With the flurry of new consumer privacy laws enacted in states across the country, it is vital for healthcare companies that are not regulated under HIPAA to remain informed of this changing landscape in order to plan and execute their compliance strategies.
In the absence of comprehensive federal consumer privacy legislation, companies must continue to contend with an evolving landscape of state privacy laws when managing data and information about their customers. Spearheaded by California, several other states have enacted laws to fill the void. Colorado, Connecticut, and Virginia implemented new consumer privacy protections in 2023, and Utah’s law went into effect at the end of 2023.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates are generally exempt from the new state consumer privacy laws, but many healthcare companies are not regulated under HIPAA and must consider whether these laws apply. Healthcare companies that may be subject to the new state privacy laws include pharmaceutical manufacturers, medical device companies, and a wide range of consumer-directed digital health companies, such as healthcare mobile applications and personal health records.
SCOPE OF ‘HIPAA EXCEPTIONS’
The “HIPAA exception” under the California Consumer Privacy Act (CCPA) is the broadest among the new state laws, and applies to the following:
- Medical information subject to the California Confidentiality of Medical Information Act
- Protected health information (PHI) collected by a HIPAA-covered entity or business associate
- Entities described in (1) or (2) above, to the extent that they maintain patient information in the same manner as health information subject to the Confidentiality of Medical Information Act (CMIA) or HIPAA
- Personal information collected as part of a clinical trial or other biomedical research study. Cal. Civ. Code §§ 1798.145(c); 1798.146.
Some state laws have a simpler HIPAA-exemption framework (e.g., Colorado, Connecticut, Virigina, and Utah). [1]
It is important for healthcare organizations to be sensitive to when they may take on a more consumer-directed orientation that could cause them to be subject to the new state privacy laws. For example, if a health plan offers a personal health record (PHR) app to its plan members, the app developer would likely be acting as a HIPAA business associate of the plan. However, if the app developer also offers a direct-to-consumer version of the PHR app, then the developer would no longer be a business associate and would have to consider the applicability of the state privacy laws and the need to provide an array of privacy rights to its users.
Clinical research organizations and other entities engaged in research should carefully review the state privacy laws because California’s exemption for personal information collected in clinical trials or biomedical research is the exception rather than the rule.
THE NEXT WAVE OF STATE PRIVACY LAWS
More change is coming, as there has been a flurry of new consumer privacy laws enacted over the past six months. To date, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas have new comprehensive privacy protections that will go into effect over the next three years, and several other states are debating privacy legislation of their own.
While the new laws have some notable variations from the existing laws, they also have important similarities. The state privacy laws can be grouped into three “styles”: California-style, Virginia-style, and Utah-style. Assessing the similarities and differences is vital to planning and executing a compliance strategy for companies operating in multiple states.
CALIFORNIA-STYLE
California was the first US state to pass a comprehensive data privacy law when the CCPA was passed in 2018. Additional privacy protections were added by the California Privacy Rights Act, which amended the CCPA to add provisions for sensitive personal information and the right to opt out of sharing data for cross-context behavioral advertising.
Perhaps the most surprising—if possibly unintended—change in California this year is the grant of consumer privacy rights to employees, job candidates, business contacts, and others. Of the active state consumer data protection laws, the CCPA is considered the most consumer friendly.
Those doing business in California are subject to the CCPA if they meet one of the three threshold requirements: (1) annual revenue over $25 million; (2) collect information of at least 100,000 consumers; or (3) generate at least half of their revenue from sale of personal information. It should be noted that the threshold requirements are disjunctive, so the law is widely applicable. While California remains the trendsetter, to date, no other state has enacted a law in the California-style.
VIRGINIA-STYLE
Virginia was the second US state to pass a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). Among other requirements and like the CCPA, the VCDPA gives consumers the right to correct and delete their personal information and request access to it. The VCDPA also requires companies to offer consumers an opt out for targeted advertising, which is akin to the CCPA’s right to opt out of sharing data for cross-context behavioral advertising.
Unlike the CCPA, which requires individuals to opt out of the processing of sensitive information, the VCDPA requires individuals to opt in to the processing of sensitive information, and the VCDPA was the first law to add the right to appeal the denial of a privacy request.
The VCDPA requires companies to conduct and document a data protection assessment when conducting certain activities that involve personal data, such as targeted advertising, selling personal data, or profiling. Application of the VCDPA is more limited than the CCPA.
