
Global Data Privacy Guide

USA, Louisiana

(United States) Firm Jones Walker LLP

Contributors Andrew Lee

Updated 15 Sep 2025
1. What is the key legislation?

Louisiana recognizes the right to privacy in its state constitution, La. Const., Art. 1, Sec. 5; see also La. Rev. Stat. 17:3914(A) ("The legislature hereby declares that all personally identifiable information is protected as a right to privacy under the Constitution of Louisiana and the Constitution of the United States.").
Louisiana also recognizes a duty to secure personal information under La. Rev. Stat. 51:3071, et seq., the Louisiana Database Security Breach Notification Law (the "LDSBNL"). When a breach results in personal information being acquired and accessed without authorization, the LDSBNL generally requires notice to affected individuals and the Office of the Attorney General. The definition of "personal information" under La. R.S. 51:3073(4)(a) is limited to Louisiana residents. However, notification is not required if the information was encrypted or there is no reasonable likelihood of harm to the affected individuals.
According to regulations promulgated by the Louisiana Attorney General, failure to give timely notice to the Louisiana Attorney General may result in fines of up to $5,000 per day. La. Admin. Code 16:III § 701. Unlike other breach notification laws in states in the Gulf South, the LDSBNL creates a private right of action for violations, including the right to recover "actual damages" for failure to give timely notice or other violations of the Act. La. Rev. Stat. 51:3074(J), 3075.

Industry-specific legislation includes:

•    Insurance: La. Rev. Stat. 22:2501, et seq.
•    Student Information: La. Rev. Stat. 17:3914
•    Health Information and Records: La. Rev. Stat. 40:2144
•    Financial Records of Banks: La. Rev. Stat. 6:333

The Louisiana SOCIAL Act (Secure Online Child Interaction and Age Limitation Act) was enacted on June 28, 2023, when Governor John Bel Edwards signed Senate Bill 162 into law as Act 456. The legislation is codified in Louisiana Revised Statutes Title 51, Sections 1751-1759. The Act applies to social media platforms with more than 5 million account holders worldwide, requiring them to implement age verification measures for Louisiana users suspected of being 16 or younger, using methods such as government-issued ID or transactional data verification.
The SOCIAL Act's key provisions mandate parental consent for users under 16, restrict targeted advertising to minors, prohibit adults from direct messaging teens unless already connected on the platform, and require platforms to provide parental monitoring tools. Enforcement authority rests with Louisiana's Division of Public Protection, which can impose fines up to $2,500 per violation and civil penalties up to $10,000 for larger platforms. Originally scheduled to take effect July 1, 2024, implementation has been voluntarily delayed until December 19, 2025, pending the outcome of constitutional challenges. The Act represents Louisiana's effort to enhance online safety for minors through strict age verification and parental oversight requirements on major social media platforms.

2. What are the key decisions applying that legislation?

Significant court decisions include:
Merrell v. First Lake Properties - Key Holdings
In Merrell v. 1st Lake Properties, Inc., 717 F. Supp.3d 512 (E.D. La. 2024), the Eastern District of Louisiana federal court addressed whether Louisiana's Data Security Breach Notification Law (LDSBNL) can establish a duty of care for negligence claims. In Merrell, a tenant's personal information was compromised in a data breach at defendant's property management company, resulting in three incidents of identity theft. The plaintiff filed a class action alleging negligence under Louisiana law, citing both the LDSBNL and Section 5 of the Federal Trade Commission Act as establishing the defendant's duty of care. The defendant moved to dismiss the negligence claim and to strike the LDSBNL claim. The court found that the LDSBNL articulates sufficient standards of conduct to satisfy the duty element of a Louisiana negligence claim. The court examined the statute's legislative findings and concluded that the plaintiff's allegations fell within the scope of risks the LDSBNL was designed to protect against. The court also held that references to Section 5 of the FTC Act sufficiently support the duty element for negligence under Louisiana law. This decision establishes that data breach notification statutes can provide the legal framework for negligence duties in Louisiana, creating a pathway for plaintiffs to pursue negligence claims based on statutory data protection standards.
Tate v. Woman's Hosp. Found., 56 So. 3d 194 (La. 2011): Louisiana Supreme Court affirmed that privacy torts can occur in four ways: (1) appropriating an individual's name or likeness; (2) unreasonably intruding on physical solitude or seclusion; (3) giving publicity which unreasonably places a person in a false light; and (4) unreasonable public disclosure of embarrassing private facts.

