The last 30 days in privacy have been critical, with many states making movement, added clarity on laws that have passed, and a new health law that could affect your business. In the last few weeks, we have seen rulemaking released by the CPPA and for the Colorado Privacy Act, Iowa passed a law, Washington passed a health-specific data act, and now Indiana has joined the list of states that have gotten a comprehensive bill through the state legislature.
Join us tomorrow, April 20th, for a webinar covering the topics below.
Let’s break down the new developments by territory.
California
- The CPPA provided updates to CPRA at the end of March.
- While it doesn’t provide complete clarity, it’s a step towards finalizing all rulemaking by later this year.
Colorado
- The recently released rulemaking underscored the emphasis on consent, DPAs, and privacy notices.
- The CPA has broader ramifications for business, even if compliant with CPRA and Virginia, due to the emphasis on assessments and the absolute requirement to update policies.
Iowa
- Data minimization, an opt-out option rather than opt-in mechanism, and non-discrimination are the crucial elements of Iowa’s new law.
- As of now, there is no private right of action, but there is a 90-day cure period for notices from the AG starting January 1, 2025.
Indiana
- Indiana joins the list of states passing their own omnibus privacy law.
- This bill is business-friendly, doesn’t outline a sunset in the 30-day cure period, and does not require a universal opt-out. Additionally, sale is more clearly defined.
- Although this is the latest to pass, assuming Governor Holcomb signs despite pressure from Consumer Reports to veto the bill, the law wouldn’t affect businesses until January 1, 2026.
Washington
- The My Health My Data Act (HB 1155) was approved by the Washington legislature on April 17th. Washington Governor Jay Inslee can now sign, veto, or allow the bill to become law without signature.
- Unlike the Washington Privacy Act, which has failed due to the inclusion of a private right of action, MHMD passed with that element and has widespread applicability with a broad definition of “consumer health data.”
- Companies must get consent for the collection, sharing, and selling of consumer health data.
- Consumers will have the right to access their data, withdraw consent, delete their information, and receive a list of entities with which their data has been shared.
- Companies will have to update privacy policies to include a “consumer health data privacy policy” with adequate disclosures.
- Many of the MHMD’s data privacy rules will take effect for regulated companies on March 31, 2024. Provisions will take effect for small enterprises on June 30, 2024.
On the Horizon
There’s a running list of additional states with proposed bills likely to pass that would go into effect sooner than Indiana, including:
- Texas (March 1, 2024)
- Washington (March 31, 2024)
- Montana (October 1, 2024)
- New Hampshire (January 1, 2025)
- Tennessee (July 1, 2025)
Montana’s third reading passed 96-0 on April 17th and returned to the Senate for final concurrence, which we anticipate will be successful. Tennessee is anticipated to pass soon, but the bill vote has been delayed until this Thursday, April 20th.
Join us for our webinar tomorrow, April 20th, to hear about these updates in more detail and a recap of the highly attended 2023 IAPP Summit.