HLS 22RS-988 REENGROSSED
2022 Regular Session
HOUSE BILL NO. 987
BY REPRESENTATIVE DESHOTEL
PRIVACY: Provides relative to the protection of data
1 AN ACT
2To amend and reenact R.S. 44:4.1(B)(35) and to enact Chapter 12-B of Title 51 of the
3 Louisiana Revised Statutes of 1950, to be comprised of R.S. 51:1381 through 1397,
4 relative to data privacy; to provide definitions; to provide for applicability; to
5 provide for consumer rights; to require a response to a request; to provide for the
6 responsibilities of a processor and a controller; to provide for deidentified data; to
7 provide limitations; to provide for investigative powers; to provide for enforcement;
8 to provide for a civil fine; to provide for a data assessment; to provide for a public
9 records exception; to create an account; to require a report; and to provide for related
10 matters.
11Be it enacted by the Legislature of Louisiana:
12 Section 1. R.S. 44:4.1(B)(35) is hereby amended and reenacted to read as follows:
13 §4.1. Exceptions
14 * * *
15 B. The legislature further recognizes that there exist exceptions, exemptions,
16 and limitations to the laws pertaining to public records throughout the revised
17 statutes and codes of this state. Therefore, the following exceptions, exemptions, and
18 limitations are hereby continued in effect by incorporation into this Chapter by
19 citation:
20 * * *
Page 1 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (35) R.S. 51:710.2(B), 705, 706, 936, 1395, 1404, 1926, 1934, 2113, 2182,
2 2262, 2318, 2389
3 * * *
4 Section 2. Chapter 12-B of Title 51 of the Louisiana Revised Statutes of 1950,
5comprised of R.S. 51:1381 through 1397, is hereby enacted to read as follows:
6 CHAPTER 12-B. LOUISIANA CONSUMER PRIVACY ACT
7 §1381. Short title
8 This Chapter shall be known and may be cited as the "Louisiana Consumer
9 Privacy Act".
10 §1382. Definitions
11 As used in this Chapter, the following words have the following meanings:
12 (1) "Account" means the consumer privacy restricted account established in
13 R.S. 51:1396.
14 (2) "Affiliate" means an entity that satisfies either of the following criteria:
15 (a) Controls, is controlled by, or is under common control with another
16 entity.
17 (b) Shares common branding with another entity.
18 (3) "Aggregated data" means information that relates to a group or category
19 of consumers that satisfies all of the following criteria:
20 (a) All individual consumer identities have been removed from the
21 information.
22 (b) The information is not linked or reasonably linkable to any consumer.
23 (4) "Air carrier" means the same as that term is defined in 49 U.S.C. 40102.
24 (5) "Authenticate" means to use reasonable means to determine that a
25 consumer's request to exercise the rights described in R.S. 51:1385 is made by the
26 consumer who is entitled to exercise those rights.
27 (6)(a) "Biometric data" means data generated by automatic measurements of
28 an individual's unique physical, physiological, or biological characteristics that allow
29 or confirm the unique identity of a specific individual.
Page 2 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (b) "Biometric data" includes data described in Subparagraph (a) of this
2 Paragraph that is generated by automatic measurements of an individual's fingerprint,
3 voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic
4 that is used to identify a specific individual.
5 (c) "Biometric data" does not include any of the following:
6 (i) A physical or digital photograph.
7 (ii) A video or audio recording.
8 (iii) Information captured from a patient in a healthcare setting.
9 (iv) Information collected, used, or stored for treatment, payment, or
10 healthcare operations as those terms are defined in 45 CFR Parts 160, 162, and 164.
11 (7) "Business associate" means the same as that term is defined in 45 CFR
12 160.103.
13 (8) "Child" means an individual younger than thirteen years old.
14 (9)(a) "Consent" means a clear and affirmative act by a consumer that
15 unambiguously indicates the consumer's voluntary, specific, and informed agreement
16 to allow a person to process personal data related to the consumer.
17 (b) "Consent" does not include the following:
18 (i) Acceptance of general or broad terms of use or a similar document that
19 contains descriptions of personal data processing along with other unrelated
20 information.
21 (ii) Hovering over, muting, pausing, or closing a given piece of content.
22 (10)(a) "Consumer" means an individual who is a resident of this state acting
23 in an individual or household context.
24 (b) "Consumer" does not include an individual acting in an employment or
25 commercial context.
26 (11) "Control" or "controlled" as used in Paragraph (2) of this Section means
27 any of the following:
28 (a) Ownership of or the power to vote more than fifty percent of the
29 outstanding shares of any class of voting securities of an entity.
Page 3 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (b) Control in any manner over the election of a majority of the directors or
2 of the individuals exercising similar functions.
3 (c) The power to exercise controlling influence of the management of an
4 entity.
5 (12) "Controller" means a person doing business in this state who determines
6 the purposes for and the means by which personal data is processed, regardless of
7 whether the person makes the determination alone or with others.
8 (13) "Covered entity" means the same as that term is defined in 45 CFR
9 160.103.
10 (14) "Deidentified data" means data that cannot reasonably be used to infer
11 information about, or otherwise be linked to, an identified individual, device, or
12 household.
13 (15) "Director" means the director of the consumer protection section of the
14 Department of Justice.
15 (16) "Division" means the consumer protection section of the Department
16 of Justice.
17 (17) "Governmental entity" means any board, authority, commission,
18 department, office, division, or agency of this state or any of its political
19 subdivisions.
20 (18) "Healthcare facility" means an institution providing medical services
21 or a healthcare setting, including but not limited to a hospital or other licensed
22 inpatient center, an ambulatory surgical or treatment center, a skilled nursing center,
23 a residential treatment center, a rehabilitation center, and a diagnostic, laboratory, or
24 imaging center.
25 (19) "Healthcare provider" means any person licensed, certified, or
26 registered in this state to provide healthcare services, including but not limited to
27 physicians, hospitals, home health agencies, chiropractors, pharmacies, and dentists.
