Why Data Privacy Matters More Than Ever

In an era where data breaches and privacy concerns dominate the headlines, protecting customer information has never been more critical. Enter the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), set to take effect January 1, 2026.

Delve into the RIDTPPA’s key aspects, explaining why it matters, what it means for your business, and how you can turn compliance into a competitive advantage.

What the Rhode Island Data Privacy Act Means for Your Business

Understanding the Scope and Applicability of the RIDTPPA

The RIDTPPA applies to for-profit entities that conduct business in Rhode Island or offer products or services to state residents. Specifically, it targets businesses that control or process personal data of at least 35,000 customers (excluding payment transaction data) or 10,000 customers if over 20% of their gross revenue comes from selling personal data.

If your business falls into these categories, it’s time to start preparing for compliance.

Additionally, the RIDTPPA applies to commercial websites or Internet service providers that collect, store, and sell customers’ personally identifiable information (PII). These entities must designate a data controller and identify all categories of personal data collected and third parties to whom the PII has been or may be sold. Compliance with these requirements ensures transparency and protects consumer privacy.

Exemptions and Special Cases

The RIDTPPA exempts specific types of information, such as protected health information under HIPAA, data regulated by the Fair Credit Reporting Act, and employment-related data used solely for benefits administration.

The exemptions structure is unique to Rhode Island which are divided into two primary categories:

1. Commercial Websites and Internet Service Providers (ISPs) that collect, store, and sell customers’ PII hav obligations, such as designating a data controller; identifying collected personal data categories; disclosing third-party data sales; and providing an active email or online contact for customers. Exemptions from these obligations include higher education institutions, nonprofit organizations, National Security Agency (NSA), government bodies, financial institutions, and covered entities.
2. For-profit businesses that meet specific thresholds must comply with obligations, including conducting a DPIA, documenting data protection policies, and ensuring transparency in data processing and consumer rights. Exemptions from these broader obligations, include financial institutions and government contractors or agents in their government roles.

Key Provisions of the RIDTPPA: A Closer Look

Empowering Consumers: A New Era of Data Rights

The RIDTPPA grants Rhode Island residents several rights regarding their personal data. These include the right to:

• Confirm if their data is being processed.
• Access and obtain copies of their data.
• Correct inaccuracies and delete their data.
• Opt-out of data processing for targeted advertising, data sales, or profiling.

Businesses must respond to these requests within 45 days, with a possible extension of an additional 45 days if necessary, ensuring a swift and transparent process.

The Power of Consent: Handling Sensitive Data

One of the significant aspects of the RIDTPPA is its emphasis on obtaining explicit consent for processing sensitive data, which includes racial or ethnic origin, religious beliefs, health data, and more. Unique to the RIDTPPA, businesses are required to stop processing consumers’ data within 15 days of receiving a request to revoke consent. This rapid response is designed to ensure that consumer preferences are respected promptly, further strengthening data privacy protections.

For children’s data, businesses must comply with the Children’s Online Privacy Protection Act (COPPA) and obtain parental consent. This measure is crucial for safeguarding vulnerable populations.

Implementing the RIDTPPA: Steps for Success

Conducting Data Protection Impact Assessments (DPIAs)

Businesses must conduct DPIAs for processing activities that pose a high risk to customer privacy. This includes processing sensitive data or data for targeted advertising. DPIAs help identify and mitigate potential privacy risks, ensuring that businesses comply with the RIDTPPA’s requirements.

Ensuring Non-Discrimination and Transparency

Under the RIDTPPA, businesses cannot discriminate against customers who exercise their privacy rights. This means not denying goods or services or charging different prices based on a customer’s decision to opt out of data processing. Clear communication and accessible mechanisms for customers to exercise their rights are critical for compliance.

Building Robust Security Practices

The RIDTPPA mandates that businesses implement robust security measures to protect personal data. This includes reasonable administrative, technical, and physical safeguards. Businesses must also ensure that data processors adhere to these standards, with contractual agreements outlining the responsibilities of both parties.

Establishing a Website Notice

Commercial websites and internet service providers that collect, store, and sell customers’ PII must post a clear and conspicuous notice on their websites. This notice should identify all categories of personal data collected, the third parties to whom the data may be sold, and provide an active email address or online contact mechanism for customers.

What’s Missing from the RIDTPPA?

The RIDTPPA has notable omissions compared to other state privacy laws. It lacks explicit data minimization requirements, which means businesses are not mandated to collect only the data necessary for specific purposes.

The Act also does not address secondary purposes, allowing businesses to use collected data for different purposes without obtaining new consent.

Additionally, RIDTPPA does not provide enhanced protections for adolescents, unlike other states that offer specific rights and safeguards for teenagers.

Navigating the Challenges and Opportunities

Preparing for the RIDTPPA’s Enforcement

The RIDTPPA will be enforced by the Rhode Island Attorney General, with no private right of action allowed under the law.

Violations can result in penalties of up to $10,000 per violation; higher than most states that impose penalties of up to $7,500 for each violation, making it crucial for businesses to prepare adequately. This preparation includes updating privacy policies, training staff, and conducting regular audits to ensure compliance.

Leveraging the RIDTPPA for Competitive Advantage

Beyond legal compliance, adhering to the RIDTPPA can enhance a business’s reputation and build consumer trust. By demonstrating a commitment to data privacy, companies can differentiate their brand in a crowded market. It’s not just about following the law—it’s about creating a positive customer experience.

Moving Forward with Confidence

As the digital landscape evolves, so too does the importance of data privacy. The RIDTPPA represents a significant step in protecting consumers’ personal data and ensuring businesses adhere to high standards of data security. By understanding and implementing the RIDTPPA’s requirements, businesses can not only avoid legal repercussions, but also gain a competitive edge in today’s data-driven world.

Your Ultimate Guide to Making Privacy Your Superpower!

Discover What’s New in Data Privacy

In the digital age, understanding data privacy laws is like having a superpower. The Minnesota Consumer Data Privacy Act (CDPA), recently signed into law, is set to reshape how businesses handle consumer information.

But why should this matter to you?

Because as this law comes into effect on July 31, 2025, protecting your data isn’t just a legal necessity—it’s a trust-building superpower that can set your business apart. Even if the CDPA may not apply to your business, it is likely that future states will follow Minnesota’s lead in some novel requirements added by this Act.

Understanding the Minnesota Consumer Data Privacy Act

With data breaches and misuse becoming more common, consumers are demanding greater control over their personal information. The Minnesota Consumer Data Privacy Act provides a framework that not only protects consumer rights but also sets a standard for businesses to follow. Compliance is not just a legal obligation but also a trust-building exercise that can enhance your reputation and customer loyalty.

What you need to know:

The Act applies to entities conducting business in Minnesota or targeting Minnesota residents and meets specific data processing thresholds. This includes processing the personal data of 100,000 consumers or more, or deriving over 25% of gross revenue from the sale of personal data involving 25,000 consumers or more.

Key Elements of the Minnesota Consumer Data Privacy Act

1. Consumer Rights

The Act provides consumers with several rights, including:

• Access: Consumers can request information about the personal data being processed. Organizations must disclose whether they have collected specific information about them but must not disclose the information itself.
• Correction: Consumers can request corrections to inaccurate data.
• Deletion: Consumers can ask for their data to be deleted.
• Data Portability: The right to receive personal data in a usable format.
• Opt-Out: Consumers can opt out of data processing for targeted advertising, data sales, and profiling.
• Contest Results: Consumers can question decisions made from profiling their data if these decisions have legal or significant effects on them.
• Obtain List of Third Parties: Consumers have the right to know which specific third parties have received their personal data from the controller. If the controller cannot provide this information, they can provide a list of all third parties that have received any consumers’ personal data.

Compliance isn’t optional. From handling data rights requests within 45 days to getting explicit consent for processing sensitive data, businesses must be proactive. The stakes? A hefty $7,500 fine per violation. Ouch!

2. Transparency and Privacy Policies

The Act mandates that businesses provide a clear, accessible privacy policy detailing how data is collected, used, and shared. These policies must be understandable to all consumers, including those with disabilities and children. Businesses should regularly review and update their privacy policies to comply with new requirements and ensure they are easily accessible on their website and other communication channels.

3. Data Security

Data security is crucial to avoid significant financial and reputational damage from breaches. The Act mandates that businesses adopt reasonable administrative, technical, and physical measures to protect personal data from unauthorized access, use, or disclosure. This includes conducting regular security audits, updating protocols, and training employees on best practices such as encryption and access controls.

Additionally, under the Minnesota Consumer Data Privacy Act, businesses must inventory their data to identify and manage personal data more effectively, ensuring all security measures are adequately applied.

4. Data Minimization and Purpose Limitation

The Act requires businesses to collect only the data necessary for its intended purpose and to avoid retaining data longer than needed. Businesses should review their data collection practices, implement data retention schedules, and promptly delete data that is no longer required.

5. Accountability and Governance

The Act requires businesses to document their data protection policies, conduct data protection impact assessments (DPIAs) for high-risk processing activities, and manage data that cannot be identified or linked to individuals. Businesses should establish a comprehensive data governance framework, appoint a data protection officer, document all compliance and processing activities, and perform regular privacy audits.

Additionally, DPIAs must be thorough, considering all potential risks and mitigation strategies for processing activities that could significantly affect data subjects.

What’s Next?

