Privacy Daily is a service of Warren Communications News.

Minn. Bill Goes Beyond Wash. My Health My Data Act, Says Lawyer

Minnesota could add health information as a form of sensitive data and toughen limits for sensitive data more broadly under its comprehensive privacy law, a privacy attorney said Tuesday. Rep. Steve Elkins (D), author of the Minnesota Consumer Data Privacy Act, introduced HB-2700 Monday to amend the act before it takes effect in July. Sensitive data requires opt-in consent under the Minnesota law, unlike other personal data that carries an opt-out standard.

“As currently drafted, this bill would -- in some ways -- go quite a bit farther than My Health, My Data (MHMD)” in Washington state, Felicity Slater, a Hintze privacy attorney, said in an email. “It proposes to create MHMD-like restrictions that would cover not just health data, but all sensitive data.” The Washington state health law, and other states' bills that have followed its approach, have raised compliance concerns for businesses (see 2501280023).

For example, the amended bill “would require controllers to obtain specific, non-bundled consent for the processing and sharing (beyond sharing with processors) of sensitive data, as well as burdensome ‘authorization’ for sale of sensitive data.”

“In the MHMD-context, this authorization requirement has functioned as an effective ban, so this requirement could end up functioning as a de facto ban on the sale of sensitive data in Minnesota,” warned Slater.

HB-2700 defines health data as “personal data that identifies a consumer's past, present, or future mental or physical health status.” It lists a dozen categories that definition might include, such as biometric data, genetic information, “individual health conditions, treatments, diseases, or diagnoses,” medicine use or purchase, “bodily functions, vital signs, symptoms, or measurements” and “specific geolocation data that could reasonably indicate a consumer's seeking or obtaining past, present, or future health care services or supplies.”

Sensitive health data would also include “any information that is derived or extrapolated from personal data, but that is not itself health data that a controller or processor uses by any means, including algorithms, machine learning, or profiling, to associate or identify a consumer with the data described … such as proxy, derivative, inferred, or emergent data.”

In addition, HB-2700 would add geofencing restrictions. “It is unlawful for any person to implement a geofence around an entity that provides in-person health care services or supplies where the geofence is used to: (1) identify or track a consumer seeking health care services or supplies; (2) collect health data from a consumer; or (3) send notifications, messages, or advertisements to a consumer related to the consumer's health data or health care services or supplies.”