Nevada and Washington Consumer Health Privacy Laws Take Effect March 31

3 minute read | March.29.2024

Two new privacy laws regulating consumer health data in Nevada and Washington take effect March 31.

These novel laws take an expansive view of “consumer health data” and cover much more data than you may expect.

Companies should take notice even if they don’t think they collect consumer health data: They might be surprised.

New Obligations on Companies Collecting Consumer Health Data

Washington’s My Health My Data and Nevada’s similar law impose new obligations on companies collecting health data, including:

Posting a consumer health data privacy policy on the company’s homepage and each page collecting health information.
Obtaining consent for collecting and sharing health information that is not necessary to provide the product or service a consumer requested.
Limiting access to consumer health data and implementing reasonable security measures.
Maintaining data processing agreements with processors of consumer health data.
Providing individual rights of access, withdrawal of consent and deletion.
Prohibiting geofencing around certain health facilities to identify or track consumers seeking health services, collect consumer health data or send notifications, messages or advertisements to consumers related to consumer health data or health care.

Definition of Consumer Health Data

These laws are particularly tricky because the definition of consumer health data is expansive. It includes not only what would traditionally be considered health information (such as individually identifiable information regarding an individual’s physical and mental health and condition), but also information regarding “bodily functions,” “measurements,” and inferences made about health from non-consumer health information. Additionally, the definition includes biometric information and may be broad enough to include photographs and audio recordings.

Companies that may not traditionally view themselves as healthcare companies may be in the mix—for example,

Restaurants collecting information about food allergies.
Hotels fielding requests for accessible rooms.
Gyms taking weight and height measurements and calculating BMI.
Any company collecting promotional images of people in Washington or Nevada.

Moreover, “consumers” include not only residents in Washington and Nevada but also individuals whose consumer health data is processed in these states (even if not residents of those states).

Limited Exemptions

While both laws have important exceptions for protected health information under HIPAA and some research data, Washington does not have entity-level exceptions. Moreover, neither law has applicability thresholds, although some small companies may take advantage of a delayed effective date for Washington’s My Health My Data. Therefore, from start-ups to mature companies, businesses must carefully consider the applicability of these laws to their operations.

Enforcement

Under both laws, the state Attorney General may bring enforcement actions.

Under Washington’s My Health My Data, the Attorney General may seek to recover:

Attorney’s fees and litigation costs.
Actual damages.
Treble damages up to $25,000.
Injunctive relief.
A civil penalty up to $7,500.

Washington’s My Health My Data also includes a private right of action. We expect the plaintiffs’ bar to be active, particularly in terms of tracking technologies on company websites collecting consumer health data for marketing purposes.

The Nevada Attorney General may obtain an injunction or other relief, including a civil penalty of not more than $10,000 for each violation.

Next Steps

If you haven’t considered your company’s compliance obligations, we recommend you prioritize these four action items:

Determine whether your company’s activities fall under the broad scope of either law. If yes, determine if any exemptions apply.
Post a consumer health data privacy policy on your company’s website. Meet the requirements regarding the contents and the posting.
Draft necessary consents. These consents cannot be buried in other documents, such as Privacy Notices and Terms of Use. The laws have specific content and form requirements.
Review your company’s website. Determine if third parties collect consumer health information for analytics, marketing or other reasons. If yes, your company will likely need to execute data processing agreements with those third parties and obtain consumer consent.

We are committed to helping our clients determine their obligations, defend their practices, and update their compliance programs to address these new consumer health data laws. If you face an enforcement action or lawsuit under these laws—or if you would like advice on how to avoid them—please contact one of the authors (Thora Johnson, Matthew Coleman, Kyle Kessler, and Cosmas Robless) or other members of the Orrick team.

Authors

Thora Johnson Partner, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Matthew E.S. Coleman Senior Associate, Cyber, Privacy & Data Innovation, Technology Transactions

New York; Boston

See my bio

D:+1 212 506 3569
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Mergers & Acquisitions
Artificial Intelligence (AI)
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Matthew E.S. Coleman Senior Associate

New York; Boston

Matthew helps clients comply with the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act of 2018 (CCPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the General Data Protection Regulation (GDPR), the Telephone Consumer Protection Act (TCPA), and state breach notification, biometric privacy, and cybersecurity laws. He counsels on self-regulatory privacy programs, including Binding Corporate Rules, the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPRs); programs covering online behavioral advertising, including the Digital Advertising Alliance (DAA), the European Interactive Digital Advertising Alliance (EDAA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI); and programs covering payment card processing. Matthew also provides compliance solutions for emerging technologies, including artificial intelligence and blockchain.

Matthew’s federal regulatory experience helps clients stay compliant and avoid regulatory scrutiny. His comprehensive data management knowledge helps him counsel beyond the letter of the law and facilitates worldwide expansion, interoperable business processes, and innovative uses of consumer data while maintaining user trust. His all-encompassing, risk-based approach involves developing and executing internal and external policies for the collection, use, disclosure, sharing, retaining, transferring, and destruction of personal information. This includes managing contractual relationships with vendors, employees, acquired entities, and creditors as well as building privacy into companies’ product development life cycle and change management strategies.

Prior to joining Orrick, Matthew was an Enterprise Privacy Solutions Manager for TrustArc (formerly TRUSTe), a San Francisco-based privacy consulting and certification firm, and an adjunct law professor of Privacy Law at Santa Clara University. Matthew is a Certified Information Privacy Manager and a Certified Information Privacy Professional with a specialization in United States privacy law.

Cosmas Robless Associate, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

D:+1 202 339 8663
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation

vCard

See full bio

Cosmas Robless Associate

Washington, D.C.

Cosmas provides guidance on issues relating to numerous privacy and cybersecurity laws, including the U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states, state data breach notification laws, and Europe’s General Data Protection Regulation (GDPR).

Cosmas graduated with honors from Harvard Law School. During law school, he participated in the Berkman Klein Center's Cyberlaw Clinic, completed a clinical placement in the Securities, Financial & Cyber Fraud Unit of the United States Attorney’s Office for the District of Massachusetts, and interned with the Special Assistant for Legal & Legislative Matters to the Secretary of the Navy. Prior to law school, Cosmas served as a submarine officer in the U.S. Navy.

Cosmas is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States (CIPP/US).