2023 Year End Review: Data Privacy Laws Across the United States

By Jennifer K. Wagner, J.D., Ph.D.


As 2023 winds down, it is important to review the many changes to data privacy laws that have occurred in the United States. While federal privacy law reform has not come to fruition, by all other accounts this year has been a busy one. The changes have taken different forms, with some state policymakers focusing on gaps for consumer health data privacy, others targeting data brokers, and still others focusing more broadly. Here is a brief recap of how the privacy law landscape has changed in 2023.


Consumer Health Privacy Laws

Prompted in large part by the 2022 Dobbs decision, legislatures in several states took action to shore up information privacy rights in the realm of health privacy. As we previously discussed, in April Washington enacted a suite of laws focused on consumer health privacy, which notably included the My Health, My Data Act. Shortly thereafter, both Nevada (with S.B. 370) and Connecticut (with S.B. 3) passed similar laws.


Understanding the varying definitions remains critical to compliance, as “consumer health data,” “consumer,” and other terms are not uniformly defined.


“Consumer health data” as defined by Washington’s My Health, My Data Act is “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” A non-exhaustive list of what is regarded as within the definitional scope of “physical or mental health status” includes, e.g., individual health conditions, treatments, diseases, and diagnoses; biometric data; genetic data; precise location data; and algorithmic inferences, proxies, and extrapolations that might be made from non-health data.


“Consumer health data” as defined by Nevada S.B. 370, Section 8 is “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.” In addition to health conditions, diseases, and other information about health status, the term is inclusive of other important and related data (e.g., biometric data, genetic data, geolocation data, and algorithmic inferences, proxies, and extrapolations that might be made from non-health data).


“Consumer health data” as defined by Connecticut S.B. 3 (amending the Connecticut Data Privacy Act), is “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.” A separate definition is offered in S.B. 3 for “personal data,” which refers to “any information that is linked or reasonably linkable to an identified or identifiable individual” and which notably excludes “publicly available information.” The law also expressly lists “consumer health data” as a form of “sensitive data” for purposes of the Connecticut Data Privacy Act.


Who is protected also varies between these three states. In Washington “consumer” means not only “a natural person who is a Washington resident” but also “a natural person whose consumer health data is collected in Washington.” By contrast, in Connecticut a “consumer” relates only to “an individual who is a resident of this state.” The narrowest definitional scope of the three is in Nevada, where “consumer” means “a natural person who has requested a product or service from a regulated entity and who resides in this State or whose consumer health data is collected in this State.”


There are also important enforcement differences. Washington’s law is enforced via the Consumer Protection Act, so enforcement actions can be brought either by the Attorney General or individuals through a private cause of action. By contrast, the Attorney General in Connecticut and Nevada has exclusive enforcement of their states’ laws.


Compliance obligations under Connecticut’s law already took effect on July 1, 2023; those under the Washington and Nevada laws generally take effect by March 31, 2024.


Genetic Privacy Laws

Genetic information privacy laws have been popping up over the past few years, and three new laws targeting the direct-to-consumer personal genetics industry were enacted in 2023. In March 2023, Virginia enacted S.B. 1087, a genetic information privacy law. In June 2023, Montana enacted S.B. 351, and Texas enacted H.B. 2545.


There has been important criticism and discussion of unintended problems with these laws and with recent genetic privacy laws’ drawbacks and limitations. For example, Montana’s law does not exempt de-identified data, which has drawn criticism from the personal genomics industry.


