To say there’s been a lot of new privacy law in the last decade is an understatement. For those of us who think we’ve “seen it all,” many of these new laws arrive and elicit a sense of challenge (for the optimists) or mild irritation and resignation (for the pessimists). But some new privacy laws are special. They arrive and, upon close reading, deliver a more notable emotional response from even a time-tested privacy lawyer. Disbelief when the first comprehensive GDPR draft emerged with a 72-hour breach notice requirement. Foreboding when Illinois delivered a private right of action with BIPA. Consternation when the California legislature dropped its problematic definition of “sale” in CCPA. Chagrin when California voters said, in effect, “hold my beer” and passed a ballot initiative with a definition of “share” that defies the dictionary.

The Washington My Health My Data Act, a new consumer privacy law passed by the Washington legislature last week and awaiting the governor’s signature, falls firmly in the “special” category. The Act is comprised of vague and broad terms tied to very challenging implementation requirements, and is capped off with a broadly-drafted  private right of action that includes statutory presumptions drafted in favor of prospective consumer litigants. This FAQ highlights critical aspects of the Act and explains why you would be right to peruse this law and feel an emotion resembling dread. Buckle up.

1. Aren’t you being a bit hyperbolic?

No. The My Health My Data Act is made up of vague and broad terms tied to very challenging implementation requirements, capped off with a comprehensive private right of action and statutory presumptions drafted in favor of prospective consumer litigants. The Act will apply to a wide variety of organizations, including HIPAA covered entities (see Section 5 below), small businesses (see Section 4 below), and organizations located entirely outside the state of Washington (see Section 2.c below). It also will apply to consumers residing outside Washington (see Section 2.i below).

2. Why is everyone freaking out about the Act?

Here we provide a (partial, because there’s only so much time in a day) list of causes for concern presented by the Act.  We dare you to read any item on this list and not freak out.

a. The Act is VERY broad. For example, it applies to data you probably don’t think of as “health data.”

Many of the core terms of the Act rely on broad conceptual language followed by a non-exclusive list of examples. For example, “consumer health data” is defined by first providing a broad concept: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The definition then goes on to provide a non-exhaustive list of examples:

“For the purposes of this definition, physical or mental health status includes, but is not limited to:

• Individual health conditions, treatment, diseases, diagnosis;
• Social, psychological, behavioral, and medical interventions;
• Health-related surgeries or procedures;
• Use or purchase of prescribed medication;
• Bodily functions, vital signs, symptoms, or measurements of the information described in this [definition];
• Diagnoses or diagnostic testing, treatment, or medication;
• Gender-affirming care information;
• Reproductive or sexual health information;
• Biometric data;
• Genetic data;
• Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
• Data that identifies a consumer seeking health care services; or
• Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in [the list above] that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).”

Based on its plain language, that definition could capture data identifying a consumer as having purchased oil-free moisturizer or deodorant (the output of pores and sweat glands each qualifying as a “bodily function”), data regarding a consumer’s location or movement that could “reasonably” indicate he or she was in or near a place that offers vitamins or condoms for sale (a potential “attempt” to “acquire . . . health supplies”), and any information that is not independently indicative of health, but was processed to associate or identify a consumer in connection with any other covered health data.  This broad definition of the term “consumer health data,” along with similarly broad definitions of other key terms that include non-exhaustive lists of examples, such as  “personal information,” “health care services,” “reproductive or sexual health services,” “gender-affirming care,” “genetic data,” and “biometric data,” will make it perpetually difficult to set a clear scope for your organization’s compliance obligations.

b. The Act has a private right of action that applies to ANY violation. It is MUCH broader than the CCPA private right of action, which arises only from security breaches.

The Act provides that any violation of its requirements will constitute a violation of the Washington Consumer Protection Act. That statute is enforceable by the Attorney General and via private right of action. There is a $7,500 limit on damages awarded for a violation, but treble damages also are available up to $25,000. Class actions will multiply these caps.

The Act also expressly states that “the practices covered by [the Act] are matters vitally affecting the public interest for the purpose of applying the consumer protection act” and that a violation “is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act.” These statements appear to be intended to provide potential plaintiffs with presumptions in support of their lawsuit under the Washington Consumer Protection Act.

The presence of a private right of action, and the plaintiff-friendly statements regarding the Act’s purposes, will incentivize the plaintiffs’ bar to file suits testing every boundary and problematic interpretation we share in this post, and all the ones we didn’t share. As a result, conservative interpretations are warranted.

c. The Act applies to organizations outside Washington.

The Act applies to any “regulated entity,” defined as any legal entity that either “conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington” (emphasis added) and “alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Governmental entities are excluded (of course).

As a result, an organization located entirely in New York that provides and advertises a consumer-facing app to Washingtonians could be covered by the Act if that app collects covered data as described in Section 2.a, such as step tracking and calorie counting features.

d. The Act applies to all “consumer health data” collected in Washington, regardless of the consumer’s residency.

Covered consumers include Washington residents, as well as “natural person[s] whose consumer health data is collected in Washington.” If the New York business described in preceding point collects the step and calorie counts of a North Carolinian roaming around Seattle, that data and associated identifiers would appear to fall in scope of the Act.