1. How are “personal data” and “sensitive data” defined?

La. Rev. Stat. 51:3073, part of the Data Security Breach Notification Act, defines protected data to be the "personal information" of a Louisiana resident[2].
Note: Under the Act, the definition of "personal information" is limited to certain information for individual residents of Louisiana that is not encrypted or redacted. La. R.S. 51:3073(4)(a). It includes the resident's last name and first name or first initial in combination with one or more of the following data elements:

•    Social security number;
•    Driver's license number or state identification card number;
•    Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
•    Passport number; and
•    Biometric data, including fingerprints and other unique biological characteristics used to authenticate an individual's identity to access a system or account.

However, the definition of "personal information" excludes "publicly available information that is lawfully made available to the general public from federal, state, or local government records." La. R.S. 51:3073(4)(b).

Louisiana does not have a comprehensive definition of "sensitive data" outside of sector-specific laws. However, various statutes recognize certain categories as requiring enhanced protection, including student information, health information, genetic information, and financial records.

2. How is the defined data protected?

Louisiana requires entities to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure" under La. Rev. Stat. 51:3074(A).

For data disposal, entities must destroy records containing personal information "by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means." La. Rev. Stat. 51:3074(B).

3. Who is subject to privacy obligations?

Any person, entity, or agency that is in possession of a Louisiana resident's "personal information" is subject to the breach notification provisions of La. Rev. Stat. 51:3071, et seq.

Note: Pursuant to La. Rev. Stat. 51:3074, Louisiana's breach notification obligations apply to all persons and legal entities that own or license computerized data that includes Louisiana residents' personal information. La. Rev. Stat. 51:3074(C). In cases where the breach involves computerized data that the person or agency does not own, then the person or agency must notify the owner. La. Rev. Stat. 51:3074(D).

4. How is “data processing” defined?

Louisiana does not have a comprehensive definition of "data processing" in its general privacy statutes. However, Louisiana law recognizes various forms of data handling activities:

"Electronic imaging" is defined as "the process of storing and retrieving any record, document, data, or other information through the use of electronic data processing, or computerized, digital, or optical scanning, or other electronic technology". La. Code Evid. Art. 1001.

"Data processing services" are referenced in tax statutes as services "which allow data to be generated, acquired, stored, processed, or retrieved and delivered by an electronic transmission". La. Rev. Stat. 47:301.

The Louisiana Consumer Privacy Act proposals (HB 947 and previous attempts) would have defined processing more comprehensively to include collection, use, sale, and disclosure of personal data.

5. What are the principles applicable to personal data processing?

While Louisiana does not have a general law regulating the collection and processing of personal data, it has several targeted laws limiting the collection and use of specific types of personal data. Such laws include:

•    for students, La. Rev. Stat. 17:3914 limits the collection, use, and disclosure of student information;

•    for employees, the "Personal Online Account Privacy Protection Act," La. Rev. Stat. 51:1951, et seq., prohibits employers from penalizing an individual for failing to disclose certain login credentials and La. Rev. Stat. 23:368(B) limits the collection, use and disclosure of employees' genetic information;

•    for persons involved in traffic accidents, La. Rev. Stat. 32:397.1 prohibits the use of public record accident reports for commercial solicitation of services to such persons who have stated that they do not wish to be solicited;

•    for financial records, La. Rev. Stat. 6:333(B) generally prohibits banks from disclosing them to non-customers (with limited exceptions);

•    for insurers, La. Rev. Stat. 22:2501, et seq. governs the collection, use, and security of consumer's nonpublic information;

•    for insurance customers, La. Rev. Stat. 22:1604(B) requires prior written consent from consumers to allow their nonpublic customer information to be used for the purpose of selling or soliciting the purchase of insurance; and

•    for insureds receiving a viatical settlement on their life insurance policies, La. Rev. Stat. 22:1795 limits the use and disclosure of the insured's identity and financial and medical information.

