Global Data Privacy Guide: USA, Louisiana (United States)
Firm: Jones Walker LLP
Contributors: Andrew Lee
What is the key legislation? | Louisiana recognizes the right to privacy in its state constitution. La. Const., Art. 1, Sec. 5; see also La. Rev. Stat. 17:3914(A) (“The legislature hereby declares that all personally identifiable information is protected as a right to privacy under the Constitution of Louisiana and the Constitution of the United States.”). Louisiana also recognizes a duty to secure personal information under La. Rev. Stat. 51:3071, et seq., the Database Security Breach Notification Act (the “Act”). When a breach results in personal information being acquired and accessed without authorization, the Act generally requires notice to affected individuals and the Office of the Attorney General. The definition of “personal information” under La. R.S. 51:3073(4)(a) is limited to Louisiana residents. However, notification is not required if the information was encrypted or redacted or there is no reasonable likelihood of harm to the affected individuals. According to regulations promulgated by the Louisiana Attorney General, failure to give timely notice to the Louisiana Attorney General may result in fines of up to $5,000 per day. La. Admin. Code 16:III § 701. Unlike other breach notification laws in states in the Gulf South, Louisiana’s law creates a private right of action for violations of the Act, including the right to recover “actual damages” for failure to give timely notice or other violations of the Act. La. Rev. Stat. 51:3074(J), 3075. Industry-specific legislation includes:
|
What data is protected? | La. Rev. Stat. 51:3073, part of the Data Security Breach Notification Act, defines protected data to be the “personal information” of a Louisiana resident. Note: Under the Act, the definition of “personal information” is limited to certain information for individual residents of Louisiana that is not encrypted or redacted. La. R.S. 51:3073(4)(a). It includes the resident’s last name and first name or first initial in combination with one or more of the following data elements:
However, the definition of “personal information” excludes “publicly available information that is lawfully made available to the general public from federal, state, or local government records.” La. R.S. 51:3073(4)(b). |
Who is subject to privacy obligations? | Any person, entity, or agency that is in possession of a Louisiana resident’s “personal information” is subject to the breach notification provisions of La. Rev. Stat. 51:3071, et seq. Note: Pursuant to La. Rev. Stat. 51:3074, Louisiana’s breach notification obligations apply to all persons and legal entities that own or license computerized data that includes Louisiana residents’ personal information. La. Rev. Stat. 51:3074(C). In cases where the breach involves computerized data that the person or agency does not own, then the person or agency must notify the owner. La. Rev. Stat. 51:3074(D). |
What are the principles applicable to personal data processing? | While Louisiana does not have a general law regulating the collection and processing of personal data, it has several targeted laws limiting the collection and use of specific types of personal data. Such laws include:
for insureds receiving a viatical settlement on their life insurance policies, La. Rev. Stat. 22:1795 limits the use and disclosure of the insured’s identity and financial and medical information. |
How is the processing of personal data regulated? | Use and disclosure of personal data are regulated on a case-by-case basis. Note: There is no statutory or regulatory scheme that expressly governs the use and disclosure of personal data. If the breach notification statute, La. Rev. Stat. 51:3071, et seq., is triggered, persons and agencies subject to that act are regulated by the Office of the Attorney General. |
How are storage, security and retention of personal data regulated? | Under La. Rev. Stat. 51:3074(A), persons subject to the statute must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” When disposing of records containing personal information, holders of data must destroy the records “by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” La. Rev. Stat. 51:3074(B). Note: No regulations or guidance are currently available for interpreting these obligations. Failure to comply with these or other requirements of the law may constitute an unfair trade practice, La. R.S. 51:3074(J), regulated by the Louisiana Unfair and Deceptive Trade Practices Act. See La. Rev. Stat. 51:1405(A). Moreover:
|
What are the data subjects' rights? | Louisiana does not provide general rights to access or correction of privately held personal data. Note: Louisiana generally lacks “right of access” provisions, but it has specific acts applicable to certain school and employment records and hospital patient records. Louisiana’s Student Data Privacy Act, La. Rev. Stat. 17:3913, grants rights of access to students and their parents or guardians. While there is no law giving employees a general right to access their personnel files, Louisiana’s School Employee Personnel Files Act, La. Rev. Stat. 17:1237, allows school employees to access their personnel files. And under La. Rev. Stat. 49:1011, an employee who is confirmed positive for a drug test may request related records, including “records relating to his drug tests and any records relating to the results of any relevant certification, review, or suspension/revocation-of-certification proceedings.” Louisiana’s hospital and health records statute, La. Rev. Stat. 40:2144, provides patients with statutory rights of access to medical records. |
Are there restrictions on cross-border data transfers? | No, there are no restrictions on cross-border data transfers. |
