Kentucky sends comprehensive privacy bill to governor

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Kentucky Sends Comprehensive Privacy Bill to Governor

Kentucky House Bill 15 passed through both chambers, moving the bill to the Governor’s desk for signature. Unless vetoed, the law will take effect January 1, 2026, making Kentucky the fifteenth state to enact a comprehensive privacy law. 

TAKEAWAY

The Kentucky bill is almost entirely copied from the Virginia Consumer Data Protection Act (with a few minor exceptions, like omission of the word “household” from the definition of a “consumer”). This means that, unlike the last several state comprehensive privacy bills to be enacted (e.g., New Hampshire, New Jersey, Delaware, Texas, and Oregon), Kentucky, like Virginia, will not require recognition of signals from universal opt-out mechanisms, like GPC. 

Washington’s My Health My Data Act Takes Effect

The core aspects of Washington’s new consumer health data privacy law, the My Health My Data Act, went into effect March 31, 2024 for all but small businesses (which must comply by June 30, 2024). The law prohibits the collection or sharing of consumer health data except with separate and distinct, GDPR-style, consumer consent that can’t be bundled with other consents.

The law goes further to require HIPAA-style valid authorization for the sale (defined similar to California’s CCPA) of consumer health data, a copy of which both the seller and purchaser must retain for 6 years.

Covered entities will also be required to place on their homepages a prominent link to a consumer health data privacy policy  (which must be separate and distinct from other policies and cannot contain information not required by the My Health My Data Act), and consumers will have certain rights, including the right to request the deletion of their consumer health data from a covered entity’s network, including archived or backup systems. This is in addition to the geolocation aspects of the law, which went into effect in 2023.

TAKEAWAY

The My Health My Data Act has gained a lot of attention from companies, largely due to the breadth of its potential application and its inclusion of a private right of action.

“Consumer Health Data” is defined broadly as personal information that “identifies the consumer’s past, present or future physical or mental health status” , which, in turn, is defined with a long list categories, including categories like bodily functions and “data that identifies a consumer seeking health care services”, which is then further defined broadly as “any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health”, potentially impacting a lot of entities that may not have ever thought of themselves as being in the healthcare space.

The definition also includes such information “derived or extrapolated by non-health data”, which may impact, for example, the use of non-health data to create health-related targeted marketing segments. Although the Washington Attorney General’s Office has issued a set of FAQs to help companies interpret the definitions and application of the law, a private right of action means that the AG’s office won’t be the only one interpreting and enforcing the law. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.