Nevada Senate Bill 370 is the third US state law passed this year with specific obligations related to consumer health privacy. Just as with most obligations under the similar Washington state My Health My Data Act (summary here), regulated entities are required to comply with the Nevada law from March 31, 2024. Obligations specific to entities processing consumer health data are already operative in Connecticut since July 1, 2023 (summary here).
The Nevada law is similar to the Washington law, but business should be aware of the following differences:
1. Consumer Health Data is more narrowly defined in the Nevada law and means “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present, or future health status of the consumer.” Compared to the definition in the Washington law of “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status”.
2. Biometric Data is more broadly defined in the Nevada law and means “data which is generated from the measurement or technical processing of the physiological, biological or behavioral characteristics of a person and, alone or in combination with other data, is capable of being used to identify the person”. Compared to the definition in the Washington law of “data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.”
3. Consumer is more narrowly defined in the Nevada law and means “a natural person who has requested a product or service from a regulated entity and who resides in” Nevada “or whose consumer health data is collected in” Nevada. Compared to the definition in the Washington law of “(a) a natural person who is a Washington resident; or (b) a natural person whose consumer health data is collected in Washington.” Both laws exclude those acting in an employment context. The Nevada law also excludes those acting as an agent of a governmental entity.
4. Exceptions are different and the Nevada law includes more exceptions that are not tied to another law applying. Consumer health data in the Nevada law does not include information that is used to (a) provide access to or enable gameplay by a person on a video game platform; or (b) identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present or future health status of the consumer.
5. The online policy required under the Nevada law must only list categories of third parties and affiliates with whom the regulated entity shares consumer health data. Per the Washington law the policy must also list the specific affiliates with whom data is shared.
As businesses work to comply with the continuing patchwork of US state privacy and health privacy laws, the requirements in the Nevada law should be analyzed, incorporated into, and operationalized as part of privacy compliance programs. For most part, the Nevada is less burdensome to comply with and more business friendly compared to the Washington law, but certain prescriptive requirements are included in the Nevada law and not in the Washington law. As businesses prepare or update privacy policies, notices, protocols and processes they should carefully track the requirements of each of the US state privacy and consumer health privacy laws that apply to them.
Unlike the Washington state My Health My Data Act, and like the Connecticut Data Privacy Act, the Nevada Senate Bill 370 does not include a private right of action.