Privacy Update for Drug & Device Makers

Recent US Privacy Legislation Developments

Privacy legislation remains a hot issue at the state-level while the federal privacy law discussion continues. Recent privacy laws generally require that impacted drug and device makers implement compliance plans, carefully consider how they collect and use personal information, revisit privacy policies, and use reasonable security practices.

Reading this Alert will help you stay up-to-speed on state (CA, VA, NY, & WA) and federal privacy laws. What follows is a report on significant U.S. privacy developments from the past year.

California Consumer Privacy Act 

The California Consumer Privacy Act (“CCPA”) became effective on January 1, 2020 and applies to businesses that either: (1) reached $25 million in gross revenue in the previous year; (2) annually buy, receive, or sell personal information of 50,000 individuals or households; or (3) derive 50% or more of annual revenues from selling personal consumer information. The CCPA provides oversight to data use and sharing by businesses.

CCPA impacts drug and device manufacturers that collect information from 50,000 California residents (which will change to 100,000 as amendments take effect in 2023, as explained below) or have annual revenue exceeding $25 million.

The law also offers consumers several privacy rights, including access to personal information, and requires businesses to provide privacy notices, offer opt-out for certain data sharing, and use reasonable security measures.

California Privacy Rights Act

The CCPA was amended by the California Privacy Rights Act (“CPRA”) which passed in November 2020 and made key updates to the CCPA, including clarifying how the CCPA applies to health information by expanding the exception for health information to more clearly align with HIPAA (including de-identified health information) and broadening the exceptions for clinical research. It expands the scope to include businesses that “share” personal information and increases the threshold to 100,000 California residents or households.

It also adds an entirely new enforcement agency–the California Privacy Protection Agency, which will collaborate with the California Attorney General to enforce the law, and requires cybersecurity risk assessments for high–risk processing of personal information. “High-risk processing” will be defined in regulations adopted by January 1, 2022.

CPRA impacts drug and device manufacturers that collect information from 100,000 California residents or have annual revenue exceeding $25 million. The CPRA will take effect on January 1, 2023. Here is the CCPA as amended by the CPRA.

Impacted manufacturers should complete a gap assessment and build privacy and security programs that comply with the new Californian requirements.

New York SHIELD Act

The New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) became effective in March 2020. It adds data breach notification requirements and requires impacted businesses to implement “reasonable data security” including specified administrative, technical, and physical safeguards, with some flexibility for small businesses that have less than $5 million in total assets and under $3 million in revenue over each of the preceding three years.

The law applies to businesses that process personal information about New York residents, with some exceptions for companies that are compliant with HIPAA and similar laws. The SHIELD Act is enforced by the New York Attorney General and does not include a private right of action.

The SHIELD Act impacts drug and device manufacturers that collect information from any number of New York residents by adding further notification requirements for data breaches and requiring reasonable data security. Covered entities under the Health Insurance Portability and Accountability Act (“HIPAA”), such as a durable medical equipment (“DME”) maker, if compliant with HIPAA, are considered compliant with the SHIELD Act’s “reasonable security” provision.

Those impacted by the law should complete a gap assessment and build privacy and security programs that comply with standards outlined in the SHIELD Act.

Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (“CDPA”) was passed and signed into law on March 2, 2021. The CDPA includes some patchwork exemptions for entities regulated by HIPAA (including for de-identified health information), employee data, and other federal privacy laws. The CDPA applies to businesses that collect personal information of 100,000 Virginia residents annually, or only 25,000 individuals if the majority of company gross revenue is generated from data sales.

The CDPA has requirements that will be familiar to many organizations, including: data subject rights, security requirements, privacy assessments, contracting terms, privacy notices, and consent requirements. The CDPA will be enforced by the Virginia Attorney General and does not include a private right of action.

CDPA impacts drug and device manufacturers who operate websites and services and have 25,000 or more visitors or users annually from Virginia. Applicable manufacturers will need to evaluate whether they “sell” personal data and consider how to comply with the new law.

Washington Privacy Act

The State of Washington is making another attempt to pass a privacy law called the Washington Privacy Act (“WPA”). The WPA passed the Senate in a 48-1 vote on March 3, 2021 and was referred to house committee review. This is the third time in recent years a version of this comprehensive privacy bill has been introduced. The last proposal stalled when a private right of action was added late in the process.

With some similarities to the Virginia law, which was modeled after earlier versions of the Washington bill, the WPA would apply to businesses that control or process data of 100,000 or more Washington residents, or of 25,000 residents for businesses that derive 25% of gross revenue from the sale of personal data.

If the WPA passes, drug and device manufacturers who annually collect personal information from 25,000 or more Washington residents will need to evaluate whether they “sell” personal data and consider how to comply.

Other Proposed State Privacy Laws

Over 20 other states have proposed privacy laws. Most proposed legislation is in early stages of committee review, or was recently introduced. Many bills will not pass due to disagreement on key issues. However, here are some common themes we are picking up on:

  • Right of access to personal information
  • Right to rectify or request correction
  • Right to delete personal information
  • Right to transfer personal information (data portability)
  • Right to opt-out of certain data use and sharing
  • Age-dependent opt-in provisions
  • Privacy notices and transparency requirements
  • Limitations on how information is used
  • Contract terms between data “controllers” and “processors”

These provisions echo many requirements in the California Consumer Privacy Act as well as the General Data Protection Regulation (“GDPR”) in Europe.

For affected device and drug manufacturers, the explosion of legislative activity and new laws highlights the importance of developing a privacy program now to ensure privacy rights are addressed effectively and that personal information is handled appropriately throughout the data lifecycle.

Federal Privacy Law

Although the state legislative activity is putting pressure on Congress to pass federal legislation, no comprehensive privacy laws have been passed to-date at the federal level. However, it is certainly a matter of when, not if, the U.S. will pass comprehensive federal privacy legislation. Over the years, bills have been introduced by both parties, including a bi-partisan draft that stalled in 2020.

In 2021, a bi-partisan effort will be needed for comprehensive privacy legislation to pass given the slim Democratic majority in the Senate. However, some key obstacles to bi-partisan agreement remain, including whether federal law should preempt more stringent state laws and if individuals should be allowed to sue entities that violate federal law through a private right of action.

With these obstacles, it seems unlikely that a bill will pass in 2021, but there is certainly interest across the political spectrum in moving forward on a federal privacy law. Any bill that does pass in 2021 would almost certainly include a compromise on both preemption, i.e., permitting some state-specific requirements, and private right of action, e.g., limiting such actions to certain violations.

Prospective legislation may provide some exceptions for small businesses and for data that are already regulated by a federal privacy law, such as HIPAA. It would also likely include opt-out rights for consumers and require further transparency by organizations that collect and use personal information.

When federal privacy legislation is passed, affected organizations will need to: (1) revisit privacy policies; (2) start investing, or continue to invest, in data security; (3) review data practices; and (4) evaluate data sharing and vendor relationships.

Need assistance? 

Contact the Gardner Law Privacy team, led by Paul Rothermel, JD, CIPM, to assist your organization with privacy program implementation, auditing, and monitoring, including compliance with GDPR, HIPAA, CCPA, CPRA, SHIELD Act, CDPA, Federal Trade Commission Act, and other privacy laws.