Louisiana Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Louisiana does not have a comprehensive consumer data privacy statute like the laws enacted in California, Texas, or Colorado. Multiple attempts to pass a broad privacy law have failed in the state legislature, including Senate Bill 199 in 2023 and House Bill 947 in 2024. Both bills died in committee.

Instead, Louisiana residents rely on a patchwork of state and federal laws for data privacy protection. The most important state law is the Database Security Breach Notification Law (La. R.S. 51:3071-3077), which was originally enacted in 2005 and significantly strengthened in 2018.

This guide covers every major data privacy protection available to Louisiana residents, including breach notification requirements, security obligations for businesses, sector-specific rules, federal coverage, and pending legislation.

Louisiana Database Security Breach Notification Law (La. R.S. 51:3071-3077)

The Database Security Breach Notification Law is the cornerstone of data privacy protection in Louisiana. Originally enacted as Acts 2005, No. 499 and effective January 1, 2006, this law requires businesses and government agencies to notify Louisiana residents when their personal information is compromised in a data breach.

The law was substantially amended in 2018 by Senate Bill 361 (Act 382), which expanded the definition of personal information, imposed a hard 60-day notification deadline, added data security and destruction requirements, and created new Attorney General notification obligations.

Who Must Comply

The breach notification law applies broadly to any person or business that conducts business in Louisiana and owns or licenses computerized data containing personal information of Louisiana residents. It also applies to any state or local government agency that owns or licenses such data.

There is no minimum size threshold. Small businesses, large corporations, and government entities are all covered if they handle the personal information of Louisiana residents in electronic form.

What Counts as Personal Information

Louisiana defines personal information as a Louisiana resident's first name or first initial and last name in combination with one or more of the following data elements, when the name or data element is not encrypted or redacted:

• Social Security number
• Driver's license number or state identification card number
• Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the individual's financial account
• Passport number
• Biometric data, including fingerprints, voice prints, eye retina or iris scans, or other unique biological characteristics used to authenticate the individual's identity

The 2018 amendments added passport numbers and biometric data to this list, making Louisiana one of the earlier states to recognize biometric identifiers as protected personal information.

Information that is lawfully available from federal, state, or local government records is excluded from the definition of personal information.

What Triggers a Breach Notification

A notification is required when there is a breach of the security of a system containing personal information. The law defines a breach as the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to personal information.

Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose does not count as a breach, as long as the information is not used for an unauthorized purpose or subject to further unauthorized disclosure.

Notification Requirements and Timeline

When a breach occurs, the business or agency must notify affected Louisiana residents in the most expedient time possible and without unreasonable delay, but no later than 60 days from the discovery of the breach.

This 60-day hard deadline was added by the 2018 amendments. Before that change, the law used only the vague standard of 'most expedient time possible.'

Notification can be provided through several methods:

• Written notice sent to the affected individual
• Electronic notice consistent with the federal E-Sign Act (15 U.S.C. 7001)
• Substitute notice if the cost of direct notification exceeds $100,000, the affected class exceeds 100,000 people, or the business lacks sufficient contact information. Substitute notice requires all three of the following: email notification to known addresses, conspicuous posting on the company's website, and notification to major statewide media outlets.

Attorney General Notification

When a business or agency is required to notify Louisiana residents of a breach, it must also provide written notice to the Consumer Protection Section of the Louisiana Attorney General's office. This notice must be received within 10 days of distributing notice to Louisiana residents and must include the names of all affected residents.

Each day that the Attorney General does not receive the required notice constitutes a separate violation.

Law Enforcement Delay Exception

Notification may be delayed if a law enforcement agency determines that the notification would impede a criminal investigation. Once the law enforcement agency determines that notification will no longer compromise the investigation, the business must provide notice without unreasonable delay.

If notification is delayed, the business must notify the Attorney General in writing within 60 days explaining the reasons for the delay. The Attorney General may grant reasonable extensions.

Harm Exception

Notification is not required if, after a reasonable investigation, the business determines there is no reasonable likelihood of harm to Louisiana residents. However, the business must document this determination in writing, retain the documentation for five years from the date of discovery of the breach, and provide a copy to the Attorney General within 30 days if requested.

Data Security and Destruction Requirements

The 2018 amendments added two important obligations that go beyond breach notification.

Reasonable Security Practices

Any person or business that conducts business in Louisiana and owns or licenses computerized data containing personal information must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. These practices must protect personal information from unauthorized access, destruction, use, modification, or disclosure.

The law does not specify particular security technologies or frameworks that businesses must adopt. The standard is 'reasonable' based on the nature of the information being protected.

Data Destruction Requirements

When personal information is no longer needed for business purposes, any person or business that holds such data must take all reasonable steps to destroy or arrange for the destruction of the records. Acceptable destruction methods include:

• Shredding paper records
• Erasing electronic data
• Otherwise modifying the personal information to make it unreadable or undecipherable through any means

This requirement applies to both paper and electronic records containing personal information of Louisiana residents.