28 (20) "Identified individual" or "identifiable individual" means an individual
29 who can be readily identified, either directly or indirectly, in particular or by
Page 4 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 reference to an identifier such as a name, an identification number, specific
2 geolocation data, or an online identifier.
3 (21) "Institution of higher education" means a public or private institution
4 of higher education.
5 (22) "Political subdivision" means a parish, municipality, and any other unit
6 of local government, including but not limited to a school board or a special district,
7 authorized by law to perform governmental functions.
8 (23) "Nonprofit corporation" means any of the following:
9 (a) A corporation incorporated in accordance with the laws of this state and
10 subject to the provisions of the Nonprofit Corporation Law, R.S. 12:01 et seq.
11 (b) A corporation incorporated in accordance with the laws of another state
12 that would be considered a nonprofit corporation if it were incorporated in
13 accordance with the laws of this state.
14 (24)(a) "Personal data" means information that is linked or reasonably
15 linkable to an identified individual or an identifiable individual.
16 (b) "Personal data" does not include deidentified data.
17 (25) "Process" means an operation or set of operations performed on
18 personal data, including but not limited to collection, use, storage, disclosure,
19 analysis, deletion, or modification of personal data.
20 (26) "Processor" means a person who processes personal data on behalf of
21 a controller.
22 (27) "Protected health information" means the same as that term is defined
23 in 45 CFR 160.103.
24 (28) "Publicly available information" means information that satisfies any
25 of the following criteria:
26 (a) It is lawfully obtainable by a person from a record of a governmental
27 entity.
28 (b) It is obtainable by a person who reasonably believes a consumer or a
29 widely- distributed media source has lawfully made available to the general public.
Page 5 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (c) It is obtainable from a person to whom the consumer disclosed the
2 information, if the consumer has not restricted the information to a specific audience.
3 (29) "Right" means a consumer right described in R.S. 51:1385.
4 (30)(a) "Sale", "sell", or "sold" means the exchange of personal data for
5 monetary or other valuable consideration by a controller to a third party.
6 (b) "Sale", "sell", or "sold" does not include:
7 (i) A controller's disclosure of personal data to a processor who processes the
8 personal data on behalf of the controller.
9 (ii) A controller's disclosure of personal data to an affiliate of the controller.
10 (iii) Considering the context in which the consumer provided the personal
11 data to the controller, a controller's disclosure of personal data to a third party if the
12 purpose is consistent with a consumer's reasonable expectations.
13 (iv) The disclosure or transfer of personal data if a consumer directs a
14 controller to do either of the following:
15 (aa) Disclose the personal data.
16 (bb) Interact with one or more third parties.
17 (v) A consumer's disclosure of personal data to a third party for the purpose
18 of providing a product or service requested by the consumer or a parent or legal
19 guardian of a child.
20 (vi) The disclosure of information, if the consumer satisfies all of the
21 following criteria:
22 (aa) Intentionally makes available to the general public via a channel of mass
23 media.
24 (bb) Does not restrict the information to a specific audience.
25 (vii) A controller's transfer of personal data to a third party as an asset that
26 is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the
27 third party assumes control of all or part of the controller's assets.
28 (31)(a) "Sensitive data" means any of the following:
29 (i) Personal data that reveals any of the following:
Page 6 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (aa) An individual's racial or ethnic origin.
2 (bb) An individual's religious beliefs.
3 (cc) An individual's sexual orientation.
4 (dd) An individual's citizenship or immigration status.
5 (ee) Information regarding an individual's medical history, mental or
6 physical health condition, or medical treatment or diagnosis by a healthcare
7 professional.
8 (ii) The processing of genetic personal data or biometric data, if the
9 processing is for the purpose of identifying a specific individual.
10 (iii) Specific geolocation data.
11 (iv) Biometric data.
12 (b) "Sensitive data" does not include personal data that reveals any of the
13 following, if processed in the manner provided:
14 (i) Racial or ethnic origin, if the personal data is processed by a video
15 communication service.
16 (ii) Any information regarding an individual's medical history, mental or
17 physical health condition, or medical treatment or diagnosis by a healthcare
18 professional, if the personal data is processed by a person licensed to provide health
19 care in accordance with the laws of this state.
20 (32)(a) "Specific geolocation data" means information derived from
21 technology, including global positioning system level latitude and longitude
22 coordinates, that directly identifies an individual's specific location, accurate within
23 a radius of one thousand eight hundred fifty feet or fewer.
24 (b) "Specific geolocation data" does not include either of the following:
25 (i) The content of a communication.
26 (ii) Any data generated by or connected to advanced utility metering
27 infrastructure systems or equipment for use by a utility.
28 (33)(a) "Targeted advertising" means displaying an advertisement to a
29 consumer where the advertisement is selected based on personal data obtained from
Page 7 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 the consumer's activities over time and across nonaffiliated websites or online
2 applications to predict the consumer's preferences or interests.
3 (b) "Targeted advertising" does not include any of the following:
4 (i) Advertising based on a consumer's activities within a controller's website
5 or online application or any affiliated website or online application.
6 (ii) Advertising based on the context of a consumer's current search query
7 or visit to a website or online application.
8 (iii) Advertising directed to a consumer in response to the consumer's request
9 for information, products, services, or feedback.
10 (iv) Processing personal data solely to measure or report on advertising
11 performance, advertising reach, or advertising frequency.
12 (34) "Third party" means a person other than the following:
13 (a) The consumer, controller, or processor.
14 (b) An affiliate or contractor of the controller or the processor.
15 (35) "Trade secret" means information, including a formula, pattern,
16 compilation, program, device, method, technique, or process that satisfies all of the
17 following criteria:
18 (a) Derives independent economic value, actual or potential, from not being
19 generally known or readily ascertainable by proper means by other persons who can
20 obtain economic value from the information's disclosure or use.
