The Countdown to Complete Your Consumer Health Data Privacy Policy Under the Washington My Health My Data Act

K&L Gates LLP

Almost one year ago, Washington State passed the “My Health, My Data” Act (the Act), which aims to protect Washington consumer health data, particularly data related to reproductive healthcare. The Act is the first law in the country aimed at protecting the vast amount of health data that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA), encompassing data collected by wearables, certain retail purchases, and non-HIPAA telehealth services. The Act takes effect at the end of this month.

In preparation for the effective date of 31 March 2024, one of the most burdensome proactive compliance requirements is that a regulated entity[1] must publish a link to its consumer health data privacy policy on its homepage, which the Washington State Office of the Attorney General has clarified “must be a separate and distinct link on the regulated entity’s homepage and may not contain additional information not required under” the Act.[2] This means that simply adding a provision to an existing privacy policy is not enough to comply with the Act; regulated entities and small businesses need a new, stand-alone consumer health data privacy policy. Small businesses[3] under the Act have three additional months and must comply with this same requirement by 30 June 2024.

The consumer health data privacy policy must be published via a link on the website homepage and “clearly and conspicuously” disclose the following:

  • The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used by the regulated entity or small business;
  • The categories of sources from which the consumer health data is collected;
  • The categories of consumer health data that is shared;
  • A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
  • How a consumer can exercise their rights provided under the Act, including revocation of consent and requests for deletion.[4]

Importantly, the Act states that a regulated entity or a small business cannot collect, use, or share consumer health data for any other purposes not specifically disclosed in the consumer health data privacy policy unless the regulated entity or small business first: (1) discloses those additional purposes; and (2) obtains the consumers’ affirmative consent for such collection, use, and disclosure.[5]

A violation of the Act is deemed a per se violation of the Washington Consumer Protection Act, subject to enforcement by the Washington Attorney General. The Act also permits enforcement through a private right of action, with multiple questions as to the scope of such enforcement yet to be determined. Given that the Act is a landmark law, and that scrutiny of consumer data protection continues to increase (as demonstrated by recent FTC enforcement actions and data privacy class actions), we anticipate active enforcement of the Act by the Washington Attorney General and the plaintiffs’ class action bar.

[1] A “regulated entity” is defined under the Act as “any legal entity that: (a) Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data” and “does not mean government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.” RCW 19.373.010(23).

[2] https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.

[3] A “small business” is defined under the Act as “a regulated entity that satisfies one or both of the following thresholds: (a) Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (b) Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.” RCW 19.373.010(28).

[4] RCW 19.373.020.

[5] RCW 19.373.020.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising
