Louisiana 2022 Regular Session

Louisiana House Bill HB987 Comm Sub / Analysis

                    DIGEST
The digest printed below was prepared by House Legislative Services.  It constitutes no part of the
legislative instrument.  The keyword, one-liner, abstract, and digest do not constitute part of the law
or proof or indicia of legislative intent.  [R.S. 1:13(B) and 24:177(E)]
HB 987 Reengrossed 2022 Regular Session	Deshotel
Abstract: Establishes consumer rights relative to personal data processing.
Applicability
Proposed law provides that a controller is a person doing business in this state who determines the
purposes for and the means by which personal data is processed, regardless of whether the person
makes the determination alone or with others.
Proposed law provides that a processor is a person who processes personal data on behalf of a
controller.
Proposed law applies to a controller or a processor who conducts business in this state or targets a
product or service to residents of this state, has annual revenue of at least $25,000,000, and satisfies
either of the following:
(1)During a calendar year, controls or processes the personal data of at least 100,000 consumers.
(2)Derives over 50% of his gross revenue from selling personal data and controls or processes
the personal data of at least 25,000 consumers.
Proposed law does not apply to any of the following:
(1)A governmental agency or a third party who has a contract with that governmental entity and
acting on the entity's behalf.
(2)A tribe.
(3)An institution of higher education.
(4) A nonprofit corporation.
(5)A covered entity.
(6)A business associate.
(7)Certain protected health information.
(8)Certain identifying information.
(9)Certain information collected, processed, sold, or regulated pursuant to federal law.
(10)Information that has become intermingled with and indistinguishable from certain exempted
information.
(11)Activity by a consumer reporting agency, a furnisher of information, or a user of a consumer
report, if the activity is subject to the federal Fair Credit Reporting Act and involves the
collection, maintenance, disclosure, sale, communication, or use of any personal data that
bears on certain enumerated factors.
(12)A financial institution governed by federal law.
(13)Data that is processed or maintained relative to employment, emergency contact information,
or administration of benefits.
(14)Personal or household processing.
(15)An air carrier.
Consumer Rights
Proposed law provides that a consumer is an individual who is a resident of this state acting in an
individual or household context.
Proposed law provides that a consumer has the right to do all of the following:
(1)Confirm whether a controller is processing his data.
(2)Access his personal data.
(3)Obtain a copy of his personal data.
(4)Correct inaccuracies in the personal data.
(5)Delete the personal data.
(6)Opt out of the processing of data for the purposes of targeted advertising or the sale of
personal data.
A consumer or legal representative of the consumer may exercise the rights provided in proposed
law by submitting a request to the controller, in a means prescribed by the controller.
Proposed law requires a controller to comply with a consumer's request to exercise a right provided
for in proposed law and further requires the controller to take action and notify the consumer of such
action within 45 days of receipt of the request.  Proposed law allows the controller to extend the
response time by an additional 45 days if reasonably necessary.  The controller is required to notify
the consumer if the time period for action is extended and provide a reason for the extension. 
Proposed law does not require a controller to comply with the 45-day limit if he reasonably suspects
fraud and cannot authenticate the request prior to lapse of the 45 days.  If a controller chooses not
to take action on a request, proposed law requires the controller to notify the consumer of the reason
for not taking action within 45 days of receiving the request.
Proposed law prohibits the controller from charging a fee for information in response to a request,
unless any of the following is true:
(1)The request is the consumer's second or subsequent request during the same 12-month
period.
(2)The request is excessive, repetitive, technically infeasible, or manifestly unfounded.
(3)The controller believes that the consumer's primary purpose in making the request was not
to exercise a right provided in proposed law.
(4)The request harasses, disrupts, or places an undue burden on the controller's business.
A controller who charges a fee based on the exceptions in proposed law bears the burden of proving
that the necessary criteria are met.  Proposed law allows a controller to request additional information
from a consumer if reasonably necessary to respond to the request.
Responsibilities of Processors and Controllers
Proposed law requires a processor to adhere to the controller's instructions and assist the controller
in meeting his obligations, to the extent practicable.
Prior to processing data on behalf of a controller, proposed law requires the processor and controller
to enter into a contract.  Proposed law requires that the contract contain clear instructions, a duty of
confidentiality, and certain provisions relative to subcontractors.
Proposed law requires a controller to provide consumers with a clear and accessible privacy notice
containing all of the following:
(1)The categories of data processed by the controller.
(2)The purposes for which the data is being processed.
(3)How consumers can exercise a right provided in proposed law.
(4)The categories of data the controller shares with third parties.
(5)The categories of third parties the controller shares data with.
Proposed law requires a controller to disclose to the consumer the manner in which he may opt out
of processing for targeted advertising or sale of his data.