Here’s your game plan:

1. Audit Your Data Practices: Know what data you collect, how it’s used, and who it’s shared with. This is your baseline.
2. Revamp Your Privacy Policies: Make them clear, accessible, and compliant with the new law. Transparency is key.
3. Set Up Easy Opt-Outs: Give your customers control. Make opting out simple and straightforward.
4. Train Your Team: Ensure everyone understands the importance of data privacy and how to handle consumer requests.
5. Stay Informed: The law is ever-evolving. Keep an eye on changes and be ready to adapt. For more detailed insights and tools to help you navigate these changes, visit Nymity Research.

Taking Action and Moving Forward

The Minnesota Consumer Data Privacy Act is more than just another regulation—it’s a signal that the future of business is privacy-first. By embracing these changes now, you’re not just avoiding fines; you’re investing in customer trust and loyalty. So, gear up, stay informed, and make privacy your superpower!

On April 4, 2024, the Kentucky Consumer Data Protection Act (KCDPA) was passed, making Kentucky the third U.S. state in 2024 to enact a comprehensive privacy law, following New Jersey and New Hampshire. It’s the 15th state overall to do so. Passing such laws is at an all-time high, with several other states – including New York, Pennsylvania, North Carolina, and Ohio – also currently considering similar comprehensive privacy legislation.

The surge in data privacy laws at the state level in the U.S. stems from various factors, mirroring the dynamic evolution of technology and escalating apprehensions regarding data privacy and security. Several other key drivers underpin the enactment of these laws across numerous states, including the absence of comprehensive federal legislation and the alignment with global standards.

Like the General Data Protection Regulation (GDPR) implemented in Europe, the recent legislation in Kentucky aims to bolster transparency and accountability concerning the gathering, utilizing, and disseminating of personal data. Many of its stipulations resemble those introduced in various other U.S. states over recent years. Notably, the Kentucky Consumer Data Protection Act closely mirrors the framework of Virginia’s legislation, along with similar laws in states like Tennessee and Indiana.

Unlike some state privacy laws that may have limited scope or focus, Kentucky’s legislation covers a wide range of data protection measures. It addresses key areas such as data processing, consumer rights, and enforcement mechanisms, ensuring a holistic approach to privacy regulation.

What is the Kentucky Consumer Data Protection Act?

The Kentucky Consumer Data Protection Act encompasses several pivotal components, rendering it a substantial legislative measure. It mandates that businesses secure explicit consent from consumers before gathering or processing sensitive personal data, and before selling consumers’ personal information. The KCDPA also affords consumers the right to access, delete, and rectify their personal data.

Under the KCDPA, personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.

Additionally, federal regulations impose stringent mandates on businesses engaged in the collection and processing of personal information, including obligatory data protection assessments and protocols for notifying individuals in the event of data breaches.

The ramifications of the KCDPA are extensive and will profoundly affect businesses operating within Kentucky. Entities entrusted with personal data must scrutinize their data management procedures and adhere to the dictates of the new legislation. Failure to do so may incur substantial fines and legal repercussions.

Who does the Kentucky Consumer Data Protection Act apply to?

The KCDPA applies to any person who conducts business in Kentucky or who produces products or services that target residents of the state, and during a calendar year controls or processes data of at least:

• 100,000 consumers; or
• 25,000 consumers and derives over 50 per cent of gross revenue from the sale of personal data.

Similar to preceding data privacy statutes, the KCDPA extends its jurisdiction to both controllers – entities that define the purpose and methods of data processing – and processors: entities engaged in processing personal data on behalf of controllers, such as third-party vendors tasked with data analysis. This distinction between controllers and processors serves to definitively allocate duties for data governance among the entities involved in the acquisition and handling of consumer data.

Who is exempt from the KCDPA?

To mitigate potential conflicts with existing regulations across various sectors, the KCDPA includes exemptions for specific organizations and categories of data. These exemptions primarily apply to entities and data already subject to regulation under federal laws.

The organizational exemptions outlined in Kentucky’s privacy legislation encompass:

• Municipalities, state agencies, or governmental subdivisions.
• Financial institutions, their affiliates, or data governed by the Gramm-Leach-Bliley Act.
• Entities covered by HIPAA privacy regulations, including covered entities and business associates.
• Non-profit organizations.
• Institutions of higher education.
• Entities involved in the collection, processing, utilization, or sharing of data exclusively for the identification or investigation of insurance fraud or in support of first responders.
• Small-scale telephone utilities, Tier III CMRS providers, or municipal utilities that do not engage in the sale or dissemination of personal data.

When considering exemptions at the data level, health data emerges as the most substantial category affected. This encompasses data regulated under the Health Insurance Portability and Accountability Act (HIPAA), health records, patient identifiers, data from human subjects research, and information utilized for quality improvement and patient safety initiatives.

Furthermore, personal data utilized in specific contexts and governed by statutes such as the Fair Credit Reporting Act, FERPA, the Driver’s Privacy Protection Act, and the Farm Credit Act are also exempted.

Moreover, data collected for law enforcement, public health, emergency response, and compliance with the Combat Methamphetamine Epidemic Act fall under exemptions from Kentucky’s data privacy legislation.

Additionally, the law acknowledges that entities already in compliance with parental consent requisites as outlined in the Children’s Online Privacy Protection Act (COPPA) are automatically deemed compliant with obligations regarding parental consent.

Compliance with the Kentucky Consumer Data Protection Act

Kentucky’s privacy legislation delineates a comprehensive set of obligations for controllers concerning data handling, encompassing security measures, consent protocols, privacy policies, and procedures for addressing consumer rights requests.

Aligned with privacy laws in other states, the KCDPA mandates controllers to:

• Restrict the collection of personal data to what is deemed adequate, relevant, and reasonably necessary.
• Refrain from processing personal data for undisclosed purposes without obtaining consent.
• Establish, implement, and uphold reasonable administrative, technical, and physical measures to safeguard personal data.
• Adhere to anti-discrimination statutes when handling personal data and refrain from discriminatory practices against consumers who exercise their rights.
• Obtain consent before processing sensitive data and comply with the Children’s Online Privacy Protection Act (COPPA) when dealing with children’s data.
• Furnish a comprehensive privacy notice encompassing categories of processed personal data, purposes of processing, avenues for consumers to exercise their rights, categories of personal data shared with third parties, and the categories of third parties with whom personal data is shared.

What are Data Protection Impact Assessments (DPIAs)?

Data Protection Impact Assessments (DPIAs) serve as crucial instruments for assessing and mitigating potential risks linked to the processing of personal data. According to Kentucky’s privacy legislation, data controllers are obligated to conduct DPIAs for activities that pose elevated risks to individuals’ privacy rights. These assessments entail identifying and evaluating potential risks, scrutinizing the necessity and proportionality of data processing, and instituting measures to alleviate identified risks.

Similar to California, Colorado, Virginia, and Indiana, the KCDPA mandates controllers to conduct and meticulously document a Data Protection Assessment (DPA) for various processing activities involving personal data. These encompass processing personal data for:

• Targeted advertising.
• Sale of personal data.
• Profiling, particularly if it carries a risk of unfair or deceptive treatment, potential harm to consumers, or intrusion into their privacy.
• Handling sensitive data.
• Managing personal data that poses an elevated risk of harm to consumers.

A single DPIA may cover a comparable range of processing operations if they entail similar activities.

Penalties for non-compliance with KCDPA

Violating the KCDPA carries a penalty of up to $7,500 for each infringement, with the fines collected directed into a fund at the disposal of the Office of the Attorney General for the enforcement of the KCDPA.

Additionally, the enacted legislation establishes a consumer privacy fund, highlighting the state’s dedication to safeguarding consumers’ rights and offering recourse in instances of privacy breaches.

Noteworthy is the absence of a private right of action within the KCDPA, with enforcement exclusively under the purview of Kentucky’s Attorney General. The law also incorporates a 30-day cure period, during which controllers and processors, if utilized, must furnish a written declaration confirming the rectification of alleged violations and the commitment to refrain from future infractions. This cure provision remains in effect indefinitely.

What are key Kentucky Consumer Data Protection Act dates?

The Kentucky Consumer Data Protection Act was passed on March 27, 2024. Businesses will become subject to the law as of January 1, 2026.

TrustArc U.S. State Data Privacy Resources

TrustArc is committed to helping organizations understand and manage their compliance obligations for all existing and emerging U.S. state privacy laws.

Are you New HampSURE you’re ready for the new NH Privacy Act?

New Hampshire became the 14th state to enact a comprehensive consumer privacy law when Governor Chris Sununu signed SB 255-FN (“An Act relative to the expectation of privacy”) into law on March 6, 2024.

The Act delivers many of the privacy protections consumers have in other U.S. states that have already introduced similar data privacy laws, including rights to request access to their personal data records held by controllers and have those records corrected and/or deleted, as well as opt-out from having their personal data sold or used for targeted advertising.

Also known as the New Hampshire Consumer Expectation of Privacy Act (NHPA), the state’s privacy law is enforceable from January 1, 2025. Controllers must honor opt-out requests by no later than January 1, 2025.

Key Dates: New Hampshire Consumer Data Privacy Law

• January 19, 2023 – SB255 “Relative to the expectation of privacy” is introduced in the New Hampshire Senate and referred to the Judiciary Committee.
• March 16, 2023 – House Bill 314-FN “relative to the expectation of privacy in the collection and use of personal information” is introduced in the New Hampshire House of Representatives. It differs slightly from SB255 with broader privacy protections for the state’s citizens, including a private right of action against companies.
• March 6, 2024 – New Hampshire Governor Chris Sununu signs SB 255-FN, (“relative to the expectation of privacy”) into law. In a media release announcing the new law he says: “New Hampshire is living up to our motto as the ‘Live Free or Die’ state by ensuring that ‘The Granite Staters’ have control over their personal information. This law provides transparency about what information is collected, why, and confidence that in the age of AI, steps are taken to protect that data.”
• January 1, 2025 – New Hampshire Consumer Expectation of Privacy Act becomes enforceable.

