Nevada and Washington Consumer Health Privacy Laws Take Effect March 31


3 minute read | March 29, 2024

Two new privacy laws regulating consumer health data in Nevada and Washington take effect March 31. 

These novel laws take an expansive view of “consumer health data” and cover much more data than you may expect.

Companies should take notice even if they don’t think they collect consumer health data: They might be surprised.

New Obligations on Companies Collecting Consumer Health Data

Washington’s My Health My Data and Nevada’s similar law impose new obligations on companies collecting health data, including:

  • Posting a consumer health data privacy policy on the company’s homepage and each page collecting health information.
  • Obtaining consent for collecting and sharing health information that is not necessary to provide the product or service a consumer requested.
  • Limiting access to consumer health data and implementing reasonable security measures.
  • Maintaining data processing agreements with processors of consumer health data.
  • Providing individual rights of access, withdrawal of consent and deletion.
  • Prohibiting geofencing around certain health facilities to identify or track consumers seeking health services, collect consumer health data or send notifications, messages or advertisements to consumers related to consumer health data or health care.

Definition of Consumer Health Data

These laws are particularly tricky because the definition of consumer health data is expansive. It includes not only what would traditionally be considered health information (such as individually identifiable information regarding an individual’s physical and mental health and condition), but also information regarding “bodily functions,” “measurements,” and inferences made about health from non-consumer health information. Additionally, the definition includes biometric information and may be broad enough to include photographs and audio recordings.  

Companies that may not traditionally view themselves as healthcare companies may be in the mix—for example:

  • Restaurants collecting information about food allergies.
  • Hotels fielding requests for accessible rooms.
  • Gyms taking weight and height measurements and calculating BMI.
  • Any company collecting promotional images of people in Washington or Nevada.

Moreover, “consumers” include not only residents in Washington and Nevada but also individuals whose consumer health data is processed in these states (even if not residents of those states).

Limited Exemptions

While both laws have important exceptions for protected health information under HIPAA and some research data, Washington does not have entity-level exceptions. Moreover, neither law has applicability thresholds, although some small companies may take advantage of a delayed effective date for Washington’s My Health My Data. Therefore, from start-ups to mature companies, businesses must carefully consider the applicability of these laws to their operations.

Enforcement

Under both laws, the state Attorney General may bring enforcement actions. 

Under Washington’s My Health My Data, the Attorney General may seek to recover:

  • Attorney’s fees and litigation costs.
  • Actual damages.
  • Treble damages up to $25,000.
  • Injunctive relief.
  • A civil penalty up to $7,500.  

Washington’s My Health My Data also includes a private right of action. We expect the plaintiffs’ bar to be active, particularly in terms of tracking technologies on company websites collecting consumer health data for marketing purposes.

The Nevada Attorney General may obtain an injunction or other relief, including a civil penalty of not more than $10,000 for each violation.  

Next Steps

If you haven’t considered your company’s compliance obligations, we recommend you prioritize these four action items:

  • Determine whether your company’s activities fall under the broad scope of either law. If yes, determine if any exemptions apply.
  • Post a consumer health data privacy policy on your company’s website. Meet the requirements regarding the contents and the posting.
  • Draft necessary consents. These consents cannot be buried in other documents, such as Privacy Notices and Terms of Use. The laws have specific content and form requirements.
  • Review your company’s website. Determine if third parties collect consumer health information for analytics, marketing or other reasons. If yes, your company will likely need to execute data processing agreements with those third parties and obtain consumer consent.  

We are committed to helping our clients determine their obligations, defend their practices, and update their compliance programs to address these new consumer health data laws. If you face an enforcement action or lawsuit under these laws—or if you would like advice on how to avoid them—please contact one of the authors (Thora Johnson, Matthew Coleman, Kyle Kessler, and Cosmas Robless) or other members of the Orrick team.