Louisiana - Sectoral Privacy Overview
Article 1, §5 of the Louisiana Constitution of 1974 ('the Constitution') recognises the right to be protected against unreasonable invasions of privacy by the state or state actors. The Louisiana Supreme Court has described the right to privacy as the right to be let alone and to be free from unnecessary public scrutiny (Capital City Press v. East Baton Rouge Parish Metro. Council, 96-1979 (La. 7/1/97), 696 So. 2d 562, 566).
In Louisiana jurisprudence, the right to privacy has been variously defined as "the right to be let alone" and "the right to an 'inviolate personality'" (Easter Seal Soc'y For Crippled Children and Adults of La., Inc. v. Playboy Enterprises, Inc., 530 So. 2d 643, 647 (La. App. 4 Cir. 1988), writ denied, 532 So. 2d 1390 (La. 1988)).
The right to privacy embraces four different interests (Spellman v. Disc. Zone Gas Station, 07-496 (La. App. 5 Cir 12/27/07), 975 So. 2d 44, 47):
- the appropriation of an individual's name or likeness for the use or benefit of the defendant;
- unreasonable intrusion upon the plaintiff's physical solitude or seclusion;
- publicity which unreasonably places the plaintiff in a false light before the public; and
- unreasonable public disclosure of embarrassing private facts.
In ascertaining whether individuals have a constitutionally-protected, reasonable expectation of privacy, a court must determine (Angelo Iafrate Constr., L.L.C. v. State, 2003-0892 (La. App. 1 Cir 05/14/04), 879 So. 2d 250, 255):
- whether the individual has an actual or subjective expectation of privacy; and
- whether that expectation is also of a type which society at large is prepared to recognise as being reasonable.
The constitutional privacy right is not absolute; it is qualified by the rights of others. The right to privacy is also limited by society's right to be informed about legitimate subjects of public interest (Angelo Iafrate Constr., 879 So. 2d at 255), as well as the freedom of the press (Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386, 1390 (La. 1979)).
The Database Security Breach Notification Law, under §§51:3071 to 51:3077 of Title 51 of the Louisiana Revised Statutes ('La. Rev. Stat.') was enacted in 2005, became effective on 1 January 2006, and was amended effective 1 August 2018.
Pursuant to La. Rev. Stat. §51:3074, the notification obligations under the Database Security Breach Notification Law apply to all persons and legal entities that own or license computerised data that includes Louisiana residents' personal information (La. Rev. Stat. §51:3074(C)). In cases where the breach involves computerised data that the person or agency does not own, then the person or agency must notify the owner (La. Rev. Stat. §51:3074(D)).
When a data breach results in 'personal information' being acquired and accessed by a third party without authorisation, the Database Security Breach Notification Law generally requires notice to affected individuals and the Louisiana Attorney General ('AG'). 'Personal information' includes the resident's last name and first name or first initial, in combination with one or more of the following data elements:
- social security number;
- driver's licence number or state identification card number;
- account number, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- passport number; and
- biometric data, including fingerprints and other unique biological characteristics used to authenticate an individual's identity to access a system or account.
However, the definition excludes 'publicly available information that is lawfully made available to the general public from federal, state, or local government records' (La. Rev. Stat. §51:3073(4)(b)).
The protection for loss of 'personal information' under La. Rev. Stat. §51:3073(4)(a) extends only to Louisiana residents. However, no notification is required if the information was encrypted or redacted, or if there is no reasonable likelihood of harm to the affected individuals.
According to regulations promulgated by the Louisiana AG, failure to give timely notice to the Louisiana AG may result in fines of up to $5,000 per day, pursuant to §701 of Title 16 of the Louisiana Administrative Code ('La. Admin. Code').
Unlike many other breach notification laws, Louisiana’s law creates a private right of action for persons harmed by violations of the Database Security Breach Notification Law, including the right to recover actual damages for failure to give timely notice under the Database Security Breach Notification Law (La. Rev. Stat. §§51:3074(J) and 51:3075).
