Abstract: Provides relative to the protection of data by certain persons and entities.
Proposed law shall be known and may be cited as "The Louisiana Consumer Privacy Act".
Proposed law provides for definitions.
Proposed law applies to a controller or a processor who conducts business in this state or targets a
product or service to residents of this state, has annual revenue of at least $25,000,000, and satisfies
either of the following:
(1) During a calendar year, controls or processes the personal data of at least 100,000 consumers.
(2) Derives over 50% of gross revenue from selling personal data and controls or processes the
personal data of at least 25,000 consumers.
Proposed law does not apply to any of the following:
(1) A governmental agency or a third party who has a contract with a governmental entity and
is acting on the entity's behalf.
(2) A tribe.
(3) An institution of higher education.
(4) A nonprofit corporation.
(5) A covered entity.
(6) A business associate.
(7) Certain protected health information.
(8) Certain identifying information.
(9) Certain information collected, processed, sold, or regulated pursuant to federal law.
(10) Information that has become intermingled with and indistinguishable from certain exempted
information.
(11) Activity by a consumer reporting agency, a furnisher of information, or a user of a consumer
report, if the activity is subject to the federal Fair Credit Reporting Act and involves the
collection, maintenance, disclosure, sale, communication, or use of any personal data that
bears on certain enumerated factors.
(12) A financial institution governed by federal law.
(13) Data that is processed or maintained relative to employment, emergency contact information,
or administration of benefits.
(14) Personal or household processing.
(15) An air carrier.
Proposed law cites federal law as the operating standard for compliance with any obligation to obtain
parental consent.
Proposed law preempts any conflicting local regulation.
Proposed law provides that a consumer has the right to do all of the following:
(1) Confirm whether a controller is processing his data.
(2) Access his personal data.
(3) Obtain a copy or accurate summary of his personal data.
(4) Correct inaccuracies in the personal data.
(5) Delete the personal data that was supplied by the consumer.
(6) Opt out of the processing of data for the purposes of targeted advertising or the sale of
personal data.
Proposed law provides that a consumer or legal representative of the consumer may exercise the
rights provided in proposed law by submitting a request to the controller, in a means prescribed by
the controller.
Proposed law requires a controller to comply with a consumer's request to exercise a right provided
for in proposed law and further requires the controller to take action and notify the consumer of such
action within 45 days of receipt of the request.
Proposed law allows the controller to extend the response time by an additional 45 days if reasonably
necessary. The controller is required to notify the consumer if the time period for action is extended
and provide a reason for the extension.
Proposed law does not require a controller to comply with the 45-day limit if he reasonably suspects
fraud and cannot authenticate the request prior to lapse of the 45 days. If a controller chooses not to
take action on a request, proposed law requires the controller to notify the consumer of the reason
for not taking action within 45 days of receiving the request.
Proposed law prohibits the controller from charging a fee for information in response to a request,
unless any of the following is true:
(1) The request is the consumer's second or subsequent request during the same 12-month
period.
(2) The request is excessive, repetitive, technically infeasible, or manifestly unfounded.
(3) The controller believes that the consumer's primary purpose in making the request was not
to exercise a right provided in proposed law.
(4) The request harasses, disrupts, or places an undue burden on the controller's business.
Proposed law provides that a controller who charges a fee based on the exceptions in proposed law
bears the burden of proving that the necessary criteria are met.
Proposed law allows a controller to request additional information from a consumer if reasonably
necessary to respond to the request.
Proposed law requires a processor to adhere to the controller's instructions and assist the controller
in meeting his obligations, to the extent practicable.
Proposed law requires that prior to performing on behalf of a controller, the processor and controller
enter into a contract. Proposed law requires that the contract contain clear instructions, a duty of
confidentiality, and certain provisions relative to subcontractors.
Proposed law provides for the determination of a person as a controller or processor.
Proposed law requires a controller to provide consumers with a clear and accessible privacy notice
containing all of the following:
(1) The categories of data processed by the controller.
(2) The purposes for which the data is being processed.
(3) How consumers can exercise a right provided in proposed law.
(4) The categories of data the controller shares with a third party.
(5) The categories of third parties the controller shares data with.
Proposed law requires a controller to disclose to the consumer the manner in which he may opt out
of processing for targeted advertising or sale of his data.