Businesses are subject to the VCDPA if they meet one of the three threshold requirements: (1) control or process the personal information of 100,000 or more state residents or (2) control or process the personal information of at least than 25,000 state residents and derive over 50% of gross revenue from the sale of personal information. Thus, large businesses with a limited presence in Virginia may well fall below this threshold.
Another key difference between the Virginia and California laws relates to institutions regulated by certain federal legislation such as the Gramm-Leach-Bliley Act (GLBA). Virginia exempts these entities entirely from the scope of the VCDPA, while California only exempts the information that is subject to the GLBA, permitting regulation of other personal information controlled by these entities.
Additionally, although there is no entity-level exemption for entities regulated under HIPAA, there is an information-level exemption in each of the new state laws that covers information subject to HIPAA.
Colorado’s and Connecticut’s laws templated the VCDPA, and now Delaware, Indiana, Montana, Oregon, Tennessee, and Texas have followed suit. Virginia-style laws grant consumers the right to access their data; the right to correct and delete their data; the right to portability; the right to opt out of certain processing; and the right to appeal.
Delaware
On September 11, 2023, Delaware’s governor signed the Delaware Personal Data Privacy Act (DPDPA) into law, effective January 1, 2025.
The DPDPA imposes obligations on controllers and processors that either (1) conduct business in Delaware or (2) produce products or services that are targeted to residents; and (3) either (a) control or process the personal data of at least 35,000 Delaware residents or (b) control or process the personal data of at least 10,000 Delaware residents and derive over 20% of its gross revenue from the sale of personal data.
Although Delaware does include an entity-level exemption for financial institutions regulated by the GLBA, there is only a very limited exemption for nonprofit organizations, exempting only those nonprofits that are “dedicated exclusively to preventing and addressing insurance crime.”
Indiana
On May 1, 2023, Indiana passed the Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2026.
The ICDPA imposes certain obligations on controllers and processors that either (1) conduct business in Indiana or (2) produce products or services that are targeted to residents; and (3) either (a) control or process the personal data of at least 100,000 Indiana residents or (b) control or process the personal data of at least 25,000 Indiana residents and derive over 50% of its gross revenue from the sale of personal data.
Montana
On May 19, 2023, Montana passed the Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024. A key distinction here is the threshold of applicability.
Controllers and processors are subject to the MCDPA if they (1) conduct business or produce products or services that are targeted to Montana residents; and (2) either (a) control or process the personal data of no less than 50,000 Montana residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction or (b) control or process the personal data of no less than 25,000 Montana residents and derive more than 25% of its gross revenue from the sale of personal data.
Oregon
On July 18, 2023, Oregon passed the Oregon Consumer Privacy Act (OCPA), which goes into effect on July 1, 2024. The Act applies to any business that does business in Oregon and controls or processes the personal data of (1) at least 100,000 Oregon residents or (2) at least 25,000 Oregon residents while deriving at least 25% of its revenue from the sale of personal data.
While Oregon’s privacy law is similar to the other Virginia-style laws, there is an important distinction to draw, as it does not offer the same broad exceptions found in other states. For example, of the seven new state privacy laws, the OCPA is the only one that does not provide an entity-level exemption for financial institutions regulated by the GLBA, although it does still offer exemptions at the information level.
Similar to existing law in Colorado, but unlike most other states, Oregon does not exempt non-profits, although they do have an extra year to come into compliance. There is, however, a very narrow exception for nonprofits established “to detect and prevent fraudulent acts in connection with insurance,” which echoes the new Delaware law. Non-profit organizations and financial institutions in particular should carefully assess their compliance obligations under Oregon law.
Tennessee
On May 11, 2023, the Tennessee Information Protection Act (TIPA) was signed by Governor Bill Lee and will go into effect on July 1, 2025.
The TIPA applies to persons who do business in Tennessee or produce products or services targeted to residents and that (1) during a calendar year, control or process the personal information of at least 100,000 consumers; or (2) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
The TIPA is the only new state privacy law that requires companies to adhere to the US National Institute of Standard and Technology’s (NIST’s) Privacy Framework. Controllers and processors must create and maintain a written privacy program that “reasonably conforms” to the NIST Privacy Framework.
Controllers and processors must also adapt to any changes in the NIST Privacy Framework and update its privacy program to conform to any change in NIST standards within one year of the change. Companies may find that doing so is worthwhile because maintaining a NIST-compliant privacy program provides companies with a codified affirmative defense to an alleged violation of the law.