A patient's health data (diagnosis, treatment, or health) held by a health maintenance organisation generally must be kept confidential (§22:265 of Title 22 of the La. Rev. Stat.).
- §40:1171.4 of Title 40 of the La. Rev. Stat. provides for the confidentiality of HIV test results;
- §40:2144 of Title 40 of the La. Rev. Stat. ('Hospital Records and Retention Act') provides patients with statutory rights of access to medical records; and
- Article 510 of the Code of Evidence provides for a healthcare provider-patient privilege, which may be waived in cases involving child abuse or molestation.
Louisiana Insurance Data Security Law
Louisiana's Insurance Data Security Law, under §§22:2501 to 22:2511 of Title 22 of the La. Rev. Stat. provides that for insurance customers, La. Rev. Stat. §22:1604(B) requires a Louisiana consumer resident's prior written consent before the consumer's non-public customer information may be accessed, released, or shared by an insurer in the course of selling or soliciting the purchase of insurance.
For insureds receiving a viatical settlement on their life insurance policies, La. Rev. Stat. §22:1795 limits the use and disclosure of the insured's identity and financial and medical information.
Disclosure of customer financial records
Louisiana-based financial institutions are bound by the privacy restrictions and procedural requirements regarding third-party financial information requests found in §6:333 of Title 6 of the La. Rev. Stat. In practice, this provision may require personal service upon any person whose financial information is being requested via subpoena or otherwise in the course of a legal proceeding.
§23:368(B) of Title 23 of the La. Rev. Stat. limits the collection, use, and disclosure of employees' genetic information.
The Personal Online Account Privacy Protection Act, under §§51:1951 to 51:1955 of Title 51 of La. Rev. Stat., prohibits employers from penalising an individual employee for failing to disclose certain login credentials. The employer may, however:
- request or require an employee or employee applicant 'to disclose any username, password, or other authentication information to the employer to gain access to or operate […]':
- an 'electronic communications device' that is 'supplied in whole or in part by the employer'; or
- an account or service affiliated with the employer's business purposes;
- discipline an employee for transferring employer data to a personal account or device without authorisation; or
- investigate an employee in justified circumstances related to abuse of the employer's property.
As stated in the previous section, the Personal Online Account Privacy Protection Act prohibits employers from penalising an individual for failing to disclose certain login credentials. Other provisions relate to employee privacy, as set forth in section 5.
The Personal Online Account Privacy Protection Act also addresses student online privacy and provides that an educational institution is prohibited from doing the following:
- request or require a student or prospective student to disclose any username, password, or other authentication information that allows access to the student's or prospective student's personal online account; and
- expel, discipline, fail to admit, or otherwise penalise or threaten to penalise a student or prospective student for failure to disclose any specified information.
The educational institution may, however:
- request or require an employee or employee applicant to disclose user login credentials to gain access to, or to operate, an institution-supplied communications device, or an account or service provided by the institution;
- view all public-domain/stored student information; and
- restrict access to certain websites on institution-supplied hardware, software, or internet connection.
Louisiana regulates unsolicited electronic mail sent to or from Louisiana electronic mail addresses through §51:2001 et seq. of Title 51 of the La. Rev. Stat.). In Louisiana, it is a crime to send unsolicited bulk electronic mail, defined as an electronic message sent to more than 1,000 recipients that is 'developed and distributed in an effort to sell or lease consumer goods or services', unless authorised by the electronic mail service provider (§14:73.1(15) and §14:73.6 of Title 14 of the La. Rev. Stat.). Further, electronic mail fraud is generally prohibited (La. Rev. Stat. §51:2003), with special protections for recipients of fraudulent electronic mail, text messages, or phone calls who are elderly or have special disabilities (La. Rev. Stat. §51:1409.1).
