At the end of 2020, we predicted that growing concern about privacy issues and the increased adoption of technology during the coronavirus pandemic would lead to more data privacy/security legislation in the US. More than halfway through 2021, a bevy of state laws addressing the collection and use of consumer data has proved us right. In our last blog, we discussed two new consumer privacy laws which create a comprehensive framework of rights to control and limit how personal data is used. In addition, several states have also passed targeted legislation to address issues like COVID and HIPAA, or to expand on existing consumer protection measures.
Here’s what you need to know about Oregon and Nevada’s new consumer privacy laws:
OREGON’S NEW CONSUMER PRIVACY LAW
Earlier this year, Gazelle Consulting founder Christina Glabas joined a policy work group to address businesses’ usage of the COVID data that was collected for the purposes of contact tracing. This led to the passage of Oregon’s HB3284, which went into effect immediately upon passage and will expire 270 days after Oregon ends its state of emergency declaration.
The Oregon privacy law prohibits covered organizations from collecting, using, or disclosing personal health data about an Oregon resident without explicit affirmative consent. “Personal health data” is defined as information related to monitoring or tracking infections by or exposure to SARS-CoV-2 or COVID-19 which can reasonably be used to identify a resident individual.
Organizations covered by the law consist of any person that “collects, uses, or discloses personal health data,” including developers of websites or applications which a person may use to collect, use, or disclose personal health data. This does not include a member of the resident individual’s household, a government agent or contractor who collects data for public health purposes, a health provider, or an entity which is engaged in activities regulated by HIPAA.
Oregon’s HB3284 aims to regulate non-health care businesses that perform contact tracing, like grocery stores, venues, or restaurants.
Covered organizations must provide information to the consumer about the data that is collected and establish means for individuals to revoke their consent. Businesses are also prohibited from using the collected data for commercial advertising or marketing algorithms. Additionally, covered organizations are required to establish data security safeguards to protect the data, and must delete personal health data 65 days after it has been collected.
The law does not apply to information collected within an employment context or under requirement for federal law.
NEVADA’S NEW CONSUMER PRIVACY LAW
Nevada’s new consumer privacy law, which goes into effect on October 1, 2021, is less comprehensive than the others passed this year, but still expands the responsibilities of some businesses. In 2020, an amendment to the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) went into effect, requiring businesses that own or operate a website or online service which collects personal information from consumers to provide resident consumers with the ability to opt-out of sales of specified personal information.
Nevada’s new law, SB 260, further amends NPICICA by broadening the definition of “sale” so that it applies to any “exchange of covered information for monetary consideration…to another person.” Previously, the law applied only in cases where the person buying the information also intended to license or sell the information to additional persons.
The law also creates new obligations for “data brokers” whose primary business is “purchasing covered information about consumers”. Data brokers resident within the state are required to establish a designated address through which consumers can opt-out of having their information sold.
With each amendment to Nevada privacy laws, the state’s legislators signal a growing need to close loopholes in existing law and increase accountability in the technology supply chain. With this change, intermediary data sellers will be more closely regulated and Nevada consumers will have more control over the sale of their personal data.
PREPARING FOR NEW CONSUMER PRIVACY LAWS
We’re likely to see many more new consumer privacy laws in the coming years. These will impact how businesses can use or collect personal information, on both the state and municipal level. Most recently, New York City passed an ordinance requiring commercial establishments that collect biometric data to inform customers of their collection activity, as well as placing limitations on the use and sale of collected data.
Businesses and industries affected by these laws will need new solutions to ensure that they’re in compliance, especially if they operate in multiple locations governed by consumer privacy laws. As more states address consumer rights, we will continue to monitor how businesses will be affected and the services they need to address compliance responsibilities.
Are you wondering how this wave of new consumer privacy laws will affect your business? Do you need guidance on your general data security practices? Contact us for a free consultation to see if Gazelle Consulting’s customized compliance services are right for you.