May 28, 2023

Volume XIII, Number 148



Patchwork of State Data Privacy Laws Adds Three New Patches

In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While this update was being prepared, Montana enacted its Consumer Data Privacy Act on May 19th, which we will address in subsequent guidance given its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.


Washington’s My Health My Data Act (MHMD Act) will become effective on March 31, 2024 for larger organizations, and June 30, 2024 for small businesses. Although limited in application to “consumer health data,” the MHMD Act affects a wide array of companies that have had little or no prior involvement with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively HIPAA). For example, developers of apps that track consumer health data, companies to which the privacy protections of HIPAA do not extend, are subject to the MHMD Act. This extension of privacy protections by Washington comes at a critical time, when concerns about the privacy of reproductive health data are at an all-time high, which we previously analyzed here and here.

Under the MHMD Act, patients have the right to access their medical records and other health-related information in electronic form, and patients have the right to request that this information be transmitted to them or to a designated third party. Patients also have the right to direct the deletion of their data in certain circumstances, and can choose to opt out of having their data shared for research purposes.

The MHMD Act requires regulated entities to prominently display a hyperlink to a consumer health data privacy policy on their websites. These policies must disclose, among other information, the categories of consumer health data collected, how such data will be used, and how consumers can exercise their rights under the MHMD Act.

Given that the law provides for a private right of action to sue (analogous to the California law upon which the Washington statute is modeled), implementation of the MHMD Act should prove to be a litigation jackpot. However, the Act’s broad definition of “consumer health data,” among other things, will likely be the subject of debate and uncertain judicial interpretation in such cases.


Florida Senate Bill 262, which is broader than Washington’s MHMD Act in terms of the scope of personal data protected, creates a Digital Bill of Rights with which the following entities must comply: (1) “controllers” generating more than $1 billion in global gross annual revenue who meet certain criteria; (2) “processors” of any size; and (3) affiliates of these controllers and processors. Large digital advertising platforms will most certainly be impacted, but so will the smaller businesses that utilize these platforms’ advertising tools and solutions.  

Florida Senate Bill 262 is, in one important aspect, the broadest state comprehensive data privacy law to date. In addition to granting consumers the same rights which other states’ privacy laws have granted (i.e., the right to access personal data, the right to request deletion of personal data), Senate Bill 262 gives consumers the right to opt out of all personalized advertisements and contextual advertisements. These types of advertisements are critical sources of revenue for businesses and often involve little to no identifiable information.

However, Florida Senate Bill 262 is also narrower in other respects. The digital rights granted to Florida consumers may only be exercised against “controllers,” the entities meeting the high revenue threshold, such as the digital advertising platforms of Big Tech. As a consequence, the primary impact on most Florida businesses would be on their ability to utilize digital advertising platforms to the extent consumers opt out of advertising generated by controllers. Under Senate Bill 262, only the Florida Attorney General has authority to enforce the law. The Digital Bill of Rights provisions of Senate Bill 262 go into effect on July 1, 2024.


The Tennessee Information Protection Act (TIPA) was signed into law by Governor Bill Lee on May 11, 2023. TIPA, which will go into effect on July 1, 2025, is narrower in application than most other state privacy laws, applying only to data controllers conducting business in the state that exceed $25 million in revenue and meet one of the following criteria: (a) control or process information of 25,000+ Tennessee consumers per year and derive 50% of gross revenue from the sale of personal information; or (b) control or process information of at least 175,000 Tennessee consumers. Similar to other states’ privacy laws, TIPA also includes requirements for processors of personal information.

As with the other states’ laws, TIPA creates new consumer rights relating to data access, deletion, correction, and certain opt-out rights. Contracts between data controllers and data processors must meet certain requirements, such as outlining data processing procedures, setting forth how data will be deleted or returned upon termination of the contract, and obligating processors to contractually impose applicable TIPA requirements on any subcontractors. Controllers must also explain in an accessible and clear privacy notice the types of personal information collected, how such information is used, and how consumers may exercise their rights. There is no private right of action under TIPA.

Notably, unlike many other state privacy laws, TIPA includes an affirmative defense against alleged violations of the law. If a controller or processor develops, implements, and maintains a written privacy policy that reasonably conforms to National Institute of Standards and Technology (NIST) standards, the business may be able to avoid liability under the law. Importantly, the NIST standards allow companies to tailor their privacy frameworks based on the company’s size, activities, and complexity of business operations.

©2023 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XIII, Number 146

About this Author

Alaap B. Shah, Member of the Firm

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

Audrey Davis, Law Clerk

Audrey Davis* is a Law Clerk – Admission Pending – in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. She will be focusing her practice on food and drug law, fraud and abuse, health care compliance, and managed care issues. 

Ms. Davis received her Juris Doctor, cum laude, from Temple University, Beasley School of Law, where she served as a Staff Editor of the Temple Law Review and on the executive board of the school’s Health Law Society. During law school, she also interned with...

Christopher D. Taylor, Attorney

Chris Taylor* brings his passion and analytical talents to assisting health care clients with a variety of matters, from telehealth and food and drug issues to mergers, acquisitions, and divestitures. He has helped private equity firms identify and quantify the risk of proposed transactions in the health care and life sciences industries. He has also contributed research to state-level regulatory surveys for the use of health care providers seeking to expand geographically.

During and after law school, Chris worked on Capitol Hill, managing a portfolio of legislative issues,...

Stuart M. Gerson, Member of the Firm

STUART M. GERSON is a Member of the Firm in the Litigation and Health Care & Life Sciences practices, in the firm's Washington, DC, and New York offices. Much of Mr. Gerson's practice has been centered on providing representation to clients in the health care industry (including insurers, hospitals, pharmaceutical manufacturers, managed care providers, and private equity funds, among others). He has extensive experience litigating cases involving the cybersecurity of health care information, trade secrets, and other confidential data as well as civil...