On July 18, 2023, Oregon’s Governor signed Senate Bill 619 which enacts Oregon’s comprehensive consumer data privacy statute. Oregon joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia in enacting a comprehensive consumer privacy law. Most of the sections of the law are scheduled to take effect on July 1, 2024, with a delayed effective date of July 1, 2025, for non-profit organizations.

When does the law apply?

The statute applies to any person that conducts business in the State of Oregon or that provides products or services to residents of the state and who during a calendar year, controls, or processes:

  • The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or,
  • The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

The following are some of the types of businesses that are exempted from the statute:  

  • A public corporation
  • Covered entities or business associates processing protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
  • Organizations subject to the Gramm-Leach-Bliley Act.

Who is protected by the law?

The law protects consumers defined as a natural person who resides in the State of Oregon and acts in any capacity other than in a commercial or employment context.

What data is protected by the law?

Personal data that is protected under the statute is defined as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”

It does not include:

  • Deidentified data
  • Data that is lawfully available through federal, state, or local government records or through widely distributed media
  • Data the controller reasonably understood to have been lawfully made available to the public by the consumer.

The statute also includes biometric data under personal data. Under the legislation biometric data is defined as personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voice print, iris pattern, gait, or other unique biological characteristics that allow or confirm the unique identification of a consumer.

What are the rights of consumers?

Under the new legislation, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a digital copy of the data the consumer previously provided, if available; and
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
  • Obtain a list of “specific third parties” to whom a controller discloses personal data.

What obligations do businesses have?

The legislation requires that businesses post a privacy policy that describes the categories of personal information it collects, the purpose of the collection, the categories of third parties with whom the personal information is shared, and an explanation of the consumer’s rights.

Covered businesses must also include a “clear and conspicuous” description of any processing done for the purpose of targeted advertising.

Eventually, covered businesses will be required to recognize universal opt-out mechanisms, though that portion of the statute does not take effect until January 1, 2026.

How is the law enforced?

The State Attorney General has exclusive authority to enforce the statute and it does not allow for a private right of action to enforce.

If you have questions about Oregon’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On June 7, 2023, Connecticut’s Governor signed Senate Bill (SB) 1103, which enacted regulations regarding artificial intelligence, automated decision-making, and personal data privacy. The law sets several requirements for state agencies’ development and use of automated systems for critical decisions, including the designation of an artificial intelligence officer under the Office of Policy and Management, who would be tasked with developing and adopting automated systems procedures for state agencies’ use.

Under the bill state contracting agencies will be prohibited from entering into a contract on or after July 1, 2023, unless the contract contains a provision requiring the business to comply with all applicable provisions of the state’s consumer data privacy law.

The bill expands exemptions from the consumer data privacy law to include any air carrier that is regulated under the Federal Aviation Act (FAA) and the Airline Deregulation Act.

Most of the bill’s provisions took effect on July 1, 2023.

If you have questions about the changes in Connecticut law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On June 26, 2023, the Governor of Connecticut signed Senate Bill (SB) 3 which set forth new requirements related to consumer health data and protections for minors online.

As Connecticut’s comprehensive consumer privacy law took effect on July 1, 2023, the state has expanded privacy requirements under SB 3. Similar to Washington and Nevada, Connecticut sets standards for accessing and sharing consumer health data by private entities. The health data portions of the legislation took effect July 1, 2023.

Health Data Defined

Under the new legislation, consumer health data is defined as personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis and includes but is not limited to gender-affirming health data and reproductive or sexual health data.

Certain types of information are excluded from coverage including protected health information under the Health Insurance Portability and Accountability Act (HIPAA).

Protections for Health Data

Covered entities are prohibited from collecting or sharing health data without a consumer’s consent. And health data may not be sold without a consumer completing a specified consent form.

The law also prohibits anyone from implementing a geofence to identify, track, collect data from, or send notifications or messages to a consumer that enters the virtual perimeter around a healthcare provider or facility.

