Just a few weeks after California Attorney General Bonta announced an investigative sweep through inquiry letters sent to California employers, the California Privacy Protection Agency (CPPA) announced a California Consumer Privacy Act (CCPA) review of data privacy practices by connected vehicle manufacturers and related technologies, focusing on embedded features including “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”

Just a few weeks after California Attorney General Bonta announced an investigative sweep through inquiry letters sent to California employers, the California Privacy Protection Agency (CPPA) announced a California Consumer Privacy Act (CCPA) review of data privacy practices by connected vehicle manufacturers and related technologies, focusing on embedded features including “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”

So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) applies also to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies.

On 18 July 2023, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh US state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is 1 July 2024.

The Colorado Privacy Act has been enforceable since 1 July 2023. Just as the California Attorney General has done through several sweeps, the Colorado Attorney General, Phil Weiser, has announced through letters sent to business that enforcement of the Colorado Privacy Act has begun.
The initial round of letters are meant to educate businesses on their new obligations, with particular emphasis on the collection and use of sensitive data and related prior consent requirement as well as the obligation to allow consumers to opt out of targeted advertising and profiling.

With the new Washington state My Health My Data Act, you may wonder if any exceptions or exemptions apply to your organization. As a reminder, the definition of consumer health data is broad: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” Outside of the broad exclusion of employment context data, the My Health My Data Act’s list of exceptions and exemptions is long but is focused mainly on specific medical and health care contexts where health data is more narrowly defined or otherwise another specific law applying to processing of the data.

The Connecticut Data Privacy Act is operative since 1 July 2023, and so are certain amendments that were signed into law as recently as 26 June 2023. The amendments focus on protecting consumer health data and protecting minors, with additional consumer health data protections already operative but with some obligations related to minors becoming operative mid to late 2024.

Nevada Senate Bill 370 is the third US state law passed this year with specific obligations related to consumer health privacy. Just as with most obligations under the similar Washington state My Health My Data Act, regulated entities are required to comply with the Nevada law from 31 March 2024. Obligations specific to entities processing consumer health data are already operative in Connecticut since 1 July 2023.

The Colorado Privacy Act (CPA) comes into effect on 1 July 2023. Earlier this year, the Colorado Attorney General promulgated final rules for implementing the CPA. The rules provide insight as to how the Attorney General may interpret and enforce the CPA.

On 29 May 2023, Texas’s H.B. 4, also known as the Texas Data Privacy and Security Act, passed in the Texas legislature. The Texas Data Privacy and Security Act joins the growing number of states that have passed or enacted legislation in 2023, including Iowa, Indiana, Tennessee and Montana, and more are expected in the coming months.