Privacy Law
THE WASHINGTON MY HEALTH MY DATA ACT: NOT JUST WASHINGTON (OR HEALTH)
VOLUME 1, 2024, PRIVACY LAW SECTION JOURNAL
Written by Mike Hintze*
Over the past several years, we’ve become accustomed to a rapid pace of change in the privacy law landscape, particularly at the U.S. state level. While there have been state privacy laws on the books for decades, the current era of seemingly weekly developments in state privacy law kicked off in 2018 with the adoption of the original California Consumer Privacy Act (CCPA). Since then, more than a dozen other states have enacted comprehensive privacy laws, typically with broad similarities between them, but with enough significant differences to keep things interesting. Further amendments and/or rulemaking related to those laws create what feels like a constantly moving target that is extremely challenging for those seeking to track, reconcile, and comply with them.
Earlier this year, a major development in Washington State further complicated this growing patchwork of state privacy laws. The passage of the Washington My Health My Data Act (MHMDA) is easily the most significant development in privacy law of 2023 and may be the most consequential privacy legislation enacted since the original CCPA.
The Act purports to be focused on filling a gap by protecting health data not covered by HIPAA, the federal law that protects the privacy and security of health data handled by hospitals, health care providers, and other enumerated “covered entities.” But the Act is very different from HIPAA, and it does far more than just fill gaps.
Further, the Act is extremely broad in terms of the types of data covered and the entities that are subject to it. As a result, many companies (and nonprofits) that don’t think of themselves as handling health data are surprised when they learn that they may be subject to the Act’s obligations.
Those obligations are extensive, in several cases going well beyond what we have seen with any other privacy law. The sweeping scope and extreme substantive obligations, combined with vague terms and a private right of action, make this Act extraordinarily challenging and risky for a very wide range of organizations.
This Act is a privacy law for which perfect, risk-free compliance may be impossible. As entities that are potentially covered by the Act prepare for the March 31, 2024, effective date (June 30 for small businesses), they will need to carefully consider those risks as they determine and prioritize their compliance steps and investments.
PRIVATE RIGHT OF ACTION
In addition to Attorney General enforcement, the Act includes a private right of action, enforceable as a violation of the Washington Consumer Protection Act. The presence of a private right of action is significant, particularly in light of the Act’s vague and open-ended language and near-impossible compliance standards.
Nevertheless, it is important to note that the Washington Consumer Protection Act does not include statutory damages, and to recover actual damages, a plaintiff needs to show both causation and an injury to the plaintiff’s “business or property.” However, the plaintiffs’ bar is nothing if not creative and aggressive, and it is highly likely we will see a wave of costly and disruptive lawsuits.
It remains to be seen whether Washington courts will start interpreting the “injury” requirement more permissively in light of the legislative intent behind My Health My Data Act. In the meantime, companies will have to take this possibility into account in determining their compliance strategies to mitigate the risk of litigation and nuisance claims.
THE SCOPE OF THE ACT IS SWEEPING
The Act’s definition of “consumer health data” can be interpreted to capture virtually any type or category of personal data about health, wellness, nutrition, fitness, or related topics–or that is used to infer such information. To give just one example, the definition includes “data that identifies a consumer seeking health care services.” Health care services means “any service provided to a person to assess, measure, improve, or learn about a person’s health.” One could argue that a wide range of data processed by search engines, grocery stores and other retailers, gyms, advertisers, and any number of other businesses could fall into this sweeping scope. There are also several other parts of the definition that are similarly broad and open-ended.
There are a few narrow exceptions, primarily for data used for certain approved peer-reviewed research in the public interest, deidentified data (if all the requirements for deidentification are met), and certain publicly available data. There are also exceptions for data that is subject to enumerated privacy laws, most notably HIPAA, GLBA, FCRA, and FERPA.
The Act also captures a wide range of entities. It includes any entity (including nonprofits) doing business in Washington or that provides products or services that are targeted to consumers in Washington. An FAQ on the Act published by the Office of the Attorney General suggests that “targeted” can mean merely being available in Washington. As such, in the absence of geo-blocking, it could capture a wide range of entities with little or no actual connection to Washington.
Likewise, the scope of consumers whose data is subject to the law is expansive—potentially global. Because of some odd and non-obvious definitions, the Act captures data about consumers who have no meaningful connection to Washington at all. The only connection required is that data about them is processed in Washington. It is worth noting that some of the largest global cloud service providers are headquartered in Washington, with significant data center footprints in Washington. Thus, a huge amount of data about consumers located outside of Washington is potentially processed in Washington. In light of the private right of action, this factor can dramatically affect the size of a potential class.
