Page 265 - Cyber Defense eMagazine Annual RSA Edition for 2024
A key requirement is that consumers must opt in to the collection of their health data prior to collection.
Businesses must also obtain a separate opt-in prior to selling health data. The term health data is broadly
defined to include any information related to an individual's physical or mental health condition.
March 31: Nevada’s Consumer Health Data Privacy Law
Nevada’s Consumer Health Data Privacy Law is similar to Washington’s in application, covering any
entity doing business in Nevada that processes consumer data. The law has a set of common excluded
entities, such as HIPAA-covered entities. Also, similar to Washington, a regulated entity must secure
consents with respect to a number of operations related to an individual’s data. Both laws also have
prohibitions on geofencing near certain facilities.
Where the laws significantly differ is in how each defines covered health data. Nevada’s law is narrower
than Washington’s in that it only applies to health data actually used by a business to identify a
consumer’s health status, whereas Washington’s definition includes information that could be associated
with someone’s “health” generally.
July 1: Texas’ Data Privacy and Security Act
Texas’ Data Privacy and Security Act (TDPSA) is likely to rope in those companies that have avoided
operating in a state with comprehensive privacy laws. It applies not only to companies doing business in
Texas or those selling Texas consumer data, but also to those whose products and services are
consumed by Texans.
The definition of personal information has also been expanded to include pseudonymous data — or data
points not directly associated with a specific person — when that data is applied with other information
that reasonably links the pseudonymous data to an individual.
TDPSA is similar to other state privacy laws in a few ways. It requires a privacy notice disclosing personal
information practices and requires contracts with third parties prior to processing of personal information.
However, TDPSA privacy notices must include an additional disclosure about the selling of sensitive or
biometric data that requires consumers to opt in prior to processing. There is no private right of action
under TDPSA.
July 1: Oregon Consumer Privacy Act
Oregon’s Consumer Privacy Act is similar to others in that it applies to companies conducting business
in the state under certain situations such as if that company processes the personal data of more than
100,000 residents or derives 25% of revenue from selling the data of more than 25,000 consumers. Like
some of its predecessors, Oregon’s law grants residents certain rights with respect to their personal
information, requiring entities that collect Oregon residents’ personal information to make certain
disclosures in their privacy notice regarding processing activities and the use of reasonable safeguards
to protect the personal information.