TL;DR: Louisiana and Vermont add broader applicability thresholds, stronger sensitive-data rules, more explicit profiling oversight, and easier consumer-rights execution, according to OneTrust’s analysis of recent state privacy legislation. Manual, state-by-state governance is becoming too brittle for privacy and identity programmes that must scale across jurisdictions and third-party relationships.
NHIMG editorial — based on content published by OneTrust: What Louisiana and Vermont Privacy Laws Reveal About the Growing Challenge of Managing State Privacy
By the numbers:
- In April 2026, Alabama became the 21st state to pass a comprehensive privacy law, Louisiana became the 22nd in May, and Vermont became the 23rd in June.
- The Louisiana Data Privacy Act applies to organisations with annual revenue of at least $25 million if they process personal data of at least 100,000 consumers.
Questions worth separating out
Q: How should privacy teams handle consumer rights requests across multiple state laws?
A: Privacy teams should treat rights requests as a governed workflow, not a ticket queue.
Q: Why do expanding state privacy laws create operational risk for privacy programmes?
A: They create operational risk because each law can change scope thresholds, sensitive-data definitions, and rights obligations differently.
Q: What do organisations get wrong about sensitive-data governance under state privacy laws?
A: They often manage sensitive data as a notice or consent problem instead of a broader control problem.
Practitioner guidance
- Map jurisdictional applicability thresholds Build a live matrix for each state law that captures revenue, consumer-count, sensitive-data, and sale-related thresholds.
- Treat rights requests as governed workflows Design consumer rights handling as an orchestrated process with identity verification, authorised-agent handling, downstream task routing, and evidence capture.
- Unify sensitive-data and profiling assessments Use one control path to review sensitive-data processing, profiling activities, and AI-related use cases so notices, assessments, and approvals stay aligned.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- State-by-state applicability analysis for Louisiana and Vermont, including the specific thresholds that trigger each law.
- Detailed treatment of sensitive-data, profiling, and AI-related disclosure requirements that privacy teams must map into notices and assessments.
- Practical guidance on consumer-rights handling, including authorised-agent use and broker deletion workflows.
- Operational considerations for keeping privacy programmes scalable as new state laws continue to emerge.
👉 Read OneTrust’s analysis of Louisiana and Vermont privacy law expansion →
State privacy expansion: what privacy teams need to operationalize now?
Explore further
State privacy expansion is turning governance into a lifecycle problem, not a legal checklist. Louisiana and Vermont show that scope, consent, profiling, and deletion obligations now move independently across jurisdictions. That means the hard part is not interpreting one statute but maintaining a living control set as laws evolve. Privacy teams should treat legal change as an identity and data lifecycle issue, because obligations fail when inventories, workflows, and ownership do not move together.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when consumer rights requests depend on vendors or brokers?
A: Accountability stays with the organisation receiving the request, even when execution depends on processors, vendors, or brokers. The team must be able to prove what was requested, where it was routed, what was completed, and where external dependencies delayed fulfilment. Delegation does not transfer accountability.
👉 Read our full editorial: Louisiana and Vermont privacy laws expose the limits of manual governance