Thank You!

Join our community for free to access exclusive whitepapers, reports, and regulatory information.

By signing up you agree to OneTrust DataGuidance's Terms and Conditions and Privacy Policy.

Already have an account? Log in

Louisiana - Sectoral Privacy Overview

June 2024

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION

The Louisiana Constitution, Article 1, Section 5, recognizes the right to be protected against unreasonable invasions of privacy by the State or state actors. The Louisiana Supreme Court has described the right to privacy as the right to be let alone and to be free from unnecessary public scrutiny. Capital City Press v. East Baton Rouge Parish Metro. Council, 96-1979 (La. 7/1/97), 696 So. 2d 562, 566.

In Louisiana jurisprudence, the right to privacy has been variously defined as 'the right to be let alone' and 'the right to an 'inviolate personality.'' Easter Seal Soc'y For Crippled Children and Adults of La., Inc. v. Playboy Enterprises, Inc., 530 So. 2d 643, 647 (La. App. 4 Cir. 1988), writ denied, 532 So. 2d 1390 (La. 1988).

The right to privacy embraces four different interests: the appropriation of an individual's name or likeness for the use or benefit of the defendant; unreasonable intrusion upon the plaintiff's physical solitude or seclusion; publicity which unreasonably places the plaintiff in a false light before the public; and unreasonable public disclosure of embarrassing private facts. Spellman v. Disc. Zone Gas Station, 07-496 (La. App. 5 Cir 12/27/07), 975 So. 2d 44, 47.

In ascertaining whether individuals have a constitutionally-protected, reasonable expectation of privacy, a court must determine: (i) whether the individual has an actual or subjective expectation of privacy, and (ii) whether that expectation is also of a type which society at large is prepared to recognize as being reasonable. Angelo Iafrate Constr., L.L.C. v. State, 2003-0892 (La. App. 1 Cir 05/14/04), 879 So. 2d 250, 255.

The constitutional privacy right is not absolute; it is qualified by the rights of others. The right to privacy is also limited by society’s right to be informed about legitimate subjects of public interest, Angelo Iafrate Constr., 879 So. 2d at 255, as well as the freedom of the press. Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386, 1390 (La. 1979).

2. KEY PRIVACY LAWS

Louisiana's Data Security Breach Notification Act, Louisiana Revised Statutes §§51:3071 to 51:3077 (La. Rev. Stat.) was enacted in 2005, became effective on January 1, 2006, and was amended effective August 1, 2018.

Pursuant to La. Rev. Stat. 51:3074 (La. Rev. Stat. 51:3074), the notification obligations under the Act apply to all persons and legal entities that own or license computerized data that includes Louisiana residents' personal information La. Rev. Stat. 51:3074(C). In cases where the breach involves computerized data that the person or agency does not own, then the person or agency must notify the owner La. Rev. Stat. 51:3074(D).

Pursuant to the Data Security Breach Notification Act, when a data breach results in 'personal information' being acquired and accessed by a third party without authorization, the Act generally requires notice to affected individuals and the Office of the Attorney General (AG). 'Personal information' includes the resident’s last name and first name or first initial, in combination with one or more of the following data elements:

• social security number;
• driver's license number or state identification card number;
• account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
• passport number; and
• biometric data, including fingerprints and other unique biological characteristics used to authenticate an individual's identity to access a system or account.

However, the definition excludes 'publicly available information that is lawfully made available to the general public from federal, state, or local government records.' La. R.S. 51:3073(4)(b).

The protection for loss of 'personal information' under La. R.S. 51:3073(4)(a) extends only to Louisiana residents. However, no notification is required if the information was encrypted or redacted or if there is no reasonable likelihood of harm to the affected individuals.

Louisiana Administrative Code, Title 16, Part III, Chapter 7, promulgated by the AG, provides additional guidance regarding data breach notification obligations. According to these regulations, failure to give timely notice to the AG may result in fines of up to $5,000 per day. La. Admin. Code 16:III § 701.

Unlike many other breach notification laws, Louisiana's law creates a private right of action for persons harmed by violations of the Act, including the right to recover 'actual damages' for failure to give timely notice under the Act. La. Rev. Stat. 51:3074(J), and La. Rev. Stat. §51:3075.

