By Mike Hintze
This is Part 8 in a series of blog posts about the Washington My Health My Data Act. Previous parts include:
This part discusses the notice obligations under the Act, which seem to require an entirely separate notice rather than changes to an entity’s existing privacy statement or privacy policy.
When it comes into effect, the Washington My Health My Data Act (MHMDA or the Act) will impose new privacy notice obligations on regulated entities. The Act requires specific privacy disclosures relating to data that meets the very broad definition of “consumer health data.” It appears to require regulated entities to draft, post, link to, and maintain a separate “Consumer Health Data Privacy Policy” that will be largely, but not entirely, redundant of their existing privacy statement(s).
Because the Consumer Health Data Privacy Policy will be publicly available and easily scrutinized by plaintiffs’ lawyers and the Washington Attorney General, mistakes in implementing this obligation are likely to be a key source of costly and disruptive litigation. Regulated entities will therefore need to take great care in meeting the Act’s notice requirements, which are, in some respects, unusual and unexpected.
Required Disclosures
The Act requires regulated entities to develop and publicly post a “Consumer Health Data Privacy Policy.” This document must contain the following elements:
1. The categories of consumer health data collected;
2. The categories of sources from which consumer health data is collected;
3. The purposes for which consumer health data is collected and used;
4. The categories of consumer health data that is shared;
5. A list of the categories of third parties with which consumer health data is shared;
6. A list of the specific affiliates with which consumer health data is shared; and
7. A description of how a consumer can exercise the rights of access, deletion, and withdrawal of consent (as provided in section 6 of the Act).
As practitioners who have drafted or reviewed privacy statements (also referred to as privacy policies or privacy notices) required under other privacy laws will readily recognize, nearly everything on this list is commonly found in most organizations’ existing privacy statements.
For example, the CCPA requires that a business have a “privacy policy” that includes, among other things, disclosures that are substantively equivalent to every item on the above list, except #6. Likewise, the EU GDPR requires that data controllers provide notice that contains nearly all of the above elements. Moreover, those laws (and others) specifically categorize health data as a special category of sensitive data such that such data is typically specifically called out in the privacy statements of organizations that process such data.
The result is that because most organizations are subject to a number of privacy laws across jurisdictions that require privacy notices, nearly every organization already must have a comprehensive, general privacy statement that describes nearly everything that must also be in a MHMDA Consumer Health Data Privacy Policy.
A List of Specific Affiliates
The one outlier in the MHMDA list of required disclosures is the list of “specific affiliates” with which consumer health data is shared. The scope of the requirement turns on the definition of “affiliate”, which is, in relevant part, “a legal entity that shares common branding with another legal entity and controls, is controlled by, or is under common control with another legal entity.” Thus, while every other type of third party with which data may be shared should be listed at the category level, those entities that meet the “affiliate” definition must be specifically listed.
This one is just weird. It’s counterintuitive and counterproductive, imposing a more burdensome requirement and putting a heightened focus on sharing with the one category of third parties that is likely to raise the fewest privacy issues. There is good reason why it does not appear in other privacy laws.
First, in light of the definition of “affiliate,” the requirement applies only to those affiliated entities that share common branding. From a transparency perspective, this gets it exactly backwards. The common branding already signals to consumers that these entities are closely related and that data sharing among them is likely. It’s the affiliates that lack common branding where consumers might not understand the relationship between them and where heightened transparency may therefore be warranted. But that’s not required here.
Second, the “common control” element of the definition also suggests that data sharing with such affiliates presents fewer privacy concerns than sharing with third parties where such control does not exist. Such entities often share common backend data systems, so “sharing” is indistinguishable from routine internal processing within a corporation. Often, such affiliates effectively operate as a single entity, under common policies and compliance programs. The fact that a corporation consists of multiple legal entities rather than a single legal entity typically does not affect how data is processed and protected. The common control enables a level of assurance with respect to data protection that does not and cannot exist when data is shared with other types of third parties.
Again, the requirement to hold this type of sharing to a higher transparency standard makes no sense and distracts from consumer disclosures that are more meaningful. Still, it is a requirement that regulated entities must now add to their notice obligations.
