By Mike Hintze
This is Part 4 in a series of blog posts about the Washington My Health My Data Act. Previous parts include:
· Part 1: An Overview of the Act
· Part 2: The Scope of “Consumer Health Data”
· Part 3: The Scope of Entities & Consumers Captured by the Act
This part discusses the effective dates of the Act. Spoiler alert: due to what one can only conclude is, at least in part, a drafting error, some of the substantive provisions of the Act may come into effect much sooner than expected.
Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State House, completing the legislative process and sending the Act to the Governor for signature (which is widely expected to happen). Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act.
In a rational universe, this would be a straightforward question, the answer to which would be simply stated in the legislation and easily determined by the reader. But that is, unfortunately, not the case here. In fact, although the Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024), many provisions could come into effect in July 2023.
In Washington, if legislation does not specify an effective date, the requirements of that legislation come into effect 90 days after the end of the session. The current legislative session is scheduled to end in just a few days – on 23 April 2023. As a result, if the session ends on time, in the absence of a specified effective date, the requirements of the Act would come into effect on July 22, 2023.
The original House bill did not specify effective dates. The Senate striker amendment stated an intent to add “an effective date of March 31, 2024, for regulated entities and an effective date of June 30, 2024, for small businesses.” That quoted language is taken directly from the summary of the effect of the amendment, which is found at the bottom of the amendment document. However, the way those effective dates were added is problematic.
In particular, the effective dates were added on a section-by-section basis, rather than as a separate section that applies to the entire bill. Specifically, effective date language was added to sections 4 through 9.
Notably, effective date language was not added to Section 10 – the geofencing prohibition. That means that the geofencing prohibition takes effect 90 days after the session, contrary to the stated intent of the amendment. It appears that this result, however, may have been deliberate.
Further, even in those sections where effective dates were added, the way dates were added in most sections makes the March 31, 2024 date seemingly apply to only the first paragraph of each section. Section 5(1) illustrates how the effective dates were added:
(a) Except as provided in subsection (2) of this section, beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except:
(i) With consent from the consumer for such collection for a specified purpose; or
(ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.
(b) A regulated entity or a small business may not share any consumer health data except:
(i) With consent from the consumer for such sharing that is separate and distinct from the consent obtained to collect consumer health data; or
(ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.
(c) Consent required under this section must be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose:
(i) The categories of consumer health data collected or shared;
(ii) the purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used;
(iii) the categories of entities with whom the consumer health data is shared; and
(iv) how the consumer can withdraw consent from future collection or sharing of the consumer's health data.
(d) A regulated entity or a small business may not unlawfully discriminate against a consumer for exercising any rights included in this chapter.
Because the effective date language is part of subsection (a) and forms part of the sentence that sets out the substantive requirement of (a), if read literally, that effective date applies only to subsection (a) and does not apply to subsections (b), (c), or (d). That means that the requirement of Section 5(1)(a) to obtain consent for “collection” comes into effect March 31, 2024; but the requirement of Section 5(1)(b) to obtain consent for “sharing” may come into effect late July 2023. Again, this is contrary to the stated intent of the amendment that added the effective dates, but it is what a literal reading of the section seems to require.
It is worth noting that after setting out parts (a)-(d) of subsection 5(1), subsection 5(2) then states: “A small business must comply with this section beginning June 30, 2024.” By placing the effective date for small businesses at the end, it is clear that this effective date does apply to the entire section. Thus, the discrepancy noted above affects only regulated entities that do not meet the definition of a “small business.”
Section 6, which creates consumer rights, also has the same discrepancy. As drafted, the right to access consumer health data does not come into effect until March 31, 2024. But it appears that the extremely onerous right to delete that data could be read as coming into effect much sooner – in late July 2023.
And there is a comparable problem in Section 4 (notice requirements) that creates an even more nonsensical result. The effective date language is similarly part of subsection 4(1)(a) – the section that requires regulated entities to have a “consumer health data privacy policy.” Thus, the requirement to have such a document does not come into effect until March 31, 2024. But subsection 4(1)(b), which requires regulated entities to post a link to the consumer health data privacy policy on the entity’s homepage, does not have an effective date and therefore seemingly comes into effect in late July 2023. Thus, between July 2023 and March 31, 2024, the Act appears to require regulated entities to post a homepage link to a document that need not yet exist. That creates an absurd result that seems to clearly indicate a drafting oversight.
Perhaps in an effort to be compliant, companies will add a homepage link which will take users to a page that says “coming soon.” Or, perhaps courts will interpret subsection (b) to require that the link go to the actual policy, thereby nullifying the effective date set out in subsection (a) and requiring that all of Section 4 come into effect in July 2023. Or, perhaps courts will recognize this as a drafting error and defer to the stated legislative intent, concluding that all of Section 4 comes into effect in March 2024. Of course, this uncertainty puts regulated entities in a very difficult situation of guessing how these discrepancies will be interpreted and gauging risks associated with the different possibilities.
