{"id":546,"date":"2023-12-14T11:58:42","date_gmt":"2023-12-14T16:58:42","guid":{"rendered":"https:\/\/pbacyber.com\/?p=546"},"modified":"2023-12-14T12:01:16","modified_gmt":"2023-12-14T17:01:16","slug":"2023-year-end-review-data-privacy-laws-across-the-united-states","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2023\/12\/14\/2023-year-end-review-data-privacy-laws-across-the-united-states\/","title":{"rendered":"2023 Year End Review: Data Privacy Laws Across the United States"},"content":{"rendered":"<p>By Jennifer K. Wagner, J.D., Ph.D.<\/p>\n<p>&nbsp;<\/p>\n<p>As 2023 winds down, it is important to review the many changes to data privacy laws that have occurred in the United States. While federal privacy law reform has not come to fruition, by all other accounts this year has been a busy one. The changes have taken different forms, with some state policymakers focusing on gaps for consumer health data privacy, others targeting data brokers, and still others focusing more broadly. Here is a brief recap of how the privacy law landscape has changed in 2023.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><u>Consumer Health Privacy Laws<\/u><\/strong><\/p>\n<p>Prompted in large part by the 2022 <em>Dobbs<\/em> decision, legislatures in several states took action to shore up information privacy rights in the realm of health privacy. As we <a href=\"https:\/\/pbacyber.com\/index.php\/2023\/06\/26\/suite-of-new-laws-in-washington-aim-to-strengthen-reproductive-health-privacy-protections\/\">previously discussed<\/a>, in April Washington enacted a suite of laws focused on consumer health privacy, which notably included the <a href=\"chrome-extension:\/\/efaidnbmnnnibpcajpcglclefindmkaj\/https:\/iapp.org\/media\/pdf\/resource_center\/1155_WA_MHMDA_Passed.pdf\">My Health, My Data Act<\/a>. Shortly thereafter, both Nevada (with <a href=\"https:\/\/www.leg.state.nv.us\/App\/NELIS\/REL\/82nd2023\/Bill\/10323\/Text\">S.B. 
370<\/a>) and Connecticut (with <a href=\"https:\/\/www.cga.ct.gov\/2023\/amd\/S\/pdf\/2023SB-00003-R00SA-AMD.pdf\">S.B. 3<\/a>) passed similar laws.<\/p>\n<p>&nbsp;<\/p>\n<p>Understanding the varying definitions remains critical to compliance, as consumer health data, consumer, and other terms are not uniformly defined.<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cConsumer health data\u201d as defined by Washington\u2019s My Health, My Data Act is \u201cpersonal information that is linked or reasonably linkable to a consumer and that identifies the consumer\u2019s past, present, or future physical or mental health status.\u201d A non-exhaustive list of what is regarded as within the definitional scope of \u201cphysical or mental health status\u201d includes, e.g., individual health conditions, treatments, diseases, and diagnoses; biometric data; genetic data; precise location data; and algorithmic inferences, proxies, and extrapolations that might be made from non-health data.<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cConsumer health data\u201d as defined by Nevada S.B. 370, Section 8 is \u201cpersonally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.\u201d In addition to health conditions, diseases, and other information about health status, the term is inclusive of other important and related data (e.g., biometric data, genetic data, geolocation data, and algorithmic inferences, proxies, and extrapolations that might be made from non-health data).<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cConsumer health data\u201d as defined by Connecticut S.B. 
3 (amending the Connecticut Data Privacy Act), is \u201cany personal data that a controller uses to identify a consumer\u2019s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.\u201d A separate definition is offered in S.B. 3 for \u201cpersonal data,\u201d which refers to \u201cany information that is linked or reasonably linkable to an identified or identifiable individual\u201d and which notably excludes \u201cpublicly available information.\u201d The law also expressly lists \u201cconsumer health data\u201d as a form of \u201csensitive data\u201d for purposes of the Connecticut Data Privacy Act.<\/p>\n<p>&nbsp;<\/p>\n<p>Who is protected also varies between these three states. In Washington \u201cconsumer\u201d means not only \u201ca natural person who is a Washington resident\u201d but also \u201ca natural person whose consumer health data is collected in Washington.\u201d By contrast, in Connecticut a \u201cconsumer\u201d relates only to \u201can individual who is a resident of this state.\u201d The narrowest definitional scope of the three is in Nevada, where \u201cconsumer\u201d means \u201ca natural person who has requested a product or service from a regulated entity and who resides in this State or whose consumer health data is collected in this State.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>There are also important enforcement differences. Washington\u2019s law is enforced via the Consumer Protection Act, so enforcement actions can be brought either by the Attorney General or individuals through a private cause of action. 
