Nevada Data Privacy Bill

On June 16, 2023, Nevada Governor Joe Lombardo signed into law the amended version of Senate Bill 370, a health data privacy bill that imposes requirements on the collection, use, and sale of consumer health data. Here’s how to navigate the law:

Applicability

SB 370 applies to regulated entities: any organization that conducts business in Nevada or produces/provides products or services targeted to consumers in Nevada.

A consumer under the Bill is any “natural person who has requested a product or service from a regulated entity and who resides in [Nevada] or whose consumer health data is collected in [Nevada].” Notably, the definition of consumer excludes any person who is “acting in an employment context or as an agent of a governmental entity.”

Consumer health data is defined under the Bill as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer.” This includes information that relates to:

  • Any health condition or status, disease or diagnosis

  • Social, psychological, behavioral or medical interventions

  • Surgeries or other health-related procedures

  • The use or acquisition of medication

  • Bodily functions, vital signs or symptoms

  • Reproductive or sexual health care

  • Gender-affirming care

  • Geolocation data that a regulated entity would use to determine whether a consumer has attempted to obtain goods and services

  • Biometric data or genetic data

  • Health-related information that is derived from non-health data, including data derived through an algorithm, machine learning or any other means

The definition of consumer health data does not, however, include information that is used to:

  • “Provide access to or enable gameplay by a person on a video game platform”

  • “Identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present or future health status of the consumer.”

This definition of consumer health data is comparable to that contained in the Washington My Health My Data Act. Similar to Nevada’s SB 370, the My Health My Data Act only applies to data which “identifies the consumer's past, present, or future physical or mental health status.” However, SB 370 focuses on data which “a regulated entity uses to identify the past, present or future health status of the consumer” (emphasis added).

Regulated Entity Requirements

SB 370 requires regulated entities to develop and maintain a privacy policy governing consumer health data that “clearly and conspicuously” establishes:

a) The categories of:

  1. Consumer health data that they will collect and the way it will be used

  2. Sources from which consumer health data is collected

  3. Consumer health data that they will share

  4. Third parties and affiliates who will receive the consumer health data

b) The purpose for “collecting, using and sharing” the consumer health data

c) The processing manner

d) The procedure for submitting a consumer request under SB 370

e) The process, if established by the organization, for a consumer to review and request changes to consumer health data maintained by the regulated entity

f) The notification process for material changes to the privacy policy

g) Whether “a third party may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity”

h) The effective date of the privacy policy

Importantly, a regulated entity may not collect or share a consumer’s consumer health data without first receiving “affirmative, voluntary consent” from the consumer, unless the collection or sharing is necessary to provide the consumer with the product or service requested. Additionally, consent for collection and sharing must be “separate and distinct” for each processing activity. 

Further, upon a request from a consumer, a regulated entity may be required to:

  • Confirm whether they’re “collecting, sharing or selling” the consumer’s consumer health data

  • Provide the consumer with a list of all third parties who have received the consumer’s consumer health data

  • Stop “collecting, sharing or selling” the consumer’s consumer health data

  • Delete a consumer’s consumer health data

Regulated entities are also required to implement various safeguards to protect a consumer’s consumer health data, such as:

  • Limiting access to the data within the organization to those persons who are necessary to provide the requested product or service

  • Implementing compliant “policies and practices for the administrative, technical and physical security of consumer health data”

  • Limiting data processor access to those who have entered into a contract with the regulated entity

  • Not implementing a “geofence” near healthcare-related facilities to identify or track “consumers seeking in-person health care services or products,” collect consumer health data, or send notifications, messages, or advertisements to consumers

Enforcement

Violations of SB 370 will be deemed a “deceptive trade practice” under Nevada law. Unlike the My Health My Data Act, there is no private right of action given to consumers under SB 370.

SB 370 will go into effect on March 31, 2024, which is also the effective date of many of the provisions of the My Health My Data Act. As such, organizations that would be covered under SB 370 should begin reviewing their privacy policies and considering necessary steps to achieve compliance with the bill.