21 (b) Is the subject of efforts that are reasonable under the circumstances to
22 maintain the information's secrecy.
23 §1383. Applicability
24 A. The provisions of this Chapter apply to any controller or processor who
25 conducts business in this state or produces a product or service that is targeted to
26 consumers who are residents of this state if the controller or processor satisfies both
27 of the following:
28 (1) Has annual revenue of twenty-five million dollars or more.
29 (2) Satisfies any of the following criteria:
Page 8 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (a) During a calendar year, controls or processes the personal data of at least
2 one hundred thousand consumers.
3 (b) Derives over fifty percent of the entity's gross revenue from the sale of
4 personal data and controls or processes the personal data of twenty-five thousand or
5 more consumers.
6 B. The provisions of this Chapter do not apply to any of the following:
7 (1) A governmental entity or a third party under contract with a
8 governmental entity when the third party is acting on behalf of the governmental
9 entity.
10 (2) A tribe.
11 (3) An institution of higher education.
12 (4) A nonprofit corporation.
13 (5) A covered entity.
14 (6) A business associate.
15 (7) Protected health information for purposes of the Health Insurance
16 Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq., and related
17 regulations.
18 (8) Patient identifying information for purposes of 42 CFR Part 2.
19 (9) Identifiable private information for purposes of the Federal Policy for the
20 Protection of Human Subjects, 45 CFR Part 46.
21 (10) Identifiable private information or personal data collected as part of
22 human subjects research pursuant to or under the same standards as either of the
23 following:
24 (a) The good clinical practice guidelines issued by the International Council
25 for Harmonisation.
26 (b) The Protection of Human Subjects as provided in 21 CFR Part 50 and
27 Institutional Review Boards as provided in 21 CFR Part 56.
28 (11) Personal data used or shared in research conducted in accordance with
29 one or more of the requirements described in Paragraph (9) of this Subsection.
Page 9 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (12) Information and documents created specifically for, and collected and
2 maintained by the Louisiana Department of Health.
3 (13) Information and documents created for purposes of the Health Care
4 Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq., and related regulations.
5 (14) Patient safety work product for purposes of 42 CFR Part 3.
6 (15) Information that satisfies all of the following criteria:
7 (a) Deidentified in accordance with the requirements for deidentification set
8 forth in 45 CFR Part 164.
9 (b) Derived from any of the healthcare-related information listed in
10 Paragraphs (7) through (14) of this Subsection.
11 (16) Information originating from or indistinguishably intermingled with
12 information provided for in Paragraphs (7) through (14) of this Subsection that is
13 maintained by either of the following:
14 (a) A healthcare facility or healthcare provider.
15 (b) A program or a qualified service organization as defined in 42 CFR 2.11.
16 (17) Information used only for public health activities and purposes as
17 described in 45 CFR 164.512.
18 (18)(a) An activity by any of the following, if all of the criteria provided in
19 Subparagraphs (b) and (c) of this Paragraph are satisfied:
20 (i) A consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a.
21 (ii) A furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who
22 provides information for use in a consumer report, as defined in 15 U.S.C. Sec.
23 1681a.
24 (iii) A user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b.
25 (b) The activity is subject to regulation under the federal Fair Credit
26 Reporting Act, 15 U.S.C. 1681 et seq.
27 (c) The activity involves the collection, maintenance, disclosure, sale,
28 communication, or use of any personal data that bears on any of the following
29 relative to the consumer:
Page 10 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (i) Credit worthiness.
2 (ii) Credit standing.
3 (iii) Credit capacity.
4 (iv) Character.
5 (v) General reputation.
6 (vi) Personal characteristics.
7 (vii) Mode of living.
8 (19) A financial institution or an affiliate of a financial institution governed
9 by, or personal data collected, processed, sold, or disclosed in accordance with, Title
10 V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq. and related regulations.
11 (20) Personal data collected, processed, sold, or disclosed in accordance with
12 the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq.
13 (21) Personal data regulated by the Family Education Rights and Privacy
14 Act, 20 U.S.C. 1232g and related regulations.
15 (22) Personal data collected, processed, sold, or disclosed in accordance with
16 the Farm Credit Act of 1971, 12 U.S.C. 2001 et seq.
17 (23) Data that is processed or maintained in any of the following manners:
18 (a) In the course of an individual applying to, being employed by, or acting
19 as an agent or independent contractor of a controller, processor, or third party, to the
20 extent the collection and use of the data are related to the individual's role.
21 (b) As the emergency contact information of an individual described in
22 Subparagraph (a) of this Paragraph and used for emergency contact purposes.
23 (c) To administer benefits for another individual relating to an individual
24 described in Subparagraph (a) of this Paragraph and used for the purpose of
25 administering the benefits.
26 (24) An individual's processing of personal data for purely personal or
27 household purposes.
28 (25) An air carrier.
Page 11 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 C. A controller is in compliance with any obligation to obtain parental
2 consent pursuant to this Chapter if the controller complies with the verifiable
3 parental consent mechanisms as provided in the Children's Online Privacy Protection
4 Act, 15 U.S.C. 6501 et seq. and the act's implementing regulations and exemptions.
5 D. This Chapter does not require a person to take any action in conflict with
6 the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d
7 et seq. or related regulations.
8 §1384. Preemption
9 A. The provisions of this Chapter supersede and preempt any ordinance,
10 resolution, rule, or other regulation adopted by a political subdivision regarding the
11 processing of personal data by a controller or processor.
12 B. Any reference to federal law in this Chapter includes any rules or
13 regulations promulgated pursuant to that federal law.
14 §1385. Consumer rights
15 A. A consumer has the right to do all of the following:
16 (1) Confirm whether a controller is processing the consumer's personal data.
17 (2) Access the consumer's personal data.
18 (3) Obtain a copy of the consumer's personal data, that the consumer
19 previously provided to the controller, in a format that satisfies all of the following:
20 (a) To the extent technically feasible, is portable.
