On May 19, 2023, Montana’s Governor signed Senate Bill 384, the Consumer Data Privacy Act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. The law is scheduled to take effect on October 1, 2024.

When does the law apply?

The law applies to a person who conducts business in the state of Montana and:

  • Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction; or
  • Controls and processes the personal data of not less than 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data.

Hereafter these covered persons are referred to as controllers.

The following entities are exempt from coverage under the law:

  • A body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state;
  • A nonprofit organization;
  • An institution of higher education;
  • A national securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934;
  • A financial institution or an affiliate of a financial institution governed by Title V of the Gramm-Leach-Bliley Act; and
  • A covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act (HIPAA).

Who is protected by the law?

Under the law, a protected consumer is defined as an individual who resides in the state of Montana.

However, the term consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

What data is protected by the law?

The statute protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable individual.

There are several exemptions to protected personal data, including for data protected under HIPAA and other federal statutes.

What are the rights of consumers?

Under the new law, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data;
  • Access personal data processed by a controller;
  • Delete personal data;
  • Obtain a copy of personal data previously provided to a controller; and
  • Opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

What obligations do businesses have?

The controller shall comply with requests by a consumer set forth in the statute without undue delay but no later than 45 days after receipt of the request.

If a controller declines to act regarding a consumer’s request, the business shall inform the consumer without undue delay, but no later than 45 days after receipt of the request, of the reason for declining.

The controller shall also conduct and document a data protection assessment for each of its processing activities that presents a heightened risk of harm to a consumer.

How is the law enforced?

Under the statute, the state attorney general has exclusive authority to enforce violations of the statute. There is no private right of action under Montana’s statute.

For additional information on Montana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Yesterday, New York’s Department of Financial Services (“DFS”) announced another enforcement action under the state’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). According to the press release, OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for alleged violations of Reg 500.

In the Consent Order, DFS pointed to several provisions of Reg 500 for which it alleged OneMain came up short:

  • 23 NYCRR § 500.03: requires all covered entities to implement and maintain a cybersecurity policy that is based on the covered entity’s risk assessment and addresses business continuity and disaster recovery planning and resources;
  • 23 NYCRR § 500.07: requires covered entities to limit user access privileges to information systems that provide access to Nonpublic Information (“NPI”);
  • 23 NYCRR § 500.08: requires covered entities to implement and maintain policies and procedures to protect information systems and NPI during application development and quality assurance operations;
  • 23 NYCRR § 500.10(a)(3): requires covered entities to provide cybersecurity personnel with cybersecurity training and verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures; and
  • 23 NYCRR § 500.11(a): requires covered entities to implement written policies and procedures that address, among other things, due diligence processes used to evaluate the adequacy of cybersecurity practices of third-party service providers.

These provisions of Reg 500 describe controls one might find in just about any cybersecurity framework, not just one focused on entities that provide financial services. For example, under the HIPAA Privacy and Security Rules, simply adopting a set of policies and procedures that address the standards under the Security Rule would be insufficient if they were not based on a risk assessment. That is, cybersecurity policies and procedures should reflect the threats and vulnerabilities to the organization identified in a risk assessment. Likewise, the New York SHIELD Act requires covered entities to “select[] service providers capable of maintaining appropriate safeguards,” not just require those safeguards by contract. The same is true for fiduciaries of ERISA-covered retirement plans – fiduciaries must exercise prudence in the selection of entities providing services to the plan.

Among the examples provided in the Consent Order was a folder containing passwords that was named “PASSWORDS.” DFS acknowledged the folder was encrypted and password protected, but cautioned that “anyone with access to that internal shared drive, which included personnel in OneMain’s call center, could rename, move, or delete the folder.” New York’s Attorney General recently released a guide for businesses on effective data security that addresses strong password hygiene.

Another area of concern cited by DFS was the management of third-party service providers. Having a written vendor assessment policy is not enough. According to DFS, the required due diligence to assess the cybersecurity risk of vendors must be performed in a timely manner. Allowing vendors to commence work prior to completing the assessment process is problematic. Also problematic is failing to adjust a cybersecurity risk score assigned to a third-party vendor after the vendor experiences a cybersecurity event that arguably warrants a change to its risk profile.

“This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers,” said Superintendent of Financial Services Adrienne A. Harris.

The Consent Order points out that it is not enough to establish a written cybersecurity program. That program must be actively managed and adjusted based on changing circumstances.

On May 11, 2023, Tennessee’s Governor signed Senate Bill 0073, the Tennessee Information Protection Act, making the state the eighth state to pass consumer privacy legislation. Tennessee joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia, which have previously passed consumer privacy statutes.

Tennessee’s law will take effect July 1, 2025.

When does this law apply?

The law will apply to persons that conduct business in the state of Tennessee or produce products or services that are targeted to Tennessee residents and that:

  • During the calendar year, control or process personal information of at least 100,000 consumers; or,
  • Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Covered persons hereafter are referred to as controllers.

Are there exemptions?

Entities not subject to the Act include the state of Tennessee and state agencies, financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, and institutions of higher education.

There also are several categories of personal information exempted from the Act, including without limitation personal information protected by the Family Educational Rights and Privacy Act (FERPA) and the Driver’s Privacy Protection Act.

Who is protected by the law?

Under the statute, individuals referred to as “consumers” are protected. A consumer is defined as a natural person who is a resident of the state of Tennessee and acts only in a personal context.

What personal information is protected by law?

Under the statute, personal information is protected, which includes:

  • Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information;
  • Characteristics of protected classifications under state or federal law;
  • Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric data;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available information.

Personal information also includes “sensitive data” which means:

  • Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal information collected from a known child; or
  • Precise geolocation data.

Personal information does not include information that is:

  • Publicly available; or
  • De-identified or aggregate consumer information.

What are the rights of consumers?

Under the statute, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal information and to access the personal information.
  • Correct inaccuracies in the consumer’s personal information.
  • Delete personal information provided by or obtained about the consumer.
  • Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller.
  • Request information about personal information the controller sold or disclosed to third parties.
  • Opt-out of the controller selling the personal information of the consumer.

What obligations do controllers and processors have?

Under the statute, a controller shall respond to requests from a consumer without undue delay, but no later than 45 days from the date of receipt of the request. If the controller declines to take action upon a consumer’s request, the controller shall inform the consumer without undue delay but no later than 45 days from receipt.

The controller is required to take certain steps to ensure transparency of its processing including:

  • Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices; and
  • Not process “sensitive data” without obtaining the consumer’s consent, provided that in the case of a child, the controller does so in accordance with the federal Children’s Online Privacy Protection Act.

Controllers shall conduct and document a data protection assessment of each of the following processing activities:

  • The processing of personal information for purposes of targeted advertising;
  • The sale of personal information;
  • The processing of personal information for purposes of profiling where the profiling presents a foreseeable risk;
  • The processing of sensitive data; and
  • Any processing of personal information that presents a heightened risk of harm to consumers.

Upon receipt of an authenticated consumer request, a controller must provide a “reasonably accessible, clear, and meaningful privacy notice” the contents of which are similar to but not as expansive as the California Consumer Privacy Act (CCPA).

With respect to processors, the Act requires they adhere to the instructions of controllers, such as assisting the controller with responding to consumer requests. Contracts between controllers and processors are required and must include certain provisions, such as (i) instructions for processing personal information, (ii) the nature, purpose, and duration of the processing, and (iii) the type of data subject to the processing. Other required provisions include (i) a requirement for processors to make available all information in the processor’s possession to demonstrate the processor’s compliance with the Act, (ii) cooperating with reasonable assessments of compliance by the controller (or arrange for a qualified and independent assessor), and (iii) obligating the processor to push the Act’s required provisions down to the processor’s subcontractors.

How is the law enforced?

The attorney general and reporter have exclusive authority to enforce the statute, which may include bringing an action in a court of competent jurisdiction.

The Act requires controllers or processors to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” Among the requirements for a privacy program is that it discloses the commercial purposes for which the controller or processor collects, controls, or processes personal information. Maintaining such a program is not only important for compliance purposes, but it also provides an affirmative defense to a cause of action for a violation of the law.

For additional information on Tennessee’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

We have written several times about U.S. Department of Health and Human Services Office for Civil Rights’ “HIPAA Right of Access Initiative.” In its most recent enforcement action under the Initiative, the 44th such enforcement action, the OCR investigated a complaint made against a psychotherapist concerning the alleged refusal to provide medical records. Ultimately, and even after the OCR provided “technical assistance,” the OCR claimed the covered entity still failed to provide the records.

“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records.”