New Hampshire Expectation of Privacy: Consumer Personal Data Rights

SB255-FN / the New Hampshire Act relative to the expectation of privacy defines a consumer as “an individual who is a resident of this state” and just like many other U.S. state data privacy laws (apart from those in California), the definition of a consumer excludes individuals “acting in a commercial or employment context.”

The text of the Act defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.” This definition excludes “de-identified data or publicly available information.”

New Hampshire residents – along with parents/guardians on behalf of their children and conservators/guardians of consumers subject to protective arrangements – can exercise their personal data privacy rights by contacting each controller via “a secure and reliable means established by the secretary of state and described to the consumer in the controller’s privacy notice.”

By January 1, 2024, controllers must also honor verified consumers’ opt-out requests signaled via browser extension or device settings such as Global Privacy Control (GPC).

The ‘expectation of privacy’ rights for consumers in New Hampshire include:

• Right to confirm (right to know) whether a controller is processing their personal data and Right to access their personal data about them held by a controller, “unless such confirmation or access would require the controller to reveal a trade secret.”
• Right to correct inaccuracies in their personal data, “taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”
• Right to delete personal data provided by or about the consumer.
• Right to obtain a copy (portability) of their personal data processed by the controller. Controllers must provide the consumer with a copy of their personal data “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret.”
• Right to opt-out from the processing of their personal data for the purposes of targeted advertising, sale of personal data (the text also refers to controller responsibilities under NH 507-H:6, which prohibit controllers from selling personal data consumers aged 13 to 16 without the consumer’s consent) or personal data used for profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.”
  Note: controllers are not required to authenticate opt-out requests, but may deny any requests they believe are fraudulent, provided they send notices to the people who made the requests.
• Right to non-discrimination for exercising consumer rights – this right is listed in the same subsection as the opt-out right. Prohibited forms of discrimination mentioned include “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.”

Controllers must respond to New Hampshire consumers’ personal data rights requests within 45 days.

A controller can extend the period to process the requests by 45 more days (considering their complexity and number), but the consumer must first be told the reason for the extension within the initial 45 day period. Consumers must be informed of a decision to decline the rights request within 45 days, and be given a justification for the decision along with instructions on how to appeal.

Consumers are allowed to make such requests free of charge once in any 12-month period; while controllers may charge “a reasonable fee” to cover the administrative costs or responding to consumer requests the controller can demonstrate are “manifestly unfounded, excessive or repetitive.”

Sensitive Personal Data Requirements

New Hampshire’s data privacy law prevents controllers from processing a consumer’s sensitive personal data unless they’ve first obtained the consumer’s consent (opt-in). This provision is in line with sensitive data privacy protections in other state’s similar laws and includes a requirement for controllers to comply with the federal Children’s Online Privacy Protection Act (COPPA) when processing the sensitive data of a known child.

Any personal data collected from a known child is classified as sensitive data.

New Hampshire SB255 privacy law defines ‘sensitive data’ for adults as personal data that reveals a consumer’s:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Sex life
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data (“for the purpose of uniquely identifying an individual”); and/or
• Precise geolocation within 1750 feet (excluding “the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility”).

Applicability: Who Must Comply with New Hampshire SB255 Privacy Law?

The compliance requirements of New Hampshire’s privacy law apply to any person who conducts business in New Hampshire or produces products or services targeted to residents of New Hampshire during a one-year period:

• Controlled or processed the personal data of 35,000 or more unique consumers. However, this threshold excludes “personal data controlled or processed solely for the purpose of completing a payment transaction.”

or

• Controlled or processed the personal data of 10,000 or more unique consumers and derived more than 25% of their gross revenue from the sale of personal data.

Exempted Organizations and Data Under New Hampshire Privacy Law

The New Hampshire Privacy Law includes exemptions similar to those under other state consumer privacy laws, such as organizations regulated by HIPAA and GLBA, and personal information regulated by FCRA, DPPA, and FERPA.

Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) shall be deemed compliant with any obligation to obtain parental consent.

New Hampshire Privacy Law Compliance Requirements

Under New Hampshire’s data privacy law, controllers must comply with the following requirements related to the collection and processing of personal data:

• Limit the collection of personal data to what is adequate, relevant and reasonably necessary to the disclosed purposes for which the data is processed
• Obtain the consumer’s consent before processing their personal data for other purposes that are neither reasonably necessary to, nor compatible, with the disclosed purposes – this consent requirement also applies to the processing of personal data for sale or for the purposes of targeted advertising or profiling, and the processing of sensitive data – or in the case of a known child, the controller must process such data in compliance with COPPA
• Not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers
• Support consumers’ right to revoke consent to selected data collection and processing activities by providing an effective mechanism that is at least as easy to use as the mechanism by which the consumer provided their consent – and when a consumer exercises this right, stop processing the data as soon as practicable and at least within 15 days of consent being revoked
• Publish a privacy notice (see below) and
• Disclose whether the controller sells personal data to third parties or processes personal data for targeted advertising and if so, provide a clear and conspicuous link on the controller’s website to a page that enables a consumer or an agent acting on their behalf to opt-out of the target advertising of sale of the consumer’s personal data.
  Note: universal opt-out signals (e.g., Global Privacy Control) must be honored by January 1, 2025.

Controllers must also comply with the following data protection requirements:

• Establish, implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue
  and
• Conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to the consumer including:
  – processing of sensitive data
  – sale of personal data
  – processing of personal data for the purposes of targeted advertising or profiling.

Privacy Notice Requirements in New Hampshire

Controllers must provide consumers with a privacy notice that is reasonably accessible, clear and meaningful, which meets the “standards established by the secretary of state”) and includes:

• Categories of personal data processed by the controller
• Purpose for processing personal data
• How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about a consumer rights request;
• Categories of personal data shared by the controller with third parties (if any)
• Categories of third parties (if any) with which the controller shares personal data and
• An active email address or other online mechanism the consumer may use to contact the controller.

New Hampshire Privacy Act Processor Responsibilities

Processors must adhere to the instructions of a controller and assist the controller in meeting the controller’s obligations, taking into consideration the nature of processing and the information available to the processor to:

• Fulfill the controller’s obligations to respond to consumer rights requests
• Ensure security of processing personal data
• Notify a breach of security or breach of the processor’s system/s and
• Provide information needed by the controller to conduct and document data protection assessments.

A controller and a processor must enter a binding contract governing the processor’s data processing procedures performed on behalf of the controller that clearly details instructions for:

• Processing data and the nature and purpose of processing
• Type of data subject to processing
• Duration of processing and
• Rights and obligations of both parties.

The contract must also require the processor to:

• Ensure each person processing personal data is subject to a duty of confidentiality with respect to the data
• When directed, delete or return all personal data to the controller at the end of the provision of services – unless retention of personal data is required by law
• When reasonably requested, make available to the controller all information necessary to demonstrate the processor’s compliance with New Hampshire’s data privacy law
• After providing the controller an opportunity to object, engage any subcontractor under a written contract requiring the subcontractor to meet the processor’s obligations with respect to personal data and
• Allow and cooperate with reasonable compliance assessments, and provide a report of such assessment to the controller on request. These assessments can be conducted by the controller, an assessor designated by the controller or a qualified and independent assessor arranged by the processor, and must use an appropriate and accepted control standard or framework and assessment procedure.

New Hampshire Privacy Act Notice and Enforcement

In New Hampshire the state’s Attorney General has exclusive authority to enforce violations of the Act. Consumers do not have a private right of action.

For the first year the Act is in force – from January 1 to December 31, 2025 – before the Attorney General initiates any action for violation of the Act, the AG shall:

• Issue a notice of a violation to a controller if the AG determines that a cure is possible
• Give the controller up to 60 days to cure the violation and
• Bring an enforcement action if the controller fails to cure the violation.

From January 1, 2026, the New Hampshire Attorney General may consider whether to grant a controller or processor the opportunity to cure an alleged violation of the Act based on several factors, including:

• Number of violations
• Size and complexity of the controller or processor
• Nature and extent of the controller’s or processor’s processing activities
• Substantial likelihood of injury to the public
• Safety of persons or property and
• Whether the alleged violation was likely caused by human or technical error.

Penalties are not specified in the text of the New Hampshire Consumer Expectation of Privacy Act, although it does state that a violation “shall constitute an unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce within this state under RSA 358-A:2.” (New Hampshire Regulation of Business Practices for Consumer Protection.)

New Jersey became the 13th U.S. state to give its consumers a set of comprehensive data privacy protections when Senate Bill 332 was signed into law by state Governor Phil Murphy on January 16, 2024.

The state’s data privacy legislation addresses consumers’ concerns about businesses collecting, disclosing and selling their personal data by requiring owners of business websites to transparently disclose these activities and honor opt-out requests.

The New Jersey Consumer Privacy Act is enforceable from January 15, 2025 and covered entities have six months to mid-July 2025 to ensure they honor opt-out requests signaled via universal opt-out mechanisms.

