On April 17, 2023, the Washington State Legislature passed the “My Health My Data Act” (WMHMDA or the Act), which took effect for most companies March 31, 2024. Unlike other modern state privacy laws that purport to regulate any collection of “personal data,” WMHMDA confers privacy protections only upon “consumer health data.” This term is defined to include any data that is linked (or linkable) to an individual and that identifies their “past, present, or future physical or mental health status.” As the statute is not intended to apply to HIPAA-regulated entities or employers, there is some confusion regarding its scope (i.e., which companies may be collecting consumer health data) as well as its requirements. Specifically, the Act refers to data that might “identify” a consumer seeking a service to improve or learn about a consumer’s mental or physical health as an example of consumer health data. As a result, organizations that traditionally do not consider themselves to be collecting health data, such as grocery stores, newspapers, dietary supplements providers, and even fitness clubs, are uncertain whether the Act may be interpreted to apply to them to the extent that someone seeks out such companies either for information about health or to improve their health.
While courts have not yet been presented with a case under the statute, and the Office of the Washington Attorney General has provided little guidance, plaintiff law firms have already begun seeking individuals who had visited pharmaceutical company websites as well as other medical related providers (e.g., testing companies) to serve as plaintiffs in litigation. While it remains unclear what substantive provision within the statute the law firms will allege was violated, the firms have signaled that pharmaceutical companies may be the first group of targets under the Act. As a result, pharmaceutical companies may want to ensure they are in full compliance with the Act.