DIGEST

The digest printed below was prepared by House Legislative Services. It constitutes no part of the legislative instrument. The keyword, one-liner, abstract, and digest do not constitute part of the law or proof or indicia of legislative intent. [R.S. 1:13(B) and 24:177(E)]

HB 987 Original
2022 Regular Session
Deshotel

Abstract: Establishes consumer rights relative to data processing.

Proposed law shall be known and may be cited as "The Louisiana Consumer Privacy Act".

Proposed law defines "account", "affiliates", "aggregated data", "air carrier", "authenticate", "biometric data", "business associate", "child", "consent", "consumer", "control", "controller", "covered entity", "deidentified data", "director", "division", "governmental entity", "health care facility", "health care provider", "identifiable individual", "institution of higher education", "local political subdivision", "nonprofit corporation", "personal data", "process", "processor", "protected health information", "pseudonymous data", "publicly available information", "right", "sale", "sensitive data", "specific geolocation data", "targeted advertising", "third party", and "trade secret".

Proposed law applies to a controller or a processor who conducts business in this state or targets a product or service to residents of this state, has annual revenue of at least $25,000,000, and satisfies either of the following:
(1) During a calendar year, controls or processes the personal data of at least 100,000 consumers.
(2) Derives over 50% of his gross revenue from selling personal data and controls or processes the personal data of at least 25,000 consumers.

Proposed law does not apply to any of the following:
(1) A governmental agency or a third party who has a contract with that governmental entity and is acting on the entity's behalf.
(2) A tribe.
(3) An institution of higher education.
(4) A nonprofit corporation.
(5) A covered entity.
(6) A business associate.
(7) Certain protected health information.
(8) Certain identifying information.
(9) Certain information collected, processed, sold, or regulated pursuant to federal law.
(10) Information that has become intermingled with and indistinguishable from certain exempted information.
(11) Activity by a consumer reporting agency, a furnisher of information, or a user of a consumer report, if the activity is subject to the federal fair credit reporting act and involves the collection, maintenance, disclosure, sale, communication, or use of any personal data that bears on certain enumerated factors.
(12) A financial institution governed by federal law.
(13) Data that is processed or maintained relative to employment, emergency contact information, or administration of benefits.
(14) Personal or household processing.
(15) An air carrier.

Proposed law cites federal law as the operating standard for compliance with any obligation to obtain parental consent.

Proposed law preempts any conflicting local regulation.

Proposed law provides that a consumer has the right to do all of the following:
(1) Confirm whether a controller is processing his data.
(2) Access his personal data.
(3) Obtain a copy of his personal data.
(4) Delete the data provided to him by the controller.
(5) Opt out of the processing of data for the purposes of targeted advertising or the sale of personal data.

A consumer or legal representative of the consumer may exercise the rights provided in proposed law by submitting a request to the controller, in a means prescribed by the controller.

Proposed law requires a controller to comply with a consumer's request to exercise a right provided for in proposed law and further requires the controller to take action and notify the consumer of such action within 45 days of receipt of the request. Proposed law allows the controller to extend the response time by an additional 45 days if reasonably necessary.
The controller is required to notify the consumer if the time period for action is extended and provide a reason for the extension.

Proposed law does not require a controller to comply with the 45-day limit if he reasonably suspects fraud and cannot authenticate the request prior to lapse of the 45 days.

If a controller chooses not to take action on a request, proposed law requires the controller to notify the consumer of the reason for not taking action within 45 days of receiving the request.

Proposed law prohibits the controller from charging a fee for information in response to a request, unless any of the following is true:
(1) The request is the consumer's second or subsequent request during the same 12-month period.
(2) The request is excessive, repetitive, technically infeasible, or manifestly unfounded.
(3) The controller believes that the consumer's primary purpose in making the request was not to exercise a right provided in proposed law.
(4) The request harasses, disrupts, or places an undue burden on the controller's business.

A controller who charges a fee based on the exceptions in proposed law bears the burden of proving that the necessary criteria are met.

Proposed law allows a controller to request additional information from a consumer if reasonably necessary to respond to the request.

Proposed law requires a processor to adhere to the controller's instructions and assist the controller in meeting his obligations, to the extent practicable.

