Washington My Health My Data Act - Part 6: Data Subject Rights

This is Part 6 in a series of blog posts about the Washington My Health My Data Act. Previous parts include:

· Part 1: An Overview of the Act
· Part 2: The Scope of “Consumer Health Data”
· Part 3: The Scope of Entities & Consumers Captured by the Act
· Part 4: Effective Dates
· Part 5: Consent Requirements

This part discusses the rights consumers have under this Act, including a uniquely broad right of access, a right of deletion with few exceptions, a right to withdraw consent, and a right of non-discrimination.

 

The Washington My Health My Data Act provides consumers with several rights, including a right of access, a right to delete, a right to withdraw consent, and a right to not be discriminated against for exercising their rights. While each of these rights can be found in other privacy laws and so, at a high level, do not seem particularly surprising here, the ways they are included in this Act are unique, create uncertainty, and in some cases go well beyond what exists in any other privacy law.  As a result, regulated entities seeking to comply with them will face difficult, costly, and disruptive implementation challenges (and with respect to the deletion right, the potential for catch-22 situations where full legal compliance may be impossible). These challenges, along with the Act’s private right of action, set up a significant risk of expensive legal claims and litigation.

For each of these consumer rights, regulated entities must keep in mind just how broadly they will apply in light of the broad scope of “consumer health data” as discussed in Part 2 of this series and the broad scope of consumers covered by the Act as discussed in Part 3. Also, as described in Part 4, some of these rights and obligations may come into effect much sooner than intended - as soon as late July of this year.

Right of Access / Right to Know

Like many privacy laws, this Act includes a right of access. Specifically, it gives consumers a right to confirm whether a regulated entity is collecting, sharing, or selling consumer health data about them.  And it gives consumers a right to access such consumer health data in possession of the regulated entity. 

But this right of access goes further, by also giving consumers a right to receive “a list of all third parties and affiliates with whom the regulated entity … has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties.”

Because this additional element of the right, and corresponding obligation, is novel and goes beyond what other privacy laws require under a right of access or right to know, it will require regulated entities to develop and put in place new processes and tools to track data transfers in such a way that a list can be generated and provided to consumers who request it.

It is noteworthy that this requirement to provide a list and contact information includes affiliates as well as third parties. So, where a corporation consists of multiple legal entities that share common data systems, it is likely that the list to be provided to consumers will have to include the names and contact details of all such affiliates – even if those entities are not normally consumer facing (e.g., those established solely for purposes of internal operations, taxation, etc.) and do not normally provide a way for consumers to contact them.

Right to Delete

A right to delete is also a common element found in many privacy laws. And this Act gives consumers a right to have the consumer health data held by a regulated entity deleted upon request. But this deletion right goes well beyond what is found in any other privacy law, and as a result will create serious challenges and risks for regulated entities.

First, it is noteworthy that the federal HIPAA privacy rules do not include a right to delete, and this Act carves out data subject to HIPAA.  So, health data held by hospitals, clinics, doctors’ offices, pharmacies, and other HIPAA covered entities does not need to be deleted when requested by a consumer.  By contrast, subject to few exceptions, health data subject to this Act must be deleted upon request.

Further, the deletion right in this Act is unprecedented in two important ways.

First, it lacks the common-sense exceptions found in virtually every other privacy law. There is a limited exception in Section 12(3) for data necessary for certain security-related purposes. But the Act does not include other common exceptions, including where the data may be required to defend against legal claims, to enforce agreements, or to comply with legal obligations.

The fact that there is no exception where retention is necessary to defend against claims means that a consumer wishing to make a legal claim against a regulated entity can first use the access right to circumvent normal discovery procedures and gather the relevant data. Then, once the consumer obtains that data, they can use the deletion right to force the regulated entity to delete it and thereby deprive the entity of the information it needs to defend itself.

The lack of an exception for where data retention is required to meet legal obligations will put regulated entities in catch-22 situations in which meeting all their legal obligations is impossible. A deletion request may require regulated entities to choose whether they violate a legal retention obligation or violate this Act’s deletion requirement. Consumer health data may appear in records that must be retained for tax purposes, accounting and auditing purposes, or other required recordkeeping purposes. As noted in Part 5 of this series, even this Act itself has a data retention obligation that can come into conflict with its own deletion right / obligation.

The second way in which the deletion right goes well beyond other privacy laws and will create major challenges for regulated entities is that it includes a “passthrough” obligation whereby when a consumer makes a deletion request, the regulated entity must notify “all affiliates, processors, contractors, and other third parties with whom the regulated entity … has shared consumer health data.” And the recipient of such notification must delete such data. 

This passthrough obligation will obviously require regulated entities to put in place new procedures and mechanisms to be able to send such notifications of a deletion request.  And entities that receive consumer health data will likewise need to develop and implement new policies, procedures and tools that will allow them to receive and validate such notifications; to track the sources of data to be able to identify which data is subject to the deletion request; and to be able to purge such data from their systems. 

