Nevada SB 370 vs Washington My Health My Data Act: Three crucial differences
Posted: July 21, 2023
Nevada’s governor has signed SB 370 (NV Rev. Stat. § 598.0977), a health privacy law similar to Washington’s recently enacted My Health My Data Act (MHMDA).
But while it’s fair to describe Nevada’s new law as an MHMDA “copycat”, there are some important differences—some of which make Nevada’s law somewhat less demanding than its notoriously broad Washingtonian counterpart.
We explore the three key differences between Washington’s MHMDA and Nevada’s SB 370.
‘Consumer health data’ definition: Emphasis on ‘use’
Washington’s MHMDA has compliance teams scrambling to map their data flows, partly due to its broad definition of “consumer health data”.
But Nevada’s SB 370 is a little less daunting in this regard.
- The MHMDA defines “consumer health data” as including personal information that is “reasonably capable of being linked” to a consumer’s health status.
- Under SB 370, personal information is only “consumer health data” when a regulated entity actually uses it to identify the consumer’s health status.
In addition to the distinction above, Nevada specifically exempts data used to facilitate video gameplay and information about a consumer’s shopping habits.
This narrower scope makes it more obvious whether a company needs to comply with SB 370.
You might not even know whether you’re processing consumer health data under Washington’s definition—but you should certainly know what you’re using data for, per Nevada’s new law.
No ‘consent’ definition
One reason Washington’s MHMDA will hit certain companies so hard is the law’s “consent” definition.
Washington’s legislators clearly intended to provide a stricter consent standard than exists even under the EU General Data Protection Regulation (GDPR). But Nevada has taken the opposite approach.
- Washington’s MHMDA:
  - Requires consent to be a “freely given, specific, informed, opt-in, voluntary, and unambiguous agreement”.
  - Explicitly states that accepting “broad terms of use” does not count as consent.
  - Prohibits reliance on implied consent or “dark patterns”.
- Nevada’s SB 370 does not define consent.
So while Nevada’s law dictates when to get consent, the law does not specify how to get consent.
If the law is interpreted to allow manipulative or ambiguous requests to collect or share consumer health data, this might not be great news for Nevada consumers.
Private right of action
Both laws provide for enforcement by each state’s Attorney General. But one important enforcement aspect of Washington’s MHMDA is missing from its Nevada counterpart.
- Washington’s MHMDA provides a “private right of action”, enabling consumers to sue a company that violates the law under certain conditions.
- Nevada’s SB 370 does not have a private right of action, handing enforcement powers exclusively to the state’s Attorney General.
Together with its broad application and somewhat ambiguous definitions, the MHMDA’s private right of action should have in-house legal teams working some late nights to ensure they can stave off the inevitable class action claims from Washington consumers.
Some plucky law firms might try to sue under Nevada’s SB 370, but the law’s lack of a private right of action means such cases are unlikely to succeed.
But note that neither law provides a “notice and cure” period, so enforcement action under either state’s Attorney General is still a crucial consideration.