Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security in traditional healthcare settings, CHD Laws regulate “consumer health data” or “CHD” – a very broadly defined term as we discuss below and in a prior post – collected by companies in a broad swath of health and non-health related industries alike. Even ancillary purposes like providing accessibility accommodations and defending personal injury claims are enough to trigger the laws. CHD Laws impose restrictions and obligations on regulated entities far more burdensome than state consumer privacy laws, many of which already regulate some of the same health data, and unlike those general consumer privacy laws are not proposed to be preempted by the potential federal American Privacy Rights Act.

As such, compliance programs that businesses may have developed to comply with state consumer privacy laws, such as the California Privacy Protection Act (“CCPA”), will not be sufficient to address the requirements of the CHD Laws, though they can be leveraged, such as for consumer rights requests and processor management. There are some material differences beyond the scope of the data regulated. For example, businesses must add another website footer link (and potentially elsewhere, such as in mobile apps) and post a separate privacy policy applicable to the processing of CHD. The facilitation of consumer rights must be CHD-specific, for example providing the right to delete just CHD, rather than all personal information. Moreover, businesses that have CHD use cases not within narrow exceptions (e.g., as necessary to provide a requested product or service), which differ somewhat as between the two laws, will have to grapple with the foreboding consent and authorization requirements which, in some cases, could result in subjecting visitors or customers to a litany of notices and pop-ups in an environment already plagued by what some dub “consent fatigue.”

Our lawyers are well known for thought leadership across many platforms, and that tradition continues over the coming weeks. Please join us at these upcoming events to hear the latest trends, updates and insights within the global Data Privacy realm. For more information, contact the presenters or your relationship attorney.

“Best Practices to Leading Post-Cyber Incident Forensic Investigations and Understanding Litigation Implications Surrounding Forensic Reports”
Thursday, March 28 | 2:30 pm – 4:40 pm ET | Webinar

Given the proliferation of litigation stemming from cybersecurity incidents, organizations need to understand how legal teams direct forensic investigations in order to ensure forensic reports align with anticipated litigation scenarios. A forensic report is normally prepared by a cybersecurity firm following a thorough investigation into the nature and scope of a company’s cybersecurity incident. A report will generally identify areas in which a company’s IT infrastructure was not compliant with best practices, regulations and/or industry standards, or whether a third-party vendor is responsible for the gap in a company’s IT infrastructure – all evidence that could substantiate future legal claims, either if a company wants to go on the offensive or if the company must defend itself.

Join Colin Jennings, Katy Spicer and Meghan Quinn for this free CLE accredited webinar to better understand how to effectively lead a post-cyber incident forensic investigation and related discovery implications.

Register for free by using the promotional code “SquirePattonBoggs24”.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Never Beyond the Law – the Spanish AEPD’s Position on the Processing of Whistleblower Data | Privacy World

Singapore to


Biden Budget Proposal Advances AI Priorities | Privacy World

US Regulators Lift the Curtain on Data Practices With Assessment, Reporting

Originally posted on Squire Patton Boggs’ Capital Thinking blog by David Stewart, Ludmilla Kasulke and Dominic Braithwaite.

On March 11, 2024, US President Joe Biden released his Fiscal Year (FY) 2025 budget request, which included proposals on U.S. Artificial Intelligence (AI) development and efforts to implement the Biden Administration’s Executive Order (EO) on AI. The budget identifies the National Science Foundation (NSF) as central to U.S. leadership in AI, requesting $10.2 billion in funding for the agency. $2 billion of that total would be dedicated to research and development (R&D) in accordance with CHIPS Act priorities, including AI, and $30 million would support the National AI Research Resource pilot program. The budget also requests $65 million for the Commerce Department “to safeguard, regulate, and promote AI, including protecting the American public against its societal risks.” This funding would include directing the National Institute of Standards and Technology (NIST) to establish the U.S. AI Safety Institute. The institute would be responsible for operationalizing “NIST’s AI Risk Management Framework by creating guidelines, tools, benchmarks, and best practices for evaluating and mitigating dangerous capabilities and conducting evaluations including red-teaming to identify and mitigate AI risk.” Further, the Department of Energy (DOE) Office of Science, which is responsible for implementing aspects of both the CHIPS Act and the AI EO, would receive $8.6 billion under the President’s proposed budget.

Following the lead of Europe, four US states currently require businesses to conduct and document assessments to evaluate and mitigate risks in connection with new and ongoing personal data processing activities, and at least eight additional states will do so between now and the end of 2025. California, which applies its requirements beyond traditional consumers to human resources and business-to-business contexts, requires regulatory filings of assessments (which may end up being in abridged form). On March 8, draft California assessment regulations were moved forward toward preparation for public comment, as detailed here. All of the states give regulators the ability to inspect assessments, which must be retained for that purpose. These new obligations will raise the curtain on companies’ info governance practices for regulators, and thereby necessitate robust data protection programs that are more than “window dressing.” Regulators have been clear about their plans to move to more aggressive enforcement of new state privacy laws, as discussed here and here, and assessments will give them a roadmap to do so.


In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World

EDPB Versus Ireland? Does the Opinion on

The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). A year ago the current CCPA regulations were finalized, but several complex issues were reserved for further consideration and some proposals were pulled back to ease initial implementation. Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations. New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023. In February 2024 further revised draft regulations were released and considered on March 8 by the CPPA board, which voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggart against) to also move forward with new draft regulations on data risk assessments and data driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk). In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of prepared rulemaking, the publication of which will be subject to a further Board vote after reviewing the rulemaking package. The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law. Although the motions did not set a firm date for staff to complete that work, the discussions contemplate that it would be done by the July 2024 Board meeting at the latest. That could result in effective regulations in Q3, though given the complexity and lack of Board consensus year-end is optimistic.

Scott Warren, a Partner in our Japan and China offices, will chair and speak at the Thailand & SE Asia 5th International Arbitration & Corporate Crime Summit on March 14, 2024 at the Rembrandt Hotel & Suites in Bangkok. 

Scott’s presentation is entitled Everything, Everywhere, All the Time: How Digital Data Regulations Affect

On February 28, 2024, President Biden issued a groundbreaking executive order (EO) establishing the framework for new restrictions on transactions involving US persons’ sensitive personal data and “countries of concern,” including China, or related parties.  Our Data and Public Policy teams break down what this will mean for companies here.  We will continue to