It gets worse. The Act defines “collect” to mean “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data  in any manner.” So “collect” actually means “process.” Therefore, any organization processing consumer health data in Washington will be covered by the Act.

But don’t worry, not many businesses rely on Washington-based cloud providers for their data processing needs.

e. The Act requires specific, informed, voluntary, opt-in consent prior to any collection or sharing of consumer health data, unless the collection or sharing is “necessary” to deliver a product or service or service the consumer requested. That consent can be withdrawn at any time and may not be combined with other consents.

The impact of these consent requirements will be extensive. For example, a wellness app that supports weight loss may offer consumers an option to import data from other health apps on their phone. Is that data collection and sharing “necessary” to deliver a service the consumer requested? If not strictly necessary, then, under the Act, each participating app provider will need a specific, informed, voluntary opt-in consent from the consumer. Each of those consents must be presented separately since the Act explicitly prohibits combining them.

f. The Act also requires specific, informed, voluntary, opt-in consent prior to collecting, using, or sharing a type of consumer health data, or for a purpose, that was not disclosed by the required privacy policy. That consent can be withdrawn at any time.

The Act requires covered organizations to post a privacy policy linked to their home pages with specific disclosures somewhat reminiscent of CCPA. The Act prohibits collecting, using, or sharing additional categories of consumer health data that were not disclosed by that privacy policy, unless the consumer provides prior affirmative consent. The Act also prohibits collecting, using, or sharing consumer health data for purposes that were not disclosed by that privacy policy, unless the consumer provides prior affirmative consent.

Taken together with the requirements summarized the preceding point, prior opt-in consent will be required for:

• any collection or disclosure of consumer health data not strictly necessary to deliver requested products or services;
• collection of different consumer health data than was identified in the privacy policy;
• uses of consumer health data that are different than was identified in the privacy policy; and
• disclosures of consumer health data that were not identified in the privacy policy.

The Act therefore presents many opportunities for businesses to inadvertently fail to obtain timely or effective consent. And because consent can be withdrawn at any time, the Act also provides numerous opportunities to inadvertently continue processing data without consent.

It will thus be critical for covered organizations to develop an accurate, clear, and comprehensive privacy policy by the effective date (see Section 9 below) to mitigate the risk of triggering, or failing to abide by, these consent requirements.

g. The Act endows consumers with rights of access and deletion with virtually no exceptions, and a right of appeal.

The only meaningful exception to these rights, if the Act applies, is the regulated entity’s inability to authenticate the requesting consumer. As for deletion requests, a covered organization must delete the consumer health data, including from back up media within six months, and notify all “affiliates, processors, contractors, and other third parties with whom [it] shared consumer health data of the deletion request.” Covered organizations must develop an appeal process and provide a written explanation to the consumer if his or her request is denied on appeal.

h. The Act endows consumers with something resembling CCPA’s “right to know,” but worse.

Under the Act, “a consumer has the right to confirm whether a regulated entity  is collecting, sharing, or selling consumer health data . . . including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties.” Read that quote again, focusing on the emphasized portions. Take an aspirin and go to bed.

i. The Act has an absolute bar on geofencing that could prevent normal, unobtrusive business activities conducted with consumer consent.

The Act provides that “It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.”

There are multiple issues with this prohibition. First, there’s no consent exception, so covered organizations cannot rely on device-level opt ins to manage compliance—the typical method for managing consumer preferences related to location tracking. Without a consent exception, consumers cannot elect to participate in activities that would constitute geofencing, even with their full knowledge of and consent to its occurrence.

Second, the prohibition applies to “any person.” No organization or person, regardless of location or activity in Washington may geofence, so this prohibition purports to apply to parties located outside Washington. The bar will even apply to the entity that provides the health care services in question – such entities may not geofence their own premises.

Third, the prohibition applies to geofences “around an entity that provides in-person health care services” (emphasis added). The “entity,” apparently, need not even be located in Washington. As a result, the prohibition would appear to “follow” Washingtonians as they visit health care providers in any geographic location.

Obviously, the breadth and application of the prohibition is substantial. It will bar even useful, non-invasive services based on a consumer’s location in or near a facility providing health care services. For example, if a consumer has downloaded a health care provider’s app and arrives for an appointment, the Act would prohibit a provider from tracking the consumer’s location for the purpose of issuing a push notification once the consumer was on the provider’s property stating “You’ve arrived! Please visit Suite 300 for your appointment” merely to guide the consumer to the appropriate part of a mixed-use facility

j. Sales of consumer health data require a more robust authorization than HIPAA.

“Sale” is defined by the act much the same as in CCPA, but without the exceptions. For an organization to legally sell consumer health data, the consumer must provide a written, signed, dated authorization that includes several disclosures to the consumer, including the name and contact details of all the sellers and buyers of the data. So much for ad tech.

k. Other reasons we aren’t going to unpack in this already lengthy post.

Trust us, there’s more.

