On June 22, Nevada Governor Joe Lombardo signed SB 370 (“SB 370” or the “Act”), a privacy law concerning consumer health data that closely resembles Washington State’s "My Health, My Data" (“MHMD”) Act. The Nevada law will go into effect on March 31, 2024, and while the bills are very similar, there are some key distinctions worth noting and some important takeaways that businesses should keep in mind heading into 2024.
SB 370 applies to any entity that conducts business in Nevada or produces or provides products or services targeted to consumers in Nevada and, alone or with another, determines the purpose and means of processing, sharing, or selling consumer health data. Like MHMD, there is no threshold for the number of users. All entities doing business in or directed at Nevadans are subject to the law, no matter how small they are.
SB 370 does, however, have some data-based exemptions, including data regulated by the federal Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Administrative Simplification provisions of the Social Security Act, Family Educational Rights and Privacy Act, and Health Care Quality Improvement Act. Additionally, there are exemptions for specific data collected for clinical research, deidentified data, and Personal Health Information (“PHI”) governed by HIPAA. In addition, the Act has several entity-based exemptions, which are discussed below.
SB 370 regulates “consumer health data” (defined below), which includes information relating to:
- Any health condition or status, disease, or diagnosis
- Social, psychological, behavioral, or medical interventions
- Surgeries or other health-related procedures
- The use or acquisition of medication
- Bodily functions, vital signs or symptoms
- Reproductive or sexual health care
- Gender-affirming care
- Biometric data or genetic data related to the information listed above
- Information related to the precise geolocation information of a consumer that a regulated entity uses to indicate an attempt by a consumer to receive health care services or products; and
- any information that is derived or extrapolated from information that is not consumer health data, including, without limitation, proxy, derivative, inferred, or emergent data derived through an algorithm, machine learning, or any other means.
Obligations for Regulated Entities
SB 370 introduces the following obligations for regulated entities:
- Categories of consumer health data being collected
- The manner in which the consumer health data will be used
- Categories of sources from which consumer health data is collected
- Categories of consumer health data that are shared
- Categories of third parties and affiliates with whom consumer health data is shared
- Purposes of collecting, using, and sharing consumer health data
- The manner in which consumer health data will be processed
- Procedures for submitting a request to exercise consumer rights regarding consumer health data (see below)
- The process for a consumer to review and request changes to any of their consumer health data that is collected by the regulated entity
- Whether a third party may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity
- Consent Requirements: A regulated entity shall not collect consumer health data except with the affirmative, voluntary consent of the consumer or to the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity. Any consent must be obtained before the collection or sharing of consumer health data. Requests for consent must clearly and conspicuously disclose: (a) The categories of consumer health data to be collected or shared; (b) The purpose for collecting or sharing the consumer health data, including the manner in which the consumer health data will be used; (c) If the consumer health data will be shared, the categories of persons and entities with whom the consumer health data will be shared; and (d) The manner in which the consumer may withdraw consent for the collection or sharing of consumer health data relating to the consumer and request that the regulated entity cease such collection or sharing.
- Access Restrictions: Regulated entities must limit access to employees and processors for which access is necessary and establish, implement, and maintain policies and procedures to protect the security of consumer health data.
- Data Processing Agreements: A processor who processes consumer health data on behalf of a regulated entity may only process such data in accordance with a written contract between the processor and the regulated entity. This contract must set forth the applicable processing instructions and the specific actions the processor is authorized to take concerning consumer health data.
- Authorizations Prior to Consumer Health Data Sales: Regulated entities are prohibited from selling or offering to sell consumer health data without first obtaining authorization from the consumer. Authorizations must:
- Be written in plain language
- Specify the name and contact information of the person selling and the person purchasing the consumer health data
- Contain a description of the specific consumer health data that the person intends to sell
- Incorporate a description of the purpose of the sale, including the manner in which the consumer health data will be used
- State that the provision of goods or services may not be conditioned on the consumer’s authorization
- State that the consumer health data sold may be subject to redisclosure by the buyer and may no longer be protected by the Act
- State that the consumer may revoke the written authorization at any time
- Include the date on which authorization expires
- Be signed by the consumer
- Geofencing Restrictions: SB 370 prohibits a person from implementing a geofence within 1,750 feet of any medical facility, facility for the dependent, or any other person or entity that provides in-person health care services or products for the purpose of: (a) Identifying or tracking consumers seeking in-person health care services or products; (b) Collecting consumer health data; or (c) Sending notifications, messages or advertisements to consumers related to their consumer health data or health care services or product. SB 370 defines “geofencing” as technology that “uses coordinates for global positioning, connectivity to cellular towers, cellular data, radio frequency identification, wireless Internet data” or any other form of detection to “establish a virtual boundary with a radius of 1,750 feet or less around a specific physical location.” Interestingly, Nevada’s radius is 250 feet less than MHMD’s geofencing boundary.
Like other state privacy laws and MHMD, SB 370 establishes new privacy rights for consumers regarding their health data. The following are included rights:
- Confirm whether the regulated entity is collecting, sharing, or selling the consumer’s health data
- Provide the consumer with a list of all third parties with whom the regulated entity has shared or to whom the regulated entity has sold consumer health data relating to the consumer
- Cease collecting or sharing consumer health data relating to the consumer
- Delete consumer health data concerning the consumer
Notable Differences Between Washington’s MHMD & Nevada’s SB 370
(1) Entity Exemptions: SB 370’s entity exemptions are more expansive than those of MHMD. MHMD’s only entity-level exemptions are for government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency. SB 370 includes these exemptions and adds exemptions for financial institutions subject to the Gramm-Leach Bliley Act, entities subject to HIPAA, certain Nevada-licensed gaming entities, including casinos, and law enforcement agencies or contractors of law enforcement agencies.
(2) Consumer Health Data Definition: MHMD's definition of consumer health data focuses on a more personal approach, applying to personal information that "identifies" a consumer's health status, even if a regulated entity does not use that data to identify anything about a consumer's health. SB 370, on the other hand, is tailored to narrow business use, applying to personally "identifiable" information linked to a consumer and used by a regulated entity to identify the consumer's health status. Notably, SB 370's consumer health data definition expressly excludes information used to enable a consumer's videogame play or identify a consumer's shopping habits or interests, so long as such shopping data is not used to identify something about a consumer's health. The exclusion of shopping habits was part of a recent amendment to the bill before Nevada's legislature passed it. Neither of these specific exemptions are included in MHMD.
(3) No private right of action. Unlike MHMD, SB 370 does not include a private right of action. The Nevada Attorney General will enforce the law.
Nearly all entities of any size that do business in or directed at Nevada or Washington will be in dramatic new consumer health data privacy requirements in 2024. Unless a company is an explicitly exempted entity (like a casino), it should thoroughly review its data handling practices, privacy policies, consent requirements, data selling and sharing practices, and corporate policies. While the Nevada law does not include a private right of action, it signals an intense focus on the privacy of consumer health data and the appetite of regulators to significantly curtail the ability of entities to advertise to segments based on consumer health data. Companies that do any business in the health or wellness space should expect to undertake a significant overhaul of their privacy practices.