If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by 1 January 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor. Data brokers would have to check the CPPA mechanism to process all deletion requests every 31 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 31 days.
Just a few weeks after California Attorney General Bonta announced an investigative sweep through inquiry letters sent to California employers, the California Privacy Protection Agency (CPPA) announced a California Consumer Privacy Act (CCPA) review of data privacy practices by connected vehicle manufacturers and related technologies, focusing on embedded features including “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”
Just a few weeks after California Attorney General Bonta announced an investigative sweep through inquiry letters sent to California employers, the California Privacy Protection Agency (CPPA) announced a California Consumer Privacy Act (CCPA) review of data privacy practices by connected vehicle manufacturers and related technologies, focusing on embedded features including “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”
So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) applies also to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies.
On 18 July 2023, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh US state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is 1 July 2024.
The Colorado Privacy Act has been enforceable since 1 July 2023. Just as the California Attorney General has done through several sweeps, the Colorado Attorney General, Phil Weiser, has announced through letters sent to business that enforcement of the Colorado Privacy Act has begun.
The initial round of letters are meant to educate businesses on their new obligations, with particular emphasis on the collection and use of sensitive data and related prior consent requirement as well as the obligation to allow consumers to opt out of targeted advertising and profiling.
With the new Washington state My Health My Data Act, you may wonder if any exceptions or exemptions apply to your organization. As a reminder, the definition of consumer health data is broad: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” Outside of the broad exclusion of employment context data, the My Health My Data Act’s list of exceptions and exemptions is long but is focused mainly on specific medical and health care contexts where health data is more narrowly defined or otherwise another specific law applying to processing of the data.
The Connecticut Data Privacy Act is operative since 1 July 2023, and so are certain amendments that were signed into law as recently as 26 June 2023. The amendments focus on protecting consumer health data and protecting minors, with additional consumer health data protections already operative but with some obligations related to minors becoming operative mid to late 2024.
Nevada Senate Bill 370 is the third US state law passed this year with specific obligations related to consumer health privacy. Just as with most obligations under the similar Washington state My Health My Data Act, regulated entities are required to comply with the Nevada law from 31 March 2024. Obligations specific to entities processing consumer health data are already operative in Connecticut since 1 July 2023.