21 (b) To the extent practicable, is readily usable.
22 (c) Allows the consumer to transmit the data to another controller without
23 impediment, if the processing is carried out by automated means.
24 (4) Correct inaccuracies in the consumer's personal data.
25 (5) Delete the consumer's personal data.
26 (6) A consumer has the right to opt out of the processing of the consumer's
27 personal data for either of the following purposes:
28 (a) Targeted advertising.
29 (b) The sale of personal data.
Page 12 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 B. Nothing in this Section requires a person to cause a breach of a security
2 system as defined in R.S. 51:3073.
3 §1386. Exercising consumer rights
4 A. A consumer may exercise a right provided for in R.S. 51:1385 by
5 submitting a request to a controller, by means prescribed by the controller,
6 specifying the right the consumer intends to exercise.
7 B. In the case of processing personal data concerning a known child, the
8 parent or legal guardian of the known child shall exercise a right on the child's
9 behalf.
10 C. In the case of processing personal data concerning a consumer subject to
11 a guardianship, conservatorship, or other protective arrangement, the guardian or the
12 conservator of the consumer shall exercise a right on the consumer's behalf.
13 §1387. Controller's response to request
14 A. Subject to the other provisions of this Chapter, a controller shall comply
15 with a consumer's request to exercise a right pursuant to R.S. 51:1386.
16 B.(1) Within forty-five days of receiving a request to exercise a right, the
17 controller shall do both of the following:
18 (a) Take action on the consumer's request.
19 (b) Inform the consumer of any action taken on the consumer's request.
20 (2) The controller may extend the initial forty-five-day period by an
21 additional forty-five days, if reasonably necessary due to the complexity of the
22 request or the volume of the requests received by the controller. The controller may
23 extend the period only once.
24 (3) If a controller extends the initial forty-five-day period, before the initial
25 forty-five-day period expires, the controller shall do all of the following:
26 (a) Inform the consumer of the extension, including the length of the
27 extension.
28 (b) Provide the reasons the extension is reasonably necessary as described
29 in Paragraph (2) of this Subsection.
Page 13 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (4) The forty-five-day period does not apply if the controller reasonably
2 suspects the consumer's request is fraudulent, and the controller is not able to
3 authenticate the request before the forty-five-day period expires.
4 (5) If, in accordance with the provision of this Section, a controller chooses
5 not to take action on a consumer's request, the controller shall, within forty-five days
6 after the day on which the controller receives the request, inform the consumer of the
7 reasons for not taking action.
8 D.(1) A controller may not charge a fee for information in response to a
9 request, unless the request is the consumer's second or subsequent request during the
10 same twelve-month period.
11 (2)(a) Notwithstanding Paragraph (1) of this Subsection, a controller may
12 charge a reasonable fee to cover the administrative costs of complying with a request
13 or may refuse to act on a request, if any of the following is true:
14 (i) The request is excessive, repetitive, technically infeasible, or manifestly
15 unfounded.
16 (ii) The controller reasonably believes the consumer's primary purpose in
17 submitting the request was something other than exercising a right.
18 (iii) The request, individually or as part of an organized effort, harasses,
19 disrupts, or imposes an undue burden on the resources of the controller's business.
20 (b) A controller who charges a fee or refuses to act in accordance with this
21 Subsection bears the burden of demonstrating the request satisfied one or more of the
22 criteria described in Subparagraph (a) of this Paragraph.
23 E. If a controller is unable to authenticate a consumer request to exercise a
24 right described in R.S. 51:1385 using commercially-reasonable efforts, the controller
25 is not required to comply with the request and may request that the consumer provide
26 additional information reasonably necessary to authenticate the request.
27 §1388. Responsibility according to role
28 A. A processor shall do both of the following:
29 (1) Adhere to the controller's instructions.
Page 14 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (2) Taking into account the nature of the processing and information
2 available to the processor, by appropriate technical and organizational measures,
3 insofar as reasonably practicable, assist the controller in meeting the controller's
4 obligations, including obligations related to the security of processing personal data
5 and notification of a breach of a security system described in R.S. 51:3073.
6 B. Before a processor performs processing on behalf of a controller, the
7 processor and controller shall enter into a contract that satisfies all of the following
8 criteria:
9 (1) Clearly sets forth instructions for processing personal data, the nature and
10 purpose of the processing, the type of data subject to processing, the duration of the
11 processing, and the parties' rights and obligations.
12 (2) Requires the processor to ensure each person processing personal data
13 is subject to a duty of confidentiality with respect to the personal data.
14 (3) Requires the processor to engage any subcontractor pursuant to a written
15 contract that requires the subcontractor to meet the same obligations as the processor
16 with respect to the personal data.
17 C.(1) Determining whether a person is acting as a controller or processor
18 with respect to a specific processing of data is a fact-based determination that
19 depends upon the context in which personal data is to be processed.
20 (2) A processor that adheres to a controller's instructions with respect to a
21 specific processing of personal data remains a processor.
22 §1389. Responsibilities of controllers
23 A.(1) A controller shall provide consumers with a reasonably accessible and
24 clear privacy notice that includes all of the following:
25 (a) The categories of personal data processed by the controller.
26 (b) The purposes for which the categories of personal data are processed.
27 (c) How consumers may exercise a right.
28 (d) The categories of personal data that the controller shares with third
29 parties, if any.
Page 15 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (e) The categories of third parties, if any, with whom the controller shares
2 personal data.
3 (2) If a controller sells a consumer's personal data to one or more third
4 parties or engages in targeted advertising, the controller shall clearly and
5 conspicuously disclose to the consumer the manner in which the consumer may
6 exercise the right to opt out of each of the following:
7 (a) Processing for targeted advertising.
8 (b) Sale of the consumer's personal data.
9 B.(1) A controller shall establish, implement, and maintain reasonable
10 administrative, technical, and physical data security practices designed to achieve all
11 of the following:
12 (a) Protect the confidentiality and integrity of personal data.