3. HEALTH DATA

A patient's health data (diagnosis, treatment, or health) held by a health maintenance organization generally must be kept confidential (La. Rev. Stat. §22:265). In addition:

• La. Rev. Stat. §40:1171.4 provides for the confidentiality of HIV test results;
• Louisiana's hospital and health records statute, La. Rev. Stat. §40:2144 , provides patients with statutory rights of access to medical records; and
• Louisiana Code of Evidence Article 510 provides for a healthcare provider–patient privilege, which may be waived in cases involving child abuse or molestation.

4. FINANCIAL DATA

Louisiana Insurance Data Security Law

For insurance customers, La. Rev. Stat. §22:1604(B) requires a Louisiana consumer resident's prior written consent before the consumer's nonpublic customer information may be accessed, released, or shared by an insurer in the course of selling or soliciting the purchase of insurance.

For insureds receiving a viatical settlement on their life insurance policies, La. Rev. Stat. §22:1795 limits the use and disclosure of the insured's identity and financial and medical information.

Disclosure of customer financial records

Louisiana-based financial institutions are bound by the privacy restrictions and procedural requirements regarding third-party financial information requests found in La. Rev. Stat. §6:333 (Bank Privacy Act) may require personal service upon any person whose financial information is being requested via subpoena or otherwise in the course of a legal proceeding.

5. EMPLOYMENT DATA

La. Rev. Stat. §23:368(B) limits the collection, use and disclosure of employees’ genetic information.

The La. Rev. Stat. §§51:1951 to 51:1955 (Personal Online Account Privacy Protection Act) prohibits employers from penalizing an individual employee for failing to disclose certain login credentials. The employer may, however:

• request or require an employee or employee applicant 'to disclose any username, password, or other authentication information to the employer to gain access to or operate […]':
  • an 'electronic communications device' that is 'supplied in whole or in part by the employer'; or
  • an account or service affiliated with the employer's business purposes;

  6. ONLINE PRIVACY AND ONLINE BEHAVIOURAL ADVERTISING

  As stated in the previous section, the Personal Online Account Privacy Protection Act, prohibits employers from penalizing an individual for failing to disclose certain login credentials. Other provisions relate to employee privacy, as set forth in the section on employment data above.

  The Personal Online Account Privacy Protection Act also addresses student online privacy and provides that an educational institution is prohibited from doing the following:

  • request or require a student or prospective student to disclose any username, password, or other authentication information that allows access to the student's or prospective student's personal online account; and
  • expel, discipline, fail to admit, or otherwise penalize or threaten to penalize a student or prospective student for failure to disclose any specified information.

  The educational institution may, however:

  • request or require an employee or employee applicant to disclose user login credentials to gain access to, or to operate, an institution-supplied communications device, or an account or service provided by the institution;
  • view all public-domain/stored student information; and
  • restrict access to certain websites on institution-supplied hardware, software, or internet connection.

  7. UNSOLICITED COMMERCIAL COMMUNICATIONS

  Email marketing

  Louisiana regulates unsolicited electronic mail sent to or from Louisiana electronic mail addresses through La. Rev. Stat. §51:2001 et seq.. In Louisiana, it is a crime to send unsolicited bulk electronic mail, defined as an electronic message sent to more than 1,000 recipients that is 'developed and distributed in an effort to sell or lease consumer goods or services', unless authorized by the electronic mail service provider (§14:73.1(15) and §14:73.6 of La. Rev. Stat. Title 14). Further, electronic mail fraud is generally prohibited (La. Rev. Stat. §51:2003), with special protections for recipients of fraudulent electronic mail, text messages, or phone calls who are elderly or have special disabilities (La. Rev. Stat. §51:1409.1).

  Pursuant to La. Rev. Stat. §51:2002, senders of unsolicited electronic communications must do each of the following:

  • maintain a functioning return electronic mail address to which a recipient may send a reply indicating the recipient's desire not to receive further commercial electronic mail advertisements from the sender at the electronic mail address at which the message was received;
  • maintain a functioning website at which a recipient may request their removal from the sender's mailing list;
  • clearly and conspicuously disclose in the commercial electronic mail advertisement all of the following:
    • the recipient's right to decline to receive further unsolicited commercial electronic mail advertisements at the electronic mail address at which the message was received;
    • the recipient's ability to decline to receive further unsolicited commercial electronic mail advertisements by sending a message to the sender's functioning return electronic mail address; and
    • the sender's functioning return electronic mail address;

    8. PRIVACY POLICIES

    Louisiana does not have data protection laws specific to privacy policies, nor does Louisiana law explicitly require organizations to post online privacy policies.

