June 2023

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION

The Louisiana Constitution of 1974, Article 1, Section 5, recognizes the right to be protected against unreasonable invasions of privacy by the state or state actors. The Louisiana Supreme Court has described the right to privacy as the right to be let alone and to be free from unnecessary public scrutiny. Capital City Press v. East Baton Rouge Parish Metro. Council, 96-1979 (La. 7/1/97), 696 So. 2d 562, 566.

In Louisiana jurisprudence, the right to privacy has been variously defined as 'the right to be let alone' and 'the right to an 'inviolate personality.'' Easter Seal Soc’y For Crippled Children and Adults of La., Inc. v. Playboy Enterprises, Inc., 530 So. 2d 643, 647 (La. App. 4 Cir. 1988), writ denied, 532 So. 2d 1390 (La. 1988).

The right to privacy embraces four different interests: the appropriation of an individual’s name or likeness for the use or benefit of the defendant; unreasonable intrusion upon the plaintiff’s physical solitude or seclusion; publicity which unreasonably places the plaintiff in a false light before the public; and unreasonable public disclosure of embarrassing private facts. Spellman v. Disc. Zone Gas Station, 07-496 (La. App. 5 Cir 12/27/07), 975 So. 2d 44, 47.

In ascertaining whether individuals have a constitutionally-protected, reasonable expectation of privacy, a court must determine: (i) whether the individual has an actual or subjective expectation of privacy, and (ii) whether that expectation is also of a type which society at large is prepared to recognize as being reasonable. Angelo Iafrate Constr., L.L.C. v. State, 2003-0892 (La. App. 1 Cir 05/14/04), 879 So. 2d 250, 255.

The constitutional privacy right is not absolute; it is qualified by the rights of others. The right to privacy is also limited by society’s right to be informed about legitimate subjects of public interest, Angelo Iafrate Constr., 879 So. 2d at 255, as well as the freedom of the press. Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386, 1390 (La. 1979).

2. KEY PRIVACY LAWS

Louisiana’s Data Security Breach Notification Act ('the Act'), §§51:3071 to 51:3077 of Title 51 of the Louisiana Revised Statutes ('La. Rev. Stat.'), was enacted in 2005, became effective on January 1, 2006, and was amended, effective August 1, 2018.

Pursuant to La. Rev. Stat. 51:3074, the notification obligations under the Act apply to all persons and legal entities that own or license computerized data that includes Louisiana residents’ personal information (La. Rev. Stat. 51:3074(C)). In cases where the breach involves computerized data that the person or agency does not own, then the person or agency must notify the owner (La. Rev. Stat. 51:3074(D)).

Pursuant to the Act, when a data breach results in 'personal information' being acquired and accessed by a third party without authorization, the Act generally requires notice to affected individuals and the Office of the Attorney General ('the AG'). 'Personal information' includes the resident’s last name and first name or first initial, in combination with one or more of the following data elements:

• social security number;

• driver’s license number or state identification card number;

• account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

• passport number; and

• biometric data, including fingerprints and other unique biological characteristics used to authenticate an individual’s identity to access a system or account.

However, the definition excludes 'publicly available information that is lawfully made available to the general public from federal, state, or local government records(La. Rev. Stat. 51:3073(4)(b)).

The protection for loss of 'personal information' under La. Rev. Stat. 51:3073(4)(a) extends only to Louisiana residents. However, no notification is required if the information was encrypted or redacted or if there is no reasonable likelihood of harm to the affected individuals.

Louisiana Administrative Code, Title 16 ('La. Admin. Code'), Part III, Chapter 7 promulgated by the AG, provides additional guidance regarding data breach notification obligations. According to these regulations, failure to give timely notice to the AG may result in fines of up to $5,000 per day. La. Admin. Code 16:III §701.

Unlike many other breach notification laws, Louisiana’s law creates a private right of action for persons harmed by violations of the Act, including the right to recover “actual damages” for failure to give timely notice under the Act (La. Rev. Stat. 51:3074(J), 3075).

