Author

Michelle Shin

Michelle Shin is an associate in the International Commercial Group and is based in our San Francisco office. She advises US and multinational companies on data privacy compliance, intellectual property, and consumer protection laws.

Organizations subject to the Washington State My Health My Data Act (generally any organization with physical premises in Washington, and many organizations without it) are preparing for compliance by 31 March 2024. In addition to the overall compliance requirements and immediate action items, they should be aware that the Washington Attorney General updated its guidance on the requirements for a consumer health privacy policy.

If your organization does business across the US and collects consumer health data (broadly defined; health inferences generated from non-health data count), compliance with US state consumer health privacy laws is just around the corner. Consumer health privacy laws in Nevada (Senate Bill 370) and Washington (the My Health My Data Act) become fully operative for regulated entities on 31 March 2024. Requirements specific to consumer health data are already operative in Connecticut.

If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law will be significantly changed under the California Delete Act, which was signed into law by California Governor Newsom on 10 October 2023. Under the act, the California Privacy Protection Agency (CPPA) is required to set up, by 1 January 2026, an accessible deletion mechanism where consumers can request deletion via the CPPA that all data brokers then have to honor.

If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by 1 January 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor. Data brokers would have to check the CPPA mechanism to process all deletion requests every 31 days, as well as delete personal information about every California resident who ever made a request through the mechanism every 31 days.

So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) applies also to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies.

Companies around the world should start preparing for the Iowa Consumer Data Protection Act with respect to personal data of consumers in Iowa. With the Iowa Act, Iowa follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes consumers acting in a commercial or employment context. Businesses that have implemented measures to comply with the CCPA and other US state privacy laws can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Iowa Act. The Iowa Act becomes effective January 1, 2025 and does not include a look-back period for violations.

Having to click through a gauntlet of screens to cancel recurring subscriptions. Being told you are foolish if you decline a service. Discovering you were charged extra fees that were not clearly brought to your attention earlier. Finding it hard or confusing to configure your privacy settings to high. These and similar experiences arise when you encounter “dark patterns”, a term that US authorities are increasingly using to refer to interface design strategies that manipulate users into making choices they likely wouldn’t have otherwise made and that may cause harm.