New Washington consumer health privacy policy guidance may complicate broader compliance efforts

Hogan Lovells

Adding to the growing list of heightened privacy and data protection requirements imposed on consumer health data and other categories of sensitive personal data, the Washington Attorney General recently updated its guidance on Washington’s My Health My Data Act’s notice requirements, explicitly requiring a standalone consumer health data privacy policy with its own link on websites and mobile apps.


Regulators and legislators are increasingly pursuing additional privacy and other protections for sensitive data, including consumer health data. Since Washington’s passage of its My Health My Data Act on April 27, 2023, Nevada also passed a consumer health data privacy law, and Connecticut amended its consumer data privacy act to impose similar transparency requirements and restrictions on the use and disclosure of consumer health data. Already this year, Vermont has proposed Vermont Senate Bill 173, which is largely aligned with the Washington law, and the Washington Attorney General’s Office updated its guidance on the notice requirement under Washington’s law (the “Guidance”). Washington’s requirements become effective on March 31, 2024, and violations of the Act are considered violations of the Washington Consumer Protection Act, which is enforceable by the Attorney General and through private action.


A standalone consumer health data privacy policy that addresses only Washington’s requirements.

Washington’s My Health My Data Act requires that a regulated entity or small business maintain and prominently post on its homepage a consumer health data privacy policy that “clearly and conspicuously discloses” certain information about the consumer health data processed. This includes: (1) the categories of consumer health data collected and the purpose of such collection, including how such data will be used; (2) the categories of sources from which consumer health data is collected; (3) the categories of consumer health data shared; (4) the categories of third parties and affiliates with whom consumer health data is shared; and (5) how consumers can exercise their rights under the law. The Guidance clarifies that this consumer health data privacy policy must be a standalone policy as it “may not contain additional information not required” by the Act.

To compare, laws governing consumer health data in Connecticut and Nevada require clear disclosure of information about the consumer health data processed in a privacy policy. But these laws do not expressly require a separate privacy policy for consumer health data, and their definitions and content requirements differ. For example, Nevada’s law requires the consumer health data privacy policy to disclose third-party tracking on the regulated entity’s website and online services, and Connecticut’s law requires inclusion of an active email address or other online contact mechanism. Because Connecticut’s and Nevada’s laws require different disclosures and may have a different scope than those required in Washington’s law, entities subject to these laws will need to carefully evaluate what state consumer health privacy laws apply to their activities and develop the appropriate privacy policies—which may now include a standalone Washington consumer health data privacy policy.


Separate and distinct links on certain pages of websites and mobile apps.

Washington’s My Health My Data Act requires that a link to the consumer health data privacy policy appear: (1) on the introductory page of a website and any webpage where personal information is collected; and (2) on a mobile app’s platform or download page and as a link within the app (e.g., on an “about” or “settings” page). According to the Guidance, these must be “separate and distinct” links to the Washington consumer health data privacy policy.

Although Nevada’s law requires a regulated entity to post a link to a consumer health data privacy policy on its “main” website, neither Connecticut’s nor Nevada’s law expressly requires the notice to be made available from a “separate and distinct” link.


Next steps

It appears the Washington Attorney General expects entities subject to Washington’s My Health My Data Act to develop and post a separate, Washington-only consumer health data privacy policy with distinct links to this policy on their websites and mobile apps by March 31, 2024. Companies will need to evaluate whether and how Washington’s My Health My Data Act applies to their operations and implement compliance measures, including publicly facing policies, accordingly.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