Are there any notification requirements for data breaches? | Yes, Louisiana has enacted a breach notification act, under which Louisiana residents have the right to receive notice of breaches involving their personal information. La. R.S. 51:3074(C). The law does not specify the contents of the notice to residents, but in general notice must be made “in the most expedient time possible and without unreasonable delay but not later than 60 days from the discovery of the breach.” La. R.S. 51:3074(E). In administrative guidance, the Louisiana Attorney General has stated that notice to that office is “timely if received within 10 days of distribution of notice to Louisiana citizens.” La. Admin. Code tit.16 § III.701. Note: Under the breach notification law, there is a “breach of the security of the system” when the “security, confidentiality, or integrity of computerized data” is compromised resulting in, or “a reasonable likelihood to result in,” the “unauthorized acquisition of and access to personal information.” La. R.S. 51:3703(2). In other words, it must be reasonably likely that the personal information was both acquired and accessed without authorization. Pursuant to La. Rev. Stat. 51:3704(A), in the event of the discovery of a data breach, a person or entity (data holder) must notify Louisiana residents “whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” La. R.S. 51:3074(C). If a breach occurs to a person who does not own the data, then it must give notice of the breach to the owner or licensee of the data, who in turn must notify the affected Louisiana residents. La. R.S. 51:3074(D). Notification may be delayed if a law enforcement agency determines that delay is appropriate in order to assist in any investigation. La. R.S. 51:3074(E, F). 
Significantly, notification is not required if “after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm” to Louisiana residents. La. R.S. 51:3074(I). |
Who is the privacy regulator? | The Office of the Attorney General has rulemaking authority under the Louisiana Database Security Breach Notification Law, La. Rev. Stat. 51:3077. |
What are the consequences of a privacy breach? | A person who suffered damages as a result of violations of Louisiana’s breach notification law and who was not timely notified may bring a civil action against the violator. The law permits civil actions “to recover actual damages resulting from the failure to disclose in a timely manner” that there was “a breach of the security system resulting in the disclosure of a person’s personal information.” La. Rev. Stat. 51:3075. Louisiana’s Unfair Trade Practices and Consumer Protection Act, La. R.S. 51:1409, also permits plaintiffs to recover “actual damages” for any “unfair or deceptive method, act, or practice declared unlawful by” the law. In a change that expands the grounds for private actions plaintiffs may bring for violations of Louisiana’s breach notification law, the amendments state that a violation of the law “shall constitute an unfair act or practice pursuant to” Louisiana’s Unfair Trade Practices and Consumer Protection Law. La. Rev. Stat. 51:3074(J) and 51:1405(A). Louisiana courts also recognize privacy torts. “A tort of invasion of privacy can occur in four ways: (1) by appropriating an individual's name or likeness; (2) by unreasonably intruding on physical solitude or seclusion; (3) by giving publicity which unreasonably places a person in a false light before the public; and (4) by unreasonable public disclosure of embarrassing private facts.” Tate v. Woman's Hosp. Found., 2010-0425 (La. 01/19/11), 56 So. 3d 194, 197 (citing Jaubert v. Crowley Post-Signal, Inc., 375 So.2d 1386 (La. 1979)). On the other hand, “when a person consents to the release of information, there is no invasion of privacy.” Id. at 198. |
How is electronic marketing regulated? | Louisiana regulates unsolicited electronic mail sent to or from Louisiana electronic mail addresses. La. Rev. Stat. 51:2001, et seq. In Louisiana, it is a crime to send unsolicited bulk electronic mail (defined as an electronic message sent to more than 1,000 recipients that is “developed and distributed in an effort to sell or lease consumer goods or services”) unless authorized by the electronic mail service provider. La. Rev. Stat. 14:73.1(15) and 14:73.6. Further, electronic mail fraud is generally prohibited, La. Rev. Stat. 51:2003, with special protections for recipients of fraudulent electronic mail, text messages, or phone calls who are elderly or have special disabilities. La. Rev. Stat. 51:1409.1. Note: Under La. Rev. Stat. 51:2002, senders of unsolicited electronic mail must do each of the following: (1) Maintain a functioning return electronic mail address to which a recipient may send a reply indicating the recipient’s desire not to receive further commercial electronic mail advertisements from the sender at the electronic mail address at which the message was received. (2) Maintain a functioning website at which a recipient may request his removal from the sender’s mailing list. (3) Clearly and conspicuously disclose in the commercial electronic mail advertisement all of the following: (a) The recipient’s right to decline to receive further unsolicited commercial electronic mail advertisements at the electronic mail address at which the message was received. (b) The recipient’s ability to decline to receive further unsolicited commercial electronic mail advertisements by sending a message to the sender’s functioning return electronic mail address. (c) The sender’s functioning return electronic mail address. (4) Include in the subject line of the commercial electronic mail advertisement (“ADV:”) as the first four characters. 
