AHLA's Speaking of Health Law

New State Consumer Data Privacy Laws: Implications for Life Sciences and Medical Device Companies

American Health Law Association


Christine Moundas, Health Care and Data Partner at Ropes & Gray LLP and Co-Head of the firm’s Digital Health Initiative, discusses the new landscape of state consumer privacy laws and how life sciences and medical device companies can comply with these new requirements. Sponsored by Ropes & Gray.

Watch this episode: https://www.youtube.com/watch?v=wGUy4Bs72t4

Learn more about Ropes & Gray: https://www.ropesgray.com/en

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Comprehensive members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/

SPEAKER_00

This episode of AHLA Speaking of Health Law is sponsored by Ropes and Gray. For more information, visit ropesgray.com.

SPEAKER_01

Hello, everyone. Welcome to today's podcast. My name is Christine Moundas. I'm a partner at Ropes and Gray in the healthcare group, and I also participate in the data practice. I co-lead our digital health initiative, and today I'm going to talk about the new state consumer privacy laws and state consumer health privacy laws and how they impact healthcare and life sciences companies. So, you know, for today we're going to do first an overview of how these laws have come online over the past several years. Then we're going to talk a little bit about the business obligations that they entail. And then we'll talk about some of the detail around how they're defined, what the thresholds are, etc. So for anyone who's been paying attention to these laws, and Ropes and Gray actually has a summary of them on our website, over the past five years, there's been a proliferation of state consumer privacy laws that are stepping into a space that was really not regulated under HIPAA and was in a kind of no man's land of absence of regulation other than really some general FTC regulation. So really starting with the California Consumer Privacy Act, CCPA in California, but then soon thereafter, many, many states coming online to have their own variation around how they viewed organizations and companies as needing to actually secure, safeguard, and keep confidential consumer information. At this point, we're at a turning point where really about half of the states in the United States have their own state consumer privacy laws. Early on, you know, in 2020, 2021, 2022, it really wasn't clear that this was going to be a major trend. But then over the past two to three years, it really just picked up steam. And a ton of these laws came online last year in 2025. And now we're at the point where more just came online on January 1st, 2026. 
And we're seeing a real watershed moment where we have a huge amount of these states having their own expectations around how consumer data is safeguarded. Generally, all of these states have their own versions of what the triggers are for actually even coming under these laws in the first instance. And that's something that I tell all of my clients to first look at. Generally, there are exemptions for not-for-profits. There are exemptions at different levels, either entity level or data level, for HIPAA-covered entities or data or entities handling HIPAA data. So that takes out a lot of our healthcare players. But for pharma, med device clients, or direct-to-consumer, like digital health type companies, these laws are really intended to directly regulate those organizations. So first and foremost, it's important to understand these thresholds and look at them and to get a better sense of, okay, which state laws are actually being triggered by my organization? And that'll give you a really good sense of then how to attack compliance in this area. Some states have revenue thresholds in terms of certain annual revenue per year that will then trigger it. CCPA is a good example of that. Other states actually have thresholds related to how many individuals' information is being processed from that state. And we look at not where the company is located, but actually where the individuals whose data is being processed reside. And that's sometimes a hard metric to actually measure: where are the individuals residing where the information originally came from, and how many are we processing per year? And then finally, for some companies, it's important to know that there are also thresholds around how many individuals' information is being used for purposes of sale of information or other types of data broker activities. And that could be another threshold that then is triggered and puts a company under the auspices of these laws. 
So generally, then, in addition to understanding what are the different thresholds around these laws, it's important to really understand what these laws are seeking to actually govern. And it really is defining personal information and personal information of consumers very, very broadly. It's talking about any information about an individual, such as name, address, phone number, email, date of birth, online identifiers, which are really important, government or other unique identifiers. It could include location information. And then there's also a subset of information known as sensitive personal information that's also pulled out in some of these laws. And sensitive personal information can include health data, genetic data, biometrics, sexual orientation, precise geolocation, race or ethnic origin, or citizenship and immigration status. So really, this is a huge broad array of data that's coming under the auspices of these state consumer privacy laws. And there are generally set expectations for what companies will do once they are under these laws. And in particular, the regulators are really concerned about making sure that there are consumer rights that are granted to individuals to actually know about and exercise some control over their personal information that is processed by companies. So depending on the different state laws, there could be a right to access the information that's collected about them, a right to know what information is collected about the individual, a right to correct information, to delete information, a right to opt out of certain processing, a right to opt out of certain sales. And in some states, there's actually now an affirmative right to opt in to the processing of sensitive personal information. So it's not just that by default, if you hand over your information to an entity, it automatically means they have a right to it. 