Key Dates: New Jersey Consumer Data Privacy Act

• January 11, 2022 – New Jersey Senators Troy Singleton, Richard Cody, Raj Mukherji, Daniel Benson and Paul Moriarty introduce Senate Bill 332: “An Act concerning online services, consumers and personal data”, which “requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.” The Bill is referred to the Senate Commerce Committee;
• August 8, 2022 – New Jersey Senate adopts an amendment to SB332 proposed by Senator Troy Singleton: “This floor amendment provides that nothing in the bill is subject to, or to be construed as providing the basis for, a private right of action for a violation of the bill or any other law”;
• November 21, 2022 – Amendments to SB332 are reviewed by New Jersey senators, such as changing the definition of “consumer” to include individuals acting within a job-seeking context, clarifying methods for consumer rights requests and including third parties that track or collect information about consumers’ use of commercial websites in the definition of “operator”;
• December 19, 2022 – New Jersey Senate adopts several amendments to the text of SB332, most of which remove the amendments proposed in November 2022;
• February 2, 2023 – New Jersey senators pass Senate Bill 332 with a vote of 27–11;
• December 21, 2023 – New Jersey Senate adopts floor amendments in the equivalent Assembly Bill 1971 proposed by Assemblyman Raj Mukherji, which revise some definitions and clarify several requirements, including that “a consumer’s option to opt-out applies to the sale of data or targeted advertising,” and “a controller is not required to authenticate an opt-out request”;
• January 8, 2024 – New Jersey Assemblymen accept Senate Bill 332 substituting the equivalent Assembly bill (A1971) and pass SB 332 with a vote of 46–27;
• January 16, 2024 – State Governor Phil Murphy signs into law SB332/A1971, New Jersey’s legislation protecting consumer data. In a press release he says: “In a rapidly growing digital age, our society has become increasingly dependent on the internet to complete day-to-day tasks from shopping and working to deeply personal tasks such as managing finances and medical care. However, far too often consumer privacy is exploited without consumers knowing that their data is being shared and sold. This important legislation will help consumers reclaim control over their own personal data, and allow them the choice to share information that is personal to them”;
• January 15, 2025 – New Jersey’s comprehensive consumer data privacy legislation goes into effect;
• Mid-July 2025 – Within six months from the New Jersey Consumer Privacy Act being effective, covered entities must honor consumers’ right to signal their opt-out rights (via universal opt-out mechanisms) to prevent their personal data from being sold or used for targeted advertising.

New Jersey Consumer Data Privacy Act: Consumer Rights

A ‘consumer’ is defined in the New Jersey Consumer Privacy Act as “an identified person who is a resident of this state acting only in an individual or household context”. The definition excludes “a person acting in a commercial or employment context.”

The Act focuses on ‘personally identifiable information’ to set out consumers’ privacy rights. It defines ‘personal data’ as “any information that is linked or reasonably linkable to an identified or identifiable person” and excludes de-identified or publicly available information about a citizen of New Jersey in the definition. Personally identifiable information is defined the same.

New Jersey’s citizens now have the following consumer privacy rights:

• Right to confirm / right to know whether a controller processes their personal data, and gains access to it, with a caveat that controllers are not required to “provide the data to the consumer in a manner that would reveal the controller’s trade secret”;
• Right to correct inaccuracies in their personal data held by a controller, “taking into account the nature of the information and the purposes of the processing of the information”;
• Right to delete their personal data
  Note: this right also covers personal information the controller has lawfully obtained from a third-party, other than the consumer. In these cases, the controller must delete the consumer’s personal data when requested by them, keep a record of the consumer’s deletion request including the minimum data needed to ensure the consumer’s data from the controller’s records and ensure the consumer’s personal information is not used for any other purpose.
• Right to data portability / obtain a copy of their personal data held by a controller in a “readily usable format that allows the consumer to transmit the data to another entity without hindrance.” Again, this right includes the caveat about controllers not being required to “provide the data to the consumer in a manner that would reveal the controller’s trade secrets”;
• Right to opt-out of the processing of their personal data for the purposes of targeted advertising, sale or profiling (when that profiling is “in furtherance of decisions that produce legal or similarly significant effects concerning the consumer”);
• Right to designate an authorized agent to exercise opt-out requests on the consumer’s behalf, including via a user-selected universal opt-out mechanism (such as Global Privacy Control) designed to signal opt-out preferences;
• Right not to have sensitive personal data processed by a controller, without first providing consent to the controller. In the case of a known child, controllers must process personal data in compliance with the Children’s Online Privacy Protection Act 1998 (COPPA).

Sensitive Data Under New Jersey Privacy Law

The New Jersey Consumer Privacy Act defines ‘sensitive data’ as personal data revealing:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition, treatment or diagnosis
• Financial information – which includes “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account”
• Sex life or sexual orientation
• Citizenship or immigration status
• Status as transgender or non-binary
• Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
• Personal data collected from a known child
• Precise geolocation data within 1750 feet (Note: this definition excludes communications and other data generated by or connected to “advanced utility metering infrastructure systems or equipment for use by a utility”).

Covered Entities Under New Jersey Consumer Privacy Law

New Jersey’s consumer data privacy legislation applies to any controller who:

• Conducts business in New Jersey
  or
• Produces products or services that are targeted to residents of New Jersey.
  and

During a calendar year either:

• Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction
  or
• Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

The Act defines ‘sale’ as “the exchange of personally identifiable information for monetary consideration by the operator to a third party for purposes of licensing or selling personally identifiable information at the third party’s discretion to additional third parties.”

Note: As the New Jersey Consumer Privacy Act does not mention a revenue threshold, it applies to any small business or nonprofit organization which processes the personal data of enough consumers to pass the above thresholds.

Unlike several other U.S. states’ data privacy and protection laws, New Jersey’s privacy law does not exempt institutions of higher education or data subject to the federal Family Educational Rights and Privacy Act.

Exempted Entities and Data Under New Jersey Consumer Privacy Act

The requirements of New Jersey’s data privacy law do not apply to:

• Protected health information collected by a covered entity or business associate subject to the privacy, security and breach notification rules under Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health Act (HITECH);
• Financial institutions or their affiliates subject to Title V of the federal Gramm-Leach-Bliley Act; and secondary market institutions identified in the privacy subchapters of the Gramm Leach-Bliley Act as well as regulations under 12 C.F.R. s.1016 (Privacy of Consumer Financial Information Regulation);
• Insurance institutions subject to New Jersey legislation on information sharing related to insurance fraud including P.L.1985, c.179 (C.17:23A-1 et seq.);
• The sale of a consumer’s personally identifiable information by the New Jersey Motor Vehicle Commission permitted by the federal Driver’s Privacy Protection Act;
• Personally identifiable information collected, processed, sold or disclosed by a consumer reporting agency subject to the federal Fair Credit Reporting Act;
• Any New Jersey State agency (“any political subdivision, and any division, board, bureau, office, commission, or other instrumentality created by a political subdivision”) or
• Personal data that is collected, processed or disclosed as part of research conducted in accordance with the Federal Policy for the protection of human subjects pursuant to 45 C.F.R. Part 46 or the protection of human subjects pursuant to 21 CFR 50 and 21 CFR 56.

New Jersey SB332 Privacy Law Compliance

Under the New Jersey Consumer Privacy Act controllers must meet the following requirements:

• Specify the express purposes for processing personal data (see New Jersey Privacy Notice Requirements below);
• Limit the collection of personal data to what is adequate, relevant and reasonably necessary to the purposes disclosed to the consumer; and if a controller wants to process data for any other purpose, they must first get consent from the consumer;
• Take reasonable measures to establish, implement and maintain administrative, technical and physical data security practices “to protect the confidentiality, integrity and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition. The data security practices shall be appropriate to the volume and nature of the personal data at issue”;
• Not process sensitive personal information of a consumer without first obtaining the consumer’s consent, or in the case of personal data concerning a child, without processing the personal data in accordance with COPPA;
• Not process the personal information of a consumer aged 13–17 without their consent for the purposes of targeted advertising, sale or profiling – such processing is prohibited without consent if the controller has “actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age”;
• Not process personal data in violation of New Jersey state laws and federal laws that prohibit unlawful discrimination against consumers;
• Provide an effective mechanism for consumers to revoke their consent, and when consent is revoked by a consumer, stop processing their personal data as soon as practicable within 15 days of receiving the request – the mechanism for consumers to revoke their consent must be at least as easy to use as the mechanism they used to give consent in the first place; and
• Conduct and document a data protection assessment for processes that present a heightened risk of harm to the consumer – these assessments must be compliant with a controller’s duties under the New Jersey Consumer Privacy Act and other laws, and be made available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request.

Any processor engaged by a controller must enter a binding contract with the controller, adhere to the controller’s instructions and meet compliance obligations under the New Jersey Privacy Act, such as security and confidentiality requirements.

New Jersey Privacy Notice Requirements

Controllers must provide consumers in New Jersey a reasonably accessible, clear and meaningful privacy notice that includes:

• Categories of personal data the controller processes;
• Purpose for processing personal data;
• Categories of all third parties which may have personal data disclosed to them by the controller;
• Categories of personal data the controller shares with third parties (if any);
• Information on how consumers may exercise their consumer rights under New Jersey’s privacy law, including contact information for the controller and instructions on how consumers may appeal the controller’s decision on their consumer rights requests;
• Process for notifying consumers of material changes to the privacy notice, along with effective date;
• Method consumers can use to contact the controller, such as an active email address or other online mechanism;
• Conspicuous disclosure if the controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, sale or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; and
• Conspicuous instructions on how a consumer can exercise their right to opt-out from the sale or processing of their personal data.

Responding To New Jersey Consumer Rights Requests

Controllers have 45 days to respond to an authenticated consumer privacy rights request with a decision. Controllers may extend this deadline by 45 days, provided they notify the consumer in the first 45 days about their reasons for needing the extra time.

If a controller cannot authenticate a consumer rights request, they must notify the consumer that they cannot initiate action until they receive additional information from the consumer needed to authenticate the consumer and the rights request.

Controllers do not need to authenticate opt-out requests but may deny them “if the controller has a good faith, reasonable and documented belief that such request is fraudulent,” though they must notify the consumer of their decision and provide an explanation.

Consumers can make one rights request in any 12 month period and not be charged by a controller.

If a controller decides a consumer rights request is unfounded or excessive, the controller can either decline to act on the request or charge a reasonable fee to the consumer to cover related administration costs of complying with the request.

In both scenarios, the controller must prove the request is unfounded or excessive. When refusing to act on a consumer request the controller must:

• Notify the consumer within 45 days from receipt of the request
• Explain the reason for inaction, and
• Provide instructions on how the consumer may appeal the decision.

Controllers cannot discriminate against New Jersey consumers for exercising their privacy rights under the Act.

New Jersey Privacy Law Enforcement

The state Attorney General has exclusive authority to enforce violations of the New Jersey Consumer Privacy Act. Consumers do not have a private right of action.

The Director of the Division of Consumer Affairs in the Department of Law and Public Safety has the authority to make rules and regulations pursuant to the Administrative Procedure Act necessary to effect the purposes of the privacy law.

In the first 18 months of the Privacy Act being in effect, controllers alleged to be in violation if a cure is deemed possible must be issued a notice by the Division of Consumer Affairs, which gives the controller 30 days to cure a violation before an enforcement action can be brought against them. After this sunset period enforcement action can begin immediately.

The scale of penalties is not mentioned in the text of the New Jersey Consumer Privacy Act.

The “Diamond State” has passed the Delaware Personal Data Privacy Act, a modern consumer privacy law that gives its residents some of the important data protection rights found in other states’ privacy regulations. Citizens are covered by the Act as individuals, but not in an employment or commercial context.

Delaware Governor John Carney signed the Act into law on September 11, 2023, and it will become effective on January 1, 2025. An additional rule requiring controllers to recognize and act on universal opt-out signals goes into force on January 1, 2026.

Delaware Personal Data Privacy Act: Key dates

• May 12, 2023 – Following lobbying by consumer and privacy groups, and the growing trend across the U.S. to give consumers more protections in an increasingly data-driven business landscape, House Bill 154 is introduced by Rep. Krista Griffith with backing from several senators and representatives.
• May 15, 2023 – in a media release announcing the Delaware Personal Data Privacy Act Rep. Griffiths says: “The Delaware Personal Data Privacy Act is a critical step in safeguarding the privacy rights of Delawareans in our digital age. With the increasing collection and use of our sensitive personal data, it’s so important that we establish comprehensive rights for consumers and ensure that they have avenues to take control over their personal information. This legislation will give them that control and provide much-needed transparency and accountability in the use of personal data by companies.”
• June 8, 2023 – following two days of meetings to review amendments to the HB 154 the House votes 33-5 in favor.
• June 27, 2023 – amendments to the bill are tabled with the Banking, Insurance and Technology Committee in Delaware’s Senate, with exclusions for registered securities brokers and dealers alongside financial organizations covered under the Gramm-Leach-Bliley Act.
• June 29, 2023 – the Delaware Senate unanimously passes the amendments, then passes the bill with a 15-4 vote in favor.
• June 30, 2023 – the Delaware House votes 37-3 in favor of passing HB 154 to create the Delaware Personal Data Privacy Act.
• July 20, 2023 – Rep. Griffith tells the Delaware Business Times the compromises in Delaware’s data privacy law were to ‘get it over the line’, adding: “Banks and financial firms are subject to the [Gramm-Leach-Bliley Act] guidelines, so there wasn’t so much heartburn in that. And shortly after the bill passed the House, FINRA [Financial Industry Regulatory Authority] reached out to us to ask to be included in the exemptions. I’m pleased that it passed. I know this bill caught a lot of attention from several industries for its implications. But in practice, we wanted to give power back to our consumers on how their data is used.”
• September 11, 2023 – Delaware Governor John Carney signs the Delaware Personal Data Privacy Act into law.
• January 1, 2025 – Delaware’s privacy law goes into effect.
• January 1, 2026 – an additional requirement for controllers to honor universal opt-out signals goes into effect.

New data privacy rights for Delaware consumers

Delawareans gain new protections under the state’s data privacy law as consumers, but not as employees.

The Act defines a ‘consumer’ as “an individual who is a resident of this State. ‘Consumer’ does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.”

The definition for ‘personal data’ is very similar to that found in other states’ data privacy laws: “‘Personal data’ means any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information”.

Under the Delaware Personal Data Privacy Act Delawareans (as individual consumers) have gained the following data privacy rights:

• Right to confirm – consumers have a right to know whether a controller is processing their personal data, including the categories of data processed and the purposes for processing.
• Right to access and right to data portability – a consumer can request records of their personal data held by a controller “unless such confirmation or access would require the controller to reveal a trade secret”. Consumers also have the right to access a list of the categories of third parties to which the controller has disclosed their personal data. If this information isn’t available in a format specific to the consumer the controller can provide a list of specific third parties it has shared data with instead.
• Right to correct – consumers in Delaware can request a controller correct inaccuracies in records of their personal data, “taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data”.
• Right to delete – a consumer can ask a controller to delete personal data provided by or obtained about them.
• Right to opt-out – a consumer can tell a controller their personal data cannot be sold (see below for exceptions) or used for targeted advertising or profiling (when that profiling is “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”).
• Right to non-discrimination – Delawarean consumers exercising personal data privacy rights have a right not to be discriminated against, examples of discrimination listed in the Act include: “denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer”.
• Right not to have sensitive personal information processed – controllers must obtain consent from consumers first, through a clear and easy-to-understand consent form. Sensitive data is defined as personal information that could reveal a consumer’s:
  • racial or ethnic origin
  • religious beliefs
  • mental or physical health condition or diagnosis (including pregnancy)
  • sex life and sexual orientation
  • status as transgender or nonbinary
  • citizenship or immigration status
  • genetic or biometric information; or
  • precise geolocation.

Any personal data of a known child is also covered as sensitive personal data in the Act. Parents or legal guardians can exercise consumer rights on behalf of their child/ren aged under 13.

Until January 1, 2026, when the rule about universal opt-out signals applies, consumers (or parents/guardians acting on behalf of a child) will need to contact each controller and lodge requests to exercise any of these rights.

 From January 1, 2026: Universal Opt-Out Signals apply in Delaware

Section 12D-105 of the Delaware Personal Data Privacy Act gives consumers in the state the option of designating an authorized agent to exercise their rights on their behalf, including through universal opt-out mechanisms. This rule is effective from January 1, 2026.

This rule notes platforms, technologies, browser settings/extensions (e.g. Global Privacy Control), global device settings or mechanisms “may function as the agent for purposes of conveying the consumer’s decision to opt-out”.

Part (b) of the text in this section explaining controllers’ obligations is mostly identical to similar U.S. states’ data privacy laws:

“A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on such consumer’s behalf.”

Does the Delaware Data Privacy Law apply to your organization?

Delaware’s privacy law is mostly like other states’ equivalent data privacy regulations enacted so far in that it applies to:

• Persons that conduct business in the state; or
• Produce products or services targeted to residents of the state.

And during the preceding calendar year did any of the following:

• Controlled or processed the personal data of not less than 35,000 consumers – excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (This is the lowest threshold so far in any U.S. state privacy act); or
• Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.

Note: The Delaware Personal Data Privacy Act applies to any institute of higher education. It generally also applies to nonprofit organizations if they meet the above thresholds (so far the only other state privacy acts to also not exempt nonprofits are the Colorado Privacy Act and the Oregon Consumer Privacy Act).

Organizations exempt from Delaware’s Data Privacy Law

• Delaware state bodies (regulatory, administrative, advisory, executive, appointive, legislative or judicial) and state political subdivisions, including agencies, boards, bureaus and commissions of the state or its political subdivisions; and
• Financial institutions and their affiliates to the extent these organizations are subject to the Gramm-Leach-Bliley Act.

Personal data exempt from Delaware’s Data Privacy Law

• Personal information related to employment and business relationships (though only when used in context of that role).
• Emergency contact information when used for emergency contact purposes.
• Protected health information is defined under HIPAA (Health Insurance Portability and Accountability Act).
• Consumer credit reporting data under the Fair Credit Reporting Act, (note: this exemption covers nonprofits exclusively focused on identifying and preventing insurance crime).
• Personal data collected, processed or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony or stalking.
• Patient-identifying information covered by U.S. Code 42 Section 290dd-2 (Public health and welfare – Confidentiality of records).
• Identifiable private information when used under federal regulations for the protection of human subjects in medical and scientific research (45 CFR 46, 21 CFR 50, and 21 CFR 56).
• Patient safety work product created and used to improve patient safety under the Patient Safety and Improvement Act.
• Personal data used in compliance with the Driver’s Privacy Protection Act, Farm Credit Act, Family Educational and Privacy Rights or Airline Deregulation Act.

Additionally, controllers and processors that comply with the verifiable parental consent requirements of Children’s Online Privacy Protection Act (COPPA) will be deemed compliant with obligations under Delaware privacy law to obtain parental consent concerning a consumer who is a child.

