SLS 23RS-385 ORIGINAL
2023 Regular Session
SENATE BILL NO. 199
BY SENATOR WOMACK AND REPRESENTATI VE DESHOTEL
Prefiled pursuant to Article III, Section 2(A)(4)(b)(i) of the Constitution of Louisiana.
CONSUMERS/PROTECTI ON. Provides relative to the protection of data.
(2/3-CA7s2.1(A)) (8/1/23)
1 AN ACT
2 To amend and reenact R.S. 44:4.1(B)(35) and to enact Chapter 12-B of Title 51 of the
3 Louisiana Revised Statutes of 1950, to be comprised of R.S. 51:1381 through 1397,
4 relative to data privacy; to provide definitions; to provide for applicability; to
5 provide for consumer rights; to require a response to a request; to provide for the
6 responsibilities of a processor and a controller; to provide for deidentified data; to
7 provide for limitations; to provide for investigative powers; to provide for
8 enforcement; to provide for a civil fine; to provide for a data assessment; to provide
9 for a public records exception; to create an account; to require a report; and to
10 provide for related matters.
11 Be it enacted by the Legislature of Louisiana:
12 Section 1. R.S. 44:4.1(B)(35) is hereby amended and reenacted to read as follows:
13 §4.1. Exceptions
14 * * *
15 B. The legislature further recognizes that there exist exceptions, exemptions,
16 and limitations to the laws pertaining to public records throughout the revised
17 statutes and codes of this state. Therefore, the following exceptions, exemptions, and
Page 1 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 limitations are hereby continued in effect by incorporation into this Chapter by
2 citation:
3 * * *
4 (35) R.S. 51:710.2(B), 705, 706, 936, 1363.1, 1395, 1404, 1926, 1934, 2113,
5 2182, 2262, 2318, 2370.3, 2370.16, 2389
6 * * *
7 Section 2. Chapter 12-B of Title 51 of the Louisiana Revised Statutes of 1950,
8 comprised of R.S. 51:1381 through 1397, is hereby enacted to read as follows:
9 CHAPTER 12-B. LOUISIANA CONSUMER P RIVACY ACT
10 §1381. Short title
11 This Chapter shall be known and may be cited as the "Louisiana
12 Consumer Privacy Act".
13 §1382. Definitions
14 As used in this Chapter, the following words have the following
15 meanings:
16 (1) "Account" means the consumer privacy restricted account
17 established in R.S. 51:1396.
18 (2) "Affiliate" means an entity that satisfies either of the following
19 criteria:
20 (a) Controls, is controlled by, or is under common control with another
21 entity.
22 (b) Shares common branding with another entity.
23 (3) "Aggregated data" means information that relates to a group or
24 category of consumers that satisfies all of the following criteria:
25 (a) All individual consumer identities have been removed from the
26 information.
27 (b) The information is not linked or reasonably linkable to any
28 consumer.
29 (4) "Air carrier" means the same as that term is defined in 49 U.S.C.
Page 2 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 40102.
2 (5) "Authenticate" means to use reasonable means to determine that a
3 consumer's request to exercise the rights described in R.S. 51:1385 is made by
4 the consumer who is entitled to exercise those rights.
5 (6)(a) "Biometric data" means data generated by automatic
6 measurements of an individual's unique physical, physiological, or biological
7 characteristics that allow or confirm the unique identity of a specific individual.
8 (b) "Biometric data" includes data described in Subparagraph (a) of this
9 Paragraph that is generated by automatic measurements of an individual's
10 fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern
11 or characteristic that is used to identify a specific individual.
12 (c) "Biometric data" does not include any of the following:
13 (i) A physical or digital photograph.
14 (ii) A video or audio recording.
15 (iii) Information captured from a patient in a healthcare setting.
16 (iv) Information collected, used, or stored for treatment, payment, or
17 healthcare operations as those terms are defined in 45 CFR Parts 160, 162, and
18 164.
19 (7) "Business associate" means the same as that term is defined in 45
20 CFR 160.103.
21 (8) "Child" means an individual younger than thirteen years old.
22 (9)(a) "Consent" means a clear and affirmative act by a consumer that
23 unambiguously indicates the consumer's voluntary, specific, and informed
24 agreement to allow a person to process personal data related to the consumer.
25 (b) "Consent" does not include the following:
26 (i) Acceptance of general or broad terms of use or a similar document
27 that contains descriptions of personal data processing along with other
28 unrelated information.
29 (ii) Hovering over, muting, pausing, or closing a given piece of content.
Page 3 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 (10)(a) "Consumer" means an individual who is a resident of this state
2 acting in an individual or household context.
3 (b) "Consumer" does not include an individual acting in an employment
4 or commercial context.
5 (11) "Control" or "controlled" as used in Paragraph (2) of this Section
6 means any of the following:
7 (a) Ownership of, or the power to vote with, more than fifty percent of
8 the outstanding shares of any class of voting securities of an entity.
9 (b) Control in any manner over the election of a majority of the directors
10 or of the individuals exercising similar functions.
11 (c) The power to exercise controlling influence of the management of an
12 entity.
13 (12) "Controller" means a person doing business in this state who
14 determines the purposes for and the means by which personal data is processed,
15 regardless of whether the person makes the determination alone or with others.
16 (13) "Covered entity" means the same as that term is defined in 45 CFR
17 160.103.
18 (14) "Deidentified data" means data that satisfies all of the following
19 criteria:
20 (a) Cannot reasonably be used to infer information about, or otherwise
21 be linked to, an identified individual, device, or household.
22 (b) Is possessed by a controller who does all of the following:
23 (i) Takes reasonable measures to ensure that a person cannot associate
24 the data with an individual.
25 (ii) Publicly commits to maintain and use the data only in its deidentified
26 form and further commits to not attempt to reidentify the data.
27 (iii) Contractually obligates any recipients of the data to comply with the
28 requirements described in this Subparagraph.
29 (15) "Director" means the director of the consumer protection section
Page 4 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 of the Department of Justice.
