Health data privacy takes center stage as legislation advances

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

Health Data Privacy Takes Focus From All Angles

Three major developments occurred over the last week in health data privacy:

1. The Washington state House of Representatives passed (moving the legislation to the Senate) HB 1155, a bill that would prohibit the sale of non-HIPAA-protected consumer health data and require consumer consent before personal health-related data is shared or collected.

2. U.S. Senators introduced the Uphold Privacy Act, federal legislation that would restrict companies’ ability to collect or use information about personal health without user consent and prohibit profiting off of personally identifiable health data for advertising purposes

3. A class action lawsuit (Case 5:23-cv-01033-NC) was filed against online mental health counseling service BetterHelp, alleging that its sharing of identifying data and health information with third-party advertising platforms (despite promises that user health information would stay private) constituted a deceptive and unfair marketing practice. 

TAKEAWAY

These developments, combined with increasing action from the FTC regarding health data privacy and progressing health data legislation in several other states, demonstrate that health data privacy is taking center stage in the eyes of legislators, regulators and plaintiffs’ attorneys. 

Read more about the proposed FTC settlement with BetterHelp.

Three States Pass Comprehensive Privacy Bills Through One Chamber

The Hawaii and Iowa Senates and Oklahoma House passed comprehensive privacy bills, moving the legislation through to the opposite chamber. 

TAKEAWAY

These states join Montana and Indiana, totalling five states that have passed comprehensive privacy legislation through one chamber in 2023.

All of these bills largely resemble existing comprehensive state privacy laws, with the exception of Oklahoma, which would be the first state to require explicit opt-in consent for the general collection and processing of personal information.

This is the third year that such legislation has passed the Oklahoma House, however, and previous attempts have failed to see movement in the Senate. 

EUROPE

UK Introduces Data Protection Reform Bill

UK Technology Secretary Michelle Donelan introduced the Data Protection and Digital Information Bill, which her press release described as a “new common-sense-led UK version of the EU’s GDPR”.

According to the press release, the goal of the legislation is to take the best elements of GDPR and provide businesses with more flexibility, while still maintaining adequacy with the EU.

TAKEAWAY

The legislation still requires the same lawful bases for processing Personal Data as the UK GDPR (which may include consent or legitimate interest, among other bases). It also continues, like existing PECR, to require consent for access to terminal equipment for certain purposes.

However, it does provide more specific detail than the UK GDPR and PECR about the purposes that may constitute legitimate interest under the UK GDPR or an exception to the consent requirement under PECR, presumably to aid in taking the guesswork out of the consent process for businesses. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.