The settlement resulted in a $15,000 resolution amount and required compliance with a two-year corrective action plan (CAP). The CAP includes the following requirements for the solo practitioner:

  • Review and revise right to access policies within 30 days of the settlement, and review and adopt OCR-recommended changes to such policies.
  • Provide to the OCR right to access training materials within 60 days of the settlement for OCR’s review and approval.
  • Following OCR’s approval of the training materials, provide training to all employees within 30 days and annually thereafter.
  • Provide the requested records to the complainant within 15 days of the settlement.
  • Within 90 days of receiving OCR’s approval of the right to access policies and procedures, and every 90 days thereafter, submit to OCR a detailed list of requests for access received by the healthcare provider, and documentation for any denials of access.
  • In the event an employee of the provider fails to comply with the right to access policies, the provider must notify OCR within 30 days and include a description of the failure and a mitigation plan.
  • Within 120 days after OCR’s approval of the provider’s right to access policies and procedures, submit to OCR a report summarizing the status of implementation.
  • Within 60 days after the end of each year of the CAP, submit to OCR an annual report regarding the healthcare provider’s compliance with the CAP.

For small providers, the HIPAA rules can be confusing; they also are more than 20 years old. So, smaller practitioners, particularly those newer to practice, simply may not be fully aware of the scope of their obligations under the HIPAA privacy, security, and breach notification rules. Compliance goes well beyond handing patients a template Notice of Privacy Practices and having a secure electronic medical record platform.

The full scope of the HIPAA rules is beyond the scope of this post, but at least for the right to access and considering the OCR’s Enforcement Initiative, here are some resources to help avoid patient complaints and an onerous OCR corrective enforcement action:

Ransomware is a scary term for many business leaders and CISOs who dread being hit with a malware attack that locks up their data and could shut down operations. They expect to find that oddly-worded ransom note advising how they could recover access to their data, for a sizable fee of course. For a variety of reasons, including improved controls, backups, and a loathing for paying criminal threat actors, organizations are increasingly refusing to pay hackers.

Hackers have responded to these refusals with threats to disclose sensitive personal information online and even resorting to directly contacting the individuals whose data has been compromised.

A Wall Street Journal article this morning speaks to this disturbing trend in data breaches. Vastaamo, a psychotherapy treatment center in Helsinki, was hit with a cyberattack in 2020. The hackers exfiltrated sensitive patient mental health records of 33,000 patients and threatened to disclose them online unless Vastaamo paid the ransom – approximately 400,000 euros.

According to the article:

“When the clinic didn’t pay, the hacker pressed individual patients for payment with bullying emails…one victim said the hacker gave her 24 hours to pay around 200 euros in bitcoin, or her therapy records would be posted.”

Going directly to the affected individuals, whether patients, employees, students, or others, allows the hackers to also apply significant pressure on the organization to pay a much larger sum.

The decision to pay or not to pay a ransom comes with a range of critical considerations, some of which are discussed here. In the fog of an attack, with the press, government agencies, affiliates, and/or patients or other affected individuals looking to the organization for answers, working to develop an effective strategy is far more difficult. Increasing preparedness will not make this process easy; tough decisions will still need to be made. But working through these kinds of scenarios and planning generally for an attack will better equip executives and the board to work through the facts of their case and make better decisions more quickly.

As noted in a prior post, New York’s Attorney General (“NYAG”) has made the New York SHIELD Act an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information. Maintaining its focus on this area, the NYAG recently released a guide to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the NYAG’s guide (the “Guide”).

The Guide is based on the NYAG’s experiences in investigating and prosecuting organizations in the wake of data incidents. It states that the NYAG received 4,000 data breach notifications in 2022 and penalized organizations millions of dollars for failing to comply with their data security obligations.

In the Guide, the NYAG recommends action in nine areas. Specifically, it directs organizations to:

  1. Maintain controls for secure authentication to ensure only authorized individuals have access to data;
  2. Encrypt sensitive customer information;
  3. Ensure service providers use reasonable security measures;
  4. Know where the business is keeping consumer information;
  5. Guard against data leakage in web applications;
  6. Protect customer accounts impacted by data security incidents;
  7. Delete or disable unnecessary accounts;
  8. Guard against automated attacks; and
  9. Provide clear and accurate notice to consumers.

The Guide recommends best practices related to each of the above recommendations and also highlights relevant cases the NYAG has investigated that implicate these areas. Additionally, it incorporates by reference guidance the NYAG issued in 2022 regarding credential stuffing attacks, which outlines four areas in which safeguards should be maintained and notes certain safeguards that may not be effective.

