On June 5, the Nevada state legislature passed an amended version of Senate Bill 370 (“SB 370”), a bill imposing new requirements on the collection, use, and sale of consumer health data. The bill has been delivered to Governor Joe Lombardo’s desk for signature. If signed, it would go into effect on March 31, 2024 and would be the third law this year that creates special processing requirements for health data.
SB 370 imposes requirements pertaining to the collection, use, and sale of consumer health data. It would generally prohibit the collection and sharing of consumer health data without the relevant consumer’s affirmative, voluntary consent (with separate consents required for collection and sharing, respectively), and would similarly prohibit the sale of consumer health data without the consumer’s written authorization. In these respects, SB 370 echoes the Washington My Health My Data Act and Connecticut’s SB 3 — two recently enacted state laws that impose similar restrictions on the processing of consumer health data. Importantly, however, unlike the My Health My Data Act, SB 370 does not contain a private right of action (which will somewhat lessen the compliance risk that this bill poses for regulated entities) and relies on a slightly narrower definition of consumer health data than that employed by its Washington counterpart.
In this post, we highlight key takeaways from SB 370 and summarize its key provisions. We are happy to answer any questions you have about how this bill will affect your company’s privacy compliance obligations. And to keep updated on future developments regarding state health privacy laws, be sure to subscribe to the WilmerHale Privacy and Cybersecurity Law blog.
The following elements of SB 370 should be of particular note for entities within the bill’s scope.
- Requiring Separate Consents for Collection and Sharing of Consumer Health Data: SB 370 requires that regulated entities obtain the relevant consumer’s affirmative, voluntary consent before collecting or sharing consumer health data, subject to limited exceptions. Notably, the Act requires that the consents obtained for collection and sharing be “separate and distinct.”
- Prohibiting Sale of Consumer Health Data: The Act prohibits any person from selling or offering to sell consumer health data without the relevant consumer’s written authorization. Additionally, the Act articulates specific requirements that such written authorization must satisfy in order to be valid.
- Narrower Definition of Consumer Health Data: SB 370 adopts a slightly narrower definition of consumer health data than the Washington My Health My Data Act. Specifically, whereas the My Health My Data Act applies to data “that identifies the consumer's past, present, or future physical or mental health status,” SB 370 is focused more narrowly on data “that a regulated entity uses to identify the past, present or future health status of the consumer” (emphasis added).
- No Private Right of Action: Unlike Washington’s My Health My Data Act, SB 370 does not create a private right of action against violators.
- Effective Date: SB 370 will go into effect on March 31, 2024 — incidentally, the same day as the majority of the My Health My Data Act’s provisions. The looming effective dates of these two bills (and the even more imminent effective date of Connecticut SB 3’s consumer health data provisions, which will go into effect on July 1, 2023) mean that compliance efforts should be a high priority for entities within the scope of these laws.
SUMMARY OF NOTABLE PROVISIONS
Definitions, Applicability, and Scope
- Definition of “Consumer”: Defines “consumer” as “a natural person who has requested a product or service from a regulated entity and who resides in [Nevada] or whose consumer health data is collected in [Nevada].” The Act exempts from its definition of “consumer” any person “acting in an employment context or as an agent of a governmental entity.”
- Definition of “Consumer Health Data”: Defines “consumer health data” as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.” Notably, the Act specifies that its definition of “consumer health data” includes precise geolocation data “that a regulated entity uses to indicate an attempt by a consumer to receive health care services or products,” as well as health-related information that is derived from non-health data.
- Definition of “Sell”: Defines “sell” to mean “to exchange consumer health data for money or other valuable consideration,” subject to certain exceptions.
- Applicability: Defines “regulated entity” as any person that (1) “[c]onducts business in [Nevada] or produces or provides products or services that are targeted to consumers in [Nevada]”; and (2) “determines the purpose and means of processing, sharing or selling consumer health data.”
- Exemptions: Exempts various entities and information types, including: entities subject to HIPAA; entities and information subject to GLBA; information governed by FCRA; information governed by FERPA; information processed by a governmental or tribal entity; and law enforcement agencies.
- Consumer Health Data Privacy Policies: Requires regulated entities to publish consumer health data privacy policies that describe, among other things: categories of consumer health data collected; how the collected consumer health data will be used; categories of sources from which the consumer health data is collected; categories of consumer health data shared with other entities; categories of entities with which the consumer health data is shared; purposes for collecting, using, and sharing consumer health data; how consumers may exercise their consumer health data rights; and whether third parties “may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity.”
- Consent Requirements for Collection and Sharing of Consumer Health Data: Prohibits regulated entities from collecting or sharing consumer health data without the consumer’s affirmative, voluntary consent, unless such collection or sharing is necessary to provide a product or service that the consumer has requested (or, in the case of sharing, such sharing is required or authorized by law). The consents obtained for collection and sharing must be “separate and distinct.”
- Consumer Health Data Rights: Establishes consumer health data rights for consumers, including: the right to confirm whether a regulated entity is collecting, sharing, or selling a consumer’s health data; the right to obtain a list of third parties with which the consumer’s health data has been shared or to which it has been sold; the right to terminate a regulated entity’s collection, sharing, or selling of the consumer’s health data; and the right to delete consumer health data.
- Protection of Consumer Health Data: Requires regulated entities to implement various protections for consumer health data, including limiting access to such data and implementing reasonable security policies and practices.
- Processor Requirements: Imposes various requirements on data processors, including that such processors “shall only process consumer health data pursuant to a contract between the processor and a regulated entity.”
- Prohibition on Sale of Consumer Health Data: Prohibits any person from selling or offering to sell consumer health data without a consumer’s written authorization, which must satisfy certain statutorily prescribed requirements, including, among other things, a description of the consumer health data to be sold, a description of the purpose of the sale, the name and contact information of the person purchasing the data, and the expiration date of the authorization.
- Prohibition on Geofencing: Prohibits any person from implementing a geofence near specified healthcare-related facilities for purposes of (1) “[i]dentifying or tracking consumers seeking in-person health care services or products,” (2) “[c]ollecting consumer health data,” or (3) “[s]ending notifications, messages or advertisements to consumers related to their consumer health data or health care services or products.”
Enforcement, Effective Date, and Miscellaneous Provisions
- Enforcement: The Act does not create a private right of action. Violations of the Act are deemed deceptive trade practices under Nevada law.
- Exemption of Consumer Health Data from Nevada Internet Privacy Law: In addition to the above provisions, the Act also amends Nevada’s statute on “Notice Regarding Privacy of Information Collected on Internet from Consumers,” Nev. Rev. Stat. Ann. § 603A.300 et seq., to exempt consumer health data.
- Effective Date: The Act will go into effect on March 31, 2024.