    9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

    The Louisiana Database Security Breach Notification Act, discussed in the section on key privacy laws above, requires that persons subject to that statute 'shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.' The statute does not specify what records or data qualify as 'no longer to be retained' by the person or entity holding the data.

    La. Rev. Stat. §14:73.7 establishes the crime of 'computer tampering', which criminalizes the unlawful destruction of data, and prohibits the following acts taken knowingly and without the authorization of the owner of a computer:

    • accessing, or causing to be accessed, a computer or any part of a computer or any program or data contained within a computer;
    • copying or otherwise obtaining any program or data contained within a computer;
    • damaging or destroying a computer, or altering, deleting, or removing any program or data contained within a computer, or eliminating or reducing the ability of the owner of the computer to access or utilize the computer or any program or data contained within the computer; and
    • introducing or attempting to introduce any electronic information of any kind and in any form into one or more computers, either directly or indirectly, and either simultaneously or sequentially, with the intention of damaging or destroying a computer, or altering, deleting, or removing any program or data contained within a computer, or eliminating or reducing the ability of the owner of the computer to access or utilize the computer or any program or data contained within the computer.

    10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

    Right of publicity

    Louisiana has a criminal right of publicity statute that provides protection only to deceased soldiers (La. Rev. Stat. §14:102.21). The statute for soldiers expressly limits liability to circumstances in which the 'name, portrait, or picture' of a deceased soldier is used.

    Louisiana law does not protect the post mortem rights of other persons, such that claims under the state's misappropriation tort have thus far been held not to survive death (Frigon v. Universal Pictures, 255 So.3d 591 (La. App. 2018), writ denied, 262 So.3d 896 (La. 2019)).

    The state only recognizes a privacy-based tort of misappropriation (Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386 (La. 1979)).

    One intermediate Louisiana appellate court has held that consent to the use of one's name or likeness is time-limited. In the context of a photograph, the court held that ten years after consent was given, continued consent could no longer be presumed (McAndrews v. Roy, 131 So. 2d 256 (La. Ct. App. 1961)).

    Student data

    Lousinana's Student Data Privacy Act, La. Rev. Stat. §17:3913 governs the transfer of personally identifiable student information. The statute grants rights of access to students and their parents or guardians, and it requires public schools to make available to the public information about the transfer of personally identifiable student information including:

    • a profile of each authorized recipient of such information;
    • a copy of the signed agreement between the governing authority of the public school and the authorized recipient;
    • a complete listing of all of the data elements authorized to be transferred;
    • a statement of the intended use of the information, including references to legal authority or legal requirements associated with the transfer of such information;
    • the name and contact information of the individual serving as the primary point of contact for inquiries about the agreement; and
    • a process by which parents of students attending public schools may register a complaint related to the unauthorized transfer of personally identifiable student information.

    For students, La. Rev. Stat. §17:3914 l limits the collection, use, and disclosure of student information. This statute requires school administrators to assign unique identifiers to all students and to collect and track parental consent to share personal information with third parties, including state agencies. It also provides for limitations on the collection and sharing of student information.

    A 2022 amendment to La. Rev. Stat. §17:3914 provides for the mandatory anonymizing of student social security numbers.

    Wiretapping

    Louisiana recording law stipulates that it is a one-party consent recording state. Consequently, to use any device to record, obtain, use, or share communications, without the consent of at least one person taking part in the communication is a criminal offense punishable by a fine of not more than $10,000 or imprisonment of two to 10 years. This applies to recordings of communications whether via wire, oral, or electronic (La. Rev. Stat §15:1303.).

    Voyeurism

    Louisiana forbids the recording or sharing of an illegally-obtained recording under its video voyeurism laws (La. Rev. Stat. §14:283). To be found liable under this statute, the purpose of the recording must be for a lewd or lascivious purpose, and the person being recorded must have a reasonable expectation of privacy.