Protections for Minors

Under the legislation, certain social media platforms are prohibited from establishing accounts for a minor under the age of 16 without a parent’s or guardian’s consent.

Moreover, covered platforms must delete a minor’s social media account and cease processing personal data within 10 days of receiving a request.

Some of the protections pertaining to minors do not take effect until October 1, 2024.

Enforcement

Under the legislation, any violation of either the consumer health data or online service provisions are enforced solely by the state attorney general. There is no private right of action created.

If you have questions about the changes to Connecticut’s Privacy Law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On June 7, 2023, Montana’s Governor signed Senate Bill (SB) 351 which revises the state’s privacy law pertaining to genetic information.

This legislation takes effect on October 1, 2023.

Covered Entity

Businesses covered by the legislation are any partnership, corporation, association, or public or private organization that:

  • Offers consumer genetic testing products or services directly to a consumer; or
  • Collects, uses, or analyzes genetic data

Consumer Defined

Under the legislation, consumers are defined as an individual who is a resident of the state of Montana.

Covered Entity Obligations

Under the legislation, covered entities have the following obligations:

  • Provide clear and complete information regarding the business’s policies and procedures for the collection, use, or disclosure of genetic data.
  • Obtain a consumer’s initial express consent for the collection, use, or disclosure of the consumer’s genetic data.
  • Obtain a consumer’s separate express consent for, amount others, the transfer or disclosure of the consumer’s genetic data to any person other than the company’s vendors and service providers.
  • Develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure.

The law does not apply to the following:

  • Protected health information that is collected by a covered entity or business associate as defined under federal privacy requirements if separate informed consent is related to the collection, use, and dissemination is obtained from the consumer.
  • An entity when engaged in collecting, using, or analyzing genetic data or biological samples in the context of research pursuant to certain federal definitions.

Enforcement

The legislation is solely enforced by the state attorney general, who can initiate a civil enforcement action.

If you have questions about Montana’s new genetic data law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Though enforcement of the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA) has been paused for now, the State of California is not resting when it comes to compliance with the CCPA.

On July 14, 2023, California’s Attorney General announced an “investigative sweep” regarding compliance with the CCPA. The Attorney General plans to send inquiry letters to large California employers requesting information on compliance with CCPA with respect to the personal information of employees and job applicants. Effective January 1, 2023, the CCPA extended coverage to employees and applicants.  

If a business is uncertain about whether it needs to comply with the CCPA requirements or related issues, review Jackson Lewis’ California Consumer Privacy Act, California Privacy Rights Act FAQs for Covered Businesses.

If you have specific questions about responding to the Attorney General’s investigative sweep or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

In March 2023, the California Chamber of Commerce filed a Petition for Writ of Mandate and Complaint for Declaratory and Injunctive Relief against the California Privacy Protection Agency (CPPA), the agency tasked with implementation and enforcement of the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA).

The writ sought to compel the CPPA to promptly adopt final regulations and seek to enjoin enforcement actions under the CPRA until 12 months after the adoption of final implementing regulations.

The hearing on the petition for Write of Mandate was on June 30, 2023, the last day before enforcement was set to commence for the CPRA. Specifically, the superior court’s opinion discusses that the CPPA adopted the first set of regulations in 12 of the 15 areas needed on March 29, 2023. The CPPA conceded it had not yet finalized regulations regarding 3 remaining areas e.g. cybersecurity audits, risk assessments, and automated decision-making technology.

The Chamber argued that California voters “intended for the Agency to issue the complete regulations covering the fifteen mandatory issues by July 1, 2022,” and that “…the voters intended businesses to have one year from the Agency’s adoption of final regulations before the Agency could begin enforcement.”

The CPPA disagreed with the Chamber’s argument indicating the text of the CPRA was not straightforward as to confer a mandatory promulgation deadline.

The superior court granted the writ in part, finding that enforcement of any final CPPA regulation implemented would be stayed for a period of 12 months from the date that individual regulation becomes final. The court however declined to mandate any specific date for the CPPA to finalize regulations.  