Texas
On June 18, 2023, Governor Greg Abbott signed into law the Texas Data and Privacy Security Act (TDPSA), which goes into effect July 1, 2024. The most notable difference between the TDPSA and other state privacy laws is its unique three-factor applicability standard.
The TDPSA applies to any person that (1) conducts business in Texas or produces products or services consumed by residents of the state; or (2) processes or engages in the sale of personal data; and (3) does not identify as a “small business,” as defined by the US Small Business Administration.
The first factor’s use of “consumed by residents” may prove to be interpreted more broadly than the “targeted to residents” language in other states’ threshold requirements. Notably, the TDPSA’s applicability standard does not have a minimum required level of data processing (such as a minimum number of consumers or percentage of revenue from the sale of data), which will likely result in the TDPSA having a wider scope than its counterparts.
The TDPSA’s cure period is also somewhat unique. Like other states, the TDPSA provides for a 30-day cure period for alleged violations. However, the TDPSA also requires companies to provide the Texas attorney general with a written statement describing the cure of the violation and supportive evidence showing how the violation was cured.
UTAH-STYLE
Utah was the fourth US state to pass a comprehensive data privacy law, the Utah Consumer Privacy Act (UCPA), which became effective December 31, 2023. The UCPA is considered the most business-friendly state privacy law because it grants fewer consumer rights, does not require a data-protection assessment, and has a narrower scope of applicability. Utah-style laws include an entity-level exemption for financial institutions regulated by the GLBA.
Controllers and processors are only subject to the UCPA if they (1) conduct business in Utah or produce a product or service that is targeted to Utah residents; (2) have annual revenue of $25 million or more; and (3) either (a) control or process the personal data of 100,000 or more consumers in a calendar year or (b) derive more than 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
As a result of the revenue requirement, many small businesses in the state will be exempt from the UCPA.
Utah-style laws, now including Iowa, grant consumers most of the rights that other states include; however, consumers will not have the right to correct or appeal, and businesses are not required to get prior, affirmative consent to process sensitive personal data.
Iowa
On March 29, 2023, Iowa passed the Iowa Act Relating to Consumer Data Protection (ICDPA), effective January 1, 2025. The ICDPA applies to controllers and processors that conduct business or provide services in the state that either (1) control or process the personal data of at least 100,000 consumers or (2) derive over 50% of revenue from selling the personal data of at least 25,000 consumers.
Notably, unlike the UCPA, the ICDPA does not have a minimum annual revenue threshold, meaning some businesses not subject to the UCPA could be subject to the ICDPA.
In terms of consumer rights, the ICDPA also extends rights to consumers to know which data the businesses are processing as well as the right to access that data; the right to delete; the right to obtain a copy of the data; and the right to opt out of the sale of personal data. Similar to its UCPA counterpart, consumers do not have a right to opt out of profiling or to have their data corrected.
Finally, the ICDPA is unique among the other state privacy laws and provides businesses a 90-day cure period for alleged violations, with the ability for a 45-day extension.
NEXT STEPS
The good news is that the new state consumer privacy laws are largely consistent with the existing laws, so businesses that are compliant with the laws in California, Colorado, Connecticut, and Virginia will need to make only incremental adjustments to accommodate the new state laws.
Companies should analyze the differences between the various privacy laws in the states in which they operate and conduct an internal assessment to identify any shortcomings in their compliance initiatives that need to be addressed.
Companies should prepare to come into compliance with the new laws by their effective dates:
- Oregon – July 1, 2024
- Texas – July 1, 2024
- Montana – October 1, 2024
- Delaware – January 1, 2025
- Iowa – January 1, 2025
- Tennessee – July 1, 2025
- Indiana – January 1, 2026
To keep track of the latest developments at the state level and learn more about global privacy measures, see Morgan Lewis’s US Consumer Privacy Acts page and Global Privacy Year in Review report. For more information on proposed federal legislation, refer to our Insight US Data Privacy Legislation: Could A Federal Law Be On The Horizon?.
[1] E.g., Colo. Rev. Stat. § 6-1-1304(2)(a) (Colorado: exempts PHI collected, stored, and processed by a HIPAA-covered entity or business associate); Conn. Pub. Act 22-15 § 3 (Connecticut: exempting PHI under HIPAA, and HIPAA-covered entities and business associates); Va. Code Ann. § 59.1-576(B)-(C) (Virginia: same); Utah Code Ann. § 13-61-102(2)(e)-(g) (Utah: same). Additional exemptions may apply.
[View source.]