6. How is the processing of personal data regulated?

There is no statutory or regulatory scheme that expressly governs the use and disclosure of personal data. If the breach notification statute, La. Rev. Stat. 51:3071, et seq., is triggered, persons and agencies subject to that act are regulated by the Office of the Attorney General.

7. How are storage, security and retention of personal data regulated?

Under La. Rev. Stat. 51:3074(A), persons subject to the statute must "implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." When disposing of records containing personal information, holders of data must destroy the records "by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means." La. Rev. Stat. 51:3074(B).

Note: No regulations or guidance are currently available for interpreting these obligations. Failure to comply with these or other requirements of the law may constitute an unfair trade practice. La. R.S. 51:3074(J), regulated by the Louisiana Unfair and Deceptive Trade Practices Act, see La. Rev. Stat. 51:1405(A). Moreover:

•    The breach notification act, La. Rev. Stat. 51:3074, prescribes actions that persons and agencies must take in the event of a data security breach. The law also includes a 5-year retention requirement for investigations that conclude that notice following a breach is unnecessary because there was no likelihood of harm. La. Rev. Stat. 51:3074(I).

•    Insurers must develop, implement, and maintain an information security program in compliance with Louisiana's Insurance Data Security Law. La. Rev. Stat. 22:2504.

•    Louisiana has enacted legislation of limited applicability to students, outlining requirements for the security and storage of student information, La. Rev. Stat. 17:3913 and 3996(B).

•    The Hospital Records and Retention Act, La. Rev. Stat. 40:2144 regulates the period of retention of personal health records.

8. What are the data subjects' rights under the data legislation?

Louisiana does not provide general rights to access or correction of privately held personal data.

Note: Louisiana lacks "right of access" provisions generally, but it does have specific acts applicable to certain school and employment records and hospital patient records. Louisiana's student data privacy act, La. Rev. Stat. 17:3913, grants rights of access to students and their parents or guardians. While there is no law giving employees a general right to access their personnel files, Louisiana's School Employee Personnel Files Act, La. Rev. Stat. 17:1237, allows school employees to access their personnel files. And under La. Rev. Stat. 49:1011, an employee who is confirmed positive for a drug test may request related records, including "records relating to his drug tests and any records relating to the results of any relevant certification, review, or suspension/revocation-of-certification proceedings." Louisiana's hospital and health records statute, La. Rev. Stat. 40:2144, provides patients with statutory rights of access to medical records.

9. What are the consent requirements for data subjects?

Louisiana has specific consent requirements in certain sectors:

•    Student Data: Louisiana R.S. 17:3914 requires parents to provide explicit consent rather than implied consent for the release of directory information. This means parents must be notified and written parental consent must be provided before their child's information can be shared.

•    Public Records Marketing: Under La. Rev. Stat. 44:42, no person shall use any public record that includes personally identifiable information of a Louisiana resident for marketing or solicitation purposes without the resident's consent. Marketing is prohibited unless the person has affirmatively consented by electronic or paper notification.

•    Medical Records: For medical records release, authorization must be obtained from the patient, including specific elements such as the name of the recipient, nature of information to be released, and patient signature. La. Admin. Code tit. 37, § XIII-2515.

•    Recording Consent: Louisiana is a one-party consent state for recording conversations, meaning only one party to the conversation needs to consent to recording. La. Rev. Stat. 15:1303.

10. How is authorization for use of data handled?

Authorization requirements vary by data type and sector:

•    Healthcare: Healthcare providers must obtain patient authorization for most uses and disclosures of protected health information, with specific requirements for authorization forms including purpose, recipient information, and patient signature. La. Admin. Code tit. 37, § XIII-2515.

