Bloomberg Law

Patchwork of Privacy Laws Muzzle Medical Studies Across States

May 28, 2019, 8:51 AM

A wave of state privacy bills targeting tech giants like Facebook and Google is prompting warnings that the measures could mire biomedical research in red tape and slow innovation.

Since California enacted its privacy law, which takes effect in January, several other states introduced similar consumer data protection bills earlier this year, potentially creating a patchwork of state privacy laws. A federal law that has been bandied about in Congress is unlikely to happen before the 2020 election.

The state laws come as studies increasingly harvest data from wearable devices like FitBits and federal regulators try to lessen the amount of time researchers spend on paperwork.

The state legislative proposals don’t specifically target biomedical sciences, but as clinical studies both handle and generate personal health data, researchers and their institutions would have to follow these state requirements.

The same study will often take place in multiple locations, such as a breast cancer clinical trial from Pfizer Inc. that’s recruiting volunteers from Los Angeles to Detroit to Charleston, S.C. If more state privacy bills become law, researchers could face inconsistent requirements that could make it more expensive and time-consuming to run these studies.

“It portends a mess, maybe even a bigger mess than we have now,” John M. Conley, an intellectual property and privacy attorney in North Carolina’s Research Triangle, told Bloomberg Law.

New Data Rules

Clinical research is subject to a federal human subject protection regulation known as the Common Rule. Any research done in a hospital, clinic, or other provider that’s covered by the Health Insurance Portability and Accountability Act also must follow federal rules for ensuring the privacy and security of health information.

Most companies and universities working with scientists in Europe also must follow the European General Data Protection Regulation, which went into effect about a year ago. It requires companies to get clear consent from all their customers to process data and carries hefty fines of up to $23 million or 4 percent of a company’s revenues.

“Those three sets of requirements are different, but the principles are generally the same,” said Conley, who’s counsel with the firm Robinson Bradshaw and a law professor at the University of North Carolina-Chapel Hill. “Now, if you start injecting potentially 50 state views on research into the mix, inevitably, life gets more complicated.”

Genomics and biotech company 23andMe also is monitoring the various state bills, Adriana Beach, who’s the company’s corporate counsel for privacy, told Bloomberg Law. “I think it will be an exciting time, and good things are hopefully to come as it relates to customers having control over their data and really exercising privacy rights—whether they’re customers of 23andMe or some other service,” she said.

Copying California

The California Consumer Privacy Act (AB 375) gives consumers the right to know how much of their personal data is being collected by companies as well as the right to have that data deleted upon request. The European and California laws are similar, so GDPR compliance “gets a lot of companies almost to where they need to be,” Beach said.

Mountain View, Calif.-based 23andMe is best known for its direct-to-consumer genetic testing kits, but it also conducts in-house research on anonymous data sets and has collaborations with universities and drug companies like GlaxoSmithKline PLC.

For multi-site studies, a research sponsor will often have a separate data use authorization to comply with the California law, David Peloquin, a clinical research and health data privacy attorney in Ropes & Gray LLP’s Boston office, said. “Right now it’s really just California that’s driving that today, but if we have a proliferation of other laws, there may be more variations and forms.”


Since California passed its law in September, Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota, and Rhode Island started exploring similar bills, Peloquin said.

Navigating the Patchwork

The patchwork could become complicated for a company headquartered in one state collecting patient data from residents of other states, Peloquin said. “Which laws do they need to comply with? That’s the analysis that would have to be done,” he said.

That will make it more challenging for these multi-state studies to obtain and process data from those studies, Peloquin said. While there is an exemption for information collected in the course of a clinical trial, California’s law doesn’t define what counts as a clinical trial. It likely would include new drug testing, but it’s less clear if it would cover observational studies.

Meanwhile, the Food and Drug Administration has been pushing for more studies that don’t fall into a traditional clinical trial, such as those generating evidence from real-world sources such as wearable devices and electronic health records.

“A lot of research is not a clinical trial,” Peloquin said. “With a push toward real world evidence, we see an increasing importance of non‑clinical trials.”

Many laws are trying to clone California’s to some extent, he added. “Unless those laws do a better job of like defining terms like ‘clinical trial,’ I think there’s going to be a lot of confusion.”

Researchers already spend about 42 percent of their time on administrative tasks. Both the 21st Century Cures law and the revisions to the Common Rule that took effect in January set out to reduce administrative burden for scientists.

“Doing health-related research is a daunting, bureaucratic task. Are you going to make it even more daunting to the point of it just overwhelmingly complicated?” Conley said.

To contact the reporter on this story: Jeannie Baumann in Washington

To contact the editors responsible for this story: Fawn Johnson; Andrew Childers