Based on the ruling, enforcement of the initial regulations approved in March, could not commence until March 2024. It is anticipated the CPPA may appeal the decision, though the ruling would likely remain in place during the pendency of an appeal.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On June 18, 2023, Texas’ Governor signed House Bill (HB) 4 which enacts the Texas Data Privacy and Security Act. Texas joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. Most of the sections of the law are scheduled to take effect July 1, 2024.

When does the law apply?

In general, the law applies to businesses (referred to as “controllers”) that:

  • Conduct business in the state of Texas or produce a product or service consumed by Texas residents; and
  • Processes or engages in the sale of personal data.

The law does not apply to small businesses (as defined by the Small Business Administration) and along with several categories of personal data that are excluded from coverage under the law, the following entities are specifically exempted:

  • State agencies or political subdivisions;
  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
  • Covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA);
  • Non-profit organizations;
  • Institutions of higher education; and
  • Electric utilities.

Who is protected by the law?

Consumers that are protected under the law are defined as an individual who is a resident of the state of Texas acting only in an individual or household context. A consumer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

Personal data is protected under the legislation and defined as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, but does not include de-identified data or publicly available information.

Under the law, sensitive data includes any data revealing a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, as well as any genetic or biometric data used for identifying an individual, any personal data collected from a known child, or any precise geolocation data.

What are the rights of consumers?

Under the new legislation, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a digital copy of the data the consumer previously provided, if available; and
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

What obligations do businesses have?

Limitations on Collection

Covered controllers must limit the collection of personal data to only what is adequate, relevant, and reasonably necessary for the purpose for which the personal data is being processed and disclosed to the consumer. They must also implement “reasonable” security practices to protect the confidentiality and integrity of the data.

Consent

In addition, controllers must obtain a consumer’s consent before (1) processing personal data for any other purpose than what was disclosed or (2) processing the sensitive data of a consumer. Controllers are barred from using the data to discriminate against consumers.

Notice to Consumers

Controllers must also provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purpose of processing personal data;
  • How consumers may exercise their rights;
  • If applicable, the categories of personal data shared with third parties; and
  • If applicable, the categories of third parties with whom the controller shares personal data
  • A description of the methods through which consumers can submit requests to exercise rights.

In addition, controllers who engage in the sale of sensitive data or biometric personal data must give specific notices (posted in the same location and manner as the privacy notice):

  • “NOTICE: We may sell your sensitive personal data.”
  • “NOTICE: We may sell your biometric personal data.”

Data protection assessments

Whenever a controller processes any sensitive data or processes personal data for targeted advertising, the sale of personal data, specific forms of profiling, or any activity that presents a heightened risk of harm to consumers, the controller is required to prepare a detailed data protection assessment.

Consumer Rights

Controllers must also make available two or more secure and reliable methods to enable consumers to submit a request to exercise their rights under the legislation, as well as establish an appeal process that is “conspicuously available” and similar to the process established for initially exercising their rights. When a consumer seeks to exercise their rights, the controller must respond to the request without undue delay, but no later than 45 days after the receipt of the request (but may, in some circumstances, extend the response deadline once by an additional 45 days). If the controller declines the consumer’s request, it must provide justification for its decision and instructions on how to appeal the decision. If the controller denies the appeal, the controller must provide the consumer with the online mechanism to submit the complaint to the Attorney General.

How is the law enforced?

Under the law, there is no private cause of action for consumers. Instead, the Attorney General has exclusive authority to enforce the new restrictions and must establish an online mechanism through which a consumer may submit a complaint.

If the Attorney General has “reasonable cause” to believe someone has violated the law, it may issue a civil investigative demand and require a controller to disclose any relevant data protection assessment to facilitate its investigation. If the Attorney General identifies violations of the law, it must send a notice of violation to the controller at least 30 days before bringing the action and allow the controller an opportunity to cure. If the controller cures the violation within the 30-day period, the Attorney General may not bring an action against the controller.