Proposed law requires a controller to create and maintain reasonable and appropriate data security
practices that protect the confidentiality and integrity of personal data and reduce harm to consumers.
Proposed law prohibits a controller from processing sensitive data without first notifying the
consumer of his right to opt out.  Proposed law defers to federal law if the personal data belongs to
a child.
Proposed law prohibits a controller from discriminating against a consumer for exercising a right
provided in proposed law.  However, proposed law does not require a controller to provide a product, service, or
functionality to a consumer in certain circumstances.
Proposed law requires a controller of deidentified data to take reasonable measures to ensure that a
person cannot associate the data with an individual, publicly commit to maintain and use the data
only in its deidentified form, and contractually obligate any data recipient to comply with proposed
law.
Proposed law does not require a controller or processor to do any of the following, as long as the
controller does not engage in certain prohibited activity:
(1)Reidentify certain data.
(2)Maintain data in an identifiable form.
(3)Comply with a request that is not reasonably associated with the personal data or it would
be unreasonably burdensome to do so.
Proposed law requires a controller who uses deidentified data to take reasonable steps to ensure that
the processor complies with all contractual obligations relative to that data and to promptly address
any breach of the contract.
Limitations of Proposed Law
Proposed law provides that proposed law does not restrict a controller or processor from doing any
of the following:
(1)Complying with any law or legal order.
(2)Cooperating with law enforcement.
(3)Participating in a legal claim.
(4)Providing a requested service or product.
(5)Performing a contract.
(6)Protecting an interest essential for life or physical safety.
(7)Taking necessary steps in response to certain incidents.
(8)Taking actions relative to the integrity or security of systems.
(9)Engaging in certain research.
(10)Assisting another person in exercising a right provided in proposed law.
(11)Processing personal data for certain purposes.
(12)Retaining a consumer's email address to comply with his request.
Proposed law does not apply if compliance by the controller or processor would result in a violation
of an evidentiary rule or privilege or would adversely affect the privacy rights of any person.
Data Protection Assessment
Proposed law requires a controller to conduct and document a data protection assessment prior to
engaging in processing that presents a heightened risk of harm to a consumer.
Proposed law provides a list of processing activities that are considered to present a heightened risk
of harm to a consumer.
Proposed law provides that data protection assessments are confidential and exempt from the Public
Records Law.
Investigations and Enforcement
Proposed law requires the consumer protection section of the Dept. of Justice (section) to establish and
administer a system to receive consumer complaints.
Proposed law allows the section to investigate complaints and refer the matter to the attorney general
if a violation is substantiated.
The attorney general has the exclusive authority to enforce proposed law.
Proposed law requires the attorney general to provide notice and explanation to a controller or processor at least 30 days prior to initiating an enforcement action.
If the controller or processor cures the noticed violation within 30 days of receipt of notice and
provides attestation to the attorney general, proposed law prohibits the attorney general from
initiating the action.
The attorney general may recover actual damages to the consumer and up to $7,500 per violation of
proposed law.
Proposed law creates the Consumer Privacy Account (account) where all monies received from an
action arising out of proposed law are to be deposited.
The money in the account may be used for investigative and administrative costs, recovery of costs
and attorney's fees, and consumer and business education programs.
If the balance in the account exceeds $4,000,000 at the close of any fiscal year, all funds in excess
of $4,000,000 are to be deposited into the general fund.
Proposed law requires the section and the attorney general to submit a report evaluating and
summarizing various aspects of proposed law.  The report is to be submitted to the House and Senate
commerce committees before July 1, 2025.
Miscellaneous Provisions
Proposed law cites federal law as the operating standard for compliance with any obligation to obtain
parental consent.
Proposed law preempts any conflicting regulation adopted by a political subdivision.
Proposed law does not allow any person to disclose a trade secret.
A violation of proposed law does not provide a basis for a private cause of action.
Effective Dec. 31, 2023.
(Amends R.S. 44:4.1(B)(35); Adds R.S. 51:1381-1397)
Summary of Amendments Adopted by House
The Committee Amendments Proposed by House Committee on Commerce to the original bill:
1. Modify the definition of "biometric data", "consent", "deidentified data", "identifiable
individual", "personal data", "sensitive data", and "specific geolocation data".
2. Remove all references to "pseudonymous data".
3. Create a consumer right to change inaccuracies on a person's data.
4. Add a requirement that controllers conduct a data protection assessment prior to
engaging in processing activities that present a heightened risk of harm to a customer.
5. Provide for a public records exception.
6. Make technical changes.
The Committee Amendments Proposed by House Committee on House and Governmental
Affairs to the engrossed bill:
1. Make technical changes.