Penalties for Violating Louisiana's Breach Notification Law

Violations of the Database Security Breach Notification Law are classified as unfair trade practices under Louisiana's Unfair Trade Practices and Consumer Protection Law (La. R.S. 51:1401 et seq.). This means violations carry both government enforcement and private action consequences.

Violation Type	Penalty
Failure to provide timely notice to residents	Civil action for actual damages
Failure to notify the Attorney General	Up to $5,000 per violation
Each day without AG notification	Counts as a separate violation
Knowing unfair trade practice (after AG notice)	Treble damages (3x actual damages)
Unfair trade practice generally	Attorney's fees and costs awarded

Government Enforcement

The Louisiana Attorney General can bring an action for injunctive relief and civil penalties against any person or business that violates the law. Fines for failure to provide timely notice to the Attorney General can reach up to $5,000 per violation, with each day of noncompliance counting as a separate violation.

Private Right of Action

Louisiana residents have a private right of action to recover actual damages resulting from a business's failure to provide timely breach notification. Under the Unfair Trade Practices law, if the court finds that the violation was committed knowingly after the business had been put on notice by the Attorney General, the court must award treble damages (three times actual damages) plus reasonable attorney's fees and costs.

Louisiana Insurance Data Security Law (R.S. 22:2501-2511)

In 2020, Louisiana enacted the Insurance Data Security Law through Act 283 (House Bill 614). This law, effective August 1, 2020, imposes specific cybersecurity requirements on insurance industry licensees.

Information Security Program Requirements

Every insurance licensee must develop, implement, and maintain a comprehensive written information security program designed to protect the security of nonpublic information. The program must include:

• A risk assessment identifying reasonably foreseeable internal and external threats
• Management-level oversight of cybersecurity practices
• Safeguards to manage identified risks, including employee training
• Third-party service provider oversight and contractual security requirements
• Regular evaluation and updates to the program

Cybersecurity Event Notification

Insurance licensees must notify the Louisiana Commissioner of Insurance without unreasonable delay, but no later than three business days from determining that a cybersecurity event has occurred, when either of the following is true:

• Louisiana is the licensee's state of domicile (for insurers) or home state (for producers and adjusters), and the event has a reasonable likelihood of materially harming the licensee's operations or the nonpublic information of Louisiana consumers
• The licensee reasonably believes that 250 or more Louisiana consumers are affected

The notification must include a description of how the information was compromised, whether lost data has been recovered, the identity of the source of the event, and whether law enforcement has been notified.

Children's Online Privacy Protections

Louisiana has been active in passing children's online privacy legislation. Two recent laws add protections for minors.

Kids Online Protection and Anti-Grooming Act (Act 236, 2025)

The legislature enacted the Kids Online Protection and Anti-Grooming Act (Act No. 236 of 2025, HB 37), which becomes effective June 1, 2026. This law regulates connections between adults and minors on covered digital platforms, including online platforms, video games, messaging applications, and video streaming services.

App Store Age Verification (Act 481, 2025)

Louisiana also enacted Act 481 (HB 570) in 2025, effective July 1, 2026. This law requires application store operators to verify the age category of Louisiana users. If the app store data determines an individual is a minor, the developer must require the account to be affiliated with a parent account and obtain verifiable parental consent before allowing the minor to download or purchase an application.

Federal Privacy Laws That Apply in Louisiana

Because Louisiana does not have a comprehensive state privacy law, federal statutes provide much of the privacy framework for Louisiana residents. These laws apply to specific sectors and types of data.

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Privacy Rule protects the medical records and personal health information of patients. It applies to healthcare providers, health plans, and healthcare clearinghouses in Louisiana, as well as their business associates. HIPAA requires covered entities to implement safeguards for protected health information and gives patients rights to access and control their medical data.

Gramm-Leach-Bliley Act (GLBA)

The GLBA requires financial institutions operating in Louisiana to explain their information-sharing practices to customers and to safeguard sensitive data. Financial institutions must provide annual privacy notices and give customers the right to opt out of having their information shared with certain third parties.

Children's Online Privacy Protection Act (COPPA)

The federal COPPA applies to operators of websites and online services directed at children under 13, including those serving Louisiana children. COPPA requires verifiable parental consent before collecting personal information from children and gives parents the right to review and delete their child's data.

Family Educational Rights and Privacy Act (FERPA)

FERPA protects the privacy of student education records at schools that receive federal funding, which includes virtually all public schools and most colleges and universities in Louisiana. Parents and eligible students have the right to access education records and to consent to disclosures of personally identifiable information.

Fair Credit Reporting Act (FCRA)

The FCRA regulates how consumer reporting agencies collect, distribute, and use credit information for Louisiana residents. The law gives consumers the right to access their credit reports, dispute inaccurate information, and place fraud alerts or credit freezes on their accounts.

