In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While this update was being prepared, Montana enacted its Consumer Data Privacy Act on May 19th, which we will address in subsequent guidance due to its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.

Washington

Washington’s My Health My Data Act (“MHMD Act”) will become effective on March 31, 2024 for larger organizations, and June 30, 2024 for small businesses. Although limited in application to “consumer health data,” the MHMD Act affects a wide array of companies that have had little or no prior involvement with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively “HIPAA”). For example, developers of apps that track consumer health data, companies to which the privacy protections of HIPAA do not extend, are subject to the MHMD Act. This extension of privacy protections by Washington comes at a critical time, when concerns about the privacy of reproductive health data are at an all-time high, which we previously analyzed here and here.

Under the MHMD Act, patients have the right to access their medical records and other health-related information in electronic form, and patients have the right to request that this information be transmitted to them or to a designated third party. Patients also have the right to direct the deletion of their data in certain circumstances, and can choose to opt-out of having their data shared for research purposes.

The MHMD Act requires regulated entities to prominently display a hyperlink to a consumer health data privacy policy on their websites. These policies must disclose, among other information, the categories of consumer health data collected, how such data will be used, and how consumers can exercise their rights under the MHMD Act.

Given that the law provides for a private right of action to sue (analogous to the California law upon which the Washington statute is modeled), implementation of the MHMD Act should prove to be a litigation jackpot. However, the Act’s broad definition of “consumer health data,” among other things, will likely be the subject of debate and uncertain judicial interpretation in such cases.

Florida

Florida Senate Bill 262, which is broader than Washington’s MHMD Act in terms of the scope of personal data protected, creates a Digital Bill of Rights with which the following entities must comply: (1) “controllers” generating more than $1 billion in global gross annual revenue who meet certain criteria; (2) “processors” of any size; and (3) affiliates of these controllers and processors. Large digital advertising platforms will most certainly be impacted, but so will the smaller businesses that utilize these platforms’ advertising tools and solutions.

Florida Senate Bill 262 is, in one important aspect, the broadest state comprehensive data privacy law to date. In addition to granting consumers the same rights which other states’ privacy laws have granted (i.e., the right to access personal data, the right to request deletion of personal data), Senate Bill 262 gives consumers the right to opt out of all personalized advertisements and contextual advertisements. These types of advertisements are critical sources of revenue for businesses, and often involve little to no identifiable information.

However, Florida Senate Bill 262 is also narrower in other respects. The digital rights granted to Florida consumers may only be exercised against “controllers,” the entities meeting the high revenue threshold, such as the digital advertising platforms of Big Tech. As a consequence, the primary impact on most Florida businesses would be on their ability to utilize digital advertising platforms, to the extent consumers opt out of advertising generated by controllers. Under Senate Bill 262, only the Florida Attorney General has authority to enforce the law. The Digital Bill of Rights provisions of Senate Bill 262 go into effect on July 1, 2024.

Tennessee

The Tennessee Information Protection Act (“TIPA”) was signed into law by Governor Bill Lee on May 11, 2023. TIPA, which will go into effect on July 1, 2025, is narrower in application than most other state privacy laws, applying only to data controllers conducting business in the state that exceed $25 million in revenue and meet one of the following criteria: (a) control or process information of 25,000+ Tennessee consumers per year and derive 50% of gross revenue from the sale of personal information; or (b) control or process information of at least 175,000 Tennessee consumers. Similar to other states’ privacy laws, TIPA also includes requirements for processors of personal information.

As with the other states’ laws, TIPA creates new consumer rights relating to data access, deletion, correction, and certain opt-out rights. Contracts between data controllers and data processors must meet certain requirements, such as outlining data processing procedures, setting forth how data will be deleted or returned upon termination of the contract, and obligating processors to contractually impose applicable TIPA requirements on any subcontractors. Controllers must also explain in an accessible and clear privacy notice the types of personal information collected, how such information is used, and how consumers may exercise their rights. There is no private right of action under TIPA.

Notably, unlike many other state privacy laws, TIPA includes an affirmative defense against alleged violations of the law. If a controller or processor develops, implements, and maintains a written privacy policy that reasonably conforms to National Institute of Standards and Technology (“NIST”) standards, the business may be able to avoid liability under the law. Importantly, the NIST standards allow for companies to tailor their privacy frameworks based upon the company’s size, activities, and complexity of business operations.

* * * * *

Epstein Becker Green will be closely following the rulemaking process in these states as implementing regulations are developed, and as other states continue to legislate in this area. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post. Read more about our expansive capabilities and offerings here.