2 (16) "Division" means the consumer protection section of the
3 Department of Justice.
4 (17) "Governmental entity" means any board, authority, commission,
5 department, office, division, or agency of this state or any of its local political
6 subdivisions.
7 (18) "Healthcare facility" means an institution providing medical
8 services or a healthcare setting, including but not limited to a hospital or other
9 licensed inpatient center, an ambulatory surgical or treatment center, a skilled
10 nursing center, a residential treatment center, a rehabilitation center, and a
11 diagnostic, laboratory, or imaging center.
12 (19) "Healthcare provider" means any person licensed, certified, or
13 registered in this state to provide healthcare services, including but not limited
14 to physicians, hospitals, home health agencies, chiropractors, pharmacies, and
15 dentists.
16 (20) "Identified individual" or "identifiable individual" means an
17 individual who can be readily identified, either directly or indirectly, in
18 particular or by reference to an identifier such as a name, an identification
19 number, specific geolocation data, or an online identifier.
20 (21) "Institution of higher education" means a public or private
21 institution of higher education.
22 (22) "Local political subdivision" means a parish, municipality, and any
23 other unit of local government, including but not limited to a school board or
24 a special district, authorized by law to perform governmental functions.
25 (23) "Nonprofit corporation" means any of the following:
26 (a) A corporation incorporated in accordance with the laws of this state
27 and subject to the provisions of the Nonprofit Corporation Law, R.S. 12:201 et
28 seq.
29 (b) A corporation incorporated in accordance with the laws of another
Page 5 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 state that would be considered a nonprofit corporation if it were incorporated
2 in accordance with the laws of this state.
3 (24)(a) "Personal data" means information that is linked or reasonably
4 linkable to an identified individual or an identifiable individual.
5 (b) "Personal data" does not include deidentified data and publically
6 available information.
7 (25) "Process" means an operation or set of operations performed on
8 personal data, including but not limited to collection, use, storage, disclosure,
9 analysis, deletion, or modification of personal data.
10 (26) "Processor" means a person who processes personal data on behalf
11 of a controller.
12 (27) "Protected health information" means the same as that term is
13 defined in 45 CFR 160.103.
14 (28) "Publicly available information" means information that satisfies
15 any of the following criteria:
16 (a) Is lawfully obtained by a person from a record of a governmental
17 entity.
18 (b) Is obtained by a person who reasonably believes a consumer or a
19 widely-distributed media source has lawfully made available to the general
20 public.
21 (c) Is obtained from a person to whom the consumer disclosed the
22 information, if the consumer has not restricted the information to a specific
23 audience.
24 (29) "Right" means a consumer right described in R.S. 51:1385.
25 (30)(a) "Sale", "sell", or "sold" means the exchange of personal data for
26 monetary or other valuable consideration by a controller to a third party.
27 (b) "Sale", "sell", or "sold" does not include:
28 (i) A controller's disclosure of personal data to a processor who processes
29 the personal data on behalf of the controller.
Page 6 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 (ii) A controller's disclosure of personal data to an affiliate of the
2 controller.
3 (iii) Considering the context in which the consumer provided the
4 personal data to the controller, a controller's disclosure of personal data to a
5 third party if the purpose is consistent with a consumer's reasonable
6 expectations.
7 (iv) The disclosure or transfer of personal data if a consumer directs a
8 controller to do either of the following:
9 (aa) Disclose the personal data.
10 (bb) Interact with one or more third parties.
11 (v) A consumer's disclosure of personal data to a third party for the
12 purpose of providing a product or service requested by the consumer or a
13 parent or legal guardian of a child.
14 (vi) The disclosure of information, if the consumer satisfies all of the
15 following criteria:
16 (aa) Intentionally makes available to the general public via a channel of
17 mass media.
18 (bb) Does not restrict the information to a specific audience.
19 (vii) A controller's transfer of personal data to a third party as an asset
20 that is part of a proposed or actual merger, an acquisition, or a bankruptcy in
21 which the third party assumes control of all or part of the controller's assets.
22 (31)(a) "Sensitive data" means any of the following:
23 (i) Personal data that reveals any of the following:
24 (aa) An individual's racial or ethnic origin.
25 (bb) An individual's religious beliefs.
26 (cc) An individual's sex.
27 (dd) An individual's citizenship or immigration status.
28 (ee) Information regarding an individual's medical history, mental or
29 physical health condition, or medical treatment or diagnosis by a healthcare
Page 7 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 professional.
2 (ii) The processing of genetic personal data or biometric data, if the
3 processing is for the purpose of identifying a specific individual.
4 (iii) Specific geolocation data.
5 (iv) Biometric data.
6 (b) "Sensitive data" does not include personal data that reveals any of
7 the following, if processed in the manner provided:
8 (i) Racial or ethnic origin, if the personal data is processed by a video
9 communication service.
10 (ii) Any information regarding an individual's medical history, mental
11 or physical health condition, or medical treatment or diagnosis by a healthcare
12 professional, if the personal data is processed by a person licensed to provide
13 health care in accordance with the laws of this state.
14 (32)(a) "Specific geolocation data" means information derived from
15 technology, including global positioning system level latitude and longitude
16 coordinates, that directly identifies an individual's specific location, accurate
17 within a radius of one thousand eight hundred fifty feet or fewer.
18 (b) "Specific geolocation data" does not include either of the following:
19 (i) The content of a communication.
20 (ii) Any data generated by or connected to advanced utility metering
21 infrastructure systems or equipment for use by a utility.
22 (33)(a) "Targeted advertising" means displaying an advertisement to a
23 consumer where the advertisement is selected based on personal data obtained
24 from the consumer's activities over time and across nonaffiliated websites or
25 online applications to predict the consumer's preferences or interests.
26 (b) "Targeted advertising" does not include any of the following:
27 (i) Advertising based on a consumer's activities within a controller's
28 website or online application or any affiliated website or online application.
29 (ii) Advertising based on the context of a consumer's current search
Page 8 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 query or visit to a website or online application.
