(1)(a) Except as provided in subsection (2) of this section, beginning March 31, 2024, a consumer has the right to confirm whether a regulated entity or a small business is collecting, sharing, or selling consumer health data concerning the consumer and to access such data, including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties.
(b) A consumer has the right to withdraw consent from the regulated entity's or the small business's collection and sharing of consumer health data concerning the consumer.
(c) A consumer has the right to have consumer health data concerning the consumer deleted and may exercise that right by informing the regulated entity or the small business of the consumer's request for deletion.
(i) A regulated entity or a small business that receives a consumer's request to delete any consumer health data concerning the consumer shall:
(A) Delete the consumer health data from its records, including from all parts of the regulated entity's or the small business's network, including archived or backup systems pursuant to (c)(iii) of this subsection; and
(B) Notify all affiliates, processors, contractors, and other third parties with whom the regulated entity or the small business has shared consumer health data of the deletion request.
(ii) All affiliates, processors, contractors, and other third parties that receive notice of a consumer's deletion request shall honor the consumer's deletion request and delete the consumer health data from its records, subject to the same requirements of this chapter.
(iii) If consumer health data that a consumer requests to be deleted is stored on archived or backup systems, then the request for deletion may be delayed to enable restoration of the archived or backup systems and such delay may not exceed six months from authenticating the deletion request.
(d) A consumer may exercise the rights set forth in this chapter by submitting a request, at any time, to a regulated entity or a small business. Such a request may be made by a secure and reliable means established by the regulated entity or the small business and described in its consumer health data privacy policy. The method must take into account the ways in which consumers normally interact with the regulated entity or the small business, the need for secure and reliable communication of such requests, and the ability of the regulated entity or the small business to authenticate the identity of the consumer making the request. A regulated entity or a small business may not require a consumer to create a new account in order to exercise consumer rights pursuant to this chapter but may require a consumer to use an existing account.
(e) If a regulated entity or a small business is unable to authenticate the request using commercially reasonable efforts, the regulated entity or the small business is not required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.
(f) Information provided in response to a consumer request must be provided by a regulated entity and a small business free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the regulated entity or the small business may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The regulated entity and the small business bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
(g) A regulated entity and a small business shall comply with the consumer's requests under subsection (1)(a) through (c) of this section [(a) through (c) of this subsection] without undue delay, but in all cases within 45 days of receipt of the request submitted pursuant to the methods described in this section. A regulated entity and a small business must promptly take steps to authenticate a consumer request but this does not extend the regulated entity's and the small business's duty to comply with the consumer's request within 45 days of receipt of the consumer's request. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the regulated entity or the small business informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.
(h) A regulated entity and a small business shall establish a process for a consumer to appeal the regulated entity's or the small business's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within 45 days of receipt of an appeal, a regulated entity or a small business shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the regulated entity or the small business shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.
(2) A small business must comply with this section beginning June 30, 2024.