Kentucky sends comprehensive privacy bill to governor
April 1, 2024
USA
Kentucky Sends Comprehensive Privacy Bill to Governor
Kentucky House Bill 15 passed through both chambers, moving the bill to the Governor’s desk for signature. Unless vetoed, the law will take effect January 1, 2026, making Kentucky the fifteenth state to enact a comprehensive privacy law.
TAKEAWAY
The Kentucky bill is almost entirely copied from the Virginia Consumer Data Protection Act (with a few minor exceptions, like omission of the word “household” from the definition of a “consumer”). This means that, unlike the last several state comprehensive privacy bills to be enacted (e.g., New Hampshire, New Jersey, Delaware, Texas, and Oregon), Kentucky, like Virginia, will not require recognition of signals from universal opt-out mechanisms, like GPC.
Washington’s My Health My Data Act Takes Effect
The core aspects of Washington’s new consumer health data privacy law, the My Health My Data Act, went into effect March 31, 2024 for all but small businesses (which must comply by June 30, 2024). The law prohibits the collection or sharing of consumer health data except with separate and distinct, GDPR-style, consumer consent that can’t be bundled with other consents.
The law goes further to require HIPAA-style valid authorization for the sale (defined similarly to California’s CCPA) of consumer health data, a copy of which both the seller and purchaser must retain for 6 years.
Covered entities will also be required to place on their homepages a prominent link to a consumer health data privacy policy (which must be separate and distinct from other policies and cannot contain information not required by the My Health My Data Act), and consumers will have certain rights, including the right to request the deletion of their consumer health data from a covered entity’s network, including archived or backup systems. This is in addition to the geolocation aspects of the law, which went into effect in 2023.
TAKEAWAY
The My Health My Data Act has gained a lot of attention from companies, largely due to the breadth of its potential application and its inclusion of a private right of action.
“Consumer Health Data” is defined broadly as personal information that “identifies the consumer’s past, present or future physical or mental health status”, which, in turn, is defined with a long list of categories, including bodily functions and “data that identifies a consumer seeking health care services”. “Health care services” is then further defined broadly as “any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health”, potentially impacting a lot of entities that may not have ever thought of themselves as being in the healthcare space.
The definition also includes such information “derived or extrapolated by non-health data”, which may impact, for example, the use of non-health data to create health-related targeted marketing segments. Although the Washington Attorney General’s Office has issued a set of FAQs to help companies interpret the definitions and application of the law, a private right of action means that the AG’s office won’t be the only one interpreting and enforcing the law.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.