In light of the NYAG’s aggressive enforcement of the NY SHIELD Act, and the sharp rise in data breach-related litigation, organizations should take a close look at their data security programs – with the Guide as one reference point – to ensure they are appropriately managing risk.

If you have questions or concerns regarding your organization’s data security program, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

The Federal Trade Commission updated its “Standards for Safeguarding Customer Information” (“Safeguards Rule”) and extended the compliance deadline to June 9, 2023. Some entities still may be wondering – “Do these regulations apply to my business?” and “What do I have to do?”

Back in 2021, we provided a high-level summary of the Safeguards Rule, and reiterate some of the requirements here. It is important to note that even if your entity or business is not a “financial institution,” the Safeguards Rule lays out a framework to safeguard personal information that you might use as a guide. Businesses that are not in “heavily regulated” industries often wonder: where do we get started, and what are the best practices? The Safeguards Rule may be a place to look.

Who is Subject to the Safeguards Rule?

The Safeguards Rule applies to “financial institutions” subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act. If that seems as clear as mud, it is. But the regulations and FTC guidance provide some helpful examples. There might be some entities on the list that you would expect and some you might not have expected. We list some of the examples below:

  • mortgage lenders and brokers
  • payday lenders
  • finance companies
  • account servicers
  • check cashing companies
  • wire transferors
  • collection agencies
  • tax preparation firms
  • non-federally insured credit unions
  • investment advisors that aren’t required to register with the SEC
  • a retailer that extends credit by issuing its own credit card directly to consumers
  • an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days
  • a personal property or real estate appraiser
  • a career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company
  • a business that prints and sells checks for consumers
  • a business that regularly wires money to and from consumers
  • a business that operates a travel agency in connection with financial services
  • a business that provides real estate settlement

Note, entities that maintain customer information concerning fewer than 5,000 consumers are exempt from some aspects of the Safeguards Rule, such as maintaining an incident response plan. Of course, such a plan is important to have should the entity have a security incident. Also, the business may be required to have such a plan under other laws, including state law, as well as under contracts with the business’s customers.

What do we have to do?

The June 9, 2023, deadline noted above was a six-month extension of the original compliance deadline for the updated Rule. The extension generally applies to the following items:

  • designate a qualified person to oversee their information security program,
  • develop a written risk assessment,
  • limit and monitor who can access sensitive customer information,
  • encrypt all sensitive information,
  • train security personnel,
  • develop an incident response plan,
  • periodically assess the security practices of service providers, and
  • implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information.

A business may not be able to tackle all of these items between now and June 9, 2023, but there are several items that could be addressed within that time. Importantly, the Safeguards Rule contemplates that not all covered financial institutions are the same. Specifically, the Rule provides that information security programs required under the Rule must contain administrative, technical, and physical safeguards that are “appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”

In short, covered financial institutions will need to address all of the applicable requirements but perhaps not to the same extent or in the same way as other covered financial institutions. Much will depend on a number of factors noted above, as well as the business’s risk assessment.

On May 1, 2023, Governor Holcomb signed Senate Bill 5, Indiana’s comprehensive privacy statute (the Act). The Act will become operative on January 1, 2026, and make Indiana the seventh state, after California, Colorado, Connecticut, Iowa, Utah, and Virginia, to enact a comprehensive consumer privacy statute.

Indiana beat Montana and Tennessee, which both have consumer privacy statutes pending signature by their governors.

The Act applies to persons that conduct business in Indiana or produce products or services that are targeted to residents of the state and that, during a calendar year:

  • Control or process the personal data of at least 100,000 consumers who are residents of the state, or
  • Control or process personal data of at least 25,000 consumers who are residents of the state and derive more than 50% of gross revenue from the sale of personal data.

Like other states’ comprehensive consumer privacy laws, the statute provides consumers with the right to access personal data being processed, to delete personal data, and to opt out of the sale of their personal data.

For additional information on Indiana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Health data privacy, including in the context of reproductive health, was strengthened last week when Washington Governor Jay Inslee signed the “My Health, My Data Act” on April 27, 2023. See our summary of the law here.

Set to take effect on March 31, 2024, the new law aims to address health data collected by entities not covered by the federal Health Insurance Portability and Accountability Act (HIPAA).

