In this third post in our ongoing series, we examine the scope of the consent requirements under the recently enacted My Health My Data Act. (Visit here for information about the scope of the law and here for information about consumer rights). The Act imposes consent requirements on a wide range of common processing activities.

What is “consent”?

Consent under the law must be affirmative, freely given, specific, and informed. For consent to be valid, it cannot be obtained by a consumer (1) accepting general terms of use or a similar agreement, (2) hovering over, muting, pausing, or closing a piece of content, or (3) agreeing where such agreement was obtained through deceptive design.

When is consent required?

Generally, the Act requires consent for any processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. A separate consent is required for any “sharing” of consumer health data beyond what is necessary to provide a consumer-requested product or service. An “authorization” (a higher level of consent) is required for any disclosure of data that would be considered a “sale” of consumer health data under the Act. Any consent must be separate from other consents. Like the CCPA, “sell” is defined broadly to mean the exchange of consumer health data for monetary or other valuable consideration. Given the breadth of what constitutes a sale, the requirement could be interpreted as a complete prohibition on targeted advertising using any consumer health data.

What is an authorization?

While an authorization is a concept familiar to HIPAA-regulated entities, it is not a concept in most consumer privacy laws. Under this law, an authorization is a lengthy document that contains a long list of specific information and statements that must be signed and dated by the consumer. A copy of the signed authorization must be provided to the consumer and both the seller and the buyer of the data must retain a copy of the authorization for 6 years. Authorizations will expire after one year.

Putting it into practice

The heightened and broad scope of the consent requirements under this law is likely to have the effect of chilling certain processing activities altogether. Organizations should carefully evaluate their activities and consider how they would obtain consent for any activity beyond what is necessary to provide the product or service. Companies will also need to keep in mind how to manage requests withdrawing consent.