Overview
On May 21, 2026, the Louisiana State Senate passed Senate Bill 386, which, if signed by Louisiana’s governor, will become the Louisiana Data Privacy Act (the LDPA) and come into effect January 1, 2027. The LDPA, although the latest entrant in the ongoing waltz of state privacy laws, thankfully does not introduce any novel privacy compliance obligations. The LDPA is, however, an interesting mix of California- and Connecticut-style laws. Companies doing business in Louisiana should assess the applicability of the LDPA and, if necessary, prepare for LDPA compliance before the end of this year.
In Depth
Who does the LDPA apply to?
The LDPA applies to a person or entity that conducts business in Louisiana and meets at least one of the following thresholds, which are borrowed from the California Consumer Privacy Act:
- Has an annual gross revenue greater than $25 million;
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenue from selling consumers’ personal information.
As with other state laws, “sale of personal data” means “the exchange of personal data for monetary or other valuable consideration” to a third party. A sale does not include disclosure of personal data to a processor, a third party for the purposes of providing a product requested by the consumer, or an affiliate, nor does a sale include the disclosure of information made publicly available by the consumer or made as part of a corporate transaction, such as a merger or acquisition.
Who is a consumer?
A consumer is a resident of Louisiana acting in an individual or household context. A consumer is not an individual acting in a commercial or employment context.
What is personal data?
The definition of “personal data” under the LDPA is a familiar one. Personal data is “information that is linked or can be reasonably linked to an identified or identifiable individual.” Deidentified data or publicly available information does not constitute personal data under the LDPA.
What is sensitive data?
The LDPA’s definition of sensitive data is also familiar, following other state privacy laws:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
- Genetic or biometric data processed for the purpose of uniquely identifying an individual;
- Personal data collected from a known child; or
- Precise geolocation data.
As in many recent state privacy laws, “precise geolocation data” means information derived from technology that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
Who can enforce the LDPA?
The Louisiana attorney general has exclusive enforcement authority. There is a 30-day cure period requirement that will sunset on July 31, 2027. Under the LDPA, the attorney general may bring a civil action under Louisiana’s Unfair Trade Practices and Consumer Protection Law for up to $5,000 per violation.
Who is exempt?
The LDPA provides for entity-level and data-level exemptions, both of which are generally standard for state privacy laws.
At the entity level, the LDPA exempts, among others, state agencies and political subdivisions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations, and institutions of higher education.
At the data level, the LDPA exemptions include but are not limited to personal data subject to the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, federal research laws, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and the Farm Credit Act.
What obligations are imposed?
The obligations imposed by the LDPA on controllers should look familiar:
- The controller’s processing must be reasonably necessary, as well as adequate, relevant, limited, and necessary to the controller’s purpose for processing the data;
- The controller must maintain reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data it processes;
- The controller must refrain from processing personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose unless the controller first obtains the consumer’s consent;
- The controller must provide consumers with a reasonably accessible and clear privacy notice that includes information on how consumers may exercise their rights;
- The controller must comply with authenticated consumer requests to exercise their rights and respond without undue delay;
- The controller must conduct data protection assessments for certain enumerated processing activities involving the processing of personal data, as described below; and
- The controller cannot process (or sell) sensitive data without consent. In the case of sensitive data of a known child, a controller must process such data in accordance with parental consent requirements under the Children’s Online Privacy Protection Act.
Data protection assessments
The LDPA requires controllers to conduct data protection assessments for:
- The processing of personal data for the purposes of targeted advertising;
- The sale of personal data;
- The processing of sensitive data;
- The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
  - Unfair, abusive, or deceptive treatment of consumers;
  - Financial, physical, or reputational injury to consumers;
  - Intrusion to the private affairs of consumers if it would be offensive to a reasonable person; or
  - Other substantial injury to consumers; or
- Any processing activities involving personal data that present a heightened risk of harm to consumers.
The LDPA’s data protection assessment requirements mirror those of other state privacy laws: The assessment must identify and weigh the benefits and risks of the processing, taking into account the use of deidentified data, reasonable consumer expectations, the context of the processing, and the controller–consumer relationship. Also similarly, a single assessment may address comparable processing operations, and an assessment prepared for another law may satisfy the LDPA if that assessment has a reasonably comparable scope and effect.
Assessments under the LDPA are confidential, although they may be requested by the Louisiana attorney general pursuant to a civil investigation demand. Finally, data protection assessments are required for applicable processing activities as of January 1, 2027, and are not retroactive.
What consumer rights are created by the LDPA?
The LDPA mirrors other state privacy laws in providing consumers rights regarding their personal data, including the right to:
- Confirm whether a controller is processing their personal data and access their personal data;
- Correct inaccuracies in their personal data;
- Delete their personal data maintained by the controller;
- Obtain a copy of their personal data;
- Opt out of their personal data being processed for targeted advertising, sale, or profiling in furtherance of solely automated significant decisions; and
- Appeal the controller’s refusal to take action on any of the rights enumerated above.
A parent or legal guardian of a known child may exercise these rights on the child’s behalf.
Response to consumer requests
A controller must respond to a consumer request within 45 days. This response period can be extended once by an additional 45 days if necessary, as long as the controller informs the consumer of the extension within the initial 45-day response period. If a controller declines to act on a consumer’s request, the controller must inform the consumer within 45 days of receiving the consumer’s request. In the controller’s notice to the consumer, the controller must state the justification for refusal and provide instructions for how to appeal the controller’s decision.
When does the LDPA take effect?
The LDPA will take effect on January 1, 2027.
* * *
While the LDPA may not introduce entirely novel compliance requirements in terms of US data privacy laws, organizations should be cognizant that the patchwork of such privacy laws is likely to expand by one patch and should prepare accordingly. If you have questions or need assistance with readiness work for new state consumer privacy laws, please contact your regular McDermott lawyer.