If the Attorney General brings such an action, it may seek both civil penalties, injunctive relief, and recover attorney’s fees and expenses incurred both during the initial investigation and subsequent legal action.

Texas’ new consumer privacy law is comprehensive, and the summary above reflects only the highlights of the new obligations and risks presented to businesses operating in Texas. For more information or if you have questions or concerns or require guidance on how to bring your operations into compliance with the new law, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On June 16, 2023, Nevada’s Governor signed Senate Bill (SB) 370, which enacts certain protections for consumer health data.

The law is similar to Washington’s My Health, My Data Act, which was passed in April. The Future of Privacy Forum prepared a useful chart comparing the Washington and Nevada laws.

Nevada’s law becomes operative on March 31, 2024.

To what entities does the law apply?

SB 370 applies to any person that:

  • Conducts business in Nevada or produces or provides products or services that are targeted at consumers in Nevada; and,
  • Alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.

The law includes a long list of exceptions, including exclusions for:

  • any person or entity subject to the Health Insurance Portability and Accountability Act (HIPAA), and
  • a financial institution or affiliate that is subject to the provisions of the Gramm-Leach-Bliley Act.

Who is protected by the law?

SB 370 protects “consumers” – natural persons who have requested a product or service from a regulated business and who reside in the state of Nevada or whose health information is collected in Nevada. The law does not extend to natural persons acting in an employment context or as an agent of a governmental entity.

What data is protected by the law?

Consumer health data is protected under the law. This is defined as personal information that is linked or reasonably capable of being linked to a consumer which the covered business uses to identify the past, present, or future health status of the consumer. Consumer health data includes:

  • Any health condition or status, disease, or diagnosis
  • Social psychological, behavioral, or medical intervention
  • Surgeries or health-related procedures
  • The use or acquisition of medication
  • Bodily functions, vital signs, or symptoms
  • Reproductive or sexual health care
  • Gender-affirming care
  • Biometric or genetic data

The law does not cover information used for certain research, public health, or health data shared pursuant to federal or state law.

What are the rights of consumers?

Similar to the California Consumer Privacy Act and the growing array of consumer privacy laws enacted in several states, consumers have certain rights under SB 370 concerning their consumer health information, such as:

  • The right to confirm whether a covered business is collecting, sharing, or selling their health data.
  • The right to access a list of all third parties with whom the business has shared or sold the consumer’s health data.
  • The right to request the business stop collection, sharing, or selling of the consumer’s health data.
  • The right to delete their health data.

What obligations do businesses have?

Below is a non-exhaustive list of obligations covered businesses have under SB 370.

Covered businesses must obtain affirmative voluntary consent when collecting and sharing consumer health data, except to the extent it is necessary to provide a product or service that the consumer has requested from the business. The covered business also may share consumer health information without consent when required by law.

Covered businesses shall upon request by a consumer:

  • Confirm whether the regulated entity is collecting, sharing, or selling the consumer’s health data.
  • Provide the consumer with a list of all third parties with whom the business has shared or sold the consumer’s health data.
  • Cease collection, sharing, or selling of the consumer’s health data.
  • Delete the consumer’s health data.

Responses to requests must be made without undue delay but no later than 45 days after the business authenticates the request. Note that under some other laws, such as Washington’s My Health, My Data Act, and the CCPA, the 45-day clock starts to run from the date the request is received, not when it is authenticated.

Covered businesses also are required to develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously establishes:

  • The categories of consumer health data being collected and the manner in which it will be used.
  • The categories of sources from which the health data is collected
  • The categories of third parties and affiliates with whom the covered business shares health data.
  • The manner in which health data will be processed.
  • The procedure for submitting a request
  • The process by which a consumer can review and request changes to their health data
  • The way the business will notify consumers of changes to its privacy policy
  • Whether a third party may collect health data from the business
  • The effective date of the privacy policy

The business must conspicuously post a link to its policy on its main internet website or otherwise provide the policy to consumers in a manner that is clear and conspicuous. These website policy requirements across several states and countries are adding significant complexity to the compliance obligations of covered businesses.

