US State Privacy Law Replay 2023

January 10, 2024

by Paul Rothermel and Theo Thompson 

2023 is finally in the books and so are many new privacy laws. 

Just in case you missed some of the numerous changes, this short article highlights several key US state privacy developments from 2023 that may impact drug and device manufacturers. These developments include some garden-fresh privacy laws, amendments du jour, and even new regulations. Read on for some noteworthy highlights and a brief informative chart.

State Privacy “Greatest Hits” of 2023

1. California brings the heat (and regulations)

The California Consumer Privacy Act (or “CCPA”) as amended has been around for some time. It limits the sale and sharing of personal data, grants numerous data subject rights, and requires that personal data processing involving “significant risk” must be assessed and submitted to the new California Privacy Protection Agency (CCPA enforcement agency). Enforcement actions are already well-documented, including one resulting in this settlement between the California Attorney General and Sephora, which specifically discussed failure to implement global privacy control (GPC) signal recognition on the company website. California has also promised further enforcement of the law and continues to issue new regulations, with some key provisions becoming effective on March 29, 2023. More regulatory activity continued in California as 2023 came to a close, with a focus on automated decision-making.

2. Colorado finalizes regulations

New regulations under the Colorado Privacy Act (“CPA”) have already been finalized with most provisions taking effect July 1, 2023. These regulations included restrictions on profiling and automated decision making, more clarity on data protection assessments, required “universal opt-out mechanisms”, and a “meaningful” standard for privacy notices delivered under the CPA.

3. Connecticut, Nevada, and Washington pass consumer health data laws

Both Nevada and Connecticut passed consumer health data protection laws, similar to the Washington “My Health My Data” Act we wrote about last year, designed to address health information not protected by the Health Insurance Portability and Accountability Act (“HIPAA”). The Connecticut Data Privacy Act (CTDPA) was amended in 2023 to include provisions specific to “consumer health data”, defined as “any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.” The amendments also added consumer health data to the list of “sensitive data” types requiring risk assessment. This broadens the scope of the CTDPA significantly to include companies which process any consumer health data. Nevada’s law is further detailed in the chart below.

2023 State Privacy Law Chart

We close this brief privacy replay with a chart covering many key state privacy laws newly passed or amended in 2023, including many that didn’t make the ‘greatest hits’ above (but we think are likely to impact device and drug makers across the US). This is not an exhaustive list.

If you have any questions about privacy laws, contact the team at Gardner Law.