By Mike Hintze
This is Part 5 in a series of blog posts about the Washington My Health My Data Act. Previous parts include:
This part discusses the opt-in consent requirements for the collection, use, and disclosure of consumer health data under the Act.
When it comes into effect, the Washington My Health My Data Act will impose strict consent requirements on a wide range of common data collection and processing activities. In essence, the Act requires affirmative (opt-in) consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service.
The consent requirements of the Act are primarily set out in Section 5, but there are consent requirements also in Section 4 (Notice) and Section 9 (Authorization for Data “Sales”).
GDPR-Level (or Higher) Consent
The definition of “consent” establishes a requirement for GDPR-level consent:
"Consent" means a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means.
That definition goes on to further require that for consent to be valid, it cannot be obtained by a consumer (i) accepting a general terms of use or similar agreement, (ii) hovering over, muting, pausing, or closing a piece of content, or (iii) agreeing where such agreement was obtained though deceptive design. This language mirrors that found in other state privacy laws, with a welcome difference being the use of the term “deceptive design” rather than the more ambiguous and problematic “dark patterns.”
As discussed below, an even higher level of consent (or “authorization”) is required for any disclosure of data that would be considered a “sale” of consumer health data under the Act.
It is worth noting that the consent requirements of the Act are opt-in requirements, unlike the opt-out requirements found in many privacy laws (such as the CCPA). And unlike other privacy laws that do have opt-in consent requirements for certain data uses, this Act has opt-in requirements that apply to any uses beyond what is necessary to provide a consumer-requested product or services (discussed in detail below). Further, unlike other privacy laws that have consent requirements, this Act does not have exceptions or alternatives to consent for common, expected, or benign data uses. There is a limited security-related exception discussed below, but that does not cover a number of common, and in some cases essential, data uses. As a result, it is likely that consumers will be faced with a growing number of disruptive consent requests for common and expected data uses.
Note also that the Act also gives consumers the right to withdraw consent. Thus, any processing that relies on consumer consent could be halted by the consumer at any time.
Consent for “Collection”
Section 5 requires an entity to get consent to “collect” consumer health data unless the collection is “necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from” that entity.
This requirement is much broader than it appears on its face because of the odd and unexpected way “collect” is defined. As noted in Part 3 of this series, “collect” is much broader than its plain English meaning. In this Act, “collect” means: “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner” (emphasis added). So, “collect” includes any “processing.”
In turn, “process” means: “any operation or set of operations performed on consumer health data.” So, performing analytics on data is “collecting” that data. Sharing data is “collecting” that data. Deidentifying data is “collecting” that data. Disposing of data is “collecting” that data.
Editorial Note: As an aside, it is beyond frustrating when legislative drafters choose to use and define words in ways that are divorced from their usual meaning. It makes legislation needlessly opaque and puts those making good faith efforts to comply at increased risk of inadvertent mistakes. English is a rich language with plenty of perfectly precise and descriptive words avaialble to choose from that will foster transparency and understanding rather than the opposite. Please, legislative drafters, use them.
Given these definitions, this consent requirements should be thought of as consent for any “processing” of consumer health data beyond what is necessary to provide a consumer-requested product or service. Although the Act doesn’t use the term “secondary purpose,” this may be a useful shorthand for that processing which requires consent.
The unusual way “collect” is defined, combined with these strict opt-in consent requirements, can also lead to some harmful or absurd results. For example, because “collect” includes any “processing,” and “processing” includes any “operation” performed on consumer health data, as noted above, the act of deleting or disposing of data is an “operation” on that data and therefore a “collection.” So, unless deleting data is necessary to provide a consumer-requested service, it cannot be done without consumer consent. A specific request to delete data would constitute consent. But absent a specific consumer request to delete, this Act would seem to require regulated entities to retain consumer health data forever, even if they no longer have any use for it. A regulated entity might be able to argue that proactive deletion of data falls within the “security exception” (discussed below), but the burden is on the entity to justify that interpretation, so the safer course might just be to keep the data indefinitely. Of course, this result is contrary to privacy-protective principles such as data minimization and retention limitation. But it’s what a strict reading of the Act seems to require.
Finally, how narrowly or broadly the term “necessary” is interpreted will have an enormous impact on the scope of processing that may be permitted without affirmative, opt-in consent (i.e., what is considered a secondary purpose). The Act does not say “strictly necessary,” so there may be some leeway for reasonableness here. But that will surely be tested through litigation, and many regulated entities may not want to take that risk. At the very least, regulated entities will need to carefully consider their justification for any processing for which they do not obtain affirmative opt-in consent.
Separate Consent for Sharing
Section 5 of the Act goes on to require a separate consent for any “sharing” of consumer health data beyond what beyond what is necessary to provide a consumer-requested product or service.
Although, given the odd definition of “collect” described above, sharing is actually a subset of collection. Nevertheless, the Act specifies that consent for “sharing” must be “separate and distinct from the consent obtained to collect consumer health data.” So, if a regulated entity is sharing data for a secondary purpose, there may be a need for two separate consent experiences – one for collection / processing and one for sharing.
To understand the scope and applicability of this separate consent for sharing, it is important to note the definition of “share.” Under the Act, “share” means to:
release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or a small business to a third party or affiliate.
There are several elements of this definition that make the scope of “sharing” very broad. For example, it includes “make available.” So, for example, allowing third-party cookies or pixels on a website could constitute sharing, requiring opt-in consent. Note also that if such access could constitute a data “sale,” an even higher level of consent may be required, as discussed below.