2 (iii) Advertising directed to a consumer in response to the consumer's
3 request for information, products, services, or feedback.
4 (iv) Processing personal data solely to measure or report on advertising
5 performance, advertising reach, or advertising frequency.
6 (34) "Third party" means a person other than the following:
7 (a) The consumer, controller, or processor.
8 (b) An affiliate or contractor of the controller or the processor.
9 (35) "Trade secret" means information, including a formula, pattern,
10 compilation, program, device, method, technique, or process that satisfies all of
11 the following criteria:
12 (a) Derives independent economic value, actual or potential, from not
13 being generally known or readily ascertainable by proper means by other
14 persons who can obtain economic value from the information's disclosure or
15 use.
16 (b) Is the subject of efforts that are reasonable under the circumstances
17 to maintain the information's secrecy.
18 §1383. Applicability
19 A. The provisions of this Chapter apply to any controller or processor
20 who conducts business in this state or produces a product or service that is
21 targeted to consumers who are residents of this state who satisfy both of the
22 following:
23 (1) Has an annual revenue of twenty-five million dollars or more.
24 (2) Satisfies any of the following criteria:
25 (a) During a calendar year, controls or processes the personal data of at
26 least one hundred thousand consumers.
27 (b) Derives over fifty percent of the entity's gross revenue from the sale
28 of personal data and controls or processes the personal data of twenty-five
29 thousand or more consumers.
Page 9 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 B. The provisions of this Chapter do not apply to any of the following:
2 (1) A governmental entity or a third party under contract with a
3 governmental entity when the third party is acting on behalf of the
4 governmental entity.
5 (2) A tribe.
6 (3) An institution of higher education.
7 (4) A nonprofit corporation.
8 (5) A covered entity.
9 (6) A business associate.
10 (7) Protected health information for purposes of the Health Insurance
11 Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq. and related
12 regulations.
13 (8) Patient identifying information for purposes of 42 CFR Part 2.
14 (9) Identifiable private information for purposes of the Federal Policy for
15 the Protection of Human Subjects, 45 CFR Part 46.
16 (10) Identifiable private information or personal data collected as part
17 of human subjects research pursuant to or under the same standards as either
18 of the following:
19 (a) The good clinical practice guidelines issued by the International
20 Council for Harmonisation of Technical Requirements for Pharmaceuticals for
21 Human Use.
22 (b) The Protection of Human Subjects as provided in 21 CFR Part 50
23 and Institutional Review Boards as provided in 21 CFR Part 56.
24 (11) Personal data used or shared in research conducted in accordance
25 with one or more of the requirements described in Paragraph (9) of this
26 Subsection.
27 (12) Information and documents created specifically for, and collected
28 and maintained by the Louisiana Department of Health.
29 (13) Information and documents created for purposes of the Health Care
Page 10 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq., and related
2 regulations.
3 (14) Patient safety work product for purposes of 42 CFR Part 3.
4 (15) Information that satisfies all of the following criteria:
5 (a) Deidentified in accordance with the requirements for deidentification
6 set forth in 45 CFR Part 164.
7 (b) Derived from any of the healthcare-related information listed in
8 Paragraphs (7) through (14) of this Subsection.
9 (16) Information originating from or indistinguishably intermingled with
10 information provided for in Paragraphs (7) through (14) of this Subsection that
11 is maintained by either of the following:
12 (a) A healthcare facility or healthcare provider.
13 (b) A program or a qualified service organization as defined in 42 CFR
14 2.11.
15 (17) Information used only for public health activities and purposes as
16 described in 45 CFR 164.512.
17 (18)(a) An activity by any of the following, if all of the criteria provided
18 in Subparagraphs (b) and (c) of this Paragraph are satisfied:
19 (i) A consumer reporting agency, as defined in 15 U.S.C. 1681a.
20 (ii) A furnisher of information, as set forth in 15 U.S.C. 1681s-2, who
21 provides information for use in a consumer report, as defined in 15 U.S.C.
22 1681a.
23 (iii) A user of a consumer report, as set forth in 15 U.S.C. 1681b.
24 (b) The activity is subject to regulation under the federal Fair Credit
25 Reporting Act, 15 U.S.C. 1681 et seq.
26 (c) The activity involves the collection, maintenance, disclosure, sale,
27 communication, or use of any personal data that bears on any of the following
28 relative to the consumer:
29 (i) Credit worthiness.
Page 11 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 (ii) Credit standing.
2 (iii) Credit capacity.
3 (iv) Character.
4 (v) General reputation.
5 (vi) Personal characteristics.
6 (vii) Mode of living.
7 (19) A financial institution or an affiliate of a financial institution
8 governed by, or personal data collected, processed, sold, or disclosed in
9 accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq.
10 and related regulations.
11 (20) Personal data collected, processed, sold, or disclosed in accordance
12 with the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq.
13 (21) Personal data regulated by the Family Education Rights and
14 Privacy Act, 20 U.S.C. 1232g and related regulations.
15 (22) Personal data collected, processed, sold, or disclosed in accordance
16 with the Farm Credit Act of 1971, 12 U.S.C. 2001 et seq.
17 (23) Data that is processed or maintained in any of the following
18 manners:
19 (a) In the course of an individual applying to, being employed by, or
20 acting as an agent or independent contractor of a controller, processor, or third
21 party, to the extent the collection and use of the data are related to the
22 individual's role.
23 (b) As the emergency contact information of an individual described in
24 Subparagraph (a) of this Paragraph and used for emergency contact purposes.
25 (c) To administer benefits for another individual relating to an individual
26 described in Subparagraph (a) of this Paragraph and used for the purpose of
27 administering the benefits.
28 (24) An individual's processing of personal data for purely personal or
29 household purposes.
Page 12 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 (25) An air carrier.
2 C. A controller is in compliance with any obligation to obtain parental
3 consent pursuant to this Chapter if the controller complies with the verifiable
4 parental consent mechanisms as provided in the Children's Online Privacy
5 Protection Act, 15 U.S.C. 6501 et seq. and the act's implementing regulations
6 and exemptions.
