In this second post in our ongoing series, we examine the scope of rights given to consumers under the recently enacted My Health My Data Act. (Visit here for information on the scope of the law.) The law provides consumers several rights, all of which appear in other privacy laws. However, the requirements associated with some of these rights create some unique challenges.
Under this law, consumers have a right of access, a right to delete, a right to withdraw consent, and a right to not be discriminated against for exercising their rights.
- Right to access. This gives consumers the right to confirm whether a regulated entity is collecting, sharing, or selling consumer health data about them. It also gives them a right to access such data. It goes further than other privacy laws by also giving consumers a right to receive a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data and an active email address or other online mechanism for contacting these third parties.
- Right to delete. Most privacy laws (except for HIPAA) create a right to delete. However, unlike other laws, this Act is missing common exceptions to the right to delete, for example an exception for when data may be required to defend against legal claims or to comply with legal obligations. There is also a passthrough obligation attached to this right. If a deletion right is exercised, regulated entities must also notify all affiliates, processors, and other third parties with whom the data was shared, and each recipient must also delete the data. The deletion requirement also applies to data archives and backups, though there is a 6-month deadline to complete that deletion.
- Right to withdraw consent. The Act gives consumers the right to withdraw consent for the “collection and sharing” of consumer health data. Because the Act requires consent for processing beyond what is necessary to provide the requested product or service, there could be a wide range of data subject to withdrawal.
- Right of non-discrimination. The Act also provides that regulated entities “may not unlawfully discriminate against a consumer for exercising any rights” under the Act. Unlike the CCPA non-discrimination right, however, this provision does not specify any details about what kind of discriminatory practices are prohibited.
The procedural aspects of responding to rights requests borrow from other privacy laws. Specifically, organizations must have a secure and reliable means for consumers to submit requests and need to authenticate the consumer making the request. Companies are prohibited from charging a fee for up to two requests annually. Responses should be provided within 45 days (which can be extended by another 45 days). Companies must also offer an appeal process for denied requests.
Putting it into practice. While companies subject to other privacy laws will be familiar with the type of consumer rights and procedural requirements, there are several notable differences in handling rights requests under this Act. These challenges, along with the law’s private right of action, will increase risk for companies that receive requests. In our next post we will examine the obstacles created by the broad consent requirements.