By contrast, the Attorney General in Connecticut and Nevada has exclusive enforcement of their states\u2019 laws.<\/p>\n<p>&nbsp;<\/p>\n<p>Compliance obligations for Connecticut already took effect on July 1, 2023, and those for both Washington and Nevada are generally to take effect by March 31, 2024.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><u>Genetic Privacy Laws<\/u><\/strong><\/p>\n<p>Genetic information privacy laws have been popping up over the past few years, and three new laws targeting the direct-to-consumer personal genetics industry were enacted in 2023. In March 2023, Virginia enacted <a href=\"https:\/\/lis.virginia.gov\/cgi-bin\/legp604.exe?231+ful+SB1087ER+pdf\">S.B.1087<\/a>, a genetic information privacy law. In June 2023, Montana enacted <a href=\"https:\/\/leg.mt.gov\/bills\/2023\/billpdf\/SB0351.pdf\">S.B. 351<\/a>, and Texas enacted <a href=\"https:\/\/capitol.texas.gov\/tlodocs\/88R\/billtext\/pdf\/HB02545F.pdf\">H.B. 2545<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p>There has been important criticism and discussion of unintended <a href=\"https:\/\/blog.petrieflom.law.harvard.edu\/2023\/08\/10\/state-genetic-privacy-statutes-good-intentions-unintended-consequences\/\">problems<\/a> with these laws and with recent genetic privacy laws\u2019 drawbacks and limitations. For example, Montana\u2019s law does not exempt de-identified data, which <a href=\"https:\/\/www.bloomberglaw.com\/bloomberglawnews\/in-house-counsel\/X161UOQ0000000?bna_news_filter=in-house-counsel#jcite\">has drawn criticism<\/a> from the personal genomics industry.<\/p>\n<p>&nbsp;<\/p>\n<p>There are now roughly a dozen states with genetic information privacy laws, including Florida\u2019s Protecting DNA Privacy Act or <a href=\"https:\/\/laws.flrules.org\/2021\/216\">H.B.833<\/a>, the <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=202120220SB41\">California Genetic Information Privacy Act or S.B. 
41<\/a>, Arizona\u2019s Genetic Information Privacy Act or <a href=\"https:\/\/www.azleg.gov\/legtext\/55leg\/1R\/laws\/0254.pdf\">H.B. 2069<\/a>, Utah\u2019s Genetic Information Privacy Act or <a href=\"https:\/\/le.utah.gov\/~2021\/bills\/static\/SB0227.html\">S.B. 227<\/a>, the Kentucky Genetic Information Privacy Act or <a href=\"https:\/\/apps.legislature.ky.gov\/record\/22RS\/hb502.html\">H.B. 502<\/a>, Maryland\u2019s <a href=\"https:\/\/mgaleg.maryland.gov\/2022RS\/Chapters_noln\/CH_501_hb0866e.pdf\">H.B. 866<\/a> or the Genetic Information Privacy \u2013 Consumer Protection and Genetic Genealogy act, and Wyoming\u2019s Genetic Data Privacy Act or <a href=\"https:\/\/wyoleg.gov\/Legislation\/2022\/HB0086\">H.B.86<\/a>. When considering genetic information privacy laws and their applicability, it is critical to pay attention to the laws\u2019 handling of entities subject to HIPAA\/HITECH and to both data-level or entity-level exemptions or exclusions regarding research activities subject to the Federal <a href=\"https:\/\/www.hhs.gov\/ohrp\/regulations-and-policy\/regulations\/45-cfr-46\/index.html\">Common Rule, 45 CFR 46<\/a>. These more recent laws are quite different from the earlier versions of genetic privacy laws that are more comprehensive (such as <a href=\"https:\/\/www.akleg.gov\/basis\/Bill\/Text\/23?Hsid=SB0217C\">Alaska\u2019s Genetic Information Privacy Act<\/a>). General discussion about genetic privacy laws is available <a href=\"https:\/\/www.ncbi.nlm.nih.gov\/pmc\/articles\/PMC6813935\/\">elsewhere<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><u>Data Broker Laws<\/u><\/strong><\/p>\n<p>Data brokers have come under <a href=\"https:\/\/www.wired.com\/story\/fcra-letter-data-brokers-privacy-regulation\/\">increased criticism<\/a> in recent years. 