13 (b) Reduce reasonably foreseeable risks of harm to consumers relating to the
14 processing of personal data.
15 (2) Considering the controller's business size, scope, and type, a controller
16 shall use data security practices that are appropriate for the volume and nature of the
17 personal data at issue.
18 C. Except as otherwise provided for in this Chapter, a controller shall not
19 process sensitive data collected from a consumer without doing either of the
20 following:
21 (1) Presenting the consumer with clear notice and an opportunity to opt out
22 of the processing, prior to the data being processed.
23 (2) Processing the data in accordance with the Children's Online Privacy
24 Protection Act, 15 U.S.C. 6501 et seq., and the act's implementing regulations and
25 exemptions, in the case of the processing of personal data concerning a known child.
26 D.(1) A controller may not discriminate against a consumer for exercising
27 a right by doing any of the following:
28 (a) Denying a good or service to the consumer.
29 (b) Charging the consumer a different price or rate for a good or service.
Page 16 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (c) Providing the consumer a different level of quality of a good or service.
2 (2) This Subsection does not prohibit a controller from offering a different
3 price, rate, level, quality, or selection of a good or service to a consumer, including
4 offering a good or service for no fee or at a discount, if either of the following is true:
5 (a) The consumer has opted out of targeted advertising.
6 (b) The offer is related to the consumer's voluntary participation in a bona
7 fide loyalty, rewards, premium features, discounts, or club card program.
8 E. Notwithstanding the provisions of Subsection D of this Section, a
9 controller is not required to provide a product, service, or functionality to a consumer
10 if all of the following are satisfied:
11 (1) The consumer's personal data is or the processing of the consumer's
12 personal data is reasonably necessary for the controller to provide the consumer the
13 product, service, or functionality.
14 (2) The consumer does not do either of the following:
15 (a) Provide the consumer's personal data to the controller.
16 (b) Allow the controller to process the consumer's personal data.
17 F. Any provision of a contract that purports to waive or limit a consumer's
18 right in accordance with this Chapter is absolutely null.
19 §1390. Processing deidentified data
20 A. A controller of deidentified data shall:
21 (1) Take reasonable measures to ensure that a person cannot associate the
22 data with an individual.
23 (2) Publicly commit to maintain and use the data only in its deidentified
24 form and to not attempting to reidentify the data.
25 (3) Contractually obligate any recipient of the data to comply with the
26 requirements of this Subsection.
27 B. The provisions of this Chapter do not require a controller or processor to
28 do any of the following:
29 (1) Reidentify deidentified data.
Page 17 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (2) Maintain data in identifiable form or obtain, retain, or access any data or
2 technology for the purpose of allowing the controller or processor to associate a
3 consumer request with personal data.
4 (3)(a) Comply with an authenticated consumer request to exercise a right as
5 described in R.S. 51:1386, if the controller complies with Subparagraph (b) of this
6 Paragraph and either of the following is satisfied:
7 (i) The controller is not reasonably capable of associating the request with
8 the personal data.
9 (ii) It would be unreasonably burdensome for the controller to associate the
10 request with the personal data.
11 (b) For purposes of Subparagraph (a) of this Paragraph, the controller does
12 not do any of the following:
13 (i) Use the personal data to recognize or respond to the consumer who is the
14 subject of the personal data.
15 (ii) Associate the personal data with other personal data about the consumer.
16 (iii) Sell or otherwise disclose the personal data to any third party other than
17 a processor, except as otherwise permitted in this Chapter.
18 C. A controller who uses deidentified data shall take reasonable steps to
19 ensure the processor does all of the following:
20 (1) Complies with any contractual obligation to which the deidentified data
21 is subject.
22 (2) Promptly addresses any breach of a contractual obligation described in
23 Paragraph (1) of this Subsection.
24 §1391. Limitations
25 A. The requirements described in this Chapter do not restrict a controller's
26 or processor's ability to do any of the following:
27 (1) Comply with a federal, state, or local law, rule, or regulation.
28 (2) Comply with a civil, criminal, or regulatory inquiry, investigation,
29 subpoena, or summons by a federal, state, local, or other governmental entity.
Page 18 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (3) Cooperate with a law enforcement agency concerning activity that the
2 controller or processor reasonably and in good faith believes may violate federal,
3 state, or local laws, rules, or regulations.
4 (4) Investigate, establish, exercise, prepare for, or defend a legal claim.
5 (5) Provide a product or service requested by a consumer or a parent or legal
6 guardian of a child.
7 (6) Perform a contract to which the consumer or the parent or legal guardian
8 of a child is a party, including fulfilling the terms of a written warranty or taking
9 steps at the request of the consumer or parent or legal guardian prior to entering into
10 the contract with the consumer.
11 (7) Take immediate steps to protect an interest that is essential for the life or
12 physical safety of the consumer or of another individual.
13 (8)(a) Detect, prevent, protect against, or respond to a security incident,
14 identity theft, fraud, harassment, malicious or deceptive activity, or any illegal
15 activity.
16 (b) Investigate, report, or prosecute a person responsible for an action
17 described in Subparagraph (a) of this Paragraph.
18 (9)(a) Preserve the integrity or security of systems.
19 (b) Investigate, report, or prosecute a person responsible for harming or
20 threatening the integrity or security of systems, as applicable.
21 (10) If the controller discloses the processing in a notice described in R.S.
22 51:1389, engage in public or peer-reviewed scientific, historical, or statistical
23 research in the public interest that adheres to all other applicable ethics and privacy
24 laws.
25 (11) Assist another person with an obligation described in this Section.
26 (12) Process personal data to do any of the following:
27 (a) Conduct internal analytics or other research to develop, improve, or
28 repair a controller's or processor's product, service, or technology
29 (b) Identify and repair technical errors that impair existing or intended
30 functionality.
