Louisiana Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Louisiana does not have a standalone biometric privacy law. Unlike Illinois, Texas, and Washington, the state has not enacted legislation that specifically regulates how private businesses collect, store, use, or share biometric identifiers such as fingerprints, facial geometry, or iris scans.

What Louisiana does have is a breach notification law that includes biometric data in its definition of protected personal information, and a separate student-specific biometric law. These protections are limited compared to states with dedicated biometric statutes, but they do create real obligations for businesses and schools that handle biometric data in Louisiana.

This guide explains the current legal framework, what protections exist, where the gaps are, and what proposed legislation could change.

For broader context on Louisiana's overall privacy framework, see the parent guide to [Louisiana Data Privacy Laws](/us-laws/data-privacy-laws/louisiana-data-privacy-laws).

How Louisiana Defines Biometric Data

Louisiana's Database Security Breach Notification Law defines "biometric data" under La. R.S. 51:3073 as:

Data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual's identity when the individual accesses a system or account.

This definition is narrower than what states like Illinois use. It only covers biometric data used for authentication purposes, meaning fingerprints or facial scans used to unlock a system or verify identity. Biometric data collected for other purposes, such as surveillance cameras using facial recognition to track foot traffic, may fall outside this definition.

The law also requires that the biometric data be paired with an individual's first name (or first initial) and last name to qualify as protected "personal information."

Database Security Breach Notification Law (La. R.S. 51:3071 et seq.)

Louisiana's primary biometric protection comes from the Database Security Breach Notification Law, originally enacted in 2005 and significantly amended in 2018 by Senate Bill 361. The 2018 amendments added biometric data to the list of protected personal information elements.

What the Law Requires

Any person or business that conducts business in Louisiana and owns or licenses computerized data containing personal information must take several steps under this law.

Reasonable security measures. Entities must implement and maintain "reasonable security procedures and practices appropriate to the nature of the information" to protect personal data from unauthorized access, destruction, use, modification, or disclosure (La. R.S. 51:3074).

Breach notification within 60 days. If a breach compromises biometric data (combined with an individual's name), the entity must notify affected Louisiana residents "in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach."

Attorney General notification. The entity must also notify the Louisiana Attorney General's Consumer Protection Section within 10 days of distributing notice to affected residents. The notice must include the names of all affected individuals.

Data destruction. When personal information (including biometric data) is no longer needed, entities must destroy or erase records so the data "cannot be read or reconstructed."

Penalties for Non-Compliance

Violations of the breach notification law carry real consequences.

A failure to comply is treated as an unfair trade practice under La. R.S. 51:1405(A). This means the Louisiana Attorney General can bring enforcement actions.

Civil penalties can reach up to $5,000 per violation. Each day that notice is not received by the Attorney General counts as a separate violation, so fines can accumulate quickly.

Individuals also have a private right of action. Louisiana residents can sue for actual damages caused by a failure to provide timely breach notification.

If a court finds that a violation was committed knowingly after the entity was put on notice by the Attorney General, the court can award treble damages (three times actual damages) plus reasonable attorney fees and costs.

Exemptions

The law includes several exceptions. Entities that determine after a reasonable investigation that there is "no reasonable likelihood of harm" to affected residents may skip notification, but they must keep written documentation of that determination for five years and provide it to the Attorney General within 30 days upon request.

Financial institutions that comply with the Gramm-Leach-Bliley Act and federal interagency guidance on data security are considered compliant with Louisiana's breach notification requirements.

Encrypted data is also exempt. The statute does not apply to personal information that has been encrypted or redacted.

Student Biometric Protections (La. R.S. 17:100.8)

Louisiana has a separate, more protective law specifically for student biometric data. La. R.S. 17:100.8 regulates the collection and use of biometric information by schools and school governing authorities.

This law defines "biometric information" more broadly than the breach notification statute. It covers "the noninvasive electronic measurement and evaluation of any physical characteristics that are attributable to a single person," including fingerprint characteristics, eye characteristics, hand characteristics, vocal characteristics, facial characteristics, and any other physical characteristics used for electronic identification.

Key Requirements for Schools

Schools that collect student biometric data must follow these rules:

Written parental consent. Schools must obtain written permission from a student's parent or legal guardian (or the student if 18 or older) before collecting any biometric information. The consent form must be a standalone document created specifically for this purpose and cannot be bundled with enrollment forms.

Full disclosure. Schools must develop policies that explain what biometric data will be collected, how it will be collected and stored, and how it will be used.

Limited use. Student biometric data can only be used for identification or fraud prevention purposes. Schools cannot repurpose it for other uses.