Vermont was the <a href=\"https:\/\/www.fastcompany.com\/90302036\/over-120-data-brokers-inch-out-of-the-shadows-under-landmark-vermont-law\">first state to pass a data broker registration law<\/a>, which it did in 2018. California did so in 2019, but in October 2023 amended it with passage of <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=202320240SB362\">S.B. 362<\/a> (the Delete Act). California\u2019s big change was to move the data broker registry\u2019s enforcement authority to the California Privacy Protection Agency. Two states passed new data broker laws in 2023: Oregon, which passed <a href=\"https:\/\/olis.oregonlegislature.gov\/liz\/2023R1\/Downloads\/MeasureDocument\/HB2052\/Enrolled\">H.B. 2052<\/a> in June, and Texas, which passed <a href=\"https:\/\/capitol.texas.gov\/tlodocs\/88R\/billtext\/pdf\/SB02105F.pdf\">S.B. 2105<\/a> in July.<\/p>\n<p>&nbsp;<\/p>\n<p>Variation exists in the data broker laws among these four states as well, including the definition of \u201cdata broker\u201d that ultimately determines who must comply with the laws.<\/p>\n<p>&nbsp;<\/p>\n<p>Vermont\u2019s definition of \u201cdata broker\u201d is \u201ca business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>In California, a \u201cdata broker\u201d is \u201ca business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship\u201d with various exclusions of entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Insurance Information and Privacy Protection Act.<\/p>\n<p>&nbsp;<\/p>\n<p>Oregon\u2019s definition of \u201cdata broker\u201d is \u201ca business entity or part of a business entity that collects and sells or 
licenses brokered personal data to another person.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>Texas appears to have the narrowest scope for its data broker registry of the four states thus far, as there (1) a \u201cdata broker\u201d refers only to a \u201cbusiness entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data\u201d and (2) the registry applies only to a data broker who, in a 12-month period derives (a) &gt;50% of its revenue \u201cfrom processing or transferring personal data that the data broker did not collect directly from the individuals to whom the data pertains\u201d or (b) revenue from processing or transferring the personal data of &gt;50,000 individuals that the data broker did not collect directly from the individuals to whom the data pertains. There are other exclusions as well.<\/p>\n<p>&nbsp;<\/p>\n<p>Another distinction is that while Vermont and California have specific registration deadlines (registration annually by January 31), Oregon and Texas only require registration prior to conducting business there.<\/p>\n<p>&nbsp;<\/p>\n<p>Compliance obligations for Vermont\u2019s law have been ongoing for nearly four years (since January 1, 2019), and compliance obligations for Texas began on September 1, 2023. Those in Oregon take effect on January 1, 2024, as do the changes to California\u2019s data broker registration (although some requirements under the California law\u2014such as the accessible deletion mechanism and independent auditing\u2014are delayed until 2026 and 2028, respectively).<\/p>\n<p>&nbsp;<\/p>\n<p><strong><u>Comprehensive Data Protection Laws<\/u><\/strong><\/p>\n<p>At the start of 2023, comprehensive consumer protection laws were found in five states: California, Virginia, Colorado, Utah, and Connecticut. 
