Patchwork of State Data Privacy Laws Adds Three New Patches
In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While preparing this update, Montana’s enacted its Consumer Data Privacy Act on May 19th, which we will address in subsequent guidance due to its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.
Washington’s My Health My Data Act (MHMD Act) will become effective on March 31, 2024 for larger organizations, and June 30, 2024 for small businesses. Although limited in application to “consumer health data,” the MHMD Act affects a wide array of companies that have had little or no prior involvement with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively HIPAA). For example, developers of apps that track consumer health data, companies to which the privacy protections of HIPAA do not extend, are subject to the MHMD Act. This extension of privacy protections by Washington comes at a critical time, when concerns about the privacy of reproductive health data are at an all-time high, which we previously analyzed here and here.
Under the MHMD Act, patients have the right to access their medical records and other health-related information in electronic form, and patients have the right to request that this information be transmitted to them or to a designated third party. Patients also have the right to direct the deletion of their data in certain circumstances, and can choose to opt out of having their data shared for research purposes.
Given that the law provides for a private right of action to sue (analogous to the California law upon which the Washington statute is modeled), implementation of the MHMD Act should prove to be a litigation jackpot. However, the Act’s broad definition of “consumer health data,” among other things, will likely be the subject of debate and uncertain judicial interpretation in such cases.
Florida Senate Bill 262, which is broader than Washington’s MHMD Act in terms of the scope of personal data protected, creates a Digital Bill of Rights with which the following entities must comply: (1) “controllers” generating more than $1 billion in global gross annual revenue who meet certain criteria; (2) “processors” of any size; and (3) affiliates of these controllers and processors. Large digital advertising platforms will most certainly be impacted, but so will the smaller businesses that utilize these platforms’ advertising tools and solutions.
Florida Senate Bill 262 is, in one important aspect, the broadest state comprehensive data privacy law to date. In addition to granting consumers the same rights which other states’ privacy laws have granted (i.e., the right to access personal data, the right to request deletion of personal data), Senate Bill 262 gives consumers the right to opt out of all personalized advertisements and contextual advertisements. These types of advertisements are critical sources of revenue for businesses and often involve little to no identifiable information.
However, Florida Senate Bill 262 is also narrower in other respects. The digital rights granted to Florida consumers may only be exercised on “controllers,” the entities meeting the high revenue threshold such as the digital advertising platforms of Big Tech. As a consequence, the primary impact on most Florida businesses would be on their ability to utilize digital advertising platforms to the extent consumers opt out of advertising generated by controllers. Under Senate Bill 262, only the Florida Attorney General has authority to enforce the law. The Digital Bill of Rights provisions of Senate Bill 262 go into effect on July 1, 2024.
The Tennessee Information Protection Act (TIPA) was signed into law by Governor Bill Lee on May 11, 2023. TIPA, which will go into effect on July 1, 2025, is more narrow in application than most other state privacy laws, applying only to data controllers conducting business in the state that exceed $25 million in revenue and meeting one of the following criteria: (a) control or process information of 25,000+ Tennessee consumers per year and derive 50% of gross revenue from the sale of personal information; or (b) control or process information of at least 175,000 Tennessee consumers. Similar to other states’ privacy laws, TIPA also includes requirements for processors of personal information.
As with the other states’ laws, TIPA creates new consumer rights relating to data access, deletion, correction, and certain opt-out rights. Contracts between data controllers and data processors must meet certain requirements, such as outlining data processing procedures, setting forth how data will be deleted or returned upon termination of the contract, and obligating processors to contractually impose applicable TIPA requirements on any subcontractors. Controllers must also explain in an accessible and clear privacy notice the types of personal information collected, how such information is used, and how consumers may exercise their rights. There is no private right of action under TIPA.