7 D. This Chapter does not require a person to take any action in conflict
8 with the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C.
9 1320d et seq. or related regulations.
10 §1384. Preemption
11 A. The provisions of this Chapter supersede and preempt any ordinance,
12 resolution, rule, or other regulation adopted by a local political subdivision
13 regarding the processing of personal data by a controller or processor.
14 B. Any reference to federal law in this Chapter includes any rules or
15 regulations promulgated pursuant to that federal law.
16 §1385. Consumer rights
17 A. A consumer has the right to do all of the following:
18 (1) Confirm whether a controller is processing the consumer's personal
19 data.
20 (2) Access the consumer's personal data.
21 (3) Obtain a copy or accurate summary of the consumer's personal data
22 that the consumer provided to the controller within the twelve months
23 preceding the consumer's request, in a format that satisfies all of the following:
24 (a) To the extent technically feasible, is portable.
25 (b) To the extent practicable, is readily usable.
26 (c) Allows the consumer to transmit the data to another controller
27 without impediment, if the processing is carried out by automated means.
28 (4) Correct inaccuracies in the consumer's personal data.
29 (5) Delete the consumer's personal data that the consumer provided to
Page 13 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 the controller.
2 (6) Opt out of the processing of the consumer's personal data for either
3 of the following purposes:
4 (a) Targeted advertising.
5 (b) The sale of personal data.
6 B. Nothing in this Section requires a person to cause a breach of a
7 security system as defined in R.S. 51:3073.
8 §1386. Exercising consumer rights
9 A. A consumer may exercise a right provided for in R.S. 51:1385 by
10 submitting a request to a controller, by means prescribed by the controller,
11 specifying the right the consumer intends to exercise.
12 B. In the case of processing personal data concerning a known child, the
13 parent or legal guardian of the known child shall exercise a right on the child's
14 behalf.
15 C. In the case of processing personal data concerning a consumer subject
16 to a guardianship, conservatorship, or other protective arrangement, the
17 guardian or the conservator of the consumer shall exercise a right on the
18 consumer's behalf.
19 §1387. Controller's response to request
20 A. Subject to the other provisions of this Chapter, a controller shall
21 comply with a consumer's request to exercise a right pursuant to R.S. 51:1386.
22 B.(1) Within forty-five days of receiving a request to exercise a right, the
23 controller shall do both of the following:
24 (a) Take action on the consumer's request.
25 (b) Inform the consumer of any action taken on the consumer's request.
26 (2) The controller may extend the initial forty-five-day period by an
27 additional forty-five days, if reasonably necessary due to the complexity of the
28 request or the volume of the requests received by the controller. The controller
29 may extend the period only once.
Page 14 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 (3) If a controller extends the initial forty-five-day period, before the
2 initial forty-five-day period expires, the controller shall do all of the following:
3 (a) Inform the consumer of the extension, including the length of the
4 extension.
5 (b) Provide the reasons the extension is reasonably necessary as
6 described in Paragraph (2) of this Subsection.
7 (4) The forty-five-day period does not apply if the controller reasonably
8 suspects the consumer's request is fraudulent, and the controller is not able to
9 authenticate the request before the forty-five-day period expires.
10 (5) If, in accordance with the provisions of this Section, a controller
11 chooses not to take action on a consumer's request, the controller shall, within
12 forty-five days after the day on which the controller receives the request, inform
13 the consumer of the reasons for not taking action.
14 C.(1) A controller may not charge a fee for information in response to a
15 request, unless the request is the consumer's second or subsequent request
16 during the same twelve-month period.
17 (2)(a) Notwithstanding Paragraph (1) of this Subsection, a controller
18 may charge a reasonable fee to cover the administrative costs of complying with
19 a request or may refuse to act on a request, if any of the following is true:
20 (i) The request is excessive, repetitive, technically infeasible, or
21 manifestly unfounded.
22 (ii) The controller reasonably believes the consumer's primary purpose
23 in submitting the request was something other than exercising a right.
24 (iii) The request, individually or as part of an organized effort, harasses,
25 disrupts, or imposes an undue burden on the resources of the controller's
26 business.
27 (b) A controller who charges a fee or refuses to act in accordance with
28 this Subsection bears the burden of demonstrating the request satisfied one or
29 more of the criteria described in Subparagraph (C)(2)(a) of this Subsection.
Page 15 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 D. If a controller is unable to authenticate a consumer request to exercise
2 a right described in R.S. 51:1385 using commercially-reasonable efforts, the
3 controller is not required to comply with the request and may request that the
4 consumer provide additional information reasonably necessary to authenticate
5 the request.
6 §1388. Responsibility according to role
7 A. A processor shall do both of the following:
8 (1) Adhere to the controller's instructions.
9 (2) Taking into account the nature of the processing and information
10 available to the processor, by appropriate technical and organizational
11 measures, insofar as reasonably practicable, assist the controller in meeting the
12 controller's obligations, including obligations related to the security of
13 processing personal data and notification of a breach of a security system
14 described in R.S. 51:3073.
15 B. Before a processor performs processing on behalf of a controller, the
16 processor and controller shall enter into a contract that satisfies all of the
17 following criteria:
18 (1) Clearly sets forth instructions for processing personal data, the
19 nature and purpose of the processing, the type of data subject to processing, the
20 duration of the processing, and the parties' rights and obligations.
21 (2) Requires the processor to ensure each person processing personal
22 data is subject to a duty of confidentiality with respect to the personal data.
23 (3) Requires the processor to engage any subcontractor pursuant to a
24 written contract that requires the subcontractor to meet the same obligations
25 as the processor with respect to the personal data.
26 C.(1) Determining whether a person is acting as a controller or processor
27 with respect to a specific processing of data is a fact-based determination that
28 depends upon the context in which personal data is to be processed.
29 (2) A processor that adheres to a controller's instructions with respect
Page 16 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 to a specific processing of personal data remains a processor.