•    Student Information: Schools must obtain parental authorization for sharing student personally identifiable information with third parties, with specific exceptions for educational purposes. La. Rev. Stat. 17:3914; 17:112.

•    Employment: The Personal Online Account Privacy Protection Act limits employers' ability to require disclosure of personal online account credentials without employee consent. La. Rev. Stat. 51:1951-1955.

•    Insurance: Insurance companies must obtain prior written consent from consumers before using their nonpublic customer information for selling or soliciting insurance. La. Rev. Stat. 22:2501, et seq.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

No, there are no general restrictions on cross-border data transfers in Louisiana.

However, certain sector-specific restrictions exist:

For healthcare providers using third-party Electronic Visit Verification (EVV) vendors, Protected Health Information (PHI) cannot be sent to servers or IP addresses outside of the United States, and remote access to PHI by resources physically located outside the U.S. is strictly prohibited. La. Admin. Code tit. 50, § XXI-1141.

12. How are data "incidents" and "breaches" defined?

Under Louisiana's Database Security Breach Notification Law, there is a "breach of the security of the system" when the "security, confidentiality, or integrity of computerized data" is compromised resulting in, or "a reasonable likelihood to result in," the "unauthorized acquisition of and access to personal information." La. R.S. 51:3703(2); La. Admin. Code, tit. 16, § III-701.

The law specifically defines a “breach” as "the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to PI maintained by an Entity". La. R.S. 51:3073(2).

Good-faith acquisition of personal information by an employee for legitimate business purposes is not considered a breach, provided the information is not subject to unauthorized disclosure. Id.

13. Are there any notification requirements for incidents and/or data breaches?

Yes, Louisiana has enacted a breach notification act, under which Louisiana residents have the right to receive notice of breaches involving their personal information. La. R.S. 51:3074(C)[3]. The law does not specify the contents of the notice to residents, but in general notice must be made "in the most expedient time possible and without unreasonable delay but not later than 60 days from the discovery of the breach." La. R.S. 51:3074(E).

Organizations must also notify the Louisiana Attorney General within 10 days of distributing notice to Louisiana citizens. Failure to provide timely notice to the Attorney General may result in fines of up to $5,000 per day. La. Admin. Code, tit. 16, § III-701.

Notification is not required if "after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm" to Louisiana residents. La. R.S. 51:3074(I). In such cases, entities must retain written documentation of this determination for 5 years.

14. Who is/are the privacy regulator(s)?

The Office of the Attorney General has rulemaking authority under the Louisiana Database Security Breach Notification Law, La. Rev. Stat. 51:3077.

For specific sectors:

•    Louisiana Department of Insurance regulates insurance data security. La. Rev. Stat. 22:2504.
•    Louisiana Department of Education oversees student privacy matters. La. Rev. Stat. 17:3913.
•    Division of Public Protection enforces the SOCIAL Act (social media regulations). La. Rev. Stat. 51:1751, et seq.

15. What are the consequences of a data breach?

A person who suffered damages as a result of violations of Louisiana's breach notification law and who was not timely notified may bring a civil action against the violator. The law permits civil actions "to recover actual damages resulting from the failure to disclose in a timely manner" that there was "a breach of the security system resulting in the disclosure of a person's personal information." La. Rev. Stat. 51:3075.

•    Louisiana's Unfair Trade Practices and Consumer Protection Act, La. R.S. 51:1409, also permits plaintiffs to recover "actual damages" for any "unfair or deceptive method, act, or practice declared unlawful by" the law.

•    Administrative penalties include fines of up to $5,000 per day for failure to provide timely notice to the Attorney General.

•    Louisiana courts also recognize privacy torts in four categories: (1) appropriating an individual's name or likeness; (2) unreasonably intruding on physical solitude or seclusion; (3) giving publicity which unreasonably places a person in a false light; and (4) unreasonable public disclosure of embarrassing private facts.

