By Mike Hintze
This is the first in a series of blog posts about the Washington My Health My Data Act. It provides a high-level overview of the Act. Subsequent posts in the coming days will delve more deeply into individual aspects of the Act and the issues it raises.
Update: Here is a running list of each entry in the ongoing blog series:
Last week, the Washington State Senate voted to approve the “Washington My Health My Data Act,” a slightly modified version of the bill that was previously approved by the House. By all accounts, the Senate version of the Act will prevail through the reconciliation process and be signed by the Governor.
When signed, the Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. And arguably, it will be the most consequential privacy legislation enacted since the original California Consumer Privacy Act (CCPA) was adopted in 2018.
The Act purports to be focused on filling a gap by protecting health data not covered by HIPAA, the federal law that protects the privacy and security of health data handled by hospitals, health care providers, and other enumerated “covered entities.” But the Act is very different from HIPAA, in many ways being broader and having more onerous requirements. Thus, the Act creates enormous disparities in how personal data must be handled by HIPAA covered entities versus every other type of entity. As such, it does far more than fill gaps.
The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.
Key Elements of the “Washington My Health My Data Act”
Designed to protect the privacy of health data not covered by HIPAA, but is much broader
Covers a very wide (and ill-defined) range of personal data, entities, and consumers
Opt-in consent for any collection, use, disclosure, or other processing of data beyond what is necessary to provide a consumer-requested product or service
Extremely onerous authorization requirement for data “sales,” which creates, in effect, a prohibition on any activity that could constitute a “sale,” including third-party targeted ads
Data subject rights that go further than any other existing law in any jurisdiction, including a deletion right with virtually no exceptions
Unique notice requirements that seem to require separate and redundant privacy statements
A prohibition on geofencing around any facility that provides any services that meet a very broadly defined set of health care services
A private right of action, with presumptions benefiting plaintiffs, in addition to Attorney General enforcement
Comes into effect 31 March 2024 (for small businesses, 30 June 2024), or maybe sooner…
The Scope of the Act is Sweeping
The Act has a definition of “consumer health data” that could potentially capture virtually any type or category of personal data. The scope could encompass any data that could arguably be related to health, wellness, nutrition, fitness, or related topics. And because it includes data that could be used to infer such information, it may be hard to safely conclude that any personal data is out of scope.
There are a few narrow exceptions, primarily for data used for certain approved peer-reviewed research in the public interest, deidentified data (if all the requirements for deidentification are met), and certain publicly available data. There are also exceptions for data that is subject to certain enumerated privacy laws, most notably HIPAA, GLBA, FCRA, and FERPA.
The Act also captures a wide range of entities and consumers. It includes any entity doing business in Washington or that provides products or services that are “targeted” to consumers in Washington. Because “targeted” is undefined, it is an open question whether merely allowing consumers to access a website or online service that does not otherwise have any Washington-specific content or features will be enough. But it is likely that the scope will be interpreted broadly, capturing entities with little or no actual connection to Washington.
Likewise, with consumers, because of some odd and non-obvious definitions, the Act captures data about consumers who have no connection to Washington at all. The only connection required is that the data about them is processed in Washington. It is worth noting that some of the largest global cloud service providers are headquartered in Washington, with significant data center footprints in Washington. Thus, a huge amount of data about consumers outside of Washington is potentially processed in Washington.
Because of these provisions, this Act will have applicability that reaches far and wide beyond Washington State.
The Substantive Obligations of the Act are Extreme
The Act requires opt-in, GDPR-level consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. There is also a requirement for a separate opt-in consent for any “sharing” of consumer health data beyond what is required for a consumer-requested product or service – including any sharing with corporate affiliates. Such consents cannot be inferred, bundled with other consents, obtained as part of a terms of use or other agreement, or obtained via deceptive design.
There is an even more onerous authorization requirement for data “sales.” “Sale” is defined in the way it is defined under the CCPA, which has been interpreted to include a wide range of data transfers that would not normally be thought of as a data “sale” given the usual meaning of that word – including nearly all third-party online targeted advertising. There is no reason to think that it will be interpreted any more narrowly here. The authorization requirement is so onerous (and includes a provision that sets up a near certainty of non-compliance) that it creates, in effect, a prohibition on any activity that could constitute a “sale” including nearly all third-party targeted advertising.