Delaware Privacy Law compliance obligations for controllers

Delaware’s privacy law defines a ‘controller’ as “a person that, alone or jointly with others, determines the purpose and means of processing personal data” and requires a controller to:

• Limit collection of personal data to what is “adequate, relevant and reasonably necessary” to the purposes disclosed to the consumer. Any other processing of personal data, including sensitive personal information, must be consented to by the consumer first, or in the case of a known child, consent must be obtained from their parent or guardian.
• Not process for the purposes of targeted advertising or sell the personal data of a young consumer aged between 13 and under 18 years old without their consent.
• Not process personal data in violation of Delaware state laws or federal laws prohibiting unlawful discrimination.
• Protect personal data with reasonable data security practices appropriate to the volume and nature of the personal data at issue.
• Provide an effective and easy-to-use mechanism for a consumer to revoke previously given consent and stop processing the data within 15 days. The mechanism for a consumer to revoke consent must be at least as easy as the consent mechanism they used previously.
• Not discriminate against a consumer for exercising their consumer privacy rights.
• Respond to a consumer’s request to exercise their consumer privacy rights within 45 days.
  The information given to the consumer in response shall be provided free of charge to the consumer – but controllers only need to make it free once per consumer in 12 months. A controller can charge a reasonable fee to cover administrative costs for excessive, repetitive or unfounded requests – or reject such requests – but the burden of proof is on the controller. Consumers may appeal.
  A controller may also extend the response period by another 45 days “when reasonably necessary, considering the complexity and number of the consumer’s requests” only if they notify the consumer about the need for this extension within the first 45-day response period. Consumers may appeal rejected requests and in turn controllers must respond to appeals within 60 days.
• Provide a clear and conspicuous link on the controller’s website to a webpage where a consumer (or their agent) can opt out of having their personal data sold or used for targeted advertising.
  Remember: universal opt-out signals must be acted on from January 1, 2026.
• Provide a privacy notice that is reasonably accessible, clear and meaningful that includes:
  • Categories of personal data processed
  • Categories of personal data shared with third parties (if any) and the categories of third parties with which the controller shares personal data
  • Purpose for processing personal information
  • Information on how consumers may exercise their consumer privacy rights, including how they can appeal a controller’s decision about a data rights request
  • One or more secure and reliable means for consumers to submit a request to exercise their consumer privacy rights, which takes into account the ways consumers normally interact with the controller; and
  • Online mechanism or active email address consumers can use to contact the controller.

Delaware Privacy Law compliance requirements for processors

Any processor engaged by a controller to process Delawareans’ personal information is required to enter a binding written contract governing the processor’s activities on behalf of the controller. The contract must set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.

Data Protection Assessments

If a controller controls or processes the personal data of more than 100,000 Delaware consumers – excluding data that is only controlled or processed for payment transactions – they are also obliged to conduct and document a regular data protection assessment for each processing activity considered a heightened risk of harm to the consumer.

Data protection assessments must be performed for personal data that is intended to be sold or for processing for targeted advertising or profiling. Each assessment must consider the benefits of a processing activity versus the risk of harm to the consumer.

Enforcement for violations of the Delaware Personal Data Privacy Act

The Delaware Department of Justice (DDoJ) has exclusive authority to investigate and prosecute violations of the Act.

Delawareans do not have a private right of action.

Up until December 31, 2025, if the DDoJ issues a notice of violation it must give the accused party up to 60 days to cure the violation if it determines the violation is curable. Then from January 1, 2026, the DDoJ may choose to offer a cure period at its discretion.

The DDoJ can initiate court actions to pursue orders against any controller or processor found to have wilfully violated the Delaware Personal Data Privacy Act, with civil penalties of $10,000 for each deliberate violation.

TrustArc resources for compliance with U.S. State Privacy Laws

TrustArc offers several resources to help organizations keep up to date with existing and emerging state privacy laws in the U.S, including:

After many years of consumer data privacy advocacy campaigns, including by several senators, Oregon joined the growing list of U.S. states to introduce comprehensive consumer data rights and protections when Oregon Governor Tina Kotek signed into law the Oregon Consumer Privacy Act (OCPA) on July 18, 2023.

Most of its provisions are like those introduced in other states in recent years, though Oregon has joined California by not broadly exempting all organizations considered financial institutions under the U.S. federal Gramm-Leach-Bliley Act.

Oregon Privacy Law effective dates

For-profit organizations must comply with OCPA rules by July 1, 2024, while non-profit organizations must comply a year later, on July 1, 2025. All covered entities must also honor consumers’ opt-out preferences signaled via their browsers from January 1, 2026.

Key dates: Oregon Consumer Privacy Act

• June 2019 – Attorney General Rosenblum forms the Oregon Consumer Privacy Task Force, to address “the growing call for legislation that would give consumers more control over their online privacy and require businesses to adhere to basic standards when handling personal information”. The task force includes more than 150 participants, many from privacy and consumer rights advocacy backgrounds.
• Mid-2020 – in response to concerns about COVID-19 contact tracing, a subcommittee of the Oregon Consumer Privacy Task Force develops rules about the handling of personal health data during the COVID crisis.
• April 28, 2021 – Oregon House of Representatives passes a contract tracing privacy bill (HB 3284) to protect personal health data related to COVID-19. The bill does not apply to healthcare providers, the Oregon Health Authority, or public health agencies, who are already covered by separate health information privacy laws.
• November 14, 2022 – AG Rosenblum announces a $391.5 million consumer privacy settlement with Google over its location tracking practices. The settlement was led by AG Rosenblum and Nebraska AG Doug Peterson and involved Attorneys General from 38 other states.
• January 9, 2023 – Oregon Senate Bill 619 (titled ‘OCPA’) is introduced for a first reading, followed by public hearings in March.
• June 20, 2023 – Oregon Senate votes 23-2 to pass the text of the Oregon Consumer Privacy Act, referring it to the House of Representatives for a vote.
• June 22, 2023 – Oregon House of Representatives votes unanimously (54 in favor) to pass OCPA. “Passage of the bill by such wide margins demonstrates broad bipartisan support for greater privacy protections, and sends the bill to the Governor for signing,” says AG Rosenblum in a media release. “The Oregon Consumer Privacy Act defines personal and biometric data broadly, protects consumer data rights holistically, and holds companies that have access to our data to high standards. This is a huge win for Oregonians and sets a high-water mark for consumer data privacy nationwide.”
• July 18, 2023 – Oregon Governor Tina Kotek signs the Oregon Consumer Privacy Act into law.
• July 1, 2024 – for-profit organizations must comply with data privacy rules under OCPA.
• July 1, 2025 – non-profit organizations must comply with OCPA rules.
• January 1, 2026 – covered entities must recognize and honor consumers’ opt-out preference signals from their browsers.

Consumer rights under Oregon’s Data Privacy Law

The Oregon Consumer Privacy Act covers any consumer who is “a natural person who resides in this state and acts in any capacity other than in a commercial or employment context”.

The Act gives consumers rights over their personal data, which is defined in Section 1(13)(a) as meaning “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household”.

The definition excludes ‘de-identified data’ which “cannot reasonably be used to infer information about or be linked to a consumer” (or their device/s), as well as other data that is legally in the public domain, data available lawfully through government records at all levels, and widely distributed media.

Note: the exclusion for deidentified data also includes anonymized patient information subject to the Health Insurance Portability and Accountability Act (HIPPA) and the Federal Policy for the Protection of Human Subjects.

Consumers in Oregon now have the following personal data privacy and protection rights:

1. Right of confirmation (Right to know) from a controller confirming whether the controller is processing (or has processed) their personal data, along with the categories of personal data. Consumers can also request (“at the controller’s option”) a list of specific third parties, other than natural persons, that have been given the consumer’s personal data or any personal data.
2. Right to data portability as part of their right to know. When a consumer requests a copy of all their personal data held by a controller for processing the controller must give them a copy of their personal data in a “readily usable format that allows the consumer to transmit the personal data to another person without hindrance”.
3. Right to correct inaccuracies in records of their personal data held by a controller. The text says this requirement must consider the nature of the personal data and the controller’s purpose for processing the data.
4. Right to delete their personal data held by a controller, including data the controller was given by the consumer or personal data collected from another source and any derived data (records created by collecting and analyzing existing raw data, such as observational data).
5. Right to opt-out from a controller’s processing of their personal data when the purposes of processing are selling the personal data, or using insights for targeted advertising or profiling. The text frames ‘profiling’ as the processing of data “in furtherance of decisions that produce legal effects or effects of similar significance”.
6. Right not to have sensitive personal data processed without consent – or if the controller knows the consumer is a child (under 13 years of age). Children under the age of 13 also have their sensitive personal data protected by the Children’s Online Privacy Protection Act of 1998. Older children between 13 and 15 years of age are protected under OCPA – when the controller knows their age – from having their personal data processed for the purposes of targeted advertising, profiling or sale.
   Sensitive data is defined in the OCPA text as personal data that “reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status”. The definition also covers geolocation data that could be used to accurately identify the present or past location of a consumer or their device within a 1,750 feet radius; or genetic or biometric data.
7. Right not to be discriminated against for exercising OCPA consumer rights. Prohibited discrimination activities listed in the Act include: “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer”.

Coming in 2026: Opt-out preference signals must be honored

Consumers who want to exercise these rights will mainly need to submit requests to each controller individually, which can be time consuming. Parents and legal guardians can exercise these rights on behalf of their child/ren under the age of 13.

However, from January 1, 2026, the right to opt out will be easier for Oregon consumers, as from that date organizations must recognize and honor opt-out preferences sent via a universal opt-out signal.

The Oregon Consumer Privacy Act rules for opt-out signals state:

• “A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer ’s behalf to opt out of the processing of the consumer’s personal data.”
• “The consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer ’s intent to opt out of the processing.”

By the time enforcement of this right begins there may be other methods alongside Global Privacy Control (GPC) for consumers to signal universal opt-out preferences.

