Washington’s new data privacy statute, “My Health, My Data Act” (“MHMD” or the “Act”), officially became fully effective on March 31, 2024, for regulated entities under the Act, while small businesses have until June 30, 2024, to comply. The purpose of MHMD is to protect consumers’ personal health data not otherwise protected by federal regulation, such as HIPAA. Businesses should be familiar with Washington’s preexisting biometric privacy law, RCW 19.375, and recognize MHMD’s coverage is far more expansive. MHMD regulates the collection, sharing, selling, and processing of “consumer health data.” It applies to entities that conduct business in Washington as well as those that provide services or products to Washington.
Notably, the Act does not regulate the collection of employee data like other privacy statutes. However, the scope of MHMD’s regulation expands far beyond traditional health data and biometric data, which has been the focus of many other data privacy statutes throughout the country. Unlike Washington’s biometric statute, MHMD can be enforced by private parties through a private right of action, in addition to the Attorney General. Consumers can sue for damages and other relief for violations of MHMD, which gives it the potential to spur class action litigation.
Who Is Covered?
The following key terms explain the scope of MHMD’s coverage:
Consumer: A “consumer” is defined to include Washington residents and any individual whose data is collected in Washington. These definitions mean MHMD seeks to regulate the collection of non-Washington residents’ data and businesses outside of Washington depending on the circumstances. It specifically excludes an individual acting in an employment context from the definition of a consumer.
Regulated Entities: MHMD applies to any entity conducting business in Washington and any entity that produces or provides products or services targeting consumers in Washington. MHMD also defines “small businesses” regulated by the Act, but other than the required implementation dates, the obligations imposed on small businesses appear the same as those imposed on other regulated entities. MHMD does not apply to government agencies or their service providers that process consumer health data. Unlike other data privacy statutes, entities are not excluded from the Act based on their revenue or non-profit status. “Exemptions” do exist under the Act based on the type of data collected. For example, deidentified data that cannot reasonably be linked to a particular individual and data protected by certain federal laws are excluded.
Collection and Processing: MHMD regulates the collection, sharing, selling, and processing of consumer health data. The terms “collect” and “process” are broadly defined. “Collect” means “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.” Similarly, to “process” includes “any operation or set of operations performed on consumer health data.” Neither of these definitions identifies the specific activities that are covered. Therefore, businesses should assume that any interaction with data regulated by the Act may be subject to its obligations until Washington’s Attorney General or its courts provide clarity. For example, the Attorney General’s office has clarified that the mere purchase of toiletries does not qualify as consumer health data, but an application that tracks someone’s digestion does collect consumer health data.
What Does “Consumer Health Data” Mean?
The term “consumer health data” includes a broad swath of data, which is any “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” Categories that qualify as “physical or mental health status” under MHMD include the following:
- An individual’s health conditions, treatment, diseases, and diagnoses;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures and diagnostic testing;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, and symptoms;
- Gender-affirming care and sexual health information;
- Biometric data and genetic data;
- Precise location information reasonably indicating a consumer’s attempt to receive health services or supplies; and
- Data identifying a consumer as seeking health care services.
In addition, any information that an entity or its data processor uses to associate a consumer with the data described above that is derived from non-health information qualifies as consumer health data, such as data inferred from machine learning methods.
What Obligations Does MHMD Impose?
Notice, Consent, and Restricted Use of Data: Among other requirements, entities must (1) obtain separate consents from consumers prior to their collection, sharing, or selling of the data; (2) enact a mechanism by which consumers can access or request deletion of their data and delete the data from their records, archives, and backups; (3) restrict internal access to the data; and (4) maintain a data privacy policy linked to their homepage with disclosures required by the act, including disclosure of third parties or affiliates that will receive the data and how consumers can exercise their MHMD rights.
Limitations on Regulated Entities’ Data Processors: To the extent an entity utilizes a third party to process data, MHMD requires a binding contract between the entity and its data processor detailing various obligations and limitations. If the processor fails to comply, it becomes subject to all the requirements in the Act. Notably, these obligations apply regardless of the location of the data processor.
Prohibitions on Geofencing: Beyond the requirements above, MHMD outright bans the use of a “geofence” around an entity that provides in-person healthcare services if the geofence does any of the following:
- Tracks consumers seeking healthcare services;
- Collects health data from consumers; or
- Sends messaging or advertisements to consumers related to health data or services.
A “geofence” within the meaning of MHMD includes technology that creates a virtual boundary within 2,000 feet of a physical location or locates a consumer within a virtual boundary using data such as GPS, cell tower, and Wi-Fi data. This ban has been in effect since July 23, 2023.
What Happens if an Entity or Data Processor Does Not Comply?
Washington’s Attorney General has already clarified that any violation of MHMD is considered a “per se” violation of the Washington Consumer Protection Act, RCW 19.86. Both Washington’s Attorney General and consumers can enforce violations of Washington’s Consumer Protection Act. Unlike Washington’s preexisting biometric act, MHMD does not include language limiting its enforcement to the Attorney General. Therefore, consumers can seek injunctive relief, damages, and attorneys’ fees. If MHMD follows Illinois’ Biometric Information Privacy Act (“BIPA”), then MHMD could lead to a wave of class action litigation. BIPA likewise allows a private right of action but differs from MHMD in that an individual can obtain statutory damages per violation of BIPA without showing actual harm. In contrast, Washington’s Consumer Protection Act requires consumers to show they suffered an injury to their businesses or property. The interpretation of an injury with respect to MHMD remains to be seen and will likely be the subject of litigation.
What Should I Do Next?
If your business has not done so already, there are various considerations any entity handling or utilizing personal data should make.
Compliance: Any entity that believes it may collect or use a technology that collects any of the types of data qualifying as “consumer health data” should immediately review its policies and procedures and consult legal counsel. As discussed above, some of MHMD’s obligations may require a business to establish new methods for the handling and use of data, better understand the technologies it may be using, and revisit its relationship with certain vendors. Any entity that processes data regulated by the Act should determine whether it is processing the data of Washington residents or individuals in Washington. Regulated entities and data processors should also review their service contracts to determine whether additional terms should be included in order to comply with the Act. There are various exemptions under MHMD but regulated entities have the burden to show they are entitled to the exemption. Businesses should understand the requirements for exemption and the risk of non-compliance should they not qualify.
Litigation: If the Act follows the development of Illinois’ BIPA or the California Consumer Privacy Act (allowing a private right of action for data breaches), plaintiffs will test the boundaries of the private right of action through a nearly limitless number of theories. For example, BIPA has been permeating court dockets for more than five years with no end in sight as plaintiffs continue to test new theories and technologies. Businesses can expect that litigants raising claims under MHMD will test the bounds of who may be sued for a violation regardless of whether the entity initially collects the data, such as technology companies that host, store, and process data in Washington; companies advertising certain products and services nationally; and various online advertising tools. It will take time for various theories to be interpreted by courts. Lastly, if faced with litigation, businesses should be mindful of their potential insurance coverage and consult coverage counsel in the event their insurer denies coverage. Coverage disputes under BIPA continue to be heavily litigated, including many favorable results for the insured.
Stay Informed: MHMD should also serve as a reminder that the collection and use of personal data will remain a focal point for regulation and litigation for the foreseeable future at the state and federal levels. States are continuing to enact differing data privacy statutes with unique obligations, and some states, like Illinois, California, and now Washington, have enacted laws that allow a private right of action in certain instances. Staying apprised of emerging privacy laws has become critical. Businesses should also be cautious when implementing new technologies that collect or use personal data and consider consulting legal counsel prior to such implementations.