By the (almost) end of 2023, they can be found in twelve (12) states, with new laws passed in Iowa, Indiana, Tennessee, Oregon, Montana, Texas, and Delaware.<\/p>\n<p>&nbsp;<\/p>\n<p>The effective dates for these laws are listed in chronological order below:<\/p>\n<ul>\n<li>1, 2020 &#8211; California Consumer Privacy Act (<a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displayText.xhtml?division=3.&amp;part=4.&amp;lawCode=CIV&amp;title=1.81.5\">CCPA<\/a>)<\/li>\n<li>1 2023 &#8211; California Privacy Rights Act (<a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displayText.xhtml?division=3.&amp;part=4.&amp;lawCode=CIV&amp;title=1.81.5\">CPRA<\/a>) and <a href=\"https:\/\/law.lis.virginia.gov\/vacodefull\/title59.1\/chapter53\/\">Virginia Consumer Data Protection Act<\/a><\/li>\n<li>1, 2023 &#8211; <a href=\"https:\/\/leg.colorado.gov\/bills\/sb21-190\">Colorado Privacy Act<\/a> and <a href=\"https:\/\/www.cga.ct.gov\/asp\/cgabillstatus\/cgabillstatus.asp?selBillType=Bill&amp;bill_num=SB00006&amp;which_year=2022\">Connecticut Personal Data Privacy and Online Monitoring Act<\/a><\/li>\n<li>31, 2023 \u2013 <a href=\"https:\/\/le.utah.gov\/~2022\/bills\/static\/SB0227.html\">Utah Consumer Privacy Act<\/a><\/li>\n<li>1, 2024 \u2013 <a href=\"https:\/\/olis.oregonlegislature.gov\/liz\/2023R1\/Downloads\/MeasureDocument\/SB619\/Enrolled\">Oregon Consumer Privacy Act<\/a> and <a href=\"https:\/\/capitol.texas.gov\/BillLookup\/Text.aspx?LegSess=88R&amp;Bill=HB4\">Texas Data Privacy and Security Act<\/a><\/li>\n<li>1, 2024 \u2013 <a href=\"https:\/\/leg.mt.gov\/bills\/2023\/billhtml\/SB0384.htm\">Montana Consumer Data Privacy Act<\/a><\/li>\n<li>1, 2025 \u2013 <a href=\"https:\/\/legiscan.com\/DE\/text\/HB154\/id\/2807502\">Delaware Personal Data Privacy Act<\/a> and <a href=\"https:\/\/www.legis.iowa.gov\/legislation\/BillBook?ga=90&amp;ba=SF%20262\">Iowa Consumer Data Protection Act<\/a><\/li>\n<li>1, 2026 \u2013 <a 
href=\"https:\/\/legiscan.com\/IN\/text\/SB0005\/id\/2779850\">Indiana Consumer Data Protection Act<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>A comparison of these laws is beyond the scope of this brief end-of-year review, but <a href=\"https:\/\/iapp.org\/media\/pdf\/resource_center\/State_Comp_Privacy_Law_Chart.pdf\">the chart<\/a> provided by the International Association of Privacy Professionals that tracks state privacy legislation is a useful starting point for those interested in more detailed information. Exemptions and exclusions differ among these laws.<\/p>\n<p>&nbsp;<\/p>\n<p>The National Conference of State Legislatures <a href=\"https:\/\/www.ncsl.org\/technology-and-communication\/2023-consumer-data-privacy-legislation\">reported<\/a> that at least 40 states and Puerto Rico have considered hundreds of privacy bills in 2023. In Pennsylvania, this has involved consideration of <a href=\"v\">H.B. 1201<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><u>Looking ahead to 2024<\/u><\/strong><\/p>\n<p>As we look ahead to 2024, we anticipate that policymakers will remain keen on modernizing privacy law\u2014particularly with the <a href=\"https:\/\/rollcall.com\/2023\/09\/26\/data-privacy-law-seen-as-needed-precursor-to-ai-regulation\/\">growing sentiment<\/a> that solid data privacy law foundations are needed to enable proper governance of rapidly developing artificial intelligence technologies. This was underscored by the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2023\/10\/30\/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence\/\">Executive Order<\/a> on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence issued by President Biden on October 30, 2023, which named protection of privacy as one of the guiding principles and priorities for policy as AI advances. 
There will be no shortage of work for privacy attorneys and professionals in 2024, as we should expect not only further development of laws regarding the areas reviewed here but also other areas, including biometrics, children\u2019s online privacy, and others.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy, and Engineering and Anthropology at Penn State University. She has been a member of the PBA Cybersecurity &amp; Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report, and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law &amp; Biosciences; Journal of Law, Medicine, &amp; Ethics; Albany Law Journal of Science &amp; Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator\u2019s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on several social media platforms as @DNAlawyer. Views expressed are her own.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Jennifer K. Wagner, J.D., Ph.D. &nbsp; As 2023 winds down, it is important to review the many changes to data privacy laws that have occurred in the United States. While federal privacy law reform has not come to fruition, by all other accounts this year has been a busy one. 
The changes have taken <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2023\/12\/14\/2023-year-end-review-data-privacy-laws-across-the-united-states\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,10],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/546"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=546"}],"version-history":[{"count":4,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/546\/revisions"}],"predecessor-version":[{"id":550,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/546\/revisions\/550"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}