3. HEALTH DATA

A patient’s health data (diagnosis, treatment, or health) held by a health maintenance organization generally must be kept confidential (§22:265 of Title 22 of the La. Rev. Stat.). In addition:

• §40:1171.4 of Title 40 of the La. Rev. Stat. provides for the confidentiality of HIV test results;

• Louisiana’s hospital and health records statute, §40:2144 of Title 40 of the La. Rev. Stat., provides patients with statutory rights of access to medical records; and 

• Louisiana Code of Evidence Article 510 provides for a healthcare provider–patient privilege, which may be waived in cases involving child abuse or molestation.

4. FINANCIAL DATA

Louisiana Insurance Data Security Law

For insurance customers, La. Rev. Stat. §22:1604(B) requires a Louisiana consumer resident's prior written consent before the consumer's non-public customer information may be accessed, released, or shared by an insurer in the course of selling or soliciting the purchase of insurance.

For insureds receiving a viatical settlement on their life insurance policies, La. Rev. Stat. §22:1795 limits the use and disclosure of the insured's identity and financial and medical information.

Disclosure of customer financial records

Louisiana-based financial institutions are bound by the privacy restrictions and procedural requirements regarding third-party financial information requests found in §6:333 of Title 6 of the La. Rev. Stat. In practice, this provision may require personal service upon any person whose financial information is being requested via subpoena or otherwise in the course of a legal proceeding.

5. EMPLOYMENT DATA

§23:368(B) of Title 23 of the La. Rev. Stat. limits the collection, use, and disclosure of employees' genetic information.

The Personal Online Account Privacy Protection Act, under §§51:1951 to 51:1955 of Title 51 of La. Rev. Stat., prohibits employers from penalizing an individual employee for failing to disclose certain login credentials. The employer may, however:

• request or require an employee or employee applicant 'to disclose any username, password, or other authentication information to the employer to gain access to or operate […]':
  • an 'electronic communications device' that is 'supplied in whole or in part by the employer'; or
  • an account or service affiliated with the employer's business purposes;
• discipline an employee for transferring employer data to a personal account or device without authorization; or
• investigate an employee in justified circumstances related to abuse of the employer's property.

6. ONLINE PRIVACY AND ONLINE BEHAVIOURAL ADVERTISING

As stated in the previous section, the Personal Online Account Privacy Protection Act prohibits employers from penalizing an individual for failing to disclose certain login credentials. Other provisions relate to employee privacy, as set forth in section 5.

The Personal Online Account Privacy Protection Act also addresses student online privacy and provides that an educational institution is prohibited from doing the following:

• request or require a student or prospective student to disclose any username, password, or other authentication information that allows access to the student's or prospective student's personal online account; and
• expel, discipline, fail to admit, or otherwise penalize or threaten to penalize a student or prospective student for failure to disclose any specified information.

The educational institution may, however:

• request or require an employee or employee applicant to disclose user login credentials to gain access to, or to operate, an institution-supplied communications device, or an account or service provided by the institution;
• view all public-domain/stored student information; and
• restrict access to certain websites on institution-supplied hardware, software, or internet connection.

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Email marketing

Louisiana regulates unsolicited electronic mail sent to or from Louisiana electronic mail addresses through §51:2001 et seq. of Title 51 of the La. Rev. Stat.. In Louisiana, it is a crime to send unsolicited bulk electronic mail, defined as an electronic message sent to more than 1,000 recipients that is 'developed and distributed in an effort to sell or lease consumer goods or services', unless authorized by the electronic mail service provider (§14:73.1(15) and §14:73.6 of Title 14 of the La. Rev. Stat.). Further, electronic mail fraud is generally prohibited (La. Rev. Stat. §51:2003), with special protections for recipients of fraudulent electronic mail, text messages, or phone calls who are elderly or have special disabilities (La. Rev. Stat. §51:1409.1).

Pursuant to La. Rev. Stat. §51:2002, senders of unsolicited electronic communications must do each of the following:

• maintain a functioning return electronic mail address to which a recipient may send a reply indicating the recipient's desire not to receive further commercial electronic mail advertisements from the sender at the electronic mail address at which the message was received;
• maintain a functioning website at which a recipient may request their removal from the sender's mailing list;
• clearly and conspicuously disclose in the commercial electronic mail advertisement all of the following:
  • the recipient's right to decline to receive further unsolicited commercial electronic mail advertisements at the electronic mail address at which the message was received;
  • the recipient's ability to decline to receive further unsolicited commercial electronic mail advertisements by sending a message to the sender's functioning return electronic mail address; and
  • the sender's functioning return electronic mail address;
• include in the subject line of the commercial electronic mail advertisement 'ADV:' as the first four characters; and
• if the commercial electronic mail advertisement contains obscene material, include in the subject line of the commercial electronic mail advertisement 'ADV::ADLT' as the first eight characters.