Page 19 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (c) Effectuate a product recall.
2 (13) Process personal data to perform an internal operation that is either of
3 the following:
4 (a) Reasonably aligned with the consumer's expectations based on the
5 consumer's existing relationship with the controller.
6 (b) Otherwise compatible with processing to aid the controller or processor
7 in providing a product or service specifically requested by a consumer or a parent or
8 legal guardian of a child or the performance of a contract to which the consumer or
9 a parent or legal guardian of a child is a party.
10 (14) Retain a consumer's email address to comply with the consumer's
11 request to exercise a right.
12 B. This Chapter does not apply if a controller's or processor's compliance
13 with this Chapter does any of the following:
14 (1) Violates an evidentiary privilege provided in the laws of this state.
15 (2) As part of a privileged communication, prevents a controller or processor
16 from providing personal data concerning a consumer to a person covered by an
17 evidentiary privilege provided in the laws of this state.
18 (3) Adversely affects the privacy or other rights of any person.
19 C. A controller or processor is not in violation of this Chapter if all of the
20 following are true:
21 (1) The controller or processor discloses personal data to a third-party
22 controller or processor in compliance with this Chapter.
23 (2) The third party processes the personal data in violation of this Chapter.
24 (3) The disclosing controller or processor did not have actual knowledge of
25 the third party's intent to commit a violation of this Chapter.
26 D. If a controller processes personal data in accordance with an exemption
27 described in Subsection C of this Section, the controller bears the burden of
28 demonstrating that the processing qualifies for the exemption.
29 E. Nothing in this Chapter requires a controller, processor, third party, or
30 consumer to disclose a trade secret.
Page 20 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 §1392. No private cause of action
2 A violation of this Chapter does not provide a basis for, nor is a violation of
3 this Chapter subject to, a private right of action pursuant to this Chapter or any other
4 law.
5 §1393. Investigative powers
6 A. The division shall establish and administer a system to receive consumer
7 complaints regarding a controller's or processor's alleged violation of this Chapter.
8 B.(1) The division may investigate a consumer complaint to determine
9 whether the controller or processor violated or is violating this Chapter.
10 (2) If the director has reasonable cause to believe that substantial evidence
11 exists that a person identified in a consumer complaint is in violation of this Chapter,
12 the director shall refer the matter to the attorney general.
13 (3) Upon request, the division shall provide consultation and assistance to
14 the attorney general in enforcing this Chapter.
15 §1394. Enforcement powers of the attorney general
16 A. The attorney general has the exclusive authority to enforce this Chapter.
17 B. Upon referral from the division, the attorney general may initiate an
18 enforcement action against a controller or processor for a violation of this Chapter.
19 C.(1) At least thirty days before the day on which the attorney general
20 initiates an enforcement action against a controller or processor, the attorney general
21 shall provide the controller or processor with all of the following:
22 (a) Written notice identifying each provision of this Chapter the attorney
23 general alleges the controller or processor has violated or is violating.
24 (b) An explanation of the basis for each allegation.
25 (2) The attorney general may not initiate an action if the controller or
26 processor does all of the following:
27 (a) Cures the noticed violation within thirty days after the day on which the
28 controller or processor receives the written notice described in Paragraph (1) of this
29 Subsection.
Page 21 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (b) Provides the attorney general an express written statement that attests to
2 both of the following:
3 (i) The violation has been cured.
4 (ii) No further violation of the cured violation will occur.
5 (3) The attorney general may initiate an action against a controller or
6 processor who does either of the following:
7 (a) Fails to cure a violation after receiving the notice described in Paragraph
8 (1) of this Subsection.
9 (b) After curing a noticed violation and providing a written statement in
10 accordance with Paragraph (2) of this Subsection, continues to violate this Chapter.
11 (4) In an action described in this Section, the attorney general may recover
12 all of the following:
13 (a) Actual damages to the consumer.
14 (b) For each violation described in Paragraph (3) of this Subsection, a civil
15 fine in an amount not to exceed seven thousand five hundred dollars.
16 D. All money received from an action pursuant to this Chapter shall be
17 deposited into the Consumer Privacy Account established in R.S. 51:1396.
18 E. If more than one controller or processor are involved in the same
19 processing in violation of this Chapter, the liability for the violation shall be
20 allocated among the controllers or processors according to the principles of
21 comparative fault.
22 §1395. Data protection assessments
23 A. A controller shall not conduct processing that presents a heightened risk
24 of harm to a consumer without conducting and documenting a data protection
25 assessment of each of its processing activities that involve personal data acquired on
26 or after the effective date of this Chapter that present a heightened risk of harm to a
27 consumer.
28 B. For purposes of this Section, "processing that presents a heightened risk
29 of harm to a consumer" includes all of the following:
Page 22 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (1) Processing personal data for purposes of targeted advertising or for
2 profiling if the profiling presents a reasonably foreseeable risk of any of the
3 following:
4 (a) Unfair or deceptive treatment of consumers.
5 (b) Unlawful disparate impact on consumers.
6 (c) Financial or physical injury to consumers.
7 (d) An intrusion, physical or otherwise, upon the solitude or seclusion, or the
8 private affairs or concerns of consumers, if the intrusion would be offensive to a
9 reasonable person.
10 (e) Other substantial injury to consumers.
11 (2) Selling personal data.
12 (3) Processing sensitive data.
13 C. Data protection assessments shall identify and weigh the benefits that
14 may flow, directly and indirectly, from the processing to the controller, the
15 consumer, other stakeholders, and the public against the potential risks to the rights
16 of the consumer associated with the processing, as mitigated by safeguards that the
17 controller can employ to reduce the risks. The controller shall factor into this
18 assessment the use of deidentified data and the reasonable expectations of
19 consumers, as well as the context of the processing and the relationship between the
20 controller and the consumer whose personal data will be processed.