Washington is not alone in considering more in-depth health data protections in the wake of the recent U.S. Supreme Court decisions pertaining to reproductive health.

Nevada’s legislature recently passed Senate Bill (SB) 370. Similar to the Evergreen State, the Nevada bill would prescribe protections for consumer health data that is maintained and used by entities not covered by HIPAA.

California is also considering Assembly Bill (AB) 354, which would amend the state’s Confidentiality of Medical Information Act to include protection for a consumer’s reproductive or sexual health information collected by a reproductive or sexual health digital service.

For additional information on Washington’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Since the privacy and security regulations were issued under the federal Health Insurance Portability and Accountability Act (HIPAA), critics have pointed to the limitations on the reach of those rules. A critical limitation advanced by privacy advocates is that the popular health data privacy rule extends only to certain covered entities and their business associates, not to health data generally. On April 17, 2022, Washington’s legislature passed House Bill 1155, also known as the My Health, My Data Act. The bill aims to address health data collected by entities not covered by HIPAA, including certain apps and websites.

If signed by the governor, most sections of the law would take effect on March 31, 2024, though certain parts of the legislation may take effect sooner.

When would the law apply?

A “regulated entity” for purposes of the law is defined as an entity that:

  • Conducts business in the State of Washington, or produces or provides products or services that are targeted to consumers in Washington, and
  • Alone or jointly with others, determines the purposes and means of collecting, processing, sharing, or selling consumer health data.

The legislation creates a subgroup of regulated entities, known as “small businesses,” largely to provide a few more months to comply. Small businesses are regulated entities that satisfy one or both of the following thresholds:

  • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
  • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

Who is protected by the law?

Under the legislation, a protected consumer is defined as a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington.

A consumer is only protected for actions taken as an individual or on behalf of a household and does not include actions taken by an individual acting in an employment context.

What data is protected by the law?

The law would protect “consumer health data,” defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Health status includes but is not limited to the following:

  • Individual health conditions, treatment, diseases, or diagnosis
  • Social, psychological, behavioral, and medical interventions
  • Health-related surgeries or procedures
  • Use or purchase of prescribed medications
  • Bodily functions, vital signs, symptoms, or measurements of health-related functions
  • Diagnoses or diagnostic testing, treatment, or medication
  • Gender-affirming care information
  • Reproductive or sexual health information
  • Biometric data
  • Genetic data
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies
  • Data that identifies a consumer seeking health care services.

What are the rights of consumers?

Under HIPAA, individuals have several rights with respect to their protected health information (PHI). These rights include the right to authorize disclosures in certain contexts (and revoke those authorizations), to request an amendment, to request an accounting of disclosures, to request a restriction on use and disclosure, and to be notified of a breach. The Washington legislation would provide consumers with the right to:

  • Confirm whether their consumer health data is being collected, shared, or sold, including a list of all third parties and their affiliates to whom the data has been shared and their contact information.
  • Consent to or deny collection or sharing of health data.
  • Withdraw consent from a regulated entity or small business to collect or share health data.
  • Delete health data collected by a regulated entity or small business, including on archived or backup systems.
  • Be provided clear and conspicuous disclosure of rights to consent or deny collection or sharing of health data.

The provisions concerning the administration of these rights look a lot like the provisions in the California Consumer Privacy Act (CCPA) and other recently enacted state comprehensive data privacy laws.

What obligations do businesses have?

The Washington law would add to the growing compliance burden on company websites, as it would require regulated entities and small businesses to maintain a consumer health data privacy policy prominently on their homepages. That policy must clearly and conspicuously disclose:

  • Categories of consumer health data collected and the purpose for which the data is collected.
  • Categories of sources from which the consumer health data is collected.
  • Categories of consumer health data that are shared.
  • A list of the categories of third parties and specific affiliates with whom consumer health data is shared.
  • How a consumer can exercise the rights provided under the law.

This too is very similar to obligations under the CCPA. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They also must respond to requests from consumers to withdraw consent to collect or share health data. Moreover, they must respond to requests from consumers to delete their consumer health data. The law also would mandate contracts be in place with processors of consumer health data and codify specific data security obligations for regulated entities and small businesses, including specific access management requirements.

Additionally, the law would make it unlawful for “any person” (apparently not just regulated entities or small businesses) to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

How is the law enforced?

Under the new legislation, violations of the requirements for consumer health data would be enforceable either through prosecution by the State Attorney General’s Office or through private actions brought by affected consumers.
