HLS 20RS-320 ORIGINAL
2020 Regular Session
HOUSE BILL NO. 617
BY REPRESENTATIVE THOMPSON
PRIVACY/COMPUTERS: Provides relative to the protection of personally identifiable
information
1 AN ACT
2To enact R.S. 44:42 and Chapter 8-N of Title 45 of the Louisiana Revised Statutes of 1950,
3 to be comprised of R.S. 45:844.91, relative to the protection of personally
4 identifiable information; to provide for personal information contained in public
5 records; to provide for definitions; to provide for a request mechanism; to provide
6 for prohibitions; to provide for response periods; to provide for extensions; to
7 provide for notification; to provide for exceptions; to provide for remedies; to
8 provide for rule promulgation; to provide for enforcement; to provide for penalties;
9 and to provide for related matters.
10Be it enacted by the Legislature of Louisiana:
11 Section 1. R.S. 44:42 is hereby enacted to read as follows:
12 §42. Prohibited use of personally identifiable information included in public
13 records; consent
14 A. No person shall use any public record that includes the personally
15 identifiable information of a resident of this state, including the name, address, birth
16 date, or any portion thereof, to market or solicit the sale of products or services to the
17 resident without his consent.
18 B. Marketing and soliciting is prohibited, unless the person has affirmatively
19 consented by electronic or paper notification to share the personally identifiable
Page 1 of 8
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 20RS-320 ORIGINAL
HB NO. 617
1 information with a third party before the personally identifiable information is used
2 for these purposes.
3 Section 2. R.S. Chapter 8-N of Title 45 of the Louisiana Revised Statutes of 1950,
4comprised of R.S. 45:844.91, is hereby enacted to read as follows:
5 CHAPTER 8-N. PROTECTION OF CONSUMER INFORMATION
6 §844.91. Notice regarding privacy of information collected on the internet from
7 consumers
8 A. As used in this Section:
9 (1) "Consumer" means a person who seeks or acquires, by purchase or lease,
10 any good, service, money, or credit for personal, family, or household purposes from
11 the website or online service of an operator.
12 (2) "Covered information" means any of the following items of personally
13 identifiable information about a consumer that is collected by an operator, through
14 a website or online service, and maintained by the operator in an accessible format:
15 (a) A first or last name.
16 (b) A home or other physical address which includes the name of a street and
17 the name of a city or town.
18 (c) An electronic mail address.
19 (d) A telephone number.
20 (e) A social security number.
21 (f) An identifier that allows a consumer to be contacted either physically or
22 online.
23 (g) Any other information concerning a consumer that is collected from the
24 consumer through the website or online service of the operator and maintained by
25 the operator in combination with an identifier in a form that makes the information
26 personally identifiable.
27 (3) "Designated request address" means an electronic mail address, a toll-
28 free telephone number, or a website established by an operator through which a
29 consumer may submit a verified request to an operator.
Page 2 of 8
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 20RS-320 ORIGINAL
HB NO. 617
1 (4)(a) "Operator" means a person who does all of the following:
2 (i) Owns or operates a website or online service for commercial purposes.
3 (ii) Collects and maintains covered information from consumers who reside
4 in this state and use or visit the website or online service.
5 (iii) Purposefully directs activities toward this state or purposefully executes
6 a transaction or engages in any activity with this state or a resident of this state.
7 (b) The term does not include:
8 (i) A third party that operates, hosts, or manages a website or online service
9 on behalf of its operator or processes information on behalf of its operator.
10 (ii) A financial institution, or its affiliate, that is subject to the Gramm-
11 Leach-Bliley Act, 15 U.S.C. 6801 et seq., and regulations adopted pursuant thereto.
12 (iii) An entity that is subject to the Health Insurance Portability and
13 Accountability Act of 1996, P.L. 104-191, and regulations adopted pursuant thereto.
14 (iv) A manufacturer of a motor vehicle or a person who repairs or services
15 a motor vehicle who collects, generates, records, or stores covered information that
16 is retrieved from a motor vehicle in connection with a technology or service related
17 to the motor vehicle or that is provided by a consumer in connection with a
18 subscription or registration for a technology or service related to the motor vehicle.