Categories of Consumer Health Data
One other required element of a Consumer Health Data Privacy Policy that potentially goes beyond what is currently required and common in privacy statements is the inclusion of “the categories of consumer health data collected.”
Other privacy laws require that privacy notices include the categories of “personal data” collected and processed, and organizations might list “health data” as one of those categories. However, given the very broad definition of “consumer health data” under the MHMDA, along with the implicit requirement that this broad category should be broken down into different subcategories in a Consumer Health Data Privacy Policy, regulated entities may have to rethink how they categorize the broad range of personal data that may qualify as consumer health data under the Act. At a minimum, they will likely need to describe health data both more broadly and more granularly than they currently do.
Fortunately, MHMDA seems to allow regulated entities significant flexibility in how they categorize and describe consumer health data. This flexibility is in contrast to California’s CCPA, which suggests that the categories of data listed should align with the statutory definition of “personal information” – constraining flexibility and leading to some very awkward descriptions. Nevertheless, while the MHMDA does not provide any similar direction on how consumer health data should be broken down into different categories, it may still be prudent to look to the definition of consumer health data for guidance. But regulated entities should be free to formulate and describe data categories in a sensible way that aligns with how they process data and that will be understandable and meaningful to consumers.
A Separate Notice Document
Given that most organizations already have a privacy statement that contains most of what is required in this new Consumer Health Data Privacy Policy, can they just add the list of affiliates to their privacy statements, expand on the categories of health data, and then call it good? That approach would be the simplest for regulated entities, and likely best for consumers as well, but unfortunately, it is risky.
While not explicitly stated, the clear implication of the statutory language is that the Consumer Health Data Privacy Policy is a separate document from the regulated entity’s general privacy statement. Thus, it appears that the notice requirements of MHMDA cannot be met by simply incorporating the required elements into the entity’s existing privacy statement.
Update: As noted in the update above, subsequent to this post, in early January 2024, the Office of the Attorney General (OAG) updated its (non-binding) guidance to clarify its position on this point. Specifically, FAQ 4 was changed to state that the Consumer Health Data Privacy Policy “may not contain additional information not required under the My Health My Data Act,” suggesting it must be a separate and distinct document from the company’s main privacy notice. Part 9 of this blog series discusses in detail the OAG guidance and its likely impact.
As a result, consumers are likely to be confronted with multiple, overlapping privacy notice documents when dealing with regulated entities. In addition to the Consumer Health Data Privacy Policy required by MHMDA, there will be a general privacy statement as required by multiple other privacy laws. There may also be a “notice at collection” as required by CCPA (although this can be incorporated into the general privacy statement). If the entity has some part of its operations covered by HIPAA, there will likely be a separate HIPAA privacy notice. The addition of the Consumer Health Data Privacy Policy creates or contributes to a confusing web of notice documents for the consumer to navigate. Those consumers who want the “full picture” will have to read through two or more privacy notice documents that are largely, but not entirely, redundant. The practical impact will be to frustrate consumers and make it more difficult to find the information that is most relevant to them. This approach of a separate notice is more likely to undermine transparency than to enhance it.
Companies that are committed to doing the right thing for consumers may have to get creative in how they meet these new requirements without burdening and confusing consumers. Unfortunately, with the private right of action under MHMDA, creativity and doing anything other than the literal requirements carries risk.
Link on the Homepage (and every other page)
The Act requires that there be a prominent link to the Consumer Health Data Privacy Policy on a regulated entity’s homepage. But “homepage” doesn’t just mean the main landing page of the regulated entity’s website. Like so many other terms in the Act, it is defined in a way that is much broader than its commonly understood meaning.
A “homepage” under the MHMDA is “the introductory page of an internet website and any internet webpage where personal information is collected” (emphasis added). Note that this definition says any page where “personal information” is collected – not just where consumer health data is collected. “Personal information,” in turn, is defined broadly to include, among other things, an IP address. Because an IP address is necessarily collected on each and every webpage (that whole “that’s how the Internet works” thing), under MHMDA, “homepage” means “every page.” Thus, the link to the Consumer Health Data Privacy Policy must appear on every page of a regulated entity’s website(s) – whether or not those pages have anything to do with the collection of consumer health data.
Further, the definition of “homepage” specifies that for apps, the link must be on the application’s “platform page or download page” and within the app itself.