(5) If the commercial electronic mail advertisement contains obscene material, include in the subject line of the commercial electronic mail advertisement (“ADV:ADLT”) as the first eight characters. |
Are there any recent developments or expected reforms? | The Louisiana Consumer Privacy Act was introduced as HB987 during the 2022 Regular Session of the Louisiana Legislature. While the bill passed out of committee, it did not come up for a vote in the House. |
Industry-specific legislation includes:
- Insurance: La. Rev. Stat. 22:2501, et seq.
- Student Information: La. Rev. Stat. 17:3914
- Health Information and Records: La. Rev. Stat. 40:2144
- Financial Records of Banks: La. Rev. Stat. 6:333
La. Rev. Stat. 51:3073, part of the Data Security Breach Notification Act, defines protected data to be the “personal information” of a Louisiana resident.
Note: Under the Act, the definition of “personal information” is limited to certain information for individual residents of Louisiana that is not encrypted or redacted. La. R.S. 51:3073(4)(a). It includes the resident’s last name and first name or first initial in combination with one or more of the following data elements:
- Social security number;
- Driver's license number or state identification card number;
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- Passport number; and
- Biometric data, including fingerprints and other unique biological characteristics used to authenticate an individual’s identity to access a system or account.
While Louisiana does not have a general law regulating the collection and processing of personal data, it has several targeted laws limiting the collection and use of specific types of personal data. Such laws include:
- for students, La. Rev. Stat. 17:3914 limits the collection, use, and disclosure of student information;
- for employees, the “Personal Online Account Privacy Protection Act,” La. Rev. Stat. 51:1951, et seq., prohibits employers from penalizing an individual for failing to disclose certain login credentials and La. Rev. Stat. 23:368(B) limits the collection, use and disclosure of employees’ genetic information;
- for persons involved in traffic accidents, La. Rev. Stat. 32:397.1 prohibits the use of public record accident reports for commercial solicitation of services to such persons who have stated that they do not wish to be solicited;
- for financial records, La. Rev. Stat. 6:333(B) generally prohibits banks from disclosing them to non-customers (with limited exceptions);
- for insurers, La. Rev. Stat. 22:2501, et seq. governs the collection, use, and security of consumers’ nonpublic information;
- for insurance customers, La. Rev. Stat. 22:1604(B) requires prior written consent from consumers to allow their nonpublic customer information to be used for the purpose of selling or soliciting the purchase of insurance; and
- for insureds receiving a viatical settlement on their life insurance policies, La. Rev. Stat. 22:1795 limits the use and disclosure of the insured’s identity and financial and medical information.
Under La. Rev. Stat. 51:3074(A), persons subject to the statute must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” When disposing of records containing personal information, holders of data must destroy the records “by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” La. Rev. Stat. 51:3074(B).
Note: No regulations or guidance are currently available for interpreting these obligations. Failure to comply with these or other requirements of the law may constitute an unfair trade practice, La. R.S. 51:3074(J), regulated by the Louisiana Unfair and Deceptive Trade Practices Act. See La. Rev. Stat. 51:1405(A). Moreover:
- The breach notification act, La. Rev. Stat. 51:3074, prescribes actions that persons and agencies must take in the event of a data security breach. The law also includes a 5-year retention requirement for investigations that conclude that notice following a breach is unnecessary because there was no likelihood of harm. La. Rev. Stat. 51:3074(I).
- Insurers must develop, implement, and maintain an information security program in compliance with Louisiana’s Insurance Data Security Law. La. Rev. Stat. 22:2504.
- Louisiana has enacted legislation of limited applicability to students, outlining requirements for the security and storage of student information, La. Rev. Stat. 17:3913 and 3996(B)(27).
- The Hospital Records and Retention Act, La. Rev. Stat. 40:2144, regulates the period of retention of personal health records.