Health data privacy takes center stage as legislation advances
March 13, 2023
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
Health Data Privacy Takes Focus From All Angles
Three major developments occurred over the last week in health data privacy:
1. The Washington state House of Representatives passed HB 1155, moving the legislation to the Senate. The bill would prohibit the sale of non-HIPAA-protected consumer health data and require consumer consent before personal health-related data is shared or collected.
2. U.S. Senators introduced the Uphold Privacy Act, federal legislation that would restrict companies’ ability to collect or use information about personal health without user consent and prohibit profiting off of personally identifiable health data for advertising purposes.
3. A class action lawsuit (Case 5:23-cv-01033-NC) was filed against online mental health counseling service BetterHelp, alleging that its sharing of identifying data and health information with third-party advertising platforms (despite promises that user health information would stay private) constituted a deceptive and unfair marketing practice.
These developments, combined with increasing action from the FTC regarding health data privacy and progressing health data legislation in several other states, demonstrate that health data privacy is taking center stage in the eyes of legislators, regulators and plaintiffs’ attorneys.
Three States Pass Comprehensive Privacy Bills Through One Chamber
These states join Montana and Indiana, totalling five states that have passed comprehensive privacy legislation through one chamber in 2023.
All of these bills largely resemble existing comprehensive state privacy laws, with the exception of Oklahoma, which would be the first state to require explicit opt-in consent for the general collection and processing of personal information.
This is the third year that such legislation has passed the Oklahoma House, however, and previous attempts have failed to see movement in the Senate.
UK Introduces Data Protection Reform Bill
According to the press release, the goal of the legislation is to take the best elements of GDPR and provide businesses with more flexibility, while still maintaining adequacy with the EU.
The legislation still requires the same lawful bases for processing Personal Data as the UK GDPR (which may include consent or legitimate interest, among other bases). It also continues, like existing PECR, to require consent for access to terminal equipment for certain purposes.
However, it does provide more specific detail than the UK GDPR and PECR about the purposes that may constitute legitimate interest under the UK GDPR or an exception to the consent requirement under PECR, presumably to aid in taking the guesswork out of the consent process for businesses.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.