While this requirement is not as technically difficult to implement as many of the other requirements under the Act, it will contribute to an increasingly cluttered list of privacy links that will be unnecessarily confusing for consumers. As discussed above, the growing number of privacy laws that require their own special privacy notices and links will create more consumer confusion and frustration, ultimately undermining the goals of transparency and consumer empowerment.
There may be some alternative approaches that regulated entities might want to consider, which assume some risk by relying on the fact that the statutory language does not explicitly say that the link must go “directly” to the privacy policy. Regulated entities must weigh the operational and consumer benefits of such alternatives against the risk of not taking the safest route of a dedicated, direct link to a Consumer Health Data Privacy Policy.
Update: As noted in the update above, subsequent to this post, in early January 2024, the Office of the Attorney General (OAG) updated its (non-binding) guidance to clarify its position on this point. Specifically, FAQ 4 was changed to state that there must be a “separate and distinct link” on the “homepage” (which is defined broadly to mean, in effect, every page). Thus, the more practical alternative suggested above would, at least in the view of the OAG, be noncompliant. Part 9 of this blog series discusses in detail the OAG guidance and its likely impact.
Go Broad and Future Proof
The Act includes other requirements that are tied to, and dependent upon, the content of the Consumer Health Data Privacy Policy.
Specifically, the Act requires regulated entities to obtain opt-in consent for any collection, use, or sharing of additional categories of consumer health data not disclosed in the policy and for any collection, use, or sharing of consumer health data for additional purposes not disclosed in the policy. Further, regulated entities cannot contract with a processor for any processing of consumer health data inconsistent with the Consumer Health Data Privacy Policy.
The implication of these two provisions is that regulated entities should make sure that the Consumer Health Data Privacy Policy is thorough, accurate, and broad enough to cover all current and anticipated data collection, use, and disclosure. Describing the data categories and purposes in broad, general terms, in addition to providing specific examples and details, may be one useful approach to help ensure that regulated entities are not later facing the need to get new consents and/or limit their use of processors.
Timing
As discussed in Part 4 of this series, the way effective dates were incorporated into the Act has created confusion and uncertainty. In particular, for certain sections of the Act, including Section 4, which sets out these notice requirements, the effective date of March 31, 2024, was added to only the first subsection of the section. The subsequent substantive subsections are silent as to effective dates. And under Washington law, when legislation is silent on effective dates, the requirements come into effect 90 days after the end of the legislative session. In this case, that would be late July 2023.
Thus, when read literally, it appears that the first subsection will come into effect March 31, 2024, but the subsequent substantive subsections will come into effect in late July 2023. But for the notice requirements of Section 4, such a literal reading leads to absurd results. For example, the requirement to have a consumer health data privacy notice is in the first subsection, with an effective date. Thus, the Act states that regulated entities need not publish a Consumer Health Data Privacy Policy until March 31, 2024. However, other requirements in that section, including the requirement to have a homepage link to the Consumer Health Data Privacy Policy, are silent on effective dates, and therefore could come into effect in late July 2023.
Does this mean that companies should post a link that goes to a page that says “coming soon”? Well, that might be the safest approach. But I suspect few companies will. The result of the literal reading of effective dates in this section is so ridiculous that it is likely courts confronting this issue would adopt a more sensible reading that is more aligned with what is the clear legislative intent to have the notice obligation – and those requirements that flow from it – come into effect next year. Further, plaintiffs would have a very hard time demonstrating any harm resulting from not having a link to nowhere.
Similarly, the other obligations under Section 4 are closely tied to the requirement to post the Consumer Health Data Privacy Policy, and it would be equally absurd to interpret those as coming into effect before the requirement to post the policy is in effect.
That’s not to say that plaintiffs’ counsel won’t try to argue an earlier effective date applies to some aspects of the Section 4 notice requirements. But in terms of risk-based compliance planning and prioritization, regulated entities may conclude that in light of the many other challenges with this law, rushing to get notice requirements implemented by July of this year need not be the top priority. Nevertheless, regulated entities should begin this and other compliance tasks as soon as possible because even a March 31, 2024, effective date does not provide a lot of time.
As noted above, future posts will discuss other aspects of the Act and the issues it raises.