There are now roughly a dozen states with genetic information privacy laws, including Florida’s Protecting DNA Privacy Act or H.B. 833, the California Genetic Information Privacy Act or S.B. 41, Arizona’s Genetic Information Privacy Act or H.B. 2069, Utah’s Genetic Information Privacy Act or S.B. 227, the Kentucky Genetic Information Privacy Act or H.B. 502, Maryland’s H.B. 866 or the Genetic Information Privacy – Consumer Protection and Genetic Genealogy Act, and Wyoming’s Genetic Data Privacy Act or H.B. 86. When considering genetic information privacy laws and their applicability, it is critical to pay attention to the laws’ handling of entities subject to HIPAA/HITECH and to both data-level and entity-level exemptions or exclusions regarding research activities subject to the Federal Common Rule, 45 CFR 46. These more recent laws are quite different from the earlier, more comprehensive genetic privacy laws (such as Alaska’s Genetic Information Privacy Act). General discussion about genetic privacy laws is available elsewhere.


Data Broker Laws

Data brokers have come under increased criticism in recent years. Vermont was the first state to pass a data broker registration law, which it did in 2018. California did so in 2019, but in October 2023 amended it with passage of S.B. 362 (the Delete Act). California’s big change was to move the data broker registry’s enforcement authority to the California Privacy Protection Agency. Two states passed new data broker laws in 2023: Oregon, which passed H.B. 2052 in June, and Texas, which passed S.B. 2105 in July.


Variation exists in the data broker laws among these four states as well, including the definition of “data broker” that ultimately determines who must comply with the laws.


Vermont’s definition of “data broker” is “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”


In California, a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” with various exclusions of entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Insurance Information and Privacy Protection Act.


Oregon’s definition of “data broker” is “a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person.”


Texas appears to have the narrowest scope for its data broker registry of the four states thus far, as there (1) a “data broker” refers only to a “business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data” and (2) the registry applies only to a data broker who, in a 12-month period, derives (a) more than 50% of its revenue “from processing or transferring personal data that the data broker did not collect directly from the individuals to whom the data pertains” or (b) revenue from processing or transferring the personal data of more than 50,000 individuals that the data broker did not collect directly from the individuals to whom the data pertains. There are other exclusions as well.


Another distinction is that while Vermont and California have specific registration deadlines (registration annually by January 31), Oregon and Texas only require registration prior to conducting business there.


Compliance obligations for Vermont’s law have been ongoing for nearly four years (since January 1, 2019), and compliance obligations for Texas began on September 1, 2023. Those in Oregon take effect on January 1, 2024, as do the changes to California’s data broker registration (although some requirements under the California law—such as the accessible deletion mechanism and independent auditing—are delayed until 2026 and 2028, respectively).


Comprehensive Data Protection Laws

At the start of 2023, comprehensive consumer protection laws were found in five states: California, Virginia, Colorado, Utah, and Connecticut. By the (almost) end of 2023, they can be found in twelve (12) states, with new laws passed in Iowa, Indiana, Tennessee, Oregon, Montana, Texas, and Delaware.


The effective dates for these laws are listed in chronological order below:


A comparison of these laws is beyond the scope of this brief end-of-year review, but the chart provided by the International Association of Privacy Professionals that tracks state privacy legislation is a useful starting point for those interested in more detailed information. The exemptions and exclusions differ among these laws.


The National Conference of State Legislatures reported that at least 40 states and Puerto Rico have considered hundreds of privacy bills in 2023. In Pennsylvania, this has involved consideration of H.B. 1201.


Looking ahead to 2024

As we look ahead to 2024, we anticipate that policymakers will remain keen on modernizing privacy law—particularly with the growing sentiment that solid data privacy law foundations are needed to enable proper governance of rapidly developing artificial intelligence technologies. This was underscored by the Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence issued by President Biden on October 30, 2023, which named protection of privacy as one of the guiding principles and priorities for policy as AI advances. There will be no shortage of work for privacy attorneys and professionals in 2024, as we should expect not only further development of laws regarding the areas reviewed here but also other areas, including biometrics, children’s online privacy, and others.


Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy, and Engineering and Anthropology at Penn State University. She has been a member of the PBA Cybersecurity & Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report, and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as an AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on several social media platforms as @DNAlawyer. Views expressed are her own.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.