2 §1389. Responsibilities of controllers
3 A.(1) A controller shall provide consumers with a reasonably accessible
4 and clear privacy notice that includes all of the following:
5 (a) The categories of personal data processed by the controller.
6 (b) The purposes for which the categories of personal data are processed.
7 (c) How consumers may exercise a right.
8 (d) The categories of personal data that the controller shares with third
9 parties, if any.
10 (e) The categories of third parties, if any, with whom the controller
11 shares personal data.
12 (2) If a controller sells a consumer's personal data to one or more third
13 parties or engages in targeted advertising, the controller shall clearly and
14 conspicuously disclose to the consumer the manner in which the consumer may
15 exercise the right to opt out of each of the following:
16 (a) Processing for targeted advertising.
17 (b) Sale of the consumer's personal data.
18 B.(1) A controller shall establish, implement, and maintain reasonable
19 administrative, technical, and physical data security practices designed to
20 satisfy all of the following criteria:
21 (a) Protect the confidentiality and integrity of personal data.
22 (b) Reduce reasonably foreseeable risks of harm to consumers relating
23 to the processing of personal data.
24 (2) Considering the controller's business size, scope, and type, a
25 controller shall use data security practices that are appropriate for the volume
26 and nature of the personal data at issue.
27 C. Except as otherwise provided for in this Chapter, a controller shall
28 not process sensitive data collected from a consumer without doing either of the
29 following:
Page 17 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 (1) Presenting the consumer with clear notice and an opportunity to opt
2 out of the processing, prior to the data being processed.
3 (2) Processing the data in accordance with the Children's Online Privacy
4 Protection Act, 15 U.S.C. 6501 et seq., and the act's implementing regulations
5 and exemptions, in the case of the processing of personal data concerning a
6 known child.
7 D.(1) A controller may not discriminate against a consumer for
8 exercising a right by doing any of the following:
9 (a) Denying a good or service to the consumer.
10 (b) Charging the consumer a different price or rate for a good or service.
11 (c) Providing the consumer a different level of quality of a good or
12 service.
13 (2) This Subsection does not prohibit a controller from offering a
14 different price, rate, level, quality, or selection of a good or service to a
15 consumer, including offering a good or service for no fee or at a discount, if
16 either of the following is true:
17 (a) The consumer has opted out of targeted advertising.
18 (b) The offer is related to the consumer's voluntary participation in a
19 bona fide loyalty, rewards, premium features, discounts, or club card program.
20 E. Notwithstanding the provisions of Subsection D of this Section, a
21 controller is not required to provide a product, service, or functionality to a
22 consumer if all of the following are satisfied:
23 (1) The consumer's personal data is or the processing of the consumer's
24 personal data is reasonably necessary for the controller to provide the consumer
25 the product, service, or functionality.
26 (2) The consumer does not do either of the following:
27 (a) Provide the consumer's personal data to the controller.
28 (b) Allow the controller to process the consumer's personal data.
29 F. Any provision of a contract that purports to waive or limit a
Page 18 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 consumer's right in accordance with this Chapter is absolutely null.
2 §1390. Processing deidentified data
3 A. A controller of deidentified data shall:
4 (1) Take reasonable measures to ensure that a person cannot associate
5 the data with an individual.
6 (2) Publicly commit to maintain and use the data only in its deidentified
7 form and to not attempt to reidentify the data.
8 (3) Contractually obligate any recipient of the data to comply with the
9 requirements of this Subsection.
10 B. The provisions of this Chapter do not require a controller or
11 processor to do any of the following:
12 (1) Reidentify deidentified data.
13 (2) Maintain data in identifiable form or obtain, retain, or access any
14 data or technology for the purpose of allowing the controller or processor to
15 associate a consumer request with personal data.
16 (3)(a) Comply with an authenticated consumer request to exercise a right
17 as described in R.S. 51:1386, if the controller complies with Subparagraph (b)
18 of this Paragraph and either of the following is satisfied:
19 (i) The controller is not reasonably capable of associating the request
20 with the personal data.
21 (ii) It would be unreasonably burdensome for the controller to associate
22 the request with the personal data.
23 (b) For purposes of Subparagraph (a) of this Paragraph, the controller
24 does not do any of the following:
25 (i) Use the personal data to recognize or respond to the consumer who
26 is the subject of the personal data.
27 (ii) Associate the personal data with other personal data about the
28 consumer.
29 (iii) Sell or otherwise disclose the personal data to any third party other
Page 19 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 than a processor, except as otherwise permitted in this Chapter.
2 C. A controller who uses deidentified data shall take reasonable steps to
3 ensure the controller does all of the following:
4 (1) Complies with any contractual obligation to which the deidentified
5 data is subject.
6 (2) Promptly addresses any breach of a contractual obligation described
7 in Paragraph (1) of this Subsection.
8 §1391. Limitations
9 A. The requirements described in this Chapter do not restrict a
10 controller's or processor's ability to do any of the following:
11 (1) Comply with a federal, state, or local law, rule, or regulation.
12 (2) Comply with a civil, criminal, or regulatory inquiry, investigation,
13 subpoena, or summons by a federal, state, local, or other governmental entity.
14 (3) Cooperate with a law enforcement agency concerning activity that the
15 controller or processor reasonably and in good faith believes may violate
16 federal, state, or local laws, rules, or regulations.
17 (4) Investigate, establish, exercise, prepare for, or defend a legal claim.
18 (5) Provide a product or service requested by a consumer or a parent or
19 legal guardian of a child.
20 (6) Perform a contract to which the consumer or the parent or legal
21 guardian of a child is a party, including fulfilling the terms of a written
22 warranty or taking steps at the request of the consumer or parent or legal
23 guardian prior to entering into the contract with the consumer.
24 (7) Take immediate steps to protect an interest that is essential for the
25 life or physical safety of the consumer or of another individual.
