Washington State Imposes Far-Reaching Privacy Obligations for Consumer Health Data
Highlights
- Washington state's newly enacted My Health My Data Act regulates businesses that process "consumer health data." The breadth of that definition could bring numerous businesses within scope, such as retailers that offer over-the-counter medical products, fitness studios, and makers of health-tracking wearables and apps.
- The new law requires businesses to obtain consent to process consumer health data, unless it is necessary to provide a product or service, as well as an extra consent to sell or share the information. This could curtail the ability of businesses to use certain consumer information for advertising.
- The new law imposes an aggressive timeline for implementation of less than one year.
- There is a private right of action for violations of the new law, but litigants must show actual damages.
The Washington My Health My Data Act (the MHMD Act) was signed into law on April 27, 2023, creating new restrictions on the collection and disclosure of "consumer health data" by companies that conduct business in Washington or that process such data relating to Washington residents. Though billed as a law focused on a specific type of potentially highly personal information, the MHMD Act defines "consumer health data" (Health Data) broadly, regulating an array of businesses that will be subject to requirements similar to those in the California Consumer Privacy Act (CCPA). Arguably, the MHMD Act's requirements are more stringent in certain ways than those of any other existing state privacy law.
The MHMD Act also provides individual consumers with a private right of action to bring a claim against a business directly to recover any actual damages sustained, including reasonable attorney's fees. A court may triple the actual damages sustained, capped at $25,000.
Overview and Applicability
The MHMD Act applies to any entity that conducts business in Washington or that targets products or services to Washington consumers and makes decisions about the processing of Health Data. There is no minimum number of consumers whose data is processed or any revenue thresholds that trigger applicability; the scope includes small businesses and nonprofit organizations. "Consumer" includes both Washington residents whose Health Data is collected and any other individual whose Health Data is collected in Washington – but not individuals acting in an employment context.
The MHMD Act focuses on information not covered under the Health Insurance Portability and Accountability Act (HIPAA). Health Data under the MHMD Act means personal information that is "linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." The MHMD Act specifies that this definition includes:
- "Biometric data," which itself is defined broadly and includes voice recordings if an identifier template could be extracted
- "Social, psychological, behavioral, and medical interventions"
- "Reproductive or sexual health information"
- "Bodily functions, vital signs, symptoms, or measurements of" Health Data
Though the MHMD Act is thought to have been enacted to protect data related to reproductive health, the far-reaching applicability combined with broad definitions mean that the MHMD Act could apply in ways with little nexus to the law's intent. Some examples of businesses potentially covered by the MHMD Act include:
- a retailer that sells products such as over-the-counter medications, first aid items, feminine products or birth control – even if these sales are a small part of their business (such as hotel gift shops, the corner store, the grocery store)
- a fitness studio that collects information about injuries experienced by participants in a class or tracks individuals' fitness progress
- a business that collects any Health Data on its website and allows adtech companies to embed pixels that track engagement for the ads
- a mobile app business that facilitates tasking third parties to shop for and deliver products from the above-mentioned retailer
- a business that sells a wearable fitness product (e.g., a watch or ring)
Requirements and Restrictions
The aim of the MHMD Act is to provide consumers with a choice regarding the disclosure of their Health Data and, in doing so, to restrict access to such data by entities or individuals who may use it to target or profile the consumer. The MHMD Act uses concepts similar to those in the new U.S. state comprehensive consumer privacy laws, but applies them in more restrictive ways and with fewer exceptions:
- Consumer Health Data Privacy Policy: Entities must create a Health Data privacy policy (presumably, one that is separate from their existing privacy policy).
- Consent for Collection and Sharing: Unless the collection is necessary for the provision of a product or service, opt-in consent for collection of Health Data is required. Health Data may not be "shared" with a third party without a separate and distinct consent, unless sharing is necessary to provide the product or service. Sharing is a disclosure to a third party that is not made for valuable consideration, and a third party does not include a processor who acts on behalf of the business.
- Valid Authorization for Selling: Entities must obtain a separate and distinct "valid authorization" from the consumer to "sell" Health Data for monetary or other valuable consideration. The authorization must contain very specific elements, including the specific Health Data to be sold, the name and contact information of the entity purchasing the Health Data, and an expiration date; the authorization expires one year from when the consumer signs it.
- Geofencing Prohibited: The MHMD Act strictly prohibits the use of geofencing – a practice which identifies whether a particular device is in a certain geographic area – if it is used to "identify or track consumers seeking health care services; collect [Health Data] from consumers; or send notifications, messages, or advertisements to consumers related to their [Health Data] or health care services." There is no option to allow consumers to opt in.
- Restricted Access: Access to Health Data must be limited to those who need access to enable the lawful processing.
- Vendor Management: If a vendor will process the Health Data on behalf of a business, a written contract must be in place that sets forth data use limitations.
- Access and Deletion Rights: Consumers have the right to request access to or deletion of their Health Data. In response to an access request, businesses must provide a list of all third parties and affiliates who receive the Health Data from the regulated entity, including a valid email address or other online mechanism to contact such third parties. There are no exceptions to deletion requests for circumstances under which other laws or regulations require records to be retained, creating tension where data is subject to a retention obligation or legal hold.
The law goes into effect on March 31, 2024, but small businesses have three additional months to comply (by June 30, 2024).
Enforcement
The Washington Attorney General has the authority to enforce the MHMD Act as a violation of the Washington Consumer Protection Act (CPA), with monetary penalties of up to $7,500 per violation. Consumers can also bring a direct action for actual damages under the CPA with the possibility of treble damages, capped at $25,000; however, there are no set statutory damages.
Potential Impact
The inclusion of a private right of action in the MHMD Act will put pressure on businesses to take a conservative approach on what they consider Health Data to be – otherwise they could face a class action lawsuit for violation of the law.
Though the MHMD Act pulls concepts from state consumer privacy laws, such as the CCPA, it may actually be more similar in practice to the Video Privacy Protection Act (VPPA), which requires consent for the disclosure of information that identifies an individual as having requested access to a video product and provides a private right of action. The VPPA has recently spawned a number of class actions over how pixels are used to collect information on webpages where video content is viewed. Analogous suits could be brought where pixels are used to collect information on webpages that advertise consumer health products. The FTC has similarly emphasized, in its complaint and consent decree against BetterHelp, that the use of cookies and pixels to collect data for targeted advertising of health products and services requires opt-in consent. (See Holland & Knight's previous alert, "Lessons Learned from FTC Enforcement Action Against BetterHelp," March 6, 2023.)
Moreover, similar legislation is currently being considered in Nevada, Illinois, Massachusetts and New York. These other state bills have nuances that would create a new patchwork of state laws for Health Data and non-HIPAA regulated entities.
For more information or questions on the MHMD Act and its impact on businesses and consumers, contact the authors or another member of Holland & Knight's Data Strategy, Security & Privacy Team.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.