Beyond the operational challenges, this passthrough deletion requirement may result in deletion of data that the consumer neither intended nor desired, and/or that is contrary to the interests of the consumer.  Imagine that a consumer affirmatively asks Company A (a regulated entity) to transfer consumer health data to another service, operated by Company B (an independent third party) with which the consumer has a direct relationship. The consumer may later decide that it no longer wants Company A to retain the consumer health data, but it does want to continue to use Company B’s service which depends on having the consumer health data. When the consumer sends a deletion request to Company A, Company A has no option but to send a notification to Company B, and Company B has no option but to delete the data. Depending on the circumstances, this result could range from annoying to even dangerous and harmful for the consumer. 

Finally, the deletion requirement under the Act also applies to data archives and backups.  However, there is a longer deadline of 6 months to complete such a request. 

Right to Withdraw Consent

The Act gives consumers the right to withdraw consent for the “collection and sharing” of consumer health data.  But this right is broader than it appears on its face because, as described in Part 5 of this series, the term “collect” is defined to include any “processing.” Thus, the right to withdraw consent also applies to any use or other processing of consumer health data for which consent was provided. 

As also discussed in Part 5 of this series, the Act requires consent for any collection, sharing, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. As a result, many routine and benign data processing purposes may be based on consumer consent. Given the wide range of data processing that is potentially subject to consent, regulated entities will have to develop and put in place new mechanisms to receive and respond to such requests with respect to types of data processing that are not subject to such a right under other privacy laws. Thus, compliance with this obligation is likely to be costly and enormously disruptive to the operations of a regulated entity.

The right to withdraw consent also raises a number of questions that are unanswered in the text of the statute. Typically, a right to withdraw consent is forward looking, and does not apply to processing that occurred prior to the withdrawal. So, for example, if consent for sharing is withdrawn, the regulated entity should not share the data any further, but it does not affect previously-shared data. That would seem to be the most sensible interpretation, but the private right of action may incentivize plaintiffs’ lawyers to argue otherwise.

Further, if consent for collection is withdrawn, does that require the regulated entity to delete the data – or just stop using it for non-exempted purposes?  Certainly, if the data is still needed to provide a consumer-requested product or service, a withdrawal of consent for other processing would not require deletion.  But if it is no longer necessary, must a regulated entity delete the data?  If so, it would seem to render the deletion right redundant and superfluous since these two rights would have precisely the same effect. And courts often will gravitate towards interpretations that avoid determining that a provision of a law is superfluous.

So, there is significant uncertainty about the impact of this right. The full consequence of a right to withdraw consent is likely to be a question addressed in future litigation. 

Right of Non-Discrimination

The Act also provides for a right of non-discrimination by specifying that regulated entities “may not unlawfully discriminate against a consumer for exercising any rights” under the Act.  Curiously, this provision is in Section 5, which otherwise deals with consent requirements, rather than in Section 6 which sets out the consumer rights and how consumers can exercise them.

Unlike the CCPA non-discrimination right, however, this provision does not specify any details about what kind of discriminatory practices are prohibited. For example, under the CCPA, a business cannot deny goods or services, charge a different price, offer different discounts, or provide a different level of service in response to a consumer exercising rights such as opt-out or data deletion rights. Those examples caused a great deal of debate about whether the CCPA non-discrimination provisions would prohibit loyalty programs, club cards, etc. which necessarily involve different pricing or discounts. CCPA was amended to clarify that such programs, including financial incentive programs, are permitted subject to certain requirements. With this Act, there is no such specification of the kinds of differential treatment that may be prohibited. 

Importantly, this provision prohibits regulated entities from “unlawfully” discriminating. Arguably, the inclusion of that word makes this provision superfluous given that “unlawful discrimination” is already, well … unlawful.

However, there is a risk that courts may be inclined to avoid interpretations that give a provision of an Act no effect, and therefore may seek to give this provision some impact beyond prohibiting discriminatory conduct that is already unlawful. Will courts look to CCPA or other laws as a guide for the scope of this Act’s non-discrimination provision? Will they come up with something new? Or will they conclude that the inclusion of “unlawfully” really does mean that this provision has no substantive effect?

Procedural Requirements For Consumer Rights

Finally, the Act also sets out several procedural requirements that regulated entities must follow in receiving and responding to consumer requests to exercise their rights. Most are borrowed from other privacy laws and are not particularly noteworthy. These provisions address the need for a secure and reliable means for consumers to submit requests, the need to authenticate the consumer making the request, a prohibition on charging a fee for up to two requests annually, a 45-day deadline to comply with requests (which may be extended for up to another 45 days if reasonably necessary), and an appeal process for consumers whose request was denied. Regulated entities will need to ensure that their processes for receiving and responding to consumer requests to exercise their rights comply with each of these requirements.

 

As noted above, future posts will discuss other aspects of the Act and the issues it raises, including biometric data, notice obligations, and geofencing restrictions.