26 (8)(a) Detect, prevent, protect against, or respond to a security incident,
27 identity theft, fraud, harassment, malicious or deceptive activity, or any illegal
28 activity.
29 (b) Investigate, report, or prosecute a person responsible for an action
Page 20 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 described in Subparagraph (a) of this Paragraph.
2 (9)(a) Preserve the integrity or security of systems.
3 (b) Investigate, report, or prosecute a person responsible for harming or
4 threatening the integrity or security of systems, as applicable.
5 (10) If the controller discloses the processing in a notice described in R.S.
6 51:1389, engage in public or peer-reviewed scientific, historical, or statistical
7 research in the public interest that adheres to all other applicable ethics and
8 privacy laws.
9 (11) Assist another person with an obligation described in this Section.
10 (12) Process personal data to do any of the following:
11 (a) Conduct internal analytics or other research to develop, improve, or
12 repair a controller's or processor's product, service, or technology.
13 (b) Identify and repair technical errors that impair existing or intended
14 functionality.
15 (c) Effectuate a product recall.
16 (13) Process personal data to perform an internal operation that is either
17 of the following:
18 (a) Reasonably aligned with the consumer's expectations based on the
19 consumer's existing relationship with the controller.
20 (b) Otherwise compatible with processing to aid the controller or
21 processor in providing a product or service specifically requested by a consumer
22 or a parent or legal guardian of a child or the performance of a contract to
23 which the consumer or a parent or legal guardian of a child is a party.
24 (14) Retain a consumer's email address to comply with the consumer's
25 request to exercise a right.
26 B. This Chapter does not apply if a controller's or processor's
27 compliance with this Chapter does any of the following:
28 (1) Violates an evidentiary privilege provided in the laws of this state.
29 (2) As part of a privileged communication, prevents a controller or
Page 21 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 processor from providing personal data concerning a consumer to a person
2 covered by an evidentiary privilege provided in the laws of this state.
3 (3) Adversely affects the privacy or other rights of any person.
4 C. A controller or processor is not in violation of this Chapter if all of the
5 following are true:
6 (1) The controller or processor discloses personal data to a third-party
7 controller or processor in compliance with this Chapter.
8 (2) The third party processes the personal data in violation of this
9 Chapter.
10 (3) The disclosing controller or processor did not have actual knowledge
11 of the third party's intent to commit a violation of this Chapter.
12 D. If a controller processes personal data in accordance with an
13 exemption described in Subsection C of this Section, the controller bears the
14 burden of demonstrating that the processing qualifies for the exemption.
15 E. Nothing in this Chapter requires a controller, processor, third party,
16 or consumer to disclose a trade secret.
17 §1392. No private cause of action
18 A violation of this Chapter does not provide a basis for, nor is a violation
19 of this Chapter subject to, a private right of action pursuant to this Chapter or
20 any other law.
21 §1393. Investigative powers
22 A. The division shall establish and administer a system to receive
23 consumer complaints regarding a controller's or processor's alleged violation
24 of this Chapter.
25 B.(1) The division may investigate a consumer complaint to determine
26 whether the controller or processor violated or is violating this Chapter.
27 (2) If the director has reasonable cause to believe that substantial
28 evidence exists that a person identified in a consumer complaint is in violation
29 of this Chapter, the director shall refer the matter to the attorney general.
Page 22 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 (3) Upon request, the division shall provide consultation and assistance
2 to the attorney general in enforcing this Chapter.
3 §1394. Enforcement powers of the attorney general
4 A. The attorney general has the exclusive authority to enforce this
5 Chapter.
6 B. Upon referral from the division, the attorney general may initiate an
7 enforcement action against a controller or processor for a violation of this
8 Chapter.
9 C.(1) At least thirty days before the day on which the attorney general
10 initiates an enforcement action against a controller or processor, the attorney
11 general shall provide the controller or processor with all of the following:
12 (a) Written notice identifying each provision of this Chapter the attorney
13 general alleges the controller or processor has violated or is violating.
14 (b) An explanation of the basis for each allegation.
15 (2) The attorney general may not initiate an action if the controller or
16 processor does all of the following:
17 (a) Cures the noticed violation within thirty days after the day on which
18 the controller or processor receives the written notice described in Paragraph
19 (1) of this Subsection.
20 (b) Provides the attorney general an express written statement that
21 attests to both of the following:
22 (i) The violation has been cured.
23 (ii) No further violation of the cured violation will occur.
24 (3) The attorney general may initiate an action against a controller or
25 processor who does either of the following:
26 (a) Fails to cure a violation after receiving the notice described in
27 Paragraph (1) of this Subsection.
28 (b) After curing a noticed violation and providing a written statement in
29 accordance with Paragraph (2) of this Subsection, continues to violate this
Page 23 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 Chapter.
2 (4) In an action described in this Section, the attorney general may
3 recover all of the following:
4 (a) Actual damages to the consumer.
5 (b) For each violation described in Paragraph (3) of this Subsection, a
6 civil fine in an amount not to exceed seven thousand five hundred dollars.
7 D. All money received from an action pursuant to this Chapter shall be
8 deposited into the Consumer Privacy Account established in R.S. 51:1395.
9 E. If more than one controller or processor are involved in the same
10 processing in violation of this Chapter, the liability for the violation shall be
11 allocated among the controllers or processors according to the principles of
12 comparative fault.
13 §1395. Data protection assessments
14 A. A controller shall not conduct processing that presents a heightened
15 risk of harm to a consumer without conducting and documenting a data
16 protection assessment of each of its processing activities that involve personal
17 data acquired on or after the effective date of this Chapter that present a
18 heightened risk of harm to a consumer.
19 B. For purposes of this Section, "processing that presents a heightened
20 risk of harm to a consumer" includes all of the following:
21 (1) Processing personal data for purposes of targeted advertising or for
22 profiling if the profiling presents a reasonably foreseeable risk of any of the
23 following:
24 (a) Unfair or deceptive treatment of consumers.
25 (b) Unlawful disparate impact on consumers.
26 (c) Financial or physical injury to consumers.