16. How is electronic marketing regulated?

Louisiana regulates unsolicited electronic mail sent to or from Louisiana electronic mail addresses. La. Rev. Stat. 51:2001, et seq. In Louisiana, it is a crime to send unsolicited bulk electronic mail—defined as an electronic message sent to more than 1000 recipients that are "developed and distributed in an effort to sell or lease consumer goods or services"—unless authorized by the electronic mail service provider. La. Rev. Stat. 14:73.1 and 14:73.6.

Further, electronic mail fraud is generally prohibited, La. Rev. Stat. 51:2003, with special protections for recipients of fraudulent electronic mail, text messages, or phone calls who are elderly or have special disabilities. La. Rev. Stat. 51:1409.1.

Senders of unsolicited commercial electronic mail must:

•    Maintain a functioning return email address for opt-out requests
•    Maintain a functioning website for removal requests
•    Clearly disclose recipient rights and contact information
•    Include "ADV:" as the first four characters in the subject line
•    Include "ADV:ADLT" for messages containing obscene material

17. Are there sector-specific or industry-specific privacy requirements?

Yes, Louisiana has several sector-specific privacy requirements:

•    Insurance: Louisiana Insurance Data Security Law (La. Rev. Stat. 22:2504) requires licensees to develop, implement, and maintain comprehensive written information security programs based on risk assessments. The law includes requirements for administrative, technical, and physical safeguards, third-party service provider oversight, and cybersecurity event reporting.

•    Healthcare: Louisiana health information statutes require compliance with HIPAA-level protections and include specific requirements for institutional review boards, data use agreements, and breach reporting. La. Rev. Stat. 40:1173.5.

•    Education: Louisiana has comprehensive student privacy laws (La. Rev. Stat. 17:3914) requiring explicit parental consent for data sharing, data sharing agreements with vendors, and restrictions on data collection and use.

•    Financial Services: Banks and financial institutions are subject to specific disclosure restrictions and must comply with federal regulations. La. Rev. Stat. 6:333, 51:3076.

•    Social Media: Louisiana's SOCIAL Act and related legislation impose age verification requirements, parental consent mandates, and restrictions on targeted advertising to minors. La. Rev. Stat. 51:1751, et seq.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Louisiana does not have general requirements for appointing Data Protection Officers (DPOs). However, certain sector-specific requirements exist:

•    Insurance: Under La. Rev. Stat. 22:2504, licensees must designate one or more employees, affiliates, or outside vendors to be responsible for the information security program.

•    State Government: Louisiana's Information Security Policy requires designation of data owners, data custodians, and data handlers with specific responsibilities for data classification and protection. See https://www.doa.la.gov/media/wvmhsr1r/informationsecuritypolicy-v-1-0-3.pdf

•    Education: School systems must designate records officers and coordinators for managing student data privacy and sharing agreements. La. Rev. Stat. 17:3913.

19. What are the record-keeping and documentation obligations?

Louisiana has comprehensive record-keeping requirements across various sectors:

•    General Requirements: State and local government agencies must adhere to recordkeeping standards established by the Secretary of State, including designating records officers, developing retention schedules (renewed every five years), and following specific disposal procedures. See https://www.sos.la.gov/historicalresources/managingrecords/getforms/Pages/default.aspx

•    Breach Documentation: Entities must retain written determinations that no notification is required following a breach for 5 years from the discovery date, along with supporting documentation. La. Rev. Stat. 51:3074(I).

•    Insurance: Insurance licensees must maintain documentation of their information security programs, risk assessments, and incident response activities. La. Rev. Stat. 22:2504.

•    Healthcare: Healthcare providers must maintain detailed administrative, personnel, and patient records with specific confidentiality and security requirements. La. Admin. Code, tit. 48, § I-6869.

•    Student Records: Educational institutions must maintain comprehensive documentation of data sharing agreements, parental consents, and privacy compliance measures. La. Rev. Stat. 17:3914.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

Louisiana does not currently have general DPIA requirements.