Encryption required. Student biometric information must be encrypted using an algorithmic process that transforms the data into a form with a "low probability of assigning meaning" without a confidential key.

Mandatory destruction. Schools must discontinue use and destroy all biometric data within 30 days when a student graduates, withdraws, or when a parent submits a written request to stop collection.

No denial of services. A student cannot be refused services because a parent declines to consent to biometric data collection.

What Louisiana Law Does Not Cover

Louisiana's existing laws leave significant gaps in biometric privacy protection.

No general consent requirement. Outside of the school context, Louisiana does not require businesses or employers to obtain consent before collecting biometric data from adults. An employer can implement fingerprint time clocks or facial recognition systems without notifying employees or getting their approval.

No retention or destruction timelines for private entities. The breach notification law requires destruction of data that is no longer needed, but it does not mandate specific retention schedules or destruction timelines for biometric data held by businesses.

No restrictions on biometric data sales. Louisiana does not prohibit or restrict the sale or sharing of biometric data with third parties.

No private right of action for collection practices. While individuals can sue over a failure to notify them of a breach, there is no private right of action for the unauthorized collection, use, or storage of biometric data itself.

No law enforcement restrictions. Louisiana has not enacted limits on government or law enforcement use of facial recognition or other biometric surveillance technologies.

Employer Use of Biometric Data

Louisiana has no state law that restricts employers from collecting biometric data from employees. Companies operating in Louisiana that use fingerprint scanners for timekeeping, facial recognition for building access, or other biometric systems are not required by state law to:

• Provide written notice before collecting biometric data
• Obtain employee consent
• Establish data retention policies
• Limit sharing of employee biometric data with vendors or third parties

This stands in sharp contrast to Illinois, where employers face statutory damages of $1,000 to $5,000 per violation of the Biometric Information Privacy Act.

That said, employers in Louisiana should still implement reasonable security measures for biometric data. If a breach occurs that exposes employee biometric data alongside names, the employer must comply with the 60-day breach notification requirement or face penalties under the Unfair Trade Practices Act.

Pending Legislation

Louisiana has seen attempts to pass broader privacy laws that would include biometric data protections.

Louisiana Consumer Privacy Act (HB 947, 2024). This bill was introduced in April 2024 and would have created a comprehensive consumer privacy framework. The bill was referred to the House Committee on Commerce but did not advance beyond committee.

SB 386 (2026 Regular Session). This bill proposes the Louisiana Data Privacy Act, which would establish consumer rights over personal data, including the right to access, correct, and delete personal information. The bill would require controllers to post a conspicuous notice before collecting biometric personal data. As of March 2026, SB 386 is in the early stages of the 2026 Regular Session.

Neither bill has been enacted. If passed, SB 386 would bring Louisiana closer to the frameworks adopted by states like Colorado, Connecticut, and Virginia, which classify biometric data as sensitive information requiring affirmative consent.

Federal Protections That Apply in Louisiana

Because Louisiana lacks a comprehensive biometric privacy law, federal statutes provide additional protections for residents.

Section 5 of the FTC Act allows the Federal Trade Commission to take enforcement action against companies engaged in unfair or deceptive practices involving biometric data, including failures to secure biometric information or deceptive collection practices.

HIPAA protects biometric data collected or used by covered healthcare entities and their business associates under the Privacy Rule.

FERPA restricts how schools handle student biometric data at the federal level, supplementing Louisiana's state-level student biometric protections under La. R.S. 17:100.8.

COPPA requires parental consent before collecting biometric data from children under 13, enforced by the FTC.

How Louisiana Compares to Other States

Louisiana falls into a lower tier of states for biometric privacy protection. While the inclusion of biometric data in the breach notification law is meaningful, the state lacks the collection-level protections found in more protective states.

• Illinois has the strongest biometric law in the nation (BIPA), with a private right of action and statutory damages of $1,000 to $5,000 per violation
• Texas and Washington have biometric-specific statutes enforced by their attorneys general
• States with comprehensive privacy laws (Colorado, Connecticut, Virginia) classify biometric data as sensitive and require opt-in consent
• Louisiana protects biometric data only through breach notification, student biometric rules, and general unfair trade practices enforcement

More Louisiana Laws

• Louisiana Data Privacy Laws
• Louisiana Hit and Run Laws
• Louisiana Data Privacy Laws
• Louisiana Recording Laws
• Louisiana Recording Laws
• Louisiana Recording Laws
• Louisiana Statute of Limitations
• Louisiana Child Support Laws

This article provides general legal information about Louisiana biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Louisiana for advice about your specific situation.