There are similar drafting issues in Sections 8 and 9. Only Section 7 has added the effective date in a way that makes it clear that it applies to each subsection.
The following chart sets out the key substantive requirements of the Act and the effective dates that seem to apply to them.
| Substantive Requirement | Effective Date for Most Regulated Entities | Effective Date for Small Businesses |
| --- | --- | --- |
| §4(1)(a) Obligation to maintain a “consumer health data privacy policy” | March 31, 2024 | June 30, 2024 |
| §4(1)(b) Obligations to publish a homepage link to the consumer health data privacy policy | Late July 2023 | June 30, 2024 |
| §4(1)(c) Consent for collection, use, or sharing categories of data not disclosed in consumer health data privacy policy | Late July 2023 | June 30, 2024 |
| §4(1)(d) Consent for collection, use, or sharing for purposes not disclosed in consumer health data privacy policy | Late July 2023 | June 30, 2024 |
| §4(1)(e) Prohibition on contracting with a processor to process in manner inconsistent with consumer health data privacy policy | Late July 2023 | June 30, 2024 |
| §5(1)(a) Consent for collection of consumer health data for a secondary purpose | March 31, 2024 | June 30, 2024 |
| §5(1)(b) Consent for sharing consumer health data for a secondary purpose | Late July 2023 | June 30, 2024 |
| §5(1)(d) Prohibition on unlawful discrimination | Late July 2023 | June 30, 2024 |
| §6(1)(a) Right to know / right of access | March 31, 2024 | June 30, 2024 |
| §6(1)(b) Right to withdraw consent | Late July 2023 | June 30, 2024 |
| §6(1)(c) Right of deletion | Late July 2023 | June 30, 2024 |
| §6(1)(d)-(h) Procedural requirements related to consumer requests to exercise rights | Late July 2023 | June 30, 2024 |
| §7 Data Security | March 31, 2024 | June 30, 2024 |
| §8(1)(a)(i) Requirement for processor contract | March 31, 2024 | June 30, 2024 |
| §8(1)(a)(ii) Processor limit to processing consistent with contractual instructions | Late July 2023 | June 30, 2024 |
| §8(1)(b) Processor obligation to assist regulated entity in meeting its obligations | Late July 2023 | June 30, 2024 |
| §9 Consumer Authorization for Data “Sale” | March 31, 2024 | June 30, 2024 |
| §10 Geofencing Prohibition | Late July 2023 | Late July 2023 |
It would have been far cleaner and clearer if there were a separate section that simply stated that the effective dates of March 31, 2024 (for regulated entities) and June 30, 2024 (for small businesses) apply to each of the substantive sections of the Act (i.e., sections 4-10). Further, even if there had been an unstated legislative intent to have some sections come into effect sooner than others, the effective dates could have been added on a section-by-section basis in a much more straightforward way. For example, the last subsection of each section could have simply stated: “A regulated entity must comply with this section beginning March 31, 2024, except that small business must comply with this section beginning June 30, 2024.”
Unfortunately, the drafters instead added the dates in a way that seemingly creates a patchwork of effective dates that is contrary to the stated legislative intent and in some cases creates absurd results.
Further, because of Washington’s limited legislative schedule, there is no longer time in this session to introduce a new “clean up” bill to correct these (and other) drafting problems, leaving few avenues for a fix. And the next legislative session will not begin until January 2024 – too late to fix these issues with the effective dates.
This unfortunate approach to drafting leaves companies seeking to comply with the Act scrambling to comply with several highly onerous and costly obligations on a very short timeframe. The only alternative is to hope that they can fend off aggressive plaintiffs’ lawyers seeking to exploit this drafting issue and that the courts will ultimately conclude that the stated legislative intent should prevail. But that could prove to be a risky and costly gamble.
Update: Subsequent to this post, the Act was signed by the Governor with the effective date problems discussed here remaining. However, on June 30, the Office of the Attorney General (OAG) published important (albeit non-binding) guidance addressing the effective date issue. As expected, the OAG takes the position that only the geofencing prohibition takes effect in late July 2023, whereas all the other substantive requirements take effect on March 31, 2024 (except for small businesses which must comply beginning June 30, 2024). Part 9 of this blog series discusses this guidance and its likely impact.
In the coming days we will discuss other aspects of the Act and the issues it raises. In upcoming posts, we will look at consumer consent and authorization requirements, data subject rights, notice obligations, geofencing restrictions, and other topics raised by the Act.