A kinder, gentler consumer health data bill: Nevada’s SB 370

On June 16, 2023, Nevada Governor Joe Lombardo signed SB 370 into law. This new law is a consumer health data bill that is similar in many ways to Washington’s My Health My Data Act (MHMDA). SB 370, like most provisions of the MHMDA, will come into force on March 31, 2024.  Also like the MHMDA, SB 370 provides specific rights for consumers whose “consumer health data” is collected or processed by regulated entities, defined as “any person who

1. conducts business in this State or produces or provides products or services that are targeted to consumers in this State; and
2. alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.”^[1]

However, the bill differs from the MHMDA in some important ways, making it more business-friendly than its Washington counterpart. In addition, although SB 370 initially contained numerous subsections related to biometric information, leading some analysts to compare SB 370 to Illinois’ Biometric Information Privacy Act (BIPA), those sections have since been deleted by amendment. To help companies navigate the new requirements of SB 370 and consolidate compliance steps with broader efforts to comply with the MHMDA, we have summarized below key similarities and differences between SB 370 and the MHMDA. You can read our insight regarding the health data amendments to Connecticut’s Data Privacy Act.

What Do the Laws Have in Common?

Both SB 370 and the MHMDA require a privacy policy or notice that discloses the types of consumer health data collected, with whom it is shared, the purposes of processing, and how to submit a data subject request, among other disclosures.^[2] Both laws also require the “affirmative, voluntary consent” of the consumer for the collection of consumer health data, unless the purpose of collection is to provide the product or service requested by the consumer,^[3]and both laws require the written and detailed authorization of the consumer in the event that the regulated entity engages in the sale of consumer health data.^[4] The MHMDA requires such written authorization to include: “(a) the specific consumer health data concerning the consumer that the person intends to sell; (b) the name and contact information of the person selling the consumer health data; (c) the name and contact information of  the person purchasing the consumer health data… (d) a description of the purpose of the sale, including, how the consumer health data will be gathered and how it will be used by the purchaser… (e) a statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization; (f) a statement that the consumer has a right to revoke the valid authorization at any time and a description of how to submit a revocation of the valid authorization; (g) a statement that any consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected… (h) an expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization; and (i) the signature of the consumer and date.”^[5]SB 370 has almost identical requirements for the “written authorization.”^[6]

In addition, both the MHMDA and SB 370 require that regulated entities that engage other companies to process consumer health data on their behalf enter into a contract setting forth applicable processing instructions.^[7]Both provide an array of consumer rights, including the right to confirm whether a regulated entity is collecting, sharing, or selling consumer health data; the right to receive a list of all third parties with whom the regulated entity has shared or sold consumer health data; the right to withdraw consent for the collection and processing of consumer health data; and the right to request that the regulated entity delete consumer health data.^[8] Finally, both the MHMDA and SB 370 prohibit “geofencing” around an facility that provides in-person health care services where such geofence is used to:

1. identify or track consumers seeking in-person health care services or products;
2. collect consumer health data from consumers; or
3. send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.^[9]

Where Do the Laws Diverge?

Narrower Definitions

One of the most significant differences between the MHMDA and SB 370 is that SB 370 defines “consumer health data” more narrowly than the MHMDA. Specifically, “consumer health data” is defined under the MHMDA as “personal information that is linked or reasonably linkable to a consumer and identifies the consumer's past, present, or future physical or mental health status” with “health status” pulling in a range of data, including biometric data and/or certain precise geolocation data.^[10] Washington’s broad definition means that nearly any type of information that could be associated with a consumer’s health – from purchases at a supermarket to membership at a fitness club – could be considered “consumer health data,” no matter how the regulated business uses the data.

In contrast, SB 370 defines “consumer health data” as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.”^[11]This definition narrows the types of data within its scope to data that is actually used to determine health status. Moreover, Nevada explicitly carves out from SB 370’s purview “information that is used to… identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present, or future health status of the consumer,”^[12]effectively exempting the supermarket or fitness club’s use of the data.

No Private Right of Action

Unlike the MHMDA and perhaps most importantly, the Nevada bill does not provide for a private right of action.^[13] Violations of SB 370 are deemed a deceptive trade practice under Nevada law, which can be enforced only by the Nevada Attorney General rather than a private citizen. As a result, while companies will need to prepare for and take seriously this new law, they will be able to focus on more meaningful compliance and track guidance issued by Nevada’s Attorney General rather than trying to prepare for the threat of impending class action lawsuits for even minor or technical violations.

Takeaways

Nevada’s SB 370 creates new privacy rights for consumers in relation to consumer health data. While more business-friendly than Washington’s MHMDA, the Nevada bill, when effective, will certainly introduce some compliance obligations for entities that conduct business in Nevada. Companies should review the types of data that they collect regarding Nevada consumers, and begin to build out their compliance efforts to fold in the requirements of this new law. A combined effort for Washington, Connecticut, and Nevada will likely make sense for at least portions of the laws.