Pursuant to La. Rev. Stat. §51:2002, senders of unsolicited electronic communications must do each of the following:
- maintain a functioning return electronic mail address to which a recipient may send a reply indicating the recipient's desire not to receive further commercial electronic mail advertisements from the sender at the electronic mail address at which the message was received;
- maintain a functioning website at which a recipient may request their removal from the sender's mailing list;
- clearly and conspicuously disclose in the commercial electronic mail advertisement all of the following:
- the recipient's right to decline to receive further unsolicited commercial electronic mail advertisements at the electronic mail address at which the message was received;
- the recipient's ability to decline to receive further unsolicited commercial electronic mail advertisements by sending a message to the sender's functioning return electronic mail address; and
- the sender's functioning return electronic mail address;
- include in the subject line of the commercial electronic mail advertisement 'ADV:' as the first four characters; and
- if the commercial electronic mail advertisement contains obscene material, include in the subject line of the commercial electronic mail advertisement 'ADV::ADLT' as the first eight characters.
Louisiana does not have data protection laws specific to privacy policies, nor does Louisiana law explicitly require organisations to post online privacy policies.
The Louisiana Database Security Breach Notification Law, discussed in section 2, requires that persons subject to that statute 'shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means'. The statute does not specify what records or data qualify as 'no longer to be retained' by the person or entity holding the data.
§14:73.7 of Title 14 of the La. Rev. Stat. establishes the crime of 'computer tampering', which criminalises the unlawful destruction of data, and prohibits the following acts taken knowingly and without the authorisation of the owner of a computer:
- accessing, or causing to be accessed, a computer or any part of a computer or any program or data contained within a computer;
- copying or otherwise obtaining any program or data contained within a computer;
- damaging or destroying a computer, or altering, deleting, or removing any program or data contained within a computer, or eliminating or reducing the ability of the owner of the computer to access or utilise the computer or any program or data contained within the computer; and
- introducing or attempting to introduce any electronic information of any kind and in any form into one or more computers, either directly or indirectly, and either simultaneously or sequentially, with the intention of damaging or destroying a computer, or altering, deleting, or removing any program or data contained within a computer, or eliminating or reducing the ability of the owner of the computer to access or utilise the computer or any program or data contained within the computer.
Right of publicity
Louisiana has a criminal right of publicity statute that provides protection only to deceased soldiers (§14:102.21 of Title 14 of the La. Rev. Stat.). The statute for soldiers expressly limits liability to circumstances in which the 'name, portrait, or picture' of a deceased soldier is used.
Louisiana law does not protect the post mortem rights of other persons, such that claims under the state's misappropriation tort have thus far been held not to survive death (Frigon v. Universal Pictures, 255 So.3d 591 (La. App. 2018), writ denied, 262 So.3d 896 (La. 2019)).
The state only recognises a privacy-based tort of misappropriation (Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386 (La. 1979)).
One intermediate Louisiana appellate court has held that consent to the use of one's name or likeness is time-limited. In the context of a photograph, the court held that ten years after consent was given, continued consent could no longer be presumed (McAndrews v. Roy, 131 So. 2d 256 (La. Ct. App. 1961)).
Under the Student Data Privacy Act, §17:3913 of Title 17 of the La. Rev. Stat. grants rights of access to students and their parents or guardians.
For students, La. Rev. Stat. §17:3914 limits the collection, use, and disclosure of student information. This statute requires school administrators to assign unique identifiers to all students and to collect and track parental consent to share personal information with third parties, including state agencies. It also provides for limitations on the collection and sharing of student information.
Louisiana recording law stipulates that it is a one-party consent recording state. Thus, it is a criminal offense in the state to use any device to record, obtain, use or share communications, whether they are wire, oral or electronic, without the consent of at least one person taking part in the communication. As a result, individuals are legally allowed to record a conversation if they are a contributor, or with prior consent from one of the involved parties (§15:1303 of Title 15 of the La. Rev. Stat.).
Louisiana forbids the recording or sharing of an illegally-obtained recording under its video voyeurism laws (§14:283 of Title 14 of the La. Rev. Stat.). To be found liable under this statute, the purpose of the recording must be for a lewd or lascivious purpose, and the person being recorded must have a reasonable expectation of privacy.