21 D. A controller shall make the data protection assessment available to the
22 attorney general upon request. The attorney general may evaluate the data protection
23 assessment for compliance with the duties provided for in this Chapter. Data
24 protection assessments are confidential and exempt from public inspection and
25 copying in accordance with the Public Records Law as provided in R.S. 44:1 et seq.
26 The disclosure of a data protection assessment pursuant to a request from the
27 attorney general pursuant to this Subsection does not constitute a waiver of any
28 attorney-client privilege or work-product protection that might otherwise exist with
29 respect to the assessment and any information contained in the assessment.
Page 23 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 E. A single data protection assessment may address a comparable set of
2 processing operations that include similar activities.
3 F. Data protection assessment requirements apply to processing activities
4 created or generated after December 1, 2023.
5 §1396. Consumer privacy restricted account
6 A. There is created a restricted account known as the "Consumer Privacy
7 Account".
8 B. The account shall be funded by money received through civil enforcement
9 actions pursuant to this Chapter.
10 C. Upon appropriation, the division or the attorney general may use money
11 deposited into the account for any of the following:
12 (1) Investigative and administrative costs incurred by the division in
13 investigating consumer complaints alleging violations of this Chapter.
14 (2) Recovery of costs and attorney fees accrued by the attorney general in
15 enforcing this Chapter.
16 (3) Providing consumer and business education regarding any of the
17 following:
18 (a) Consumer rights pursuant to this Chapter.
19 (b) Compliance with the provisions of this Chapter for controllers and
20 processors.
21 D. If the balance in the account exceeds four million dollars at the close of
22 any fiscal year, the state treasurer shall transfer the amount that exceeds four million
23 dollars into the state general fund.
24 §1397. Attorney general report
25 A. The attorney general and the division shall compile a report composed of
26 all of the following:
27 (1) An evaluation of the liability and enforcement provisions of this Chapter,
28 including the effectiveness of the attorney general's and the division's efforts to
29 enforce this Chapter.
Page 24 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
1 (2) A summary of the data protected and not protected by this Chapter
2 including, with reasonable detail, a list of the types of information that are publicly
3 available from local, state, and federal government sources.
4 B. The attorney general and the division may update the report as new
5 information becomes available.
6 C. The attorney general and the division shall submit the report to the House
7 Committee on Commerce and Senate Committee on Commerce, Consumer
8 Protection, and International Affairs before July 1, 2025.
9 Section 3. This Act shall become effective on December 31, 2023.
DIGEST
The digest printed below was prepared by House Legislative Services. It constitutes no part
of the legislative instrument. The keyword, one-liner, abstract, and digest do not constitute
part of the law or proof or indicia of legislative intent. [R.S. 1:13(B) and 24:177(E)]
HB 987 Reengrossed 2022 Regular Session Deshotel
Abstract: Establishes consumer rights relative to personal data processing.
Applicability
Proposed law provides that a controller is a person doing business in this state who
determines the purposes for and the means by which personal data is processed, regardless
of whether the person makes the determination alone or with others.
Proposed law provides that a processor is a person who processes personal data on behalf
of a controller.
Proposed law applies to a controller or a processor who conducts business in this state or
targets a product or service to residents of this state, has annual revenue of at least
$25,000,000, and satisfies either of the following:
(1)During a calendar year, controls or processes the personal data of at least 100,000
consumers.
(2)Derives over 50% of his gross revenue from selling personal data and controls or
processes the personal data of at least 25,000 consumers.
Proposed law does not apply to any of the following:
(1)A governmental agency or a third party who has a contract with that governmental
entity and acting on the entity's behalf.
(2)A tribe.
(3)An institution of higher education.
Page 25 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
(4) A nonprofit corporation.
(5)A covered entity.
(6)A business associate.
(7)Certain protected health information.
(8)Certain identifying information.
(9)Certain information collected, processed, sold, or regulated pursuant to federal law.
(10)Information that has become intermingled with and indistinguishable from certain
exempted information.
(11)Activity by a consumer reporting agency, a furnisher of information, or a user of a
consumer report, if the activity is subject to the federal fair credit reporting act and
involves the collection, maintenance, disclosure, sale, communication, or use of any
personal data that bears on certain enumerated factors.
(12)A financial institution governed by federal law.
(13)Data that is processed or maintained relative to employment, emergency contact
information, or administration of benefits.
(14)Personal or household processing.
(15)An air carrier.
Consumer Rights
Proposed law provides that a consumer is an individual who is a resident of this state acting
in an individual or household context
Proposed law provides that a consumer has the right to do all of the following:
(1)Confirm whether a controller is processing his data.
(2)Access his personal data.
(3)Obtain a copy of his personal data.
(4)Correct inaccuracies in the personal data.
(5)Delete the personal data.
(6)Opt out of the processing of data for the purposes of targeted advertising or the sale
of personal data.
A consumer or legal representative of the consumer may exercise the rights provided in
proposed law by submitting a request to the controller, in a means prescribed by the
controller.
Proposed law requires a controller to comply with a consumers request to exercise a right
provided for in proposed law and further requires the controller take action and notify the
consumer of such action within 45 days of receipt of the request. Proposed law allows the
controller to extend the response time by an additional 45 days if reasonably necessary. The
controller is required to notify the consumer if the time period for action is extended and
provide a reason for the extension. Proposed law does not require a controller to comply
Page 26 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
with the 45-day limit if he reasonably suspects fraud and cannot authenticate the request
prior to lapse of the 45 days. If a controller chooses not to take action on a request, proposed
law requires the controller to notify the consumer of the reason for not taking action within
45 days of receiving the request.
Proposed law prohibits the controller from charging a fee for information in response to a
request, unless any of the following is true:
(1)The request is the consumer's second or subsequent request during the same 12-
month period.
(2)The request is excessive, repetitive, technically infeasible, or manifestly unfounded.
(3)The controller believes that the consumer's primary purpose in making the request
was not to exercise a right provided in proposed law.