FTC Act Section 5

The Federal Trade Commission Act prohibits unfair or deceptive acts or practices in commerce, including deceptive privacy practices. The FTC has used this authority to bring enforcement actions against companies that fail to honor their privacy commitments or that engage in unfair data practices affecting Louisiana consumers.

Louisiana's Unfair Trade Practices and Consumer Protection Law

Louisiana's Unfair Trade Practices and Consumer Protection Law (La. R.S. 51:1401 et seq.) serves as a supplementary privacy enforcement tool. While this law is not a privacy statute, it prohibits unfair methods of competition and unfair or deceptive acts or practices in trade or commerce.

The Attorney General can use this law to take action against businesses that engage in deceptive data practices, such as making false promises in privacy policies or misrepresenting how consumer data is used. Individual consumers can also bring private actions to recover actual damages, and the court must award treble damages plus attorney's fees when a business knowingly violates the law after receiving notice from the Attorney General.

Violations of the Database Security Breach Notification Law are explicitly treated as unfair trade practices under this statute, giving the Attorney General and private plaintiffs additional enforcement leverage.

Status of Comprehensive Privacy Legislation in Louisiana

As of March 2026, Louisiana has not enacted a comprehensive consumer data privacy law. Two significant attempts have failed:

• Senate Bill 199 (2023): Proposed 'The Louisiana Consumer Privacy Act,' which would have applied to businesses with $25 million or more in annual revenue that process data of 100,000 or more Louisiana consumers. The bill was referred to the Committee on Commerce, Consumer Protection and International Affairs and died without advancing.

• House Bill 947 (2024): A similar comprehensive privacy bill that was referred to the House Commerce Committee in April 2024 and died without a hearing.

Both bills would have granted Louisiana consumers rights to access, delete, correct, and port their personal data, and would have created opt-out rights for targeted advertising and data sales. Neither bill advanced beyond the committee stage.

The Louisiana legislature may consider new privacy legislation in future sessions. Other states in the region, including Texas, have successfully enacted comprehensive privacy laws that could serve as models for Louisiana.

How to Report a Data Breach or Privacy Violation in Louisiana

Louisiana residents who believe their personal information has been compromised or that a business has violated state data privacy laws have several options.

Filing a Complaint with the Attorney General

The Louisiana Attorney General's Consumer Protection Section investigates complaints about data breaches and unfair trade practices. Residents can file a complaint by contacting the office directly.

Filing a Complaint with the FTC

For privacy violations involving deceptive practices, Louisiana residents can file a complaint with the Federal Trade Commission at reportfraud.ftc.gov.

Filing a Complaint with HHS

For HIPAA violations involving medical information, residents can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

Private Legal Action

Louisiana residents who suffer actual damages from a business's failure to comply with the breach notification law can pursue a civil lawsuit. Under the Unfair Trade Practices law, successful plaintiffs may recover actual damages, attorney's fees, and costs. Treble damages are available if the violation was knowing.

More Louisiana Laws

Explore related Louisiana legal guides on our site:

• Louisiana Recording Laws - Consent rules for recording conversations
• Louisiana Background Check Laws - Employment screening rules
• Louisiana Surveillance Camera Laws - Video monitoring rules
• [Louisiana Medical Records Retention Laws - Record keeping requirements
• Louisiana Whistleblower Laws - Protections for reporting violations
• All Data Privacy Laws by State - Compare privacy laws across all 50 states

Sources and References

• Database Security Breach Notification Law (La. R.S. 51:3071-3077) - Louisiana State Legislature
• La. R.S. 51:3074 - Notification Requirements - Louisiana State Legislature
• Senate Bill 361 (Act 382, 2018 Amendments) - Louisiana State Legislature
• Unfair Trade Practices and Consumer Protection Law (La. R.S. 51:1401) - Louisiana State Legislature
• Insurance Data Security Law (Act 283, HB 614) - Louisiana State Legislature
• Kids Online Protection and Anti-Grooming Act (Act 236, HB 37) - Louisiana State Legislature
• App Store Age Verification (Act 481, HB 570) - Louisiana State Legislature
• Senate Bill 199 (2023 Privacy Bill) - Louisiana State Legislature
• House Bill 947 (2024 Privacy Bill) - Louisiana State Legislature
• Louisiana Attorney General - Consumer Protection - Louisiana Office of the Attorney General
• HIPAA Privacy Rule - U.S. Department of Health and Human Services
• Gramm-Leach-Bliley Act - Federal Trade Commission
• COPPA Rule - Federal Trade Commission
• FERPA - U.S. Department of Education
• Fair Credit Reporting Act - Federal Trade Commission

This article provides general legal information about Louisiana data privacy laws. It is not legal advice. Laws and regulations change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney for advice specific to your situation.