Proposed law requires a controller to create and maintain reasonable and appropriate data security
practices that protect the confidentiality and integrity of personal data and reduce harm to consumers.
Proposed law prohibits a controller from processing sensitive data without first notifying the
consumer of his right to opt out. Proposed law defers to federal law if the personal data belongs to
a child.
Proposed law prohibits a controller from discriminating against a consumer for exercising a right
provided in proposed law.
Proposed law does not require a controller to provide a product, service, or functionality to a
consumer in certain circumstances.
Proposed law cannot be waived or limited through a contractual provision.
Proposed law does not require a controller or processor to do any of the following, as long as the
controller does not engage in certain prohibited activity:
(1) Reidentify certain data.
(2) Maintain data in an identifiable form.
(3) Comply with a request if the request is not reasonably associated with the personal data or
if it would be unreasonably burdensome to do so.
Proposed law requires a controller who uses deidentified data to take reasonable steps to ensure that
he complies with all contractual obligations relative to that data and to promptly address any breach
of the contract.
Proposed law does not restrict a controller or processor from doing any of the following:
(1) Complying with any law or legal order.
(2) Cooperating with law enforcement.
(3) Participating in a legal claim.
(4) Providing a requested service or product.
(5) Performing a contract.
(6) Protecting an interest essential for life or physical safety.
(7) Taking necessary steps in response to certain incidents.
(8) Taking actions relative to the integrity or security of systems.
(9) Engaging in certain research.
(10) Assisting another person in exercising a right provided in proposed law.
(11) Processing personal data for certain purposes.
(12) Retaining a consumer's email address to comply with his request.
Proposed law does not apply if compliance by the controller or processor would result in a violation
of an evidentiary rule or privilege or would adversely affect the privacy rights of another.
Proposed law provides that a controller or processor is not in violation of proposed law if he
provides data to a third party in accordance with proposed law and the third party then processes the
data in violation of proposed law, if he had no knowledge of the intent to commit a violation. If a
controller or processor processes data pursuant to an exception in proposed law, he bears the burden
of proving that the necessary criteria are met.
Proposed law requires a controller to conduct and document a data protection assessment prior to
engaging in processing that presents a heightened risk of harm to a consumer.
Proposed law provides a list of processing activities that are considered to present a heightened risk
of harm to a consumer.
Proposed law provides that data protection assessments are confidential and exempt from the Public
Records Law.
Proposed law does not allow any person to disclose a trade secret.
Proposed law provides that a violation of proposed law does not provide a basis for a private cause
of action.
Proposed law requires that a system to receive consumer complaints be established and administered
by the consumer protection section within the Dept. of Justice.
Proposed law allows the section to investigate complaints and refer the matter to the attorney general
if a violation is substantiated. Further provides that the attorney general has the exclusive authority to
enforce proposed law.
Proposed law requires the attorney general to provide notice and explanation to a controller or
processor at least 30 days prior to initiating an enforcement action. If the controller or processor
cures the noticed violation within 30 days of receipt of notice and provides attestation to the attorney
general, proposed law prohibits the attorney general from initiating the action.
Proposed law allows the attorney general to initiate an action if the controller continues to violate
proposed law after remedying the problem and providing notice. The attorney general may recover
actual damages to the consumer and a civil fine of up to $7,500 per violation of proposed law.
Proposed law provides that if a controller and processor are involved in the same violation of
proposed law, comparative fault is used to allocate liability.
Proposed law creates the Consumer Privacy Account (account) where all monies received from an
action arising out of proposed law are to be deposited. Further provides that the money in the account
may be used for investigative and administrative costs, recovery of costs and attorney fees, and
consumer and business education programs. If the balance in the account exceeds $4,000,000 at the
close of any fiscal year, all funds in excess of $4,000,000 are to be deposited into the general fund.
Proposed law requires the section and the attorney general to submit a report evaluating and
summarizing various aspects of proposed law. The report is to be submitted to the House and Senate
commerce committees before July 1, 2026.
Effective December 31, 2024.
(Amends R.S. 44:4.1(B)(35); adds R.S. 51:1381-1397)

Statutes affected:
HB947 Original: 44:1(B)(35)