There's actually now this concept of individuals needing to affirmatively opt in to the processing of their sensitive personal information and individuals getting notice about what actually is involved when they share their information. So these are rights that really did not exist before in any real way, and they're quite onerous for organizations to figure out how they're going to honor these rights. I'll say some states also have a right against automated decision-making technology. So we're seeing some overlap with how AI regulations might intersect with these. And many of these state laws have a private right of action. So they're giving individuals rights to take action against companies if they feel that their rights have been violated. Now, in addition to needing to provide individuals with these consumer rights, there also needs to be a mechanism by which you allow consumers to actually request these rights. So that's something that all my clients are really trying to think through. What's their digital front door? What are their various front doors to consumers, and how can they notify consumers of their rights and then notify them of how to invoke their rights when need be? Most pharmaceutical companies or direct-to-consumer companies in the digital health space, for instance, will use their websites to have both their privacy policies or privacy notices, and they will also have a privacy rights center that allows individuals to invoke these rights. In addition, once you're receiving these rights requests, you need to do the analysis to figure out, okay, is this individual coming from a state that we view as triggering the laws in that state? And then are they requesting rights that actually are granted in that state? And do we have enough information to actually validate their identity, to actually grant the rights that have been requested? 
So that is actually a whole exercise in and of itself to figure out, once you've received a rights request, whether and how it can be fulfilled, and making sure that you're really precise in how you're analyzing those things. Now, in addition to the concept of making sure that companies are actually granting these consumer rights that have been developed, there's also a whole host of compliance obligations that apply to businesses that are now subject to these laws. So, as I had mentioned, first and foremost, it's really important that companies review and refresh their external privacy notices and privacy policies. Those are really being viewed by regulators as the public contract that companies are putting out there into the public domain to say to consumers, this is what we're doing with your data, this is what we're collecting, these are the third parties we're sending it to, and this is how long we retain the data, et cetera. So the process of updating these notices and keeping them fresh and also making sure they comply with all the different state law requirements is really, really much more involved than it used to be. So I would say to all companies, if you have not reviewed your privacy policy in the past year, it's time to take it out again, review it, refresh it, and make sure you're aware of all the different states that you need to think about and requirements that need to be addressed. I'll also note that there are certain states, like with the Washington My Health My Data Act, where it's not just a general state consumer privacy law, but actually a state consumer health privacy law. That law is actually requiring a specific consumer health notice that's separate and apart from the general privacy notices. So some companies really need to look at that, because the thresholds for laws like the Washington My Health My Data Act are actually quite low in terms of the bar that's required to trip that law. 
So if a life sciences or digital health company does not have a consumer health privacy notice, it's probably something that is needed. Then, in addition to looking at notices and policies that are available externally, a company really needs to look at what affirmative opt-in consents need to be rolled out, particularly for when there's processing of sensitive personal information. So really thinking through what are the different entry points for the data coming into the company and where there can be a point in time where those affirmative opt-in consents are received, particularly around the processing of sensitive personal information, is really important for pharmaceutical companies. Sometimes patient support program forms need to be updated, or for direct-to-consumer digital health companies, sometimes the app flow needs to be updated to actually get that affirmative consent up front. So all those things really need to be analyzed and looked at. And then you need to really think about what specifically we are asking people to agree to. Then, further, most of these laws create an expectation that an organization will not just itself safeguard the information and keep it confidential, but that it will actually impose those requirements on downstream vendors. So just like under HIPAA, where there's a BAA construct, in these state consumer privacy laws there's a concept of data processing addenda, where really the organization is telling its vendor these are the parameters by which you're allowed to process the personal information on our behalf, and this is how you're going to help us with responding to rights requests if we need to, and this is how you're not going to sell our data, et cetera, et cetera. So all those things are quite important to make sure that there's really an analysis of which vendors are receiving personal information that's in scope of these laws. And how do we make sure that those DPAs are put in place with those vendors? 