Prior to performing on behalf of a controller, proposed law requires the processor and controller to enter into a contract. Proposed law requires that the contract contain clear instructions, a duty of confidentiality, and certain provisions relative to subcontractors.

Proposed law provides for the determination of a person as a controller or processor.

Proposed law requires a controller to provide consumers with a clear and accessible privacy notice containing all of the following:
(1) The categories of data processed by the controller.
(2) The purposes for which the data is being processed.
(3) How consumers can exercise a right provided in proposed law.
(4) The categories of data the controller shares with third parties.
(5) The categories of third parties the controller shares data with.

Proposed law requires a controller to disclose to the consumer the manner in which he may opt out of processing for targeted advertising or sale of his data.

Proposed law requires a controller to create and maintain reasonable and appropriate data security practices that protect the confidentiality and integrity of personal data and reduce harm to consumers.

Proposed law prohibits a controller from processing sensitive data without first notifying the consumer of his right to opt out. Proposed law defers to federal law if the personal data belongs to a child.

Proposed law prohibits a controller from discriminating against a consumer for exercising a right provided in proposed law.

Proposed law does not require a controller to provide a product, service, or functionality to a consumer in certain circumstances.

Proposed law cannot be waived or limited through a contractual provision.

Proposed law does not require a controller or processor to do any of the following, as long as the controller does not engage in certain prohibited activity:
(1) Reidentify certain data.
(2) Maintain data in an identifiable form.
(3) Comply with a request that is not reasonably associated with the personal data or it would be unreasonably burdensome to do so.

The rights provided in proposed law are not applicable to pseudonymous data in certain circumstances.

Proposed law requires a controller who uses pseudonymous or deidentified data to take reasonable steps to ensure that he complies with all contractual obligations relative to that data and to promptly address any breach of the contract.

Proposed law does not restrict a controller or processor from doing any of the following:
(1) Complying with any law or legal order.
(2) Cooperating with law enforcement.
(3) Participating in a legal claim.
(4) Providing a requested service or product.
(5) Performing a contract.
(6) Protecting an interest essential for life or physical safety.
(7) Taking necessary steps in response to certain incidents.
(8) Taking actions relative to the integrity or security of systems.
(9) Engaging in certain research.
(10) Assisting another person in exercising a right provided in proposed law.
(11) Processing personal data for certain purposes.
(12) Retaining a consumer's email address to comply with his request.

Proposed law does not apply if compliance by the controller or processor would result in a violation of an evidentiary rule or privilege or would adversely affect the privacy rights of another.

A controller or processor is not in violation of proposed law if he provides data to a third party in accordance with proposed law and the third party then processes the data in violation of proposed law, if he had no knowledge of the intent to commit a violation.

If a controller or processor processes data pursuant to an exception in proposed law, he bears the burden of proving that the necessary criteria are met.

Proposed law does not allow any person to disclose a trade secret.

A violation of proposed law does not provide a basis for a private cause of action.

Proposed law requires that a system to receive consumer complaints be established and administered by the Consumer Protection Division within the Dept. of Justice (division).
Proposed law allows the division to investigate complaints and refer the matter to the attorney general if a violation is substantiated.

The attorney general has the exclusive authority to enforce proposed law.

Proposed law requires the attorney general to provide notice and explanation to a controller or processor at least 30 days prior to initiating an enforcement action. If the controller or processor cures the noticed violation within 30 days of receipt of notice and provides attestation to the attorney general, proposed law prohibits the attorney general from initiating the action.

Proposed law allows the attorney general to initiate an action if the controller continues to violate proposed law after remedying the problem and providing notice.

The attorney general may recover actual damages to the consumer and up to $7,500 per violation of proposed law.

If a controller and processor are involved in the same violation of proposed law, comparative fault is used to allocate liability.

Proposed law creates the Consumer Privacy Account (account) where all monies received from an action arising out of proposed law are to be deposited. The money in the account may be used for investigative and administrative costs, recovery of costs and attorney's fees, and consumer and business education programs. If the balance in the account exceeds $4,000,000 at the close of any fiscal year, all funds in excess of $4,000,000 are to be deposited into the general fund.

Proposed law requires the division and the attorney general to submit a report evaluating and summarizing various aspects of proposed law. The report is to be submitted to the House and Senate commerce committees before July 1, 2025.

Effective December 31, 2023.

(Adds R.S. 51:1381-1396)