8. PRIVACY POLICIES

Louisiana does not have data protection laws specific to privacy policies, nor does Louisiana law explicitly require organizations to post online privacy policies.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

The Louisiana Database Security Breach Notification Law, discussed in section 2, requires that persons subject to that statute 'shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.' The statute does not specify what records or data qualify as 'no longer to be retained' by the person or entity holding the data.

§14:73.7 of Title 14 of the La. Rev. Stat. establishes the crime of 'computer tampering', which criminalizes the unlawful destruction of data, and prohibits the following acts taken knowingly and without the authorization of the owner of a computer:

• accessing, or causing to be accessed, a computer or any part of a computer or any program or data contained within a computer;
• copying or otherwise obtaining any program or data contained within a computer;
• damaging or destroying a computer, or altering, deleting, or removing any program or data contained within a computer, or eliminating or reducing the ability of the owner of the computer to access or utilize the computer or any program or data contained within the computer; and
• introducing or attempting to introduce any electronic information of any kind and in any form into one or more computers, either directly or indirectly, and either simultaneously or sequentially, with the intention of damaging or destroying a computer, or altering, deleting, or removing any program or data contained within a computer, or eliminating or reducing the ability of the owner of the computer to access or utilize the computer or any program or data contained within the computer.

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

Right of publicity

Louisiana has a criminal right of publicity statute that provides protection only to deceased soldiers (§14:102.21 of Title 14 of the La. Rev. Stat.). The statute for soldiers expressly limits liability to circumstances in which the 'name, portrait, or picture' of a deceased soldier is used.

Louisiana law does not protect the post mortem rights of other persons, such that claims under the state's misappropriation tort have thus far been held not to survive death (Frigon v. Universal Pictures, 255 So.3d 591 (La. App. 2018), writ denied, 262 So.3d 896 (La. 2019)).

The state only recognizes a privacy-based tort of misappropriation (Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386 (La. 1979)).

One intermediate Louisiana appellate court has held that consent to the use of one's name or likeness is time-limited. In the context of a photograph, the court held that ten years after consent was given, continued consent could no longer be presumed (McAndrews v. Roy, 131 So. 2d 256 (La. Ct. App. 1961)).

Student data

Lousinana's Student Data Privacy Act, §17:3913 of Title 17 of the La. Rev. Stat. governs the transfer of personally identifiable student information. The statute grants rights of access to students and their parents or guardians, and it requires public schools to make available to the public information about the transfer of personally identifiable student information including: 

• a profile of each authorized recipient of such information;

• a copy of the signed agreement between the governing authority of the public school and the authorized recipient;

• a complete listing of all of the data elements authorized to be transferred;

• a statement of the intended use of the information, including references to legal authority or legal requirements associated with the transfer of such information;

• the name and contact information of the individual serving as the primary point of contact for inquiries about the agreement; and

• a process by which parents of students attending public schools may register a complaint related to the unauthorized transfer of personally identifiable student information.

For students, La. Rev. Stat. §17:3914 l limits the collection, use, and disclosure of student information. This statute requires school administrators to assign unique identifiers to all students and to collect and track parental consent to share personal information with third parties, including state agencies. It also provides for limitations on the collection and sharing of student information.

A 2022 amendment to §17:3914 of La. Rev. Stat. provides for the mandatory anonymizing of student social security numbers. 

Wiretapping

Louisiana recording law stipulates that it is a one-party consent recording state. Consequently, to use any device to record, obtain, use, or share communications, without the consent of at least one person taking part in the communication is a criminal offense punishable by a fine of not more than $10,000 or imprisonment of two to ten years. This applies to recordings of communications whether via wire, oral, or electronic (§15:1303 of Title 15 of the La. Rev. Stat.).

Voyeurism

Louisiana forbids the recording or sharing of an illegally-obtained recording under its video voyeurism laws (§14:283 of Title 14 of the La. Rev. Stat.). To be found liable under this statute, the purpose of the recording must be for a lewd or lascivious purpose, and the person being recorded must have a reasonable expectation of privacy.