Does the Oregon Consumer Privacy Act apply to your organization?

The OCPA applies to any person and organization that:

• Conducts business in Oregon; or
• Provides products and/or services to residents of Oregon;

AND

During a calendar year controls or processes the personal data of either:

• 100,000 or more consumers (excluding data controlled or processed solely for payment transactions; or
• 25,000 or more consumers if the person or organization derives 25% or more of their annual gross revenue from selling personal data.

Note: Most nonprofit organizations operating in Oregon or serving Oregon’s citizens must comply with OCPA rules after July 1, 2025, if they meet the thresholds above. There are a few exemptions – see below.

Organizations exempt from OCPA provisions

• Public corporations, including the Oregon Health and Science University and the Oregon State Bar.
• Some financial institutions – Unlike most other U.S. States that have introduced comprehensive consumer privacy laws – but like California – Oregon has a narrower exemption for financial institutions, which does not cover all organizations considered financial institutions under the U.S. federal Gramm-Leach-Bliley Act. Financial institutions defined in Oregon Revised Statute 706.008 are exempt, which mainly covers insured financial institutions, ‘extranational’ institutions (banks organized under the laws of a country other than the United States) and most types of credit unions. It also covers their affiliates or subsidiaries directly engaged in financial activities.
• Insurers and insurance consultants.
• Nonprofit organizations are established to detect and prevent insurance fraud.
• Non-commercial activity of media organizations – publications in general circulation and FCC-licensed radio and TV stations – and their employees (e.g. editors, publishers, reporters).

Data exempted from OCPA rules

• Protected health information processed or documented by a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), including information used only for public health activities; and data protected under the Federal Policy for the Protection of Human Subjects.
• Employment and business relationship information about a person, when the personal information is solely processed or maintained for enabling employment or business relationships, such as employment applications, contracts with a business, receipts of benefits from an employer, business ownership or directorship.
• Credit reporting data covered by the Fair Credit Reporting Act.
• Data provided to comply with requests from federal, state or local law enforcement and legal authorities.

Compliance with Oregon Data Privacy Law

The Oregon Consumer Privacy Act requires controllers and processors to meet several shared obligations towards consumers’ personal information, including:

• Responding within 45 days to consumers’ privacy requests to exercise their rights under OCPA.
• Protecting consumers’ personal information with appropriate security measures to ensure confidentiality and integrity, and only allow access by authorized people for acceptable purposes.
• Conducting and documenting data protection assessments for processing activities that present a heightened risk of harm to a consumer, such as processing sensitive data or selling personal data. Documents of these assessments must be kept for at least five years.

A processor must enter a contract with a controller to follow the controller’s instructions on the processing of personal information and to assist the controller in meeting its OCPA compliance requirements.

Controllers are also required under OCPA to provide a reasonably accessible, clear and easy-to-understand Privacy Notice that describes:

• Categories of personal information it processes, including sensitive data;
• Express purposes for which the controller is collecting and processing personal information;
• Consumers’ privacy rights and how they can exercise those privacy rights, including descriptions of the method/s for submitting requests;
• Method (via conspicuous link) a consumer can exercise their right to opt-out from having their personal data processed for sale, targeted advertising or profiling;
• The appeal process if the controller refuses to act on a request;
• All categories of third parties with which the controller shares personal data, with enough detail that a consumer can understand the type of entity for each third party, and how each third party may process personal data;

From July 1, 2026, controllers must also include information in their privacy notices about universal opt-out signal methods, such as a Global Privacy Control signal.

Penalties for non-compliance with OCPA

The Oregon Attorney General has the exclusive authority to enforce OCPA compliance and can serve investigative demands on people and organizations it determines are in violation of the Act.

The AG can begin these investigations for violations up to five years after the date of the last alleged violation.

Controllers served with notices of alleged violations will be allowed a 30-day cure period during the first two years of the Act being in effect (from July 1, 2024, if they are for profit; or July 1, 2025, if they are nonprofit).

Note: The cure period is due to expire on January 1, 2026.

If a controller fails to cure a violation within 30 days, the Attorney General can then bring an action seeking a civil penalty of up to $7,500 per violation.

TrustArc U.S. State data privacy resources

TrustArc is committed to helping organizations understand and manage their compliance obligations for all existing and emerging U.S. state privacy laws.

Washington’s My Health My Data Act was signed into law on April 27, 2023, by Governor Jay Inslee.

The Act is designed to deliver stronger protections of personal information in health data and close a gap for health data not covered by HIPAA.

The effective dates for the Act are based on the size of an organization:

• March 31, 2024 – large businesses
• June 30, 2024 – small businesses (see below for more information on the thresholds for organizations to be defined as ‘small businesses’)

As the Act includes broad definitions for ‘consumer,’ ‘regulated entity,’ and ‘consumer health data,’ its impact will expand well beyond Washington State.

Which Organizations Are Covered by the Washington My Health My Data Act?

Some of the definitions in the Act are so broad they could cover a wide range of organizations well beyond the traditional healthcare sector.

The text specifically calls out organizations that aren’t already covered entities or business associates under HIPAA in Section 2, noting that while “Washingtonians expect their health data to be protected by privacy laws such as HIPAA,” the legislature in the State has deemed some personal health information isn’t adequately protected due to HIPAA’s definitions of health data and covered entities:

“However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.”

Arguably, the Washington My Health My Data Act is effectively a wide-reaching data privacy act in all but name, as the very next section in the text – Section 3(23) – broadly defines a “Regulated entity” as any legal entity that:

• (a) Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
• (b) Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

By the definitions above, some small businesses are defined as ‘regulated entities’ if they collect, process, sell or share consumer health data. The thresholds allowing them to be defined as ‘small businesses’ are determined by the number of consumers they deal with:

• less than 100,000 consumers’ personal health information collected, processed, sold or shared in a calendar year; or
• less than 25,000 consumers’ personal health information controlled, processed, sold or shared – and the organization derives less than 50 per cent of its gross revenue from collecting, processing, selling or sharing consumer health information.

Which Organizations Are Excluded?

The exclusions are outlined in Sec 3 (23, b): “Regulated entity” does not mean government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.

Although it is clear the intent of Washington’s My Health My Data Act is to target “certain apps and websites”, it is not clear which other kinds of organizations might be in scope further along the data collection chain.

The text contains multiple mentions of “affiliates, processors, contractors and third parties with whom the regulated entity or the small business has shared consumer health data”, which suggests organizations processing consumer health data at any stage could be in scope. But this could also cover the Washington presences of cloud hosting providers like Amazon and Microsoft, which deliver online services on behalf of a huge range of health-related websites, apps and devices. It could also cover a big range of other technology vendors with a Washington presence.

Therefore, we strongly recommend your organization gets advice on how the Act might apply to your data management activities.

Commentary: My Health My Data Could Trigger Waves of Litigation

TrustArc lawyer Andrew Scott notes Washington’s My Health My Data Act has profound implications for organizations of all sizes, particularly those that have not had to comply with HIPAA:

• Do not assume the Act does not apply to your organization – “In an effort to protect non-HIPAA-covered consumer health data (such as data from popular apps and wearable devices) and reproductive health care data, the law will impact a very wide range of companies and consumers within and outside Washington State – consumers in any State or even in the EU could have rights under the Act.”
• The definition of ‘consumer health data’ is very broad – “Consumer health data under the Act is personal information that identifies the consumer’s past, present, or future physical or mental health status – and though it excludes data collected by HIPAA, it includes 13 non-exhaustive categories of health and health-related data, with specific callouts for cookies, IP addresses, device IDs and other types of unique identifiers. It is much more than a health law: it’s arguably more sweeping and prescriptive, which makes it the most consequential State law since CCPA.”
• Get compliance and legal advice well before the Act takes effect – “A Private Right of Action is provided by Washington’s Consumer Protection Act for any violation of the My Health My Data Act. This makes it scope much broader than CCPA, which only provides a Private Right of Action for individuals after a data breach. The people of Washington see privacy as a fundamental right – and unlike some other State laws, My Health My Data is very plaintiff friendly.”

Washington’s My Health My Data Act was signed into law on April 27, 2023, by Governor Jay Inslee and comes into effect on two key dates:

• March 31, 2024 – large businesses
• June 30, 2024 – small businesses

The Act requires all organizations defined as a ‘Regulated Entity’ to meet extensive obligations including a new privacy notice and processes for managing consumer consent (opt-in).

Consumer Health Data Privacy Notice

A major obligation under Washington’s My Health My Data law is for organizations to update their privacy policies and notices before the Act comes into effect. A separate Consumer Health Data Privacy Notice must be published by the effective dates of the Act (above).

The text of the Act does not give much guidance on how organizations should manage a distinct Consumer Health Privacy Policy, though the Consumer Health Data Privacy Notice must be separate from the standard Privacy Notice and a link clearly and prominently displayed on an organization’s website homepage.

This new privacy notice must state:

• categories of consumer health data collected – and the purposes for collection;
• categories of consumer health data shared – and the purposes for sharing, accompanied by a list of third parties and affiliates with whom the regulated
• entity shares consumer health data;
• data sources from which consumer health data is collected – categorized extensively, including by type and location; and
• information on how consumers can exercise their privacy rights – including legal requirements for organizations to get their opt-in consent for collection, sharing and/or sale of their consumer health data outside what is strictly necessary to deliver a product or service (and act on withdrawal of consent); and the right to know, access, correct or delete their personal health information.

Addressing Consumer Requests

Regulated entities must comply with consumer requests to exercise any or all of their privacy rights. The only delay accepted is when a consumer requests deletion of their health data stored in a backup system, and the delay must not exceed six months from the date of the request’s authentication.