Employees and processors of the covered business may be permitted to access consumer health information only where reasonably necessary (i) to further the purpose for which the consumer consented to the collection or sharing of the information, or (ii) to provide a product or service that the consumer requested.

Covered businesses also are required to establish, implement and maintain policies and practices for the administrative, technical, and physical security of consumer health data.

In addition, covered businesses may not establish a geofence within 1,750 feet of any medical facility for the purposes of identifying or tracking consumers seeking in-person health care, collecting health data, and sending notifications. 

How is the law enforced?

The new law provides for enforcement by the Nevada Attorney General. There is no private right of action.

For additional information on Nevada’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

The Association of Corporate Counsel and Major, Lindsey & Africa recently released their 2023 Law Department Management Benchmarking Report (Report) which tracks key trends in law department financial and operational data.

Unsurprising, as there has been an increase in privacy regulation across the country with several states passing comprehensive privacy legislation in 2023, privacy compliance is becoming a focus for legal departments. Our team is seeing this significant growth show up in a wide range of areas, ranging from the adoption of new technologies, incident response, compliance generally, vendor management, and transactions. Here are some examples:

  • The uptick in the utilization of generative AI tools like ChatGPT has in-house counsel concerned about several factors including privacy.
  • The continued threat of data breaches, including the recent surge in ransomware, warrants continued focus in this area, such as strengthening preparedness with tabletop exercises.  
  • Consumers and employees are becoming more savvy about their privacy, raising questions about surveillance, broad data collection, retention of personal data, and the use of their information.
  • For all organizations, leveraging vendors and third-party service providers is essential to maintaining business-critical functions. But they need data to do it, which requires assessment, strong contract language, and continuous management to maintain the privacy and security of data.
  • Long before a deal closes, information, sometimes sensitive personal information, is exchanged, often creating headaches for in-house counsel managing the deal who can face significant compliance challenges.  

The Report found that privacy was now the most common business function directly overseen by Legal Departments of businesses overtaking compliance. 70 percent of Chief Legal Officers that were surveyed have oversight over privacy.

The Report also showed that 96 percent of businesses were handling privacy and security compliance in-house, with 25 percent handled by outside counsel and only 3 percent of respondents using alternative legal services for their privacy and security compliance.

This increased focus by legal departments mirrors the increased complexities in the privacy arena, and the risks businesses face in failing to comply, with no signs of slowing down.

It is not the first time we have written about complaints, OCR settlements, and even jail time following snooping by hospital employees into patient records. For example, as COVID raged, an investigation showed that for approximately 10 months ending in February, 2021, an employee at a California state hospital improperly accessed approximately 2,000 individuals’ COVID-19 related data including test results. Preventing these kinds of breaches can be difficult especially when system assess is needed to facilitate the efficient and often urgent delivery of health care.

Yesterday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), announced a settlement with a not-for-profit community hospital under HIPAA. As many do, the settlement resulted from an investigation of a data breach report submitted by the hospital. According to the report, 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in hospital’s electronic medical record (EMR) system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information. The breach affected 419 individuals.  

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identify theft and fraud.”

In addition to agreeing to pay $240,000, the hospital also agreed to be monitored under a two-year corrective action plan (CAP). The CAP included the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information.
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
  • Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures;
  • Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Digging into the details of the settlement and CAP, it is clear OCR is focused on access management – ensuring appropriate access between systems, ensuring access only to those that need it, providing training about access, etc. Another consideration, prudent for any kind of surveillance, is monitoring the monitors. That is, for example, regularly reviewing access logs to assess appropriateness of the activity.

Organizations, whether covered by HIPAA or not, engaged in monitoring and surveillance activities should be thinking about how to control the nature and extent of that monitoring and surveillance to avoid unintended consequences. This includes assessing the safeguards implemented by third party vendors supporting the systems, devices, and activities. Data security should not be focused only on systems designed to prevent external hackers, but also what can be done internally to prevent unauthorized access, uses, and disclosures of confidential and sensitive personal information by insiders, employees.