27 (d) An intrusion, physical or otherwise, upon the solitude or seclusion,
28 or the private affairs or concerns of consumers, if the intrusion would be
29 offensive to a reasonable person.
Page 24 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 (e) Other substantial injury to consumers.
2 (2) Selling personal data.
3 (3) Processing sensitive data.
4 C. Data protection assessments shall identify and weigh the benefits that
5 may flow, directly and indirectly, from the processing to the controller, the
6 consumer, other stakeholders, and the public against the potential risks to the
7 rights of the consumer associated with the processing, as mitigated by
8 safeguards that the controller can employ to reduce the risks. The controller
9 shall factor into this assessment the use of deidentified data and the reasonable
10 expectations of consumers, as well as the context of the processing and the
11 relationship between the controller and the consumer whose personal data will
12 be processed.
13 D. A controller shall make the data protection assessment available to
14 the attorney general upon request. The attorney general may evaluate the data
15 protection assessment for compliance with the duties provided for in this
16 Chapter. Data protection assessments are confidential and exempt from public
17 inspection and copying in accordance with the Public Records Law as provided
18 in R.S. 44:1 et seq. The disclosure of a data protection assessment pursuant to
19 a request from the attorney general pursuant to this Subsection does not
20 constitute a waiver of any attorney-client privilege or work-product protection
21 that might otherwise exist with respect to the assessment and any information
22 contained in the assessment.
23 E. A single data protection assessment may address a comparable set of
24 processing operations that include similar activities.
25 F. Data protection assessment requirements apply to processing activities
26 created or generated after December 1, 2024.
27 §1396. Consumer privacy restricted account
28 A. There is created a restricted account known as the "Consumer
29 Privacy Account".
Page 25 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 B. The account shall be funded by money received through civil
2 enforcement actions pursuant to this Chapter.
3 C. Upon appropriation, the division or the attorney general may use
4 money deposited into the account for any of the following:
5 (1) Investigative and administrative costs incurred by the division in
6 investigating consumer complaints alleging violations of this Chapter.
7 (2) Recovery of costs and attorney fees accrued by the attorney general
8 in enforcing this Chapter.
9 (3) Providing consumer and business education regarding any of the
10 following:
11 (a) Consumer rights pursuant to this Chapter.
12 (b) Compliance with the provisions of this Chapter for controllers and
13 processors.
14 D. If the balance in the account exceeds four million dollars at the close
15 of any fiscal year, the state treasurer shall transfer the amount that exceeds four
16 million dollars into the state general fund.
17 §1397. Attorney general report
18 A. The attorney general and the division shall compile a report composed
19 of all of the following:
20 (1) An evaluation of the liability and enforcement provisions of this
21 Chapter, including the effectiveness of the attorney general's and the division's
22 efforts to enforce this Chapter.
23 (2) A summary of the data protected and not protected by this Chapter
24 including, with reasonable detail, a list of the types of information that are
25 publicly available from local, state, and federal government sources.
26 B. The attorney general and the division may update the report as new
27 information becomes available.
28 C. The attorney general and the division shall submit the report to the
29 House Committee on Commerce and Senate Committee on Commerce,
Page 26 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
1 Consumer Protection, and International Affairs before July 1, 2026.
2 Section 3. This Act shall become effective on December 31, 2024.
The original instrument and the following digest, which constitutes no part
of the legislative instrument, were prepared by Xavier I. Alexander.
DIGEST
SB 199 Original 2023 Regular Session Womack
Proposed law shall be known and may be cited as "The Louisiana Consumer Privacy Act".
Proposed law provides for definitions.
Proposed law applies to a controller or a processor who conducts business in this state or
targets a product or service to residents of this state, has annual revenue of at least
$25,000,000, and satisfies either of the following:
(1)During a calendar year, controls or processes the personal data of at least 100,000
consumers.
(2)Derives over 50% of gross revenue from selling personal data and controls or
processes the personal data of at least 25,000 consumers.
Proposed law does not apply to any of the following:
(1)A governmental agency or a third party who has a contract with a governmental
entity and acting on the entity's behalf.
(2)A tribe.
(3)An institution of higher education.
(4)A nonprofit corporation.
(5)A covered entity.
(6)A business associate.
(7)Certain protected health information.
(8)Certain identifying information.
(9)Certain information collected, processed, sold, or regulated pursuant to federal law.
(10)Information that has become intermingled with and indistinguishable from certain
exempted information.
(11)Activity by a consumer reporting agency, a furnisher of information, or a user of a
consumer report, if the activity is subject to the federal Fair Credit Reporting Act and
involves the collection, maintenance, disclosure, sale, communication, or use of any
personal data that bears on certain enumerated factors.
(12)A financial institution governed by federal law.
(13)Data that is processed or maintained relative to employment, emergency contact
information, or administration of benefits.
Page 27 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
(14)Personal or household processing.
(15)An air carrier.
Proposed law cites federal law as the operating standard for compliance with any obligation
to obtain parental consent.
Proposed law preempts any conflicting local regulation.
Proposed law provides that a consumer has the right to do all of the following:
(1)Confirm whether a controller is processing his data.
(2)Access his personal data.
(3)Obtain a copy or accurate summary of his personal data.
(4)Correct inaccuracies in the personal data.
(5)Delete the personal data that was supplied by the consumer.
(6)Opt out of the processing of data for the purposes of targeted advertising or the sale
of personal data.
Proposed law provides that a consumer or legal representative of the consumer may exercise
the rights provided in proposed law by submitting a request to the controller, in a means
prescribed by the controller.
Proposed law requires a controller to comply with a consumers request to exercise a right
provided for in proposed law and further requires the controller take action and notify the
consumer of such action within 45 days of receipt of the request.
Proposed law allows the controller to extend the response time by an additional 45 days if
reasonably necessary. The controller is required to notify the consumer if the time period for
action is extended and provide a reason for the extension.