19 (5)(a) "Sale" means the exchange of covered information for monetary
20 consideration by the operator to a person for the person to license or sell the covered
21 information to additional persons.
22 (b) The term does not include:
23 (i) The disclosure of covered information by an operator to a person who
24 processes the covered information on behalf of the operator.
25 (ii) The disclosure of covered information by an operator to a person with
26 whom the consumer has a direct relationship for the purposes of providing a product
27 or service requested by the consumer.
28 (iii) The disclosure of covered information by an operator to a person for
29 purposes that are consistent with the reasonable expectations of a consumer
Page 3 of 8
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 20RS-320 ORIGINAL
HB NO. 617
1 considering the context in which the consumer provided the covered information to
2 the operator.
3 (iv) The disclosure of covered information to a person who is an affiliate of
4 the operator.
5 (v) The disclosure or transfer of covered information to a person as an asset
6 that is part of a merger, acquisition, bankruptcy, or other transaction in which the
7 person assumes control of all or part of the assets of the operator.
8 (6) "Verified request" means a request submitted by a consumer to an
9 operator for the purposes provided for in Subsection B of this Section, for which an
10 operator can reasonably verify the authenticity of the request.
11 B.(1) Each operator shall establish a designated request address through
12 which a consumer may submit a verified request.
13 (2) A consumer may, at any time, submit a verified request through a
14 designated request address to an operator directing the operator not to make any sale
15 of any covered information the operator has collected or will collect about the
16 consumer.
17 (3) An operator who has received a verified request submitted by a consumer
18 may not make any sale of any covered information the operator has collected or will
19 collect about the consumer.
20 (4) An operator shall respond to a verified request submitted by a consumer
21 within sixty days after the date the request is submitted. An operator may extend the
22 period by up to thirty days if the operator determines that an extension is reasonably
23 necessary. An operator who extends the period shall notify the consumer of the
24 extension.
25 C. An operator shall make available, in a manner reasonably accessible to
26 consumers whose covered information the operator collects through its website or
27 online service, a notice that:
28 (1) Identifies the categories of covered information that the operator collects
29 through its website or online service about consumers who use or visit the website
Page 4 of 8
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 20RS-320 ORIGINAL
HB NO. 617
1 or online service and the categories of third parties with whom the operator may
2 share the covered information.
3 (2) Provides a description of the process, if applicable, for a consumer who
4 uses or visits the website or online service to review and request changes to any of
5 his covered information that is collected through the website or online service.
6 (3) Describes the process by which the operator notifies consumers who use
7 or visit the website or online service of material changes to the notice.
8 (4) Discloses whether a third party may collect covered information about
9 a consumer's online activities over time and across different websites or online
10 services when the consumer uses the operator's website or online service.
11 (5) States the effective date of the notice.
12 D. This Section does not apply to an operator who meets all of the following
13 criteria:
14 (1) The operator is located in this state.
15 (2) The operator's revenue is derived primarily from a source other than the
16 sale or lease of goods, services, or credit on websites or online services.
17 (3) The operator's website or online service has fewer than twenty-thousand
18 unique visitors per year.
19 E.(1) An operator may remedy any failure to comply with this Section within
20 thirty days after being informed of the failure.
21 (2) An operator violates this Section if the operator:
22 (a) Knowingly and willfully fails to remedy a failure to comply within thirty
23 days after being informed of the failure.
24 (b) Makes available a notice which constitutes a knowing and material
25 misrepresentation or omission that is likely to mislead a consumer acting reasonably
26 under the circumstances to the detriment of the consumer.
27 F.(1) The office of consumer protection, within the Department of Justice,
28 shall adopt rules to enforce this Section. If there is reason to believe that an operator,
Page 5 of 8
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 20RS-320 ORIGINAL
HB NO. 617
1 directly or indirectly, has violated or is violating this Section, the office of consumer
2 protection may institute an appropriate legal proceeding against the operator.
3 (2) The district court, upon a showing that the operator, directly or indirectly,
4 has violated or is violating this Section, may:
5 (a) Issue a temporary or permanent injunction,
6 (b) Impose a civil penalty not to exceed five thousand dollars for each
7 violation.
