Data Protection and Privacy 2025

USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP

acteristics that can be used (not just data that is used) to identify an individual.

• Consumer health data, which is also sensitive data, includes physical or mental health status (not just a diagnosis) and data related to gender-affirming care and reproductive or sexual health care.
• The MODPA prohibits controllers, regardless of consumer consent, from:
  (a) processing sensitive data unless strictly necessary to provide a service or product requested by the consumer;
  (b) selling sensitive personal data (although consumer-directed disclosures are permitted); or
  (c) collecting personal data, unless necessary and proportionate for providing a product or service to the consumer.
• The MODPA prohibits the use of personal information of anyone who the controller knew or should have known was under the age of 18 for sales or targeted advertising.

Florida

The Florida Digital Bill of Rights (FDBR) applies to only a few very large companies – ie, those that have USD1 billion or more in annual revenue and obtain at least 50% of their revenue from digital advertisement sales, operate an app store or other digital distribution platform with at least 250,000 applications, or operate a consumer smart speaker. Only a handful of companies meet these requirements.

The FDBR otherwise has controller obligations and consumer rights that resemble those of the Virginia law, with some exceptions, including the following.

• As under the Texas law, controllers that sell sensitive personal data or biometric data must provide consumers with these disclosures: “NOTICE: We may sell your sensitive personal data”, or “NOTICE: We may sell your biometric personal data”. Both disclosures need to be prominent and in the same location as the controller’s privacy policy.
• The FDBR also prohibits controllers and processors from collecting data when a voice-activated device is not in active use by a consumer, unless the consumer expressly authorises collection.

Sector-Specific State Privacy Statutes: Health Data

The Washington My Health My Data Act

The Washington My Health My Data Act (MHMD) is not a generally applicable state privacy law but is broad enough to affect many companies that process data not typically regarded as health data.

• The MHMD applies to consumer health data (CHD), which is personal information that is linked or reasonably linkable to and identifies a covered consumer’s past, present or future physical or mental health status.
• Consumers are Washington residents and people whose data is “collected” – broadly defined to include data that is “processed” – in Washington.
• Regulated entities must disclose their collection of CHD and must obtain consent before collecting, sharing or selling CHD. The process for obtaining consent for selling CHD is onerous.
• Consumers have rights similar to those under the general state privacy laws, such as the right to access their CHD.
• “Any violation” of the MHMD is a per se violation of the Washington Consumer Protection Act and is enforced by the attorney general and through a private right of action under the