The definition of “share” also includes disclosures to affiliates. So, within a large corporation that includes a number of distinct legal entities, access to common data systems or other routine data operations that involve sharing data among different subsidiaries could potentially require the opt-in consent of the consumer.
The definition of “share” does include some notable exceptions, such that disclosures to “processors” acting on behalf of the regulated entity is not sharing, nor are certain disclosures in the context of a merger, acquisition, bankruptcy, or similar corporate transaction. There is also a narrow exception for disclosures to third parties with which the consumer has a direct relationship where the disclosure is for the purpose of providing a consumer-requested product or service; but the narrowness of this exception along with certain other requirements make it unlikely to particularly useful.
There is also a general exception in the Act for security and related purposes, noted below, that may allow for certain data disclosures without consumer consent.
Consent for Collection or Processing Beyond What is Described in the Notice
Section 4 of the Act sets out requirements for a notice, referred to as the “Consumer Health Data Privacy Policy.” Among the requirements of that section are that a regulated entity must get consumer consent for any:
collection, use, or sharing additional categories of data not disclosed in the notice, and
collection, use, or sharing of data for additional purposes not disclosed in the notice.
Given that these consent requirements are tied to what is disclosed in the notice, regulated entities can mitigate the risk by making sure that their notices are sufficiently broad up front. And given the breadth of the consent requirements in section 5, it is unlikely in practice that these Section 4 consent requirements would trigger consent obligations beyond what would be required in any event.
Heightened Consent for “Sale” of Consumer Health Data
Finally, Section 9 of the Act requires an extreme level of opt-in consent for any “sale” of consumer health data. As with the consent to “share,” the consent to “sell” must also be separate from any other consents. Also, this consent requirement applies to any “person” and not just to “regulated entities,” which means it could potentially apply to an even broader range of companies, organizations, and even individuals.
“Sell” is defined under the Act in a way similar to CCPA definition of that term. The Act defines “sell” as “the exchange of consumer health data for monetary or other valuable consideration.” Note that under CCPA, the “other valuable consideration” phrase has been interpreted broadly so as to cover many activities not traditionally thought of as a sale of data – including nearly all third-party online targeted advertising. There is no reason to think that it will be interpreted any more narrowly here.
Any activity that could constitute a “sale” of consumer health data requires an “authorization” by the consumer. An authorization is a lengthy document that contains a long list of enumerated information and statements that must be signed and dated by the consumer. And such authorizations expire after one year. The written authorization must contain:
The specific consumer health data to be sold
The name and contact information of the seller
The name and contact information of the buyer
The purpose of sale
How the data will be gathered
How the data will be used by the buyer
Statements that:
The provision of goods or services may not be conditioned on data sale authorization
The consumer has right to revoke the authorization at any time
The data sold may be subject to redisclosure and may no longer be protected by the Act
How the consumer may submit a revocation
The date of signing
An expiration data that is 1 year from the date of signing.
The signature of consumer
A copy of the signed authorization must be provided to the consumer and both the seller and the buyer of the data must retain a copy of the authorization for 6 years.
Obviously, such a consent requirement is incredibly onerous – to such an extent that it is unlikely business would regularly seek such authorizations.
There is also a conflict within the Act that makes it even less likely any business would or should seek an authorization to sell consumer health data. Specifically, note that the authorization document must contain “the specific consumer health data concerning the consumer that the person intends to sell.” Thus, the authorization document will contain consumer health data. Further, the Act requires both the seller and purchaser of consumer health data to retain a copy of the authorization for 6 years.
However, Section 6 of the Act includes a consumer right to delete consumer health data which, as discussed in Part 1 of this series, does not have the common exceptions that deletion rights have in other privacy laws. In particular, there is no exception for where retention of the data is required by law. So, if a consumer, after signing the authorization, makes a deletion request, the business would be required to delete all consumer health data, which would include the authorization since it necessarily includes the relevant consumer health data. So, does the company violate section 6 by refusing to delete the authorization, or does it violate section 9 by failing to retain the authorization? It is impossible to comply with both.
For a plaintiffs’ lawyer, this would be an easy trap to spring – simply find a company that seeks authorization to sell consumer health data, provide such an authorization, then a few days later, make a deletion request … then just wait to see which provision of the Act the company violates.
For these reasons – both the burden of seeking such an onerous authorization and the litigation trap it creates – this authorization requirement is, in effect, a prohibition on data sales.
Further, given the breadth of what constitutes a “sale” (and taking into account the influence of CCPA precedent interpreting the similarly-defined term) this may, in effect, be a prohibition on targeted advertising using any data that could arguably constitute “consumer health data” – which as described in Part 2 of this series, is potentially a very, very broad range of data.
General Exception for Security-Related Purposes
The Act includes a relatively broad exception for any processing for certain security-related activities. Specifically, Section 12(3) provides that nothing in the Act restricts a regulated entity’s ability to:
collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.
This exemption presumably means that even if some data processing activity would otherwise require consent under the Act, a regulated entity can collect, use, or disclose that data without consent if it falls into one of these security-related purposes. However, this section goes on to state that if a regulated entity is relying on this exemption, “such entity bears the burden of demonstrating that such processing qualifies for the exemption…”
As a result of this and the other provisions addressing consent under the Act, regulated entities should carefully evaluate their justifications for any processing not relying on consumer consent.
As noted above, future posts will discuss other aspects of the Act and the issues it raises, including data subject rights and notice obligations.