3. What about security and data breaches?

The law does not include a breach notification requirement, but other Washington laws do require breach notification and cover health information (using a different definition than this law, because of course they do).

Instead, the Act requires covered parties to implement security measures that “at a minimum, satisfy a reasonable standard of care within the regulated entity’s or the small business’s industry” considering the “volume and nature” of the data. It also requires need-to-know access for employees, processors, and contractors.

Those affirmative security obligations would not be the most worrisome part of this Act, until you consider their interaction with Washington laws that require proactive notification of data breaches and the Act’s private right of action.  The combination of those elements makes it likely that any breach notification sent under Washington’s breach notice law that even arguably involve health information  will kick off lawsuits alleging that the notifying organization violated the Act.

4. But surely there’s a threshold for the Act to apply, right?

Nope. The Act only provides a threshold to define “small business,” which delays most compliance obligations for those organizations until June 30, 2024. A small business is a regulated entity that either “[c]ollects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or…[d]erives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health  data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.”

5. Could the Act apply to HIPAA covered entities and business associates?

Yes. The Act includes an exception for “protected health information for purposes of [HIPAA] and related regulations.” “For purposes of” and “related regulations” are a bit imprecise, but more importantly, any information a covered entity processes about a covered consumer that is not PHI subject to HIPAA could be in-scope. Examples may include personal information pertaining to users who browse a website or app (but keep in mind DHHS OCR’s guidance on HIPAA’s application in the context of websites and related tracking), on-premises visitors, donors, and other persons who a covered entity properly treats as out of scope for HIPAA compliance.

Also worth contemplating: the Act’s applicability to PHI received pursuant to a HIPAA authorization. HIPAA authorizations are required to state that PHI may be redisclosed and is no longer protected by HIPAA. The Act’s drafters have evidenced a clear intent for the Act to apply to data that is not subject to HIPAA’s protections, so it follows they intended to cover PHI disclosed based on a HIPAA authorization and no longer subject to HIPAA. (Other exceptions in the Act may apply in narrow circumstances, such as PHI received in the context of certain clinical trials.) 

6. My business operates only as a service provider/processor. Do we have requirements?

Yes. And significant risk. Processors are required to limit their processing of consumer health data in a manner consistent with instructions in their contracts, and they must help fulfill a covered organization’s obligations under the Act (all of them) by “appropriate technical and organizational measures insofar as this is possible.”

If a processor processes data outside the scope of its instructions, the Act provides that the processor will be considered a regulated entity “subject to all the requirements of [the Act].” Presumably, a processor will not have presented the requisite privacy policy nor gathered the consents required of regulated entities, so failing to follow instructions in contracts, whether purposeful or inadvertent, will immediately expose the processor to liability and private rights of action.

7. Will I have to revise all my vendor contracts…again?(!!!)

Probably not, as the Act does not prescribe in detail the terms that must be included in those contracts, instead just requiring that  processors act pursuant to a “binding contract” that “sets forth the processing instructions” and meets other general requirements of the Act.

You might nevertheless  want to consider contract amendments given the Act’s flow down requirements associated with individual rights (see Sections 2.g and 6 above), the requirements that will be triggered if either party starts processing consumer health data for purposes not notified to consumers (see Sections 2.e, 2.f and 6 above), and the looming prospect of private rights of action propelling lawsuits.

8. Are nonprofits exempt?

No, at least not based solely on their nonprofit status.

9. What is the effective date?

The ban on geofencing (see Section 2.i above) will become effective for all regulated entities and small businesses in July 2023 (assuming the Washington legislature ends its session in April as scheduled). The effective date for the other provisions is March 31, 2024 for regulated entities other than small businesses, for whom the effective date is extended to  June 30, 2024,.

Those dates come with a caveat, however: The sections of the Act that specify a March 31, 2024, compliance date for regulated entities often associate that date to only the first provision of the section. That (we hope) drafting error could be interpreted to cause the provisions without a specified effective date to become effective 90 days from the close of the legislative session (expected to close in April, resulting in a July 2023 effective date). We have chosen to assume, however, the law will not be interpreted this way since concluding otherwise could lead to the mass resignation of privacy professionals everywhere.

10. Is there a cure period?

No.

11. Is there any good news?

Some, but it’s sparse. For example:

• “Consumers” entitled to the protection of the Act are natural persons who are Washington residents, or whose data is collected in Washington, “who act[] only in an individual or household context” and not “an individual acting in an employment context.” The Act therefore does extend to employees, and probably does not include people acting in a business capacity or as job applicants. But watch this space for clarification as inevitable lawsuits influence our understanding and interpretation of the scope and application of the Act.
• Small businesses get a little more time to comply (see Section 4 above).
• The Act does not create a new privacy agency, nor endow any existing agency with the power to implement regulations under the Act.
• There are several exemptions in the Act, such as the aforementioned exemption for PHI (see Section 5 above). These exemptions are usually tied to data types, rather than applying at the entity level, and so businesses that can take advantage of an exemption for some or most of the data they process (such as a university subject to FERPA) will still need to evaluate whether any parts of their operations handle data that is not subject to the exemption and therefore subject to the Act.