Then, you know, we have a few important new requirements coming out of California that are really important to take into account because I think they actually now are also setting a bar for the other states. So in particular, California now has a new data risk assessment process really focused on privacy impact assessments. And in other states, they're really called something like data impact assessments, et cetera. But in California, they'll actually now be moving forward with an annual reporting requirement where companies will need to state that they've done particular impact assessments to determine what the privacy impact is on consumers for particular data processing activities. So this is really a very new and very onerous requirement for companies to analyze, whenever there's a different processing activity, what data is involved in that processing activity, what's the ultimate intent, what's the benefit to the consumer, what's the benefit to the company, how do those things match up, what data impact mitigation steps have been taken, et cetera, and to determine whether the proposed data processing is appropriate. And there's now going to be a requirement that companies on an annual basis tell the California regulators how many data impact assessments they've done, keep them on file, and there could even be requests to review those data impact assessments. There are analogs in many other states around similar activities. And I'll note that in many of them, in different states, there are different thresholds for when an impact assessment needs to occur. I'd say what's important to note about California is that it's triggered anytime there's processing of sensitive personal information, and sensitive personal information includes health information. So for a lot of our clients in the healthcare or pharma or, you know, direct-to-consumer digital health space, they're triggering that threshold all of the time. 
So this is really going to be a bear to take on and something I'm trying to advise my clients to really take seriously. Relatedly, California is also going to require a security risk assessment where there is a review and an audit of a company's cybersecurity controls. And then similarly, there'll be annual reporting around whether that has been completed. I'm trying to make sure my clients, you know, to the extent they're in the legal or compliance or privacy side of the house, are in touch with their IT security and cybersecurity colleagues to make sure that they are aware of this new requirement, to make sure there's clarity around who's taking ownership for fulfilling this requirement, and then to make sure that it's carried out in an appropriate manner, because this will be another one where it's not just an internal exercise, but it's something that will have to be reported out in terms of its completion status. Then in addition to those things, I try to make sure that folks understand there are all these new requirements here and there, all these new expectations. It's really important that a company zooms out and makes sure that its internal data privacy and data security policies are all updated to reflect these new requirements. And in fact, to make sure that those policies are flexible enough to be updated over time as these requirements will continue to expand. So if a company's policies are stale, they likely need to really be looked at and updated again. If they haven't been looked at in the past year or so, it's likely time to look at them and update them. And then part and parcel of the updating of policies and procedures is then also updating training for staff. 
And obviously, not every employee in a company is going to need to know all the details of these laws, but it's really important that at the very least there is awareness within legal, privacy, and IT security around these requirements, and then key other groups that might have a role to play in informing how these laws will roll out. So you can see procurement, other IT functions besides IT security. Marketing and digital marketing is a huge area because there are a lot of restrictions around those activities under these laws. So it's important to have very detailed training for the core set of folks in a company, and then at the very least, have some lighter version of that training for the workforce more generally, so that it builds up that institutional awareness of what all these new laws are and what the company's obligations are. So we try to take really a two-tier approach: for folks that need that higher level of training, because they're the ones actually really helping to meet the compliance obligations, as well as just the workforce members more generally who need an awareness of it so that they can raise issues when they need to. Then, you know, in addition to undertaking all of these activities, I think it's really important that in the process of developing these compliance programs, the legal or compliance folks that are, you know, taking the lead on this, keep in touch with all their business owners. Because I'd say what's become very clear with all these laws is regulators expect companies to be on top of their own processing activities and analyzing things up front. So if there's not appropriate connectivity between the data, legal, or compliance teams and the business, things can really be missed all the time. 
So there has to be, you know, a new process of ensuring that there's more connectivity on the front end when there are new types of processing activities being contemplated, new vendors, new strategies, new data deals, et cetera, and making sure that those proposals are analyzed on the front end against these laws to make sure that the company is prepared to configure it in the appropriate manner or to update the policies in the appropriate manner, et cetera, to make sure that those new ideas are actually implemented in a compliant manner and that there are no surprises. So, besides that, you know, overall I know it can be actually quite overwhelming to take on all these new laws, but I've been telling my clients, do not make the perfect the enemy of the good here. It's really important to try to create a reasonable work plan that helps the company move towards, you know, defensible compliance with these laws rather than perfect compliance. So it's really important that at least some momentum is made towards having a defensible compliance program in this area, and then refinements can be rolled out over time. So I try to tell my clients: really first work on the big things, work on the notices, work on the DPAs, work on some of these initial assessments, and then keep layering on and improving as time goes on. And I think that approach has been really the best way to go about this because we can't go from zero to 60 on these laws. So we're trying to make sure that organizations come along and make as good progress as they can with the internal resources that are available and just with the capacity of the company. So that's my overview for today of the state consumer privacy laws. I appreciate all of you listening. If you have any questions, please do feel free to reach out. And again, that's Christine Moundas at Ropes and Gray. Thank you.

SPEAKER_00

If you enjoyed this episode, be sure to subscribe to AHLA Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit AmericanHealthLaw.org and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.