining a living control set as laws evolve. Privacy teams should treat legal change as an identity and data lifecycle issue, because obligations fail when inventories, workflows, and ownership do not move together.
The real operational gap is between rights availability and rights execution. When consumers can authorise agents, submit deletion requests more easily, or trigger broker obligations, the governance challenge becomes whether the organisation can prove who acted, what data was touched, and whether fulfilment completed across all downstream systems. This is a control-plane issue across privacy, IAM, and third-party access. Practitioners need to see every rights workflow as a governed access path, not a form submission.
Sensitive-data governance and AI governance are now converging in state privacy law. Vermont’s disclosure around large language model training makes that overlap explicit, while Louisiana reinforces assessment-based oversight for higher-risk processing. The category boundary between privacy notices, profiling controls, and AI disclosures is disappearing. Privacy programmes that still separate these domains will struggle to keep notices, assessments, and data-use registers consistent.
Manual state-by-state compliance will not scale as the regulatory surface keeps expanding. Each new law adds a distinct mix of thresholds, definitions, and operational duties, which means point-in-time project management will lag behind change. The enduring model is jurisdiction-aware governance with repeatable data discovery, request handling, and evidence collection. Practitioners should build for portability across laws, not one-off compliance wins.
Governance maturity will be measured by how well teams can execute, not just explain. The laws described here reward organisations that can locate personal data, segment sensitive processing, trace third-party dependencies, and fulfil consumer requests consistently. The implication is clear: privacy and identity teams must align around operational ownership, because compliance breaks at the handoff points, not in the policy statement.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For the broader governance picture, explore Top 10 NHI Issues to connect identity sprawl, lifecycle control, and operational accountability.
What this signals
Rights execution will increasingly look like access governance. As more states add authorised-agent mechanisms and broker deletion requirements, privacy teams will need the same orchestration discipline that IAM and IGA teams use for lifecycle control. The practical shift is from policy interpretation to workflow assurance, especially where fulfilment crosses business units and vendors.
Sensitive-data operations and AI governance are converging faster than most programmes are prepared for. Vermont’s treatment of LLM training disclosures is a clear sign that privacy notices, profiling reviews, and model-use registers can no longer be managed as separate workstreams. Teams should expect more evidence requests that combine data lineage, processing purpose, and AI usage in one review.
With 72% of organisations having experienced or suspecting an NHI breach, according to our 2024 ESG Report: Managing Non-Human Identities, governance programmes that still rely on manual coordination will struggle to keep pace with expanding state privacy obligations. The same operational weakness shows up when rights requests, third-party dependencies, and data inventories are managed in silos. The answer is not more paperwork, but more traceable execution.
For practitioners
- Map jurisdictional applicability thresholds Build a live matrix for each state law that captures revenue, consumer-count, sensitive-data, and sale-related thresholds. Reconcile the matrix against current data inventories so new scope changes are visible before the next effective date.
- Treat rights requests as governed workflows Design consumer rights handling as an orchestrated process with identity verification, authorised-agent handling, downstream task routing, and evidence capture. Track completion across internal systems and third-party relationships, not just intake status.
- Unify sensitive-data and profiling assessments Use one control path to review sensitive-data processing, profiling activities, and AI-related use cases so notices, assessments, and approvals stay aligned. Separate review paths create drift and increase the chance of contradictory obligations.
- Inventory third-party dependencies for fulfilment Identify where deletion, correction, or access requests depend on vendors, brokers, processors, or platform partners. Build escalation and attestation steps into the workflow so external dependencies do not become fulfilment blockers.
Key takeaways
- Louisiana and Vermont show that state privacy regulation is expanding in scope, sensitive-data coverage, and operational complexity at the same time.
- The hardest part of compliance is no longer reading the law, but executing rights, consent, and assessment workflows consistently across systems and third parties.
- Privacy programmes that align governance, identity, and workflow controls will handle future state laws more effectively than state-by-state project fixes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access and authorisation governance maps to controlled request fulfilment and delegation handling. |
| NIST SP 800-63 | SP 800-63C | Authorised-agent rights handling depends on federated delegation and verification logic. |
| GDPR | Art.12 | The article’s rights-request workflows closely resemble regulated consumer rights operations. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance is relevant where rights workflows cross systems and third parties. |
Use Art.12-style service expectations to keep request handling understandable, traceable, and timely.
Key terms
- Applicability Threshold: The set of business, revenue, or processing conditions that determine whether a privacy law applies to an organisation. In practice, thresholds must be monitored continuously because scope can change as data volumes, consumer counts, or targeting criteria evolve across jurisdictions.
- Authorised Agent: A person or entity permitted to submit a privacy request on someone else’s behalf. The control challenge is verifying that the delegate has valid authority, tracking the request through fulfilment, and preserving evidence so accountability remains with the organisation handling the request.
- Sensitive Data Governance: The control discipline for identifying, classifying, approving, and monitoring high-risk personal data. It goes beyond consent and notice because the same data may affect assessments, profiling restrictions, AI disclosures, and downstream access obligations across multiple systems.
- Profiling Oversight: The review and control of automated analysis that evaluates or predicts behaviour, preferences, or significant outcomes. Strong profiling oversight ties together assessment, disclosure, and decision-making controls so analytics do not drift beyond the organisation’s approved privacy posture.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- State-by-state applicability analysis for Louisiana and Vermont, including the specific thresholds that trigger each law.
- Detailed treatment of sensitive-data, profiling, and AI-related disclosure requirements that privacy teams must map into notices and assessments.
- Practical guidance on consumer-rights handling, including authorised-agent use and broker deletion workflows.
- Operational considerations for keeping privacy programmes scalable as new state laws continue to emerge.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org