In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA). The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include:
As of July 1, 2023, privacy regulators in four states – California, Colorado, Connecticut, and Virginia – require, and will have the ability to inspect, data protection assessments of processing of consumer health information and other sensitive data, and these states’ laws will require opt-in or opt-out of uses for advertising and certain other purposes.
Also in July of this year, companies that carry out geofencing near medical and similar facilities will have to comply with Washington’s My Health My Data (MHMD) law and New York’s recently passed law – and simply must stop doing it in those states, subject to very limited exceptions. Connecticut and Nevada have passed similar laws, which are pending their respective governors’ signatures. If signed by the governor, the consumer health information portions of Connecticut’s version of MHMD will go into effect in July of this year.
In March 2024, the remainder of MHMD comes into effect, imposing complex notice and consent requirements on the collection, use, and/or sharing or selling of consumer health information beyond what is necessary to provide requested services (such as for advertising), as well as notice and other protections even where the purpose is to provide requested services. If signed by the governor, Nevada’s health-specific privacy law, which was inspired by MHMD, will become effective on March 31, 2024. Other states are sure to follow, and the Federal Trade Commission (FTC) is using its authority under the Health Breach Notification Rule (HBNR) to restrict secondary uses of consumer health information by digital health apps and others that fall within the scope of that rule.
As a result, businesses that are not HIPAA-regulated healthcare providers, but that handle consumer health information, will need to choose between (1) providing differentiated privacy practices dependent on residency (where possible), including user experiences (e.g., type of notice and nature of consent) on the front end and heightened privacy protections on the back end, or (2) adopting a high watermark approach that applies the strictest restrictions and obligations by default to all users.
Particular attention should be given to the use of consumer health information for targeted advertising, as these laws (and potentially the implications of recent enforcement action settlements) diverge from ad industry self-regulatory programs, mandate higher consent requirements, and outright prohibit certain location-aware, health-related advertising.