THE SUBSTANTIVE OBLIGATIONS OF THE ACT ARE EXTREME
The Act requires opt-in, GDPR-level consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. There is also a requirement for a separate opt-in consent for any “sharing” of consumer health data beyond what is required for a consumer-requested product or service—including any sharing with corporate affiliates. Note that “sharing” here has a normal English meaning of the word—not the odd advertising-specific definition found in the CCPA. Such consents cannot be inferred, bundled with other consents, obtained as part of a terms of use or other agreement, or obtained via deceptive design.
There is an even more onerous “authorization” requirement for data “sales.” Here, “sale” is defined in the way it is defined under the CCPA, which has been interpreted to include a wide range of data transfers—including nearly all third-party online targeted advertising. There is no reason to think that it will be interpreted any more narrowly here. The authorization requirement is extremely onerous, requiring a written and signed document including specific details of the data to be sold, the selling and purchasing parties, the use of the data by the purchaser, and several additional terms. The authorization lasts for only one year and is revocable by the consumer at any time. These requirements and limitations create such a burden that it is unlikely many companies will even attempt to seek an authorization to sell, resulting in a de facto prohibition on most activities that could constitute a “sale,” including much third-party targeted advertising.
Data subject rights include a right to know / right of access similar to that in CCPA and other laws. But the access right also includes a right to receive a list of all third parties and affiliates with which consumer health data has been shared, along with online contact information for each, which will likely require entities to create new processes to track, compile, and provide this information.
The deletion right is sweeping and goes well beyond what is required by any other privacy law on the planet. Specifically, the deletion right in the Act lacks the common exceptions found in every other privacy law that gives consumers a right to delete personal data. There is not even an exception for situations where retention of the data is required for compliance with law. This will put companies in an impossible position of determining which law they must violate when a consumer makes a deletion request.
The deletion right also includes a passthrough requirement to send a notification of the consumer’s request to all processors, affiliates, and third parties with which the consumer health data has been shared. And those processors, affiliates, and third parties have an absolute obligation to also delete the data (which goes much further than the similar passthrough notification in the CCPA).
The Act includes a notice obligation which requires the posting of a “Consumer Health Data Privacy Policy.” This notice must contain a list of enumerated disclosures, most of which will be redundant of the organization’s general privacy statement. One aspect that goes beyond what other privacy laws require is that the notice must include a list of specific affiliates with which consumer health data is shared. There is nothing in the Act that indicates it can be combined with the organization’s general statement. This could be interpreted to mean there must be a separate notice even if that is largely redundant of existing privacy notices. And with the requirement to include a link to the Consumer Health Data Privacy Policy from apps and every page on the entity’s website(s), the number of separate privacy links that may be required by different privacy laws continues to increase.
The Act includes a geofencing prohibition around any facility that provides “in-person health care services” where the geofence is used to (1) identify or track consumers seeking health care services, (2) collect consumer health data, or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. As already noted, the definition of “consumer health data” is broad such that it potentially includes virtually any personal data. Likewise, the definition of “health care services” is broad and includes any services “to assess, measure, improve, or learn about a person’s mental or physical health.”
As such, the prohibition on geofencing could apply to a very wide range of businesses and common business activities. For example, given such a broad definition, a grocery store that has in-store signage with nutrition tips could be seen as providing “in-person health care services.” So, if that grocery store uses a geofence to offer coupons through its app when a consumer enters the store, it could, depending on the facts, be seen as violating this prohibition. This is an absolute prohibition—there is no provision allowing the business to obtain consent from the consumer for such activity.
There are other requirements that are somewhat less noteworthy in that they more or less align with requirements found in other privacy laws that most entities must also comply with. Nevertheless, entities that may be subject to the Act should review all the substantive obligations to ensure they have considered and addressed how they will comply.
CONCLUSION
As with any new law, there are a number of unknowns about how this Act will be interpreted and enforced. However, that uncertainty is even greater here, as the Act breaks new ground by diverging dramatically from any other privacy law on the books, including adding new obligations that go beyond what any other privacy law requires and key definitions and terms that are ambiguous as to scope and requirements.
We will certainly learn more in the coming year as the Attorney General begins enforcement and plaintiffs bring cases. But in the meantime, companies and other entities subject to the law will need to make difficult decisions and investments in compliance.
In light of the uncertainties, there are a number of compliance options and strategies that entities may consider for this Act. Each entity will need to review the law and its data practices and put in place a plan based on its own assessment of risk, taking into account the nature of the data it processes, how it uses and shares it, the impact different compliance options will have on its operations and business objectives, its overall risk tolerance, and many other factors.
ENDNOTES
Mike Hintze is a partner at Hintze Law PLLC, a part-time instructor at the University of Washington School of Law, and a recognized leader in privacy and data protection law, policy, and strategy. You can read more of his writing on the Washington My Health My Data Act on the Hintze Law website at https://hintzelaw.com/MHMDA.