Data subject rights include a right to know / right of access similar to that in CCPA and other laws. And there is a right of non-discrimination for consumers who request to exercise their rights.
But the deletion right is sweeping and goes well beyond what is required by any other privacy law on the planet. Specifically, the deletion right has virtually no exceptions. It lacks the common exceptions found in every other law with a deletion right. There is not even an exception for situations where retention of the data is required for compliance with law. This will put companies in an impossible position of determining which law they must violate when a consumer makes a deletion request.
The deletion right also includes a passthrough requirement to send a notification of the consumer’s request to all processors, affiliates, and third parties with which the consumer health data has been shared. And those processors, affiliates, and third parties have an absolute obligation to also delete the data. This is the case even if one or more third parties are providing a service to the consumer that the consumer wishes to continue and the deletion would be contrary to the consumer’s wishes and interests.
The Act includes a notice obligation which requires the posting of a “Consumer Health Data Privacy Policy.” This notice must contain a list of enumerated disclosures, most of which will be redundant with the organization’s general privacy statement. And there is nothing in the Act that suggests it can be combined with the organization’s general statement, creating a requirement of duplicate and redundant privacy notices. And with the requirement to include a link to the Consumer Health Data Privacy Policy on the company’s website homepage, that homepage will be getting awfully crowded with this link added to the multiple privacy links required by other privacy laws.
The Act includes a geofencing prohibition around any facility that provides in-person health care services where the geofence is used to (1) identify or track consumers seeking health care services, (2) collect consumer health data, or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. As already noted, the definition of “consumer health data” is broad such that it potentially includes virtually any personal data. Likewise, the definition of “health care services” is broad and includes any services “to assess, measure, improve, or learn about a person’s mental or physical health.”
As such, the prohibition on geofencing could apply to a very wide range of businesses and common business activities. For example, given such a broad definition, a grocery store that offers nutrition tips could be providing “health care services” and that store’s loyalty club app that offers coupons when entering the store could, therefore, be seen as violating this prohibition. And remember, this is an absolute prohibition – there is no provision allowing the business to obtain consent from the consumer for such activity.
The Act also includes fairly standard requirements for reasonable data security measures. The most noteworthy provision related to that is a very strict internal access control provision. Regulated entities must restrict access to consumer health data by employees, processors, and contractors to that which is necessary to provide the consumer-requested product or service or for the purposes for which the consumer provided consent.
Finally, the Act includes a number of provisions related to contracts between regulated entities and processors. The required terms do not seem incompatible with what is typically in data processor / service provider contracts today – terms designed to meet the requirements of GDPR, CCPA, and other privacy laws. But it may warrant another look, and possibly some modest updates, to processor agreements to make sure those contracts are sufficient for the purposes of this Act.
Private Right of Action
The Act includes a full private right of action, with presumptions benefiting plaintiffs, in addition to Attorney General enforcement. These enforcement provisions, combined with the vague and open-ended language and near-impossible compliance standards, will inevitably result in a wave of “gotcha” lawsuits that will be enormously costly and disruptive. Companies will have to take this risk into account in determining their compliance strategies to mitigate the risk of litigation and nuisance claims.
Effective Date
The Act purports to come into effect on 31 March 2024 for most regulated entities, and three months later, on 30 June 2024, for small businesses. However, due to what may be drafting errors in the version of the Act passed by the Senate, the Act could be read such that a number of the substantive provisions might come into effect much sooner. Unless fixed, there is a risk that these provisions – including the prohibition on geofencing, the right to delete, the opt-in consent for sharing, and others – will come into effect 90 days after the end of the current legislative session. Given the session is scheduled to end on 23 April 2023, this would mean these provisions could come into effect 22 July 2023. That conclusion is contrary to the stated legislative intent, but it is foreseeable that aggressive plaintiffs’ lawyers will not hesitate to test and exploit it.
As noted above, we will dive deeper into each of these areas and issues – and others – in the coming days. Watch for the next posts in this series.