TrustArc Lawyer, Andrew Scott, warns the right to delete is all-encompassing:

“We should interpret the right to deletion is absolute and an organization must delete the data even if they would violate tax reporting obligations (for example) and except for security. The right to delete covers all copies of data stored in backups, archives and third parties – there is no common exception to comply with consumers’ right to delete beyond a normal basis. Organizations will be required to make modifications to compliance programs and decide which law will be violated.”

Consumer Health Data Opt-In Consents for Collection and Sharing

Regulated entities must get separate opt-in consents from consumers before collecting or sharing any consumer health data for any purpose not directly related to providing a product or service requested by a consumer – these consents must be separate.

Organizations are allowed to collect and share some consumer health data without consent, but only what is strictly necessary to deliver a service or product – not any extra data for other purposes.

The My Health My Data Act text in Sec 2 (27 a) defines “share or sharing” as meaning: “to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or a small business to a third party or affiliate.”

Exclusions apply for some sharing of consumer health data:

• disclosure to a processor when the data shared is necessary to provide the goods or services requested by the consumer, in a manner consistent with the purpose of collecting the data that was disclosed to the consumer;
• disclosure to a third party with whom the consumer has a direct relationship – and only when:
  (a) the consumer health data disclosed is for purposes of providing the product or service requested by the consumer;
  (b) the regulated entity/small business maintains control and ownership of the consumer health data; and
  (c) the third party uses the consumer health data only at the direction of the regulated entity/small business and consistent with the purpose for which the data was collected and consented to by the consumer;
• disclosure or transfer of personal data to a third party as an asset in a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity’s/small business’s assets and complies with the requirements and obligations for consumer health data in the Act.

Valid Authorization to Sell Consumer Health Data

Regulated entities must also get a more detailed form of consent – valid authorization – before selling (or making available for sale) any consumer health data.

A valid authorization must include:

• details of the consumer health data intended for sale;
• consumer’s signature (authorizing the sale);
• date the consumer authorized the sale – and a one-year expiration date; and
• contact information for each of the organization/s or person/s collecting, selling or buying the consumer health data.

The My Health My Data Act text in Sec 2 (26 a) defines “sell or sale” as meaning: “the exchange of consumer health data for monetary or other valuable consideration”.

Exclusions apply for consumer health data sold to:

• a third party as an asset in a merger, acquisition, bankruptcy or other transaction (and the same requirements and obligations for third parties as those for shared data in such cases); or
• a processor when the exchange is consistent with the purpose for which the data was collected and consented to by the consumer.

Binding Contracts with Service Providers

Regulated entities under the Act must enter binding contracts with any service providers, which must include:

• instructions for how a provider can process consumer health data consistent with the contract;
• limits on what actions a provider may take with the consumer health data; and
• a requirement for the processor to help fulfill the regulated entity’s obligations under the Act.

Note: Sec 8 (1 c) warns that if a service provider fails to correctly follow a regulated entity’s instructions in their contract, or processes data in a manner outside the scope of their contract, the service provider will be considered a regulated entity/small business under the Act and subject to the same obligations.

Prohibits on The Use of Geofences

The Act states in Sec 10: “It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to:

• identify or track consumers seeking health care services;
• collect consumer health data from consumers; or
• send notifications, messages, or advertisements to consumers.”

Data Security Measures

The Act requires regulated entities to “preserve the integrity or security of systems” and “protect against or respond to security incidents, identify theft, fraud, harassment, malicious or deceptive activities,” or any illegal activity under Washington state of federal law.

Data security policies, practices, and processes must be established and maintained to restrict access to consumer health data so it can only be used by employees, processors, or contractors for intended and declared purposes which the consumer has requested and consented to – or for purposes strictly necessary to provide a requested service or product.

My Health My Data Act (Sec 7 (1 b) states data security must “at a minimum, satisfy reasonable standard of care within the regulated entity’s/small business’s industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.”

Washington State has enacted wide reaching privacy rules in its My Health, My Data Act (House Bill 1155), signed into law on April 27, 2023, by Governor Jay Inslee.

Most of the rules described in the Act will be effective in 2024, though applied at different times for covered entities:

• March 31, 2024 – large businesses; and
• June 30, 2024 – small-to-medium businesses.

The Act was explicitly introduced to give Washingtonians greater protections of their personal health information and more control over personal data usage than those provided by the federal Health Insurance Portability and Accountability Act (HIPAA).

It’s also widely known that the My Health, My Data Act was an implicit and rapid response to the Supreme Court decision on June 24, 2022, in Dobbs v. Jackson Women’s Health Organization. The Dobbs decision removed the federal right for US citizens to access abortions and other reproductive services by overturning Roe v. Wade (1973) and Planned Parenthood v. Casey (1992).

By design, My Health, My Data protects Washingtonians’ confidentiality when making decisions about their health and accessing healthcare services. It also offers protections for people who seek access to healthcare services for reproductive and gender-affirming care at clinics in Washington.

My Health, My Data: Summary of Consumer Privacy Rights

Washingtonians’ privacy rights were asserted in a new section (Sec. 2) to the text of House Bill 1155 (My Health, My Data), when it was sent for vote by the legislature in April 2023:

• The people of Washington regard their privacy as a fundamental right and an essential element of their individual freedom
• Washington’s Constitution explicitly provides the right to privacy
• Information related to an individual’s health conditions or attempts to obtain healthcare services is among the most personal and sensitive categories of data collected.

Health information privacy rights were spelled out in a new section (Sec. 3), which sets out the intent of the Act to “provide heightened protections for Washingtonian’s health data”:

• Right to opt-in or withdraw consent and right to know – “requiring additional disclosures and consumer consent regarding the collection, sharing, and use of such information”
• Right to delete – “empowering consumers with the right to have their health data deleted”
• Right to opt-out of sale – “prohibiting the selling of consumer health data without valid authorization signed by the consumer”
• Right not to be located or identified/tracked at a location – “making it unlawful to utilize a geofence around a facility that provides health care services”; and in Sec 10: “It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services”.

These privacy rights are further strengthened in other sections which describe similar rights to those spelled out in the California Consumer Privacy Act (CCPA), including:

• Right not to be discriminated against/non-retaliation – “A regulated entity or a small business may not unlawfully discriminate against a consumer for exercising any rights included in this chapter” (Sec. 5 1d)
• Right of private action – consumers along with the Attorney General can initiate enforcement actions for any violation deemed an unfair or deceptive act in trade or commerce. The My Health, My Data Act adds to the huge list of activities enforced under Washington’s Unfair Business Practices–Consumer Protection laws, with health data violations overseen by a joint committee (detailed in Sec. 13 of My Health, My Data text).

Whose personal health information is covered by the Act?

The definition of a “Consumer” in Washington’s My Health, My Data Act is very broad. A new section (Sec. 3. (7)) in the text states “Consumer” means:

• (a) a natural person who is a Washington resident; or
• (b) a natural person whose consumer health data is collected in Washington. “Consumer” means a natural person who acts only in an individual or household context, however identified, including by any unique identifier.

The one exclusion noted is: Consumer does not include an individual acting in an employment context.

So, while the overall stated intention of the Act is to “provide heightened protections for Washingtonian’s health data,” it could potentially also cover people living elsewhere if their personal health information is collected at any point by any organization in Washington.

What Personal Information is Covered by the Act’s Definition of Consumer Health Data?

The authors of the My Health, My Data text have seemingly aimed to cover as many data categories as possible under the Act.

An incredibly broad definition appears in Section 3, (8)(a): “Consumer Health Data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.

This definition is followed in Section 3, (8)(b) by a long list of 13 examples of how consumers’ physical or mental health statuses could be identified, several of which are further defined elsewhere in the text.

But the list is not exhaustive – the authors have included a strong qualifier that it is not limited by these examples.

The main categories of data considered to be health data are:

• Data collected through health assessments – (i) individual health conditions, treatment, diseases, or diagnosis; (v) bodily functions, vital signs, symptoms, or measurements of information described in the list; (vi) diagnoses or diagnostic testing, treatment, or medication; (xii) data that identifies a consumer seeking health care services
• Data collected during management of health concerns – (iii) health-related surgeries or procedures; (ii) social, psychological, behavioral, and medical interventions; (iv) use or purchase of prescribed medication; (xii) data that identifies a consumer seeking health care services Data collected at any stage of gender-affirmation – (iii) health-related surgeries or procedures; (vii) gender-affirming care information; (xi) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; (xii) data that identifies a consumer seeking health care services; (xiii) any data derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)
• Data related to reproductive and sexual health (including information related to abortion) – (iii) health-related surgeries or procedures; (viii) reproductive or sexual health information; (xi) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; (xiii) any data derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)
• Data collected that contains unique biological identifiers such as genetic data (x) and biometric data (ix) – biometric data is further defined in Sec. 3 (4) as data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Among common biometrics such as iris/retina, fingerprint and face imagery the definition also includes measures of movement that contain identifying information, such as human interaction with computer systems (keystroke patterns or rhythms) and walking (gait patterns or rhythms)
• Data collected about activities related to health – this definition may raise some major concerns as it mentions user experience tracking data: (xiii) any data derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

Exceptions for health information under HIPAA and other laws

The main exceptions are for health data covered by other laws. Section 3 (c) notes “Consumer health data” does not include:

• Protected health information that is subject to HIPAA
• Personal health information used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest (provided it meets other ethics, privacy and government oversight laws)
• Clinical trial information (provided it meets all applicable laws for clinical trials).