By Mike Hintze
This is the third in a series of blog posts about the Washington My Health My Data Act. The first part provided a high-level overview of the Act. Part two discussed in detail the sweeping scope of “consumer health data” regulated by the Act. This part delves into other elements of the Act that determine its broad scope and impact: the range of entities and consumers that it captures. Future posts in the coming days will delve deeply into additional aspects of the Act and the issues it raises.
The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two quoted defined terms, “regulated entity” and “consumer,” also result in a very broad (and in some ways surprising) scope and impact.
What “Regulated Entities” are Covered by the Act?
The Act applies to “regulated entities” as defined in the Act. It is a sufficiently broad definition that most non-governmental entities may find themselves subject to the Act. The definition is as follows:
"Regulated entity" means any legal entity that:
(a) Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
(b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.
The definition goes on to specify that a regulated entity does not include “government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.”
Small Businesses
The Act also defines the term “small business” as another type of entity subject to the Act. However, the term “small business” is a subset of the term “regulated entity” and all obligations under the Act apply equally to small businesses and other regulated entities. The only difference in the Act is that for some provisions, there is a different effective date for small businesses. So, while the statute unnecessarily and redundantly refers to “regulated entities and small businesses” throughout, I will refer only to regulated entities in this discussion, which should be read as including small businesses.
Some Nexus to Washington State
The first prong of the regulated entity definition requires some nexus to Washington. But it is likely that this requirement will be interpreted broadly. Certainly, having a physical retail storefront in Washington will be enough. Shipping goods to Washington, engaging in a financial transaction with a consumer in Washington, having sales personnel or other employees located in Washington, and other activities with a nexus to Washington will also likely subject the entity to the Act. For online services, it may be debatable whether merely allowing users to access a website or online service that does not otherwise have any Washington-specific content or features will be enough. But that is an open question that will certainly be tested in the courts.
It is also noteworthy that the first prong of the definition applies to any entity that “produces” products or services targeted to Washington consumers – so it could apply to developers, OEMs, manufacturers, etc. if they process consumer health data – even if they are not the entities offering or providing the services directly to Washington consumers.
A Possibility of Geo-Blocking Washington Consumers?
It will be interesting to see if certain online services choose to begin geo-blocking online visitors from Washington or taking other steps to exclude Washington residents as a strategy to minimize the likelihood of being subject to class action claims under the Act – in much the same way some companies have blocked Illinois users from certain services (or at least the biometric features of their services) to avoid the litigation risk under Illinois’ Biometric Information Privacy Act (BIPA) because of that law’s private right of action.
Controllers and Processors
Although the Act does not use the term “data controllers,” the second prong of the regulated entity definition uses GDPR-like data controller language to limit the definition to an entity that “alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.”
This “data controller” part of the definition is important. All the obligations of the Act apply to regulated entities (controllers). But compared to most other modern privacy laws, the Act imposes relatively few obligations directly on processors (a term that is used in this Act).
A “processor” is defined as “a person that processes consumer health data on behalf of a regulated entity or a small business.” Processors are required to assist regulated entities in meeting their obligations. And processors’ use of consumer health data must be limited by the regulated entity’s instructions as set out in a contract. But the Act leaves quite a bit of wiggle room about how broad or narrow those instructions may be.
Large processors that use standard, non-negotiable contracts will likely impose “instructions” on their controller customers that give themselves sufficiently broad data use permissions. As a result, such processors may face significantly less impact (and risk) under this Act than those that act as “regulated entities.” However, processors should still pay close attention to the risks created by the Act.
Section 8 of the Act provides that if a processor exceeds the regulated entity's instructions “or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity,” the processor will become a regulated entity subject to all the obligations of the Act with respect to that data. Relatedly, because the Act borrows GDPR-like controller / processor language, it is possible that courts will look to GDPR interpretations as guidance. And, increasingly, there is a recognition in Europe that there is no such thing as an entity that operates purely as a data processor because even where a processor is mainly processing data on behalf of another entity, the processor inevitably uses such data for its own purposes, including meeting its own legal obligations – thereby making it a controller with respect to such activities. If such an interpretation is adopted under this Act, even those entities that mainly meet the “processor” definition and have broad contractual “instructions” may find themselves considered a regulated entity for at least some uses of consumer health data.
Entities Covered By Certain Other Privacy Laws
There are a number of exclusions in Section 12 of the Act, primarily for data covered by other enumerated privacy laws, including HIPAA, GLBA, and FERPA (and certain existing Washington state laws related to health care and insurance). And, as explained in part two of this series, while these are data-level exclusions rather than entity-level exclusions, certain types of entities regulated by these sector-specific laws (health care providers, financial services, and schools, for example) will find some or all of their data processing outside the scope of the Act.
What “Consumers” are Covered by the Act?
The second post in this series described the broad range of data types included, or potentially included, within the scope of “consumer health data.” Inherent in that term and its definition is that it is limited to personal data about a “consumer.”
“Consumer” is defined by the Act as follows:
"Consumer" means (a) a natural person who is a Washington resident; or (b) a natural person whose consumer health data is collected in Washington. "Consumer" means a natural person who acts only in an individual or household context, however identified, including by any unique identifier. "Consumer" does not include an individual acting in an employment context.
Employee Data and B2B Data Excluded
The last two sentences of this definition seem to exclude employees and B2B data. So, unlike the scope of “consumers” covered by the California Consumer Privacy Act, in this Act “consumer” actually means consumers as that term is typically understood, and not employees or business contacts.
Mere Processing in Washington is Enough
But unfortunately, not all terms in this definition are what they seem. In particular, the first sentence, which sets geographic boundaries on the scope of consumers covered, seems straightforward and unsurprising; but the scope of individuals this definition captures is much broader than it appears on its face.
The second prong of that first sentence captures any person “whose consumer health data is collected in Washington” (emphasis added). The non-obvious scope of the “consumer” definition is due to the Act confusingly defining “collect” as including any data “processing.”
"Collect" means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.
Thus, personal data of individuals with no connection to Washington could be captured by this law if that data in some way is processed in Washington. In other words, it is possible that if a resident of Florida makes a purchase at a store in New York owned by a company based in Texas, the information related to that purchase would be subject to the Act if that data is processed in a cloud server located in Washington.
Data Localization Implications?
It is noteworthy that some of the largest global cloud service providers are headquartered in Washington, with significant data center footprints in Washington. Does this mean that customers of cloud service providers need to start worrying about data location and transfers of data across state lines within the United States, with an aim of limiting the scope of potential liability by avoiding data processing in Washington? Such data localization measures may be advisable as a way to limit potential legal exposure under this Act. Will cloud service providers respond by offering an option to process data in data centers outside Washington state? Such results are certainly foreseeable and may be one of the stranger outcomes of this Act.
Likewise, will companies avoid hiring vendors, contractors, or remote employees in Washington state in order to avoid personal data processing in Washington that might not otherwise occur? That would be unfortunate, but again, is a foreseeable outcome of the risks and costs created by this Act.
As noted above, in the coming days we will discuss other aspects of the Act and the issues it raises. In upcoming posts, we will look at consumer consent and authorization requirements, data subject rights, notice obligations, geofencing restrictions, and other topics raised by the Act.