
3 Steps Privacy Experts Can Follow to Safeguard US Sensitive Data

Companies need to be more careful than ever when handling sensitive data. U.S. state privacy laws are multiplying, and both regulatory action and class action lawsuits have put companies collecting or sharing sensitive data without consent in the spotlight.

But what is “sensitive data,” actually? Privacy teams are facing a conundrum as there isn’t a single comprehensive U.S. privacy law or single agency responsible for its enforcement. Rather, privacy in the U.S. is regulated through a patchwork of legislation that includes 12 (active or pending) comprehensive state privacy laws and the Federal Trade Commission (FTC) Act. Beyond that, U.S. privacy laws are mostly sectoral, often addressing specific higher risk industries like health care, finance or education – for example, Children’s Online Privacy Protection Act (COPPA) or Health Insurance Portability and Accountability Act (HIPAA) at the federal level or Washington, Nevada and Illinois legislation governing health data or biometric data at the state level.

For senior governance, risk management and compliance (GRC) practitioners navigating this complex landscape, it’s important to understand the various definitions and requirements of U.S. sensitive data laws and recent examples of enforcement to operationalize practical approaches to sensitive data management. Follow these three steps to guide your organization’s data privacy strategy and document all the efforts you’re taking along the way.

1. Identify.

To help your company first define sensitive data, start with the definitions that overlap across the comprehensive state privacy laws. While there are some nuances from state to state, most of these privacy laws use similar categories to define sensitive data (racial or ethnic origin, citizenship or immigration status, etc.), which helps build a common language.

Once you’ve defined how sensitive data applies to your company, you’ll need to understand what is required if you are processing it. Under some state laws, the mere processing of sensitive personal information is enough to trigger the need to conduct a Data Protection Impact Assessment (DPIA), or other requirements like enhanced safeguards, enhanced disclosures and breach notifications if the data is exposed or shared without consent. Sometimes there are contractual requirements or consent rights to consider, and in other cases, there are outright bans or restrictions on processing entirely.

With those definitions and requirements in mind, you’ll then need to take inventory of the data you and your third-party partners are collecting. What types of data are you requesting, and from what sources? How are you using that data once it’s been collected? Who is it shared with and for what purposes? How long is it being retained? Do all of these practices align with what you’re telling customers? Simultaneously, ask the same questions of your third-party partners.

2. Assess.

Next, evaluate if the data you collect is sensitive or could trigger sensitive data laws and what level of risk you face. Which state, federal and/or sectoral laws do you need to make sure you’re complying with, given the kinds of data you collect and process?

Most state privacy laws require opt-in consent to process sensitive data, though a few like Iowa, Utah and California only require an option to opt-out. Consent is also required under several sectoral laws, which creates more challenges. For example, the Washington “My Health, My Data” Act, effective in March 2024, has many strict requirements that go above and beyond most state privacy laws, requiring granular consent to process sensitive data and written authorization if processing constitutes a sale. Because the law includes a private right of action, companies will need to be cautious about the possibility of litigation.

This Washington health-specific law also expands the definition of consumer health data to include health-related inferences derived or extrapolated from non-health data, such as bodily functions, vital signs and data identifying social and behavioral interventions. Since laws like this, as well as Nevada SB 730, require consent for sensitive data inferences, it’s important to remember that what may not appear to be sensitive data on its face could still trigger the law. For example, the Washington attorney general’s office FAQs state that assigning shoppers a “pregnancy prediction score” based on their purchase of certain products is considered sensitive data.

From that perspective, is your company combining data it collects with anything else that could reveal sensitive information, or can the data be used to generate sensitive inferences? If the answer is yes, you’ll want to determine whether collecting this type of data is necessary. Do the practical benefits outweigh the risks? Are there other ways you can achieve the same benefit without collecting sensitive data?

3. Take action.

Depending on what you find in your assessment, you can then implement strategies to reduce your level of risk and maintain transparency. For example, determine whether you can render the data neither identifiable nor sensitive by using Privacy Enhancing Technologies (PETs). You can also adjust your disclosures in public-facing documents to be upfront about your data collection and processing practices. In some cases, you may find it necessary to obtain consent before collecting further data, and that will require clearly communicating with users and ultimately respecting each user’s choice.

Compliance comes with high stakes – an alleged violation can expose your organization to penalties ranging from monetary fines and bans on disclosing data for advertising purposes to orders to delete all previously collected information, not to mention a tarnished brand reputation. Recent enforcement of sensitive data privacy sheds a whole new light on what even constitutes a privacy violation.

For example, the FTC has recently enforced the Health Breach Notification Rule (HBNR) against health apps like BetterHelp, GoodRx and Premom that weren’t getting consent for sharing health data with third parties for marketing and advertising purposes. Under the FTC Act, five tax prep companies have also been warned that they could incur civil penalties up to $50,120 per violation if they “misuse” personal data – using it for purposes other than what it was collected for without first obtaining consent.

Sensitive data has also generated heightened enforcement under some more general privacy laws. For instance, WebMD has been accused of violating the Video Privacy Protection Act by disclosing a plaintiff’s Facebook ID, email address, video detail and other information to Facebook when she watched videos on WebMD.com. In addition, a class action lawsuit alleged that Google “wiretapped” online tax preparation providers where the Google Analytics tracking pixel was installed and collected sensitive financial information like income, refund amounts, filing status and scholarship information.

While U.S. data privacy laws can be complex and nuanced, it’s important to have a foundational understanding of the various definitions, requirements and enforcements to stay in control of your data processing practices. As more states consider comprehensive privacy legislation, make sure to take a deeper look at how sensitive data applies to your organization.