Proposed law does not require a controller to comply with the 45-day limit if he reasonably
suspects fraud and cannot authenticate the request prior to lapse of the 45 days. If a
controller chooses not to take action on a request, proposed law requires the controller to
notify the consumer of the reason for not taking action within 45 days of receiving the
request.
Proposed law prohibits the controller from charging a fee for information in response to a
request, unless any of the following is true:
(1)The request is the consumer's second or subsequent request during the same 12-
month period.
(2)The request is excessive, repetitive, technically infeasible, or manifestly unfounded.
(3)The controller believes that the consumer's primary purpose in making the request
was not to exercise a right provided in proposed law.
(4)The request harasses, disrupts, or places an undue burden on the controller's
business.
Proposed law provides that a controller who charges a fee based on the exceptions in
proposed law bears the burden of proving that the necessary criteria is met.
Page 28 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
Proposed law allows a controller to request additional information from a consumer if
reasonably necessary to respond to the request.
Proposed law requires a processor to adhere to the controller's instructions and assist the
controller in meeting his obligations, to the extent practicable.
Proposed law requires that prior to performing on behalf of a controller, the processor and
controller enter into a contract. Proposed law requires that the contract contain clear
instructions, a duty of confidentiality, and certain provisions relative to subcontractors.
Proposed law provides for the determination of a person as a controller or processor.
Proposed law requires a controller to provide consumers with a clear and accessible privacy
notice containing all of the following:
(1)The categories of data processed by the controller.
(2)The purposes for which the data is being processed.
(3)How consumers can exercise a right provided in proposed law.
(4)The categories of data the controller shares with third party.
(5)The categories of third parties the controller shares data with.
Proposed law requires a controller to disclose to the consumer the manner in which he may
opt out of processing for targeted advertising or sale of his data.
Proposed law requires a controller to create and maintain reasonable and appropriate data
security practices that protect the confidentiality and integrity of personal data and reduce
harm to consumers.
Proposed law prohibits a controller from processing sensitive data without first notifying the
consumer of his right to opt out. Proposed law defers to federal law if the personal data
belongs to a child.
Proposed law prohibits a controller from discriminating against a consumer for exercising
a right provided in proposed law.
Proposed law does not require a controller to provide a product, service, or functionality to
a consumer in certain circumstances.
Proposed law cannot be waived or limited through a contractual provision.
Proposed law does not require a controller or processor to do any of the following, as long
as the controller does not engage in certain prohibited activity:
(1)Reidentify certain data.
(2)Maintain data in an identifiable form.
(3)Comply with a request that is not reasonably associated with the personal data or it
would be unreasonably burdensome to do so.
Proposed law requires a controller who uses deidentified data to take reasonable steps to
ensure that he complies with all contractual obligations relative to that data and to promptly
address any breach of the contract.
Page 29 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
Proposed law does not restrict a controller or processor from doing any of the following:
(1)Complying with any law or legal order.
(2)Cooperating with law enforcement.
(3)Participating in a legal claim,
(4)Providing a requested service or product.
(5)Performing a contract.
(6)Protecting an interest essential for life or physical safety.
(7)Taking necessary steps in response to certain incidents.
(8)Taking actions relative to the integrity or security of systems.
(9)Engaging in certain research.
(10)Assisting another person in exercising a right provided in proposed law.
(11)Processing personal data for certain purposes.
(12)Retaining a consumer's email address to comply with his request.
Proposed law does not apply if compliance by the controller or processor would result in a
violation of an evidentiary rule or privilege or would adversely affect the privacy rights of
another.
Proposed law provides that a controller or processor is not in violation of proposed law if
he provides data to a third party in accordance with proposed law and the third party then
processes the data in violation of proposed law, if he had no knowledge of the intent to
commit a violation. If a controller or processor processes data pursuant to an exception in
proposed law, he bears the burden of proving that the necessary criteria are met.
Proposed law requires a controller to conduct and document a data protection assessment
prior to engaging in processing that presents a heightened risk of harm to a consumer.
Proposed law provides a list of processing activities that are considered to present a
heightened risk of harm to a consumer.
Proposed law provides that data protection assessments are confidential and exempt from
the Public Records Law.
Proposed law does not allow any person to disclose a trade secret.
Proposed law provides that a violation of proposed law does not provide a basis for a private
cause of action.
Proposed law requires that a system to receive consumer complaints be established and
administered by the consumer protection section within the Dept. of Justice.
Proposed law allows the section to investigate complaints and refer the matter to the attorney
general if a violation is substantiated. Further provides the attorney general has the exclusive
authority to enforce proposed law.
Proposed law requires the attorney general to provide notice and explanation to a controller
Page 30 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions. SB NO. 199
SLS 23RS-385 ORIGINAL
or processor at least 30 days prior to initiating an enforcement action. If the controller or
processor cures the noticed violation within 30 days of receipt of notice and provides
attestation to the attorney general, proposed law prohibits the attorney general from initiating
the action.
Proposed law allows the attorney general to initiate an action if the controller continues to
violate proposed law after remedying the problem and providing notice. The attorney general
may recover actual damages to the consumer and a civil fine of up to $7,500 per violation
of proposed law.
Proposed law provides that if a controller and processor are involved in the same violation
of proposed law, comparative fault is used to allocate liability.
Proposed law creates the Consumer Privacy Account (account) where all monies received
from an action arising out of proposed law are to be deposited. Further provides that the
money in the account may be used for investigative and administrative costs, recovery of
costs and attorney fees, and consumer and business education programs. If the balance in the
account exceeds $4,000,000 at the close of any fiscal year, all funds in excess of $4,000,000
are to be deposited into the general fund.
Proposed law requires the section and the attorney general to submit a report evaluating and
summarizing various aspects of proposed law. The report is to be submitted to the House and
Senate commerce committees before July 1, 2026.
Effective December 31, 2024.
(Amends R.S. 44:4.1(B)(35); adds R.S. 51:1381-1397)
Page 31 of 31
Coding: Words which are struck through are deletions from existing law;
words in boldface type and underscored are additions.