Louisiana Enacts Comprehensive Privacy Law as ICO Pressures Big Tech on Age Assurance

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Privacy regulation kept its rapid pace this week, with a new U.S. state law on the brink of enactment, a UK regulator turning up the pressure on major platforms, and a French data protection authority publishing its annual findings. From Baton Rouge to London to Paris, here is what you need to know.

Keep reading to learn more and discover my takeaways.

United states

Louisiana Legislature Passes Comprehensive Privacy Law

If SB 386 is signed by the Governor, Louisiana will become the third state this year (after Oklahoma and Alabama) and the 23rd state overall (including Florida) to enact a comprehensive privacy law. The effective date of the law is January 1, 2027, but it includes a temporary AG notice-and-cure provision running through July 31, 2027. 

TAKEAWAY

Aside from a bespoke exemption for public opinion poll conductors, nothing in the Louisiana law is truly unique or absent from other state laws. However, as is common with many recently enacted comprehensive privacy laws, the Louisiana bill is the state’s own recipe, borrowing a unique combination of ingredients from several other states. 

It tracks most closely to Texas, matching its definitions for sale, profiling, and sensitive data; its consumer rights, request methods and timelines; its sensitive data consent and purpose limitation requirements; certain notice requirements (including the previously unique Texas requirement to include the verbatim disclosure “NOTICE: We may sell your sensitive personal data” / “NOTICE: We may sell your biometric personal data”), and its GLBA and electric utility exemptions. But it borrows California‘s applicability threshold, the Oregon/Colorado definition of “targeted advertising” (including inferences), Connecticut‘s sunsetting cure period and UDAP hook, and Virginia‘s omission of certain otherwise common provisions (including those covering universal opt-out mechanisms and AG complaint mechanisms). 

As states continue to use a build-your-own methodology, drawing provisions from various comprehensive privacy laws, the feasibility of bucketing states into categories (the Connecticut model, Virginia model, etc.) for compliance purposes may be shrinking.    

Europe

ICO Says “More Needs to Be Done” to Ensure Age Assurance

The UK Information Commissioner’s Office (ICO) issued a statement on age assurance, expressing a lack of confidence that companies are implementing appropriate measures to prevent the processing of underage children’s data. 

Specifically, the statement says, “If you determine that your service is only suitable for children over a certain age, you must have effective age assurance measures in place”. It cites a lack of new, viable, and privacy-friendly age assurance solutions from TikTok, Snapchat, Facebook, Instagram, YouTube, and X thus far. 

This comes despite calls from the ICO for these companies to urgently review and strengthen their age assurance methods. The ICO also states it is ready to use the full range of regulatory powers available to it, such as formal investigations and sanctions. 

TAKEAWAY

This statement comes just two months after the ICO and Ofcom issued joint guidance outlining age assurance obligations under both the Online Safety Act and data protection law. 

Specifically, the ICO guidance section makes clear that if you operate a service unsuitable for children under a certain age (including if you have a minimum age in your terms of service), your focus should be on preventing underage children from accessing your service, because “you will have no lawful basis for processing the personal data of children who are not meant to be on your service”. 

The guidance recommends an effective age gate, using current viable technologies (such as facial age estimation, digital ID, or one-time photo matching) as the best method to minimize the risk of unlawful processing, and discourages self-declaration because it can be easily circumvented.

A LITTLE MORE PRIVACY, IF YOU PLEASE

• The CNIL Publishes its 2025 Annual Report
• Didomi is a founding member of the European CMP Association (ECMPA)
• Alabama Personal Data Protection Act (APDPA): Everything you need to know

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.