21. What are the requirements for third-party vendor management and data sharing?

Louisiana has specific requirements for third-party vendor management:

•    Education: New data sharing restrictions require Local Education Agencies (LEAs) to have contracts or data sharing agreements with private vendors that deliver services under state contracts. These agreements must include security audit and data breach language. La. Rev. Stat. 17:3913.

•    Healthcare: Third-party Electronic Visit Verification (EVV) vendors must establish successful data bridges to state systems, with prohibition on sending PHI to servers outside the United States. La. Admin. Code, tit. 50, § XXI-1141.

•    State Government: State agencies must follow specific vendor management procedures, including proper credentialing and service agreements. https://doa.louisiana.gov/doa/osrap/vendor-information/

•    Insurance: Insurance licensees must require third-party service providers to implement measures to protect data held by the provider. LDI Bull. 2021-04; La. Rev. Stat. 22:2504.

•    General: Vendors conducting business in Louisiana must notify data owners without delay after discovery of a breach, with the data owner responsible for regulatory reporting and consumer notification. La. Rev. Stat. 22:2501, et seq.; 51:3071, et seq.

22. What are the penalties and enforcement mechanisms for non-compliance?

Louisiana employs various penalty structures:

•    Database Security Breach Notification Law (La. Rev. Stat. 51:3071, et seq.):

o    Up to $5,000 per day for failure to provide timely notice to Attorney General
o    Private right of action for actual damages
o    Violations constitute unfair trade practices

•    Social Media Laws (SOCIAL Act, La. Rev. Stat. 51:1741, et seq.):

o    Up to $10,000 per violation for social media platforms 
o    Up to $5,000 per person for administrative or court order violations
o    Additional civil penalties up to $10,000 for knowing violations of age verification requirements.

•    Insurance Data Security (La. Rev. Stat. 22:2504):

o    Enforcement through Louisiana Department of Insurance
o    Potential license sanctions for non-compliance

•    Student Privacy (La. Rev. Stat. 17:3914):

o    Criminal and financial penalties for knowing violations of student privacy laws

23. What are the ongoing compliance and audit requirements?

Louisiana has various ongoing compliance requirements:

•    Records Management: State agencies must renew records retention schedules every five years and conduct regular inventories. See https://www.sos.la.gov/historicalresources/managingrecords/getforms/Pages/default.aspx

•    Insurance: Annual certification requirements for information security programs, with forms due February 15 each year. La. Rev. Stat. 22:2504.

•    Student Data: Ongoing monitoring of data sharing agreements and vendor compliance, La. Rev. Stat. 17:3914.

•    Breach Response: Continuous obligation to investigate and report breaches, with 5-year retention of no-harm determinations. La. Rev. Stat. 51:3074(I).

24. Are there any recent developments or expected reforms?

Recent Enacted Legislation:

•    La. Rev. Stat. 51:1751, et seq., SOCIAL Act (eff. July 1, 2024, stayed): The Secure Online Child Interaction and Age Limitation Act requires social media platforms to verify user ages and obtain parental consent for minors under 16. Originally effective July 1, 2024, but enforcement stayed due to ongoing litigation.

•    La. Rev. Stat. 51:1761, et seq., HB 577 (eff. July 1, 2025): Extended Louisiana's children's data protection law, prohibiting social media platforms from displaying targeted advertising to users under 18 and selling their sensitive personal data. Effective July 1, 2025.

•    La. Rev. Stat. 51:1771, et seq., HB 570 (eff. July 1, 2026): Louisiana passed comprehensive app store legislation requiring age verification and parental consent for minors, following similar laws in Utah and Texas. Set to take effect July 1, 2026.

Louisiana Consumer Privacy Act: Multiple attempts have been made to enact comprehensive privacy legislation:

HB 987 (2022): Passed committee but did not come to a full legislative vote;
SB 199 (2023): Comprehensive privacy act similar to Virginia model (failed to advance);
HB 947 (2024): Most recent attempt, referred to House Commerce Committee but did not advance.