8 G. This Section does not establish a private right of action against an
9 operator. This Section is not exclusive and is in addition to any other remedies
10 provided by law.
DIGEST
The digest printed below was prepared by House Legislative Services. It constitutes no part
of the legislative instrument. The keyword, one-liner, abstract, and digest do not constitute
part of the law or proof or indicia of legislative intent. [R.S. 1:13(B) and 24:177(E)]
HB 617 Original 2020 Regular Session Thompson
Abstract: Requires certain operators of websites to establish and maintain a mechanism by
which a consumer may direct the operator not to sell any personally identifiable
information the operator has collected about the consumer through the website; the
operator, after receiving the request, cannot sell the consumer's information and must
notify the consumer.
Proposed law prohibits a person from using any public record, that contains personally
identifiable information of a resident of the state, to market or solicit the sale of products or
services to the resident without his consent.
Proposed law requires affirmative consent to be given by the resident, by electronic or paper
notification, to share the information with a third party before the information is used.
Proposed law defines "consumer", "covered information", "designated request address",
"operator", "sale", and "verified request".
Proposed law requires each operator to establish a designated request address through which
a consumer may submit a verified request.
Proposed law allows a consumer to submit a verified request directing the operator not to
make any sale of any covered information about the consumer.
Proposed law prohibits an operator, who has received a verified request submitted by a
consumer, from making any sale of any covered information the operator has collected or
will collect about the consumer.
Proposed law requires an operator to respond to a verified request submitted by a consumer
within 60 days of the request being submitted.
Page 6 of 8
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 20RS-320 ORIGINAL
HB NO. 617
Proposed law allows an operator to extend the 60 day period provided for in proposed law
by up to 30 days, if the operator determines that an extension is reasonably necessary.
Proposed law requires an operator who utilizes the extension provided for in proposed law
to notify the consumer of the extension.
Proposed law requires an operator to make available to consumers, whose covered
information is collected through the operator's website, a notice providing the following:
(1)Identification of the categories of covered information that the operator collects
through its website or online service about consumers who visit or use the website
or online service, and the categories of third parties who the operator may share the
information with.
(2)A description of the process, if applicable, for a consumer who visits the website or
online service to review and request changes to any of his or her covered information
that is collected through the website or online service.
(3)A description of the process by which the operator notifies consumers who use or
visit the website or online service of material changes to the notice.
(4)A disclosure of whether or not a third party may collect covered information about
a consumer's online activities over time and across different websites or online
services when the consumer uses the operator's website or online services.
(5)The effective date of the notice.
Proposed law does not apply to an operator who meets all of the following criteria:
(1)The operator is located in this state.
(2)The operator's revenue is derived primarily from a source other than the sale or lease
of goods, services, or credit on websites or online services.
(3)The operator's website or online service has fewer than 20,000 unique visitors per
year.
Proposed law allows an operator to remedy any failure to comply with proposed law within
30 days after being informed of the failure.
An operator violates proposed law if the operator does any of the following:
(1)Knowingly and willfully fails to remedy a failure to comply within 30 days after
being informed of the failure.
(2)Makes available a notice, which constitutes a knowing and material
misrepresentation or omission, that is likely to mislead a consumer, acting
reasonably under the circumstances, to the detriment of the consumer.
Proposed law requires office of consumer protection, within the Department of Justice, to
adopt rules to enforce proposed law.
Proposed law allows the office of consumer protection, to institute an appropriate legal
proceeding, if it is reasonably believed that an operator has, directly or indirectly, violated
proposed law.
Proposed law allows the district court, upon a showing that an operator has directly or
indirectly violated this proposed law to do either of the following:
Page 7 of 8
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 20RS-320 ORIGINAL
HB NO. 617
(1)Issue a temporary or permanent injunction.
(2)Impose a civil penalty not to exceed $5,000 for each violation.
Proposed law does not establish a private right of action against an operator.
Proposed law is not exclusive and is in addition to any other remedies in present law.
(Adds R.S. 44:42 and R.S. 45:844.91)
Page 8 of 8
CODING: Words in struck through type are deletions from existing law; words underscored
are additions.