Washington and Nevada join the ever-growing group of states passing laws to regulate data privacy with the Washington My Health My Data Act (“MHMDA”) and the Nevada Consumer Health Data Privacy Law (the “CHDPL”), both of which become effective March 31, 2024. Both laws have extraterritorial effect and businesses should be prepared to promptly assess their data privacy compliance needs.
Washington My Health My Data Act
The MHMDA applies to two types of entities: (1) “regulated entities,” which are defined as any legal entity that conducts business in the state, or targets products or services to Washington consumers, and determines the means of collecting, processing, sharing or selling consumer health data; and (2) “small businesses,” which are regulated entities that “collect, process, sell or share consumer health data of less than 100,000 consumers during a calendar year or derive less than 50 percent of gross revenue from the collection, processing, selling or sharing of consumer health data and control, process, sell or share consumer health data of less than 25,0000 consumers.”
Regulated entities must fully comply with the MHMDA beginning March 31, 2024. Small businesses must comply by June 30, 2024.
The MHMDA regulates “consumer health data,” which is broadly defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.” The MHMDA was passed to cover many categories of information not already covered by other laws, such as HIPAA, including information regarding reproductive health services and gender-affirming care, “biometric data,” “information about bodily functions and vital signs,” genetic data, and data that could “reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.”
While not technically a comprehensive data privacy law, the MHMDA affords multiple rights to consumers, such as the right to access their consumer health data and receive a list of all third parties and affiliates who receive their individual data from the regulated entity. Consumers are also given the right to withdraw their consent from an entity collecting and sharing their health data, as well as the right to delete that data. A violation of the MHMDA’s provisions constitutes an “unfair or deceptive act in trade or commerce and an unfair method of competition” under Washington’s Consumer Protection Act, which is enforceable by the Washington attorney general and also provides individuals a private right of action for violations.
Regulated entities must maintain a consumer health data privacy policy and prominently publish a link to that policy on their websites. The MHMDA also prohibits regulated entities from collecting, using, or sharing a consumer’s health data or other data for purposes not disclosed in the health data privacy policy without first obtaining affirmative consent for the particular purpose of collection (with limited exceptions). Regulated entities are also required to restrict access to consumer health data to necessary employees, processors, and contractors; to establish, implement, and maintain reasonable data security practices, to establish a consumer appeals process, and to avoid any retaliation for exercise of consumer rights.
Employee data and business-to-business data are excluded from the MHMDA’s coverage, as is data covered by the Gramm-Leach-Bliley Act, Social Security Act, title XI, Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.
Nevada Consumer Health Data Privacy Law
The Nevada CHDPL is similar to the MHMDA and contains comparable rights for consumers and responsibilities for covered businesses. The CHDPL applies to a “regulated entity,” which is any person who (a) conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada and (b) alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data. The CHDPL does not include a small business exception.
Like the MHMDA, regulated entities are required to:
- develop and maintain a consumer health data privacy policy,
- restrict access to consumer health data to necessary employees and processors,
- establish, implement, and maintain reasonable data security practices,
- establish a consumer appeals process, and
- avoid discrimination against consumers exercising their rights.
Regulated entities must obtain affirmative voluntary consent when collecting and sharing consumer health data except to the extent necessary to provide a product or service that the consumer has requested from the business.
Under the CHDPL, consumers are afforded similar rights to those granted under the MHMDA. These include the right to confirm whether a covered business is collecting, sharing, or selling their health data; the right to access a list of all third parties with whom the business has shared or sold the consumer’s health data; the right to request the business stop collection, sharing, or selling of the consumer’s health data; and the right to delete their health data.
However, unlike the MHMDA, the CHDPL does not provide a private right of action. Instead, the Nevada attorney general will have the authority to bring an enforcement action.
Key Takeaways
In preparation for these two laws and the growing number of laws regulating data privacy, we recommend considering what data you have that may be subject to these laws and how to comply with their requirements. If applicable, companies should be prepared to post their consumer health data privacy policies before March 31, 2024 to comply with these two laws.
[View source.]
