The Truth is Powerful
What Virginia’s New Privacy Law Means for Organizations in the Healthcare Industry
Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), i.e., the California Privacy Rights Act (“CPRA”)). While CDPA has fairly broad exemptions for entities regulated by other laws, such as HIPAA, there is also a new “opt-in” requirement for collecting “sensitive data.”
Our sister blog goes into a more detailed discussion of the requirements under Virginia’s law. Here, we cover highlights of the law relevant to companies operating in the healthcare space. Requirements for Collecting “Sensitive Data”
The CDPA requires “freely given, specific, informed, and unambiguous” consent (i.e., an opt-in requirement) in order for any entity or person to collect or process “sensitive data.” Among other itemized examples, “sensitive data” includes information revealing a mental or physical health diagnosis, as well as genetic or biometric data processed for the purpose of uniquely identifying a natural person. The CDPA’s definition generally aligns with the definition of sensitive data in the CPRA, which will create an “opt-out” requirement for sensitive data uses when it comes into effect in 2023.
In addition, the […]