(4)The request harasses, disrupts, or places an undue burden on the controller's
business.
A controller who charges a fee based on the exceptions in proposed law bears the burden of
proving that the necessary criteria is met. Proposed law allows a controller to request
additional information from a consumer if reasonably necessary to respond to the request.
Responsibilities of Processors and Controllers
Proposed law requires a processor to adhere to the controller's instructions and assist the
controller in meeting his obligations, to the extent practicable.
Prior to processing data on behalf of a controller, proposed law requires the processor and
controller to enter into a contract. Proposed law requires that the contract contain clear
instructions, a duty of confidentiality, and certain provisions relative to subcontractors.
Proposed law requires a controller to provide consumers with a clear and accessible privacy
notice containing all of the following:
(1)The categories of data processed by the controller.
(2)The purposes for which the data is being processed.
(3)How consumers can exercise a right provided in proposed law.
(4)The categories of data the controller shares with third party.
(5)The categories of third parties the controller shares data with.
Proposed law requires a controller to disclose to the consumer the manner in which he may
opt out of processing for targeted advertising or sale of his data.
Proposed law requires a controller to create and maintain reasonable and appropriate data
security practices that protect the confidentiality and integrity of personal data and reduce
harm to consumers.
Proposed law prohibits a controller from processing sensitive data without first notifying the
consumer of his right to opt out. Proposed law defers to federal law if the personal data
belongs to a child.
Proposed law prohibits a controller from discriminating against a consumer for exercising
a right provided in proposed law. However, does not require a controller to provide a
product, service, or functionality to a consumer in certain circumstances.
Page 27 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
Proposed law requires a controller of deidentified data to take reasonable measures to ensure
that a person cannot associate the data with an individual, publicly commit to maintain and
use the data only in its deidentified form, and contractually obligate any data recipient to
comply with proposed law.
Proposed law does not require a controller or processor to do any of the following, as long
as the controller does not engage in certain prohibited activity:
(1)Reidentify certain data.
(2)Maintain data in an identifiable form.
(3)Comply with a request that is not reasonably associated with the personal data or it
would be unreasonably burdensome to do so.
Proposed law requires a controller who uses deidentified data to take reasonable steps to
ensure that the processor complies with all contractual obligations relative to that data and
to promptly address any breach of the contract.
Limitations of Proposed Law
Proposed law provides that proposed law does not restrict a controller or processor from
doing any of the following:
(1)Complying with any law or legal order.
(2)Cooperating with law enforcement.
(3)Participating in a legal claim.
(4)Providing a requested service or product.
(5)Performing a contract.
(6)Protecting an interest essential for life or physical safety.
(7)Taking necessary steps in response to certain incidents.
(8)Taking actions relative to the integrity or security of systems.
(9)Engaging in certain research.
(10)Assisting another person in exercising a right provided in proposed law.
(11)Processing personal data for certain purposes.
(12)Retaining a consumer's email address to comply with his request.
Proposed law does not apply if compliance by the controller or processor would result in a
violation of an evidentiary rule or privilege or would adversely affect the privacy rights of
any person.
Data Protection Assessment
Proposed law requires a controller to conduct and document a data protection assessment
prior to engaging in processing that presents a heightened risk of harm to a consumer.
Proposed law provides a list of processing activities that are considered to present a
heightened risk of harm to a consumer.
Page 28 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
Proposed law provides that data protection assessments are confidential and exempt from
the Public Records Law.
Investigations and Enforcement
Proposed law requires the consumer protection section of the Dept. of Justice (section)
establish and administer a system to receive consumer complaints.
Proposed law allows the section to investigate complaints and refer the matter to the attorney
general if a violation is substantiated.
The attorney general has the exclusive authority to enforce proposed law.
Proposed law requires the attorney general to provide notice and explanation to a controller
or processor at least 30 days prior to initiating an enforcement action.
If the controller or processor cures the noticed violation within 30 days of receipt of notice
and provides attestation to the attorney general, proposed law prohibits the attorney general
from initiating the action.
The attorney general may recover actual damages to the consumer and up to $7,500 per
violation of proposed law.
Proposed law creates the Consumer Privacy Account (account) where all monies received
from an action arising out of proposed law are to be deposited.
The money in the account may be used for investigative and administrative costs, recovery
of costs and attorney's fees, and consumer and business education programs.
If the balance in the account exceeds $4,000,000 at the close of any fiscal year, all funds in
excess of $4,000,000 are to be deposited into the general fund.
Proposed law requires the section and the attorney general to submit a report evaluating and
summarizing various aspects of proposed law. The report is to be submitted to the House
and Senate commerce committees before July 1, 2025.
Miscellaneous Provisions
Proposed law cites federal law as the operating standard for compliance with any obligation
to obtain parental consent.
Proposed law preempts any conflicting regulation adopted by a political subdivision.
Proposed law does not allow any person to disclose a trade secret.
A violation of proposed law does not provide a basis for a private cause of action.
Effective Dec. 31, 2023.
(Amends R.S. 44:4.1(B)(35); Adds R.S. 51:1381-1397)
Summary of Amendments Adopted by House
The Committee Amendments Proposed by House Committee on Commerce to the
original bill:
1. Modify the definition of "biometric data", "consent", "deidentified data",
"identifiable individual", "personal data", "sensitive data", and "specific
geolocation data".
Page 29 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions. HLS 22RS-988 REENGROSSED
HB NO. 987
2. Remove all references to "pseudonymous data".
3. Create a consumer right to change inaccuracies on a person's data.
4. Add a requirement that controllers conduct a data protection assessment prior to
engaging in processing activities that present a heightened risk of harm to a
customer.
5. Provide for a public records exception.
6. Make technical changes.
The Committee Amendments Proposed by House Committee on House and
Governmental Affairs to the engrossed bill:
1. Make technical changes.
Page 30 of 30
CODING: Words in struck through type are deletions from existing law; words underscored
are additions.