Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

In the U.S., one in three Americans uses a wearable such as an Apple Watch, Oura ring or other device promising better health, fitness or lifestyle. These devices collect a user's sensitive physical and mental health data, such as heart rate variability, blood oxygen level, fall detection, wrist temperature, sleep patterns, respiration rate, VO2 max and, depending on the device, EEG and ECG data.

These consumer-facing devices, typically referred to as "wearables," are not regulated by the U.S. Health Insurance Portability and Accountability Act because the consumer technology companies developing and marketing them are not "covered entities" under the law. If they were, these companies would be required to de-identify protected health information before selling or sharing it with third parties such as adtech partners.

Congress has failed to pass a federal law closing this gap, but Sen. Bill Cassidy, R-La., recently proposed such legislation specifically focused on the consumer wearables market. 

In the meantime, U.S. states are stepping in to fill the void, often in response to events such as bankruptcies, data breaches and reports of tracking of individuals' sensitive health data. Data incidents can themselves lead to bankruptcies, as at 23andMe, with the risk that consumers' sensitive personal data is acquired by third parties unknown to the consumer.

All 19 U.S. states with consumer privacy laws treat consumer health personal data as "sensitive," with additional compliance obligations. These laws fall into two broad categories: nine states adopted a narrow definition of consumer health personal data, while 10 adopted a broader definition, which has significant compliance implications for businesses operating in this space. In addition, Washington state passed its own stand-alone privacy law focused solely on consumer health personal data.

On the most business-favorable end of the regulatory spectrum, consumer privacy laws in several U.S. states — Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, Tennessee, Texas and Virginia — define consumer health data narrowly, as limited to a health diagnosis. To the extent a consumer wearable business can successfully argue that its device does not provide a health diagnosis, consumers' health data is likely not considered sensitive data under those state laws. It is worth noting that the health data would still be considered personal data, and the consumer would have rights to access it, delete it and opt out of targeted advertising based on it under the applicable laws.

The states with a broader definition of sensitive health data — California, Colorado, Connecticut, Delaware, Maryland, New Hampshire, New Jersey, Oregon, Rhode Island and Utah — include not only diagnosis, but status, condition or information related to the consumer's health. They would likely consider the consumer data collected by the device, such as heart rate, as sensitive personal data. All of these states except California would require opt-in consent to the processing of such personal data. An unanswered question is whether neural data, like EEG data collected by certain sleep wearables, would be covered by these consumer privacy laws. 

California, Colorado and Connecticut have added neural data specifically to their definitions of consumer health personal data, while Montana has added neural data to its Genetic Information Privacy Act. According to Jameson Spivak's article, "The 'Neural Data' Goldilocks Problem: Defining Neural Data in U.S. State Privacy Laws," Colorado's law only applies if the consumer device is used to identify an individual — in line with its definition of biometric data — and Montana's law likely only applies to businesses in the genetics field.

An open question with respect to neural data such as EEG data is whether attorneys general in the states with the broader definition of sensitive consumer health personal data would consider a business collecting EEG data through a consumer wearable to be covered by that definition. If so, the business would have to obtain opt-in consent to the collection and processing of consumers' neural data in those states.

At the far end of the spectrum, and the least business-favorable, are Washington's stand-alone My Health My Data Act and Maryland's more recent Online Data Privacy Act. Washington's law has the broadest definition of consumer health data. Maryland's law is the strictest with respect to permissible collection of such sensitive data. Most critically, Maryland prohibits the sale — defined to include targeted advertising — of sensitive personal data, including consumer health data, even with consent. It is also likely that the attorneys general of these states would consider neural data, such as EEG data, to be covered by their laws.

Nipping at the heels of Washington and Maryland are pending laws in Massachusetts and New York. Massachusetts may pass its first general consumer privacy law in the near future, patterned on the Maryland law with strict restrictions on any sale or sharing of personal data. In New York, a stand-alone consumer health bill similar to Washington's MHMDA, Senate Bill 929, the Health Information Privacy Act, passed the legislature and is waiting to be sent to the governor's office for signature.

For businesses employing targeted advertising, compliance across the country may require a de-identification strategy similar to HIPAA's. In the U.S., all consumer privacy laws, so far, exempt de-identified personal data from their scope. This differs from the EU General Data Protection Regulation, which does not exempt de-identified or pseudonymized personal data but treats it as lower risk. Only anonymized personal data is exempt under the GDPR.

In the health sector, privacy professionals are familiar with the HIPAA standard for de-identification, which can be met through either the safe harbor method or the expert determination method. For companies operating nationally, the highest standard for consumer health data would be the Washington and Maryland standard, with New York and Massachusetts close behind.

These states are moving the nation closer to HIPAA-style protections for consumers, and businesses would be wise to de-identify sensitive consumer health data before sharing or selling it.

Jennifer Sheridan, AIGP, CIPP/E, CIPP/US, is principal at JLSheridan Law.