Washington State’s New Data Privacy Law

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act[1] (MHMDA), a privacy framework for handling consumer health data in Washington state, which will take effect on March 31, 2024. A document[2] released by the Office of the Washington Attorney General notes that MHMDA’s purpose is to “close the gap on health data privacy protections and provide Washingtonians concerned about their reproductive freedom more control of their data.”

MHMDA, which has been described as “expansive” by Bloomberg Law and “far-reaching” by JDSupra, is, per Cyberscoop, tied to a wave of legislation in the state “that includes more than a dozen children’s online privacy bills as well as a growing number of bills modeled after the comprehensive privacy legislation that Congress introduced last year.”

Covered Entities

MHMDA applies to any legal entity that “(a) Conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Notably, MHMDA excludes organizations that specialize in or provide healthcare services.

Because MHMDA lacks any baseline thresholds, such as processing volumes or annual revenue derived from data processing, which privacy legislation typically includes to narrow its application, MHMDA will apply to small businesses and start-ups.

Definitions

A covered consumer under MHMDA is any Washington state resident, and any individual whose consumer health data is collected in Washington. This has been interpreted by JDSupra to include “out-of-state visitors and individuals who have never even stepped foot in Washington but whose health data is collected in Washington, e.g., via a health-related app.”

MHMDA defines “Consumer Health Data” to mean “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.” The definition further provides several examples of “physical or mental health,” which include individual health conditions, any third-party interventions to those conditions, diagnoses, and biometric data.

According to Bloomberg, the inclusion of biometric data in this definition “positions the [Act] as a de facto biometric information privacy law that imposes obligations beyond Washington’s existing biometric privacy law, RCW 19.375[3].”

MHMDA defines biometric data as “data generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.” Beyond the additional obligations imposed by MHMDA, Bloomberg notes that the definition of “biometric data” under MHMDA also differs from RCW 19.375 because it doesn’t require the biometric data to be used to identify specific individuals. Instead, MHMDA only requires that the data can identify a general consumer.

Additionally, MHMDA’s definition includes “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted.” Bloomberg notes that the “inclusion of mere imagery and voice recordings means MHMDA ostensibly regulates the collection of photographs and videos, expanding the definition of biometric data far beyond the scope of other biometric privacy laws such as RCW 19.375, which explicitly excludes photographs, videos, and audio recordings from the definition of biometric data.”

Scope of MHMDA

According to Bloomberg, the expansive definition of biometric data under MHMDA “may implicate a wide variety of processing activities not contemplated by other laws.” That said, MHMDA grants several exemptions, including for any information governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), employee and business representative data, and information used for fraud prevention and other safety purposes.

Key Provisions

Notice

Businesses are required to maintain a privacy policy disclosing their collection, use, and disclosure of a consumer’s biometric data and outlining the consumer’s rights under MHMDA.

Consumer Rights

Consumers are granted the right to:

  • Access their data

  • Delete their data

  • Withdraw their consent to the collection or processing of their information

Consent

Businesses are required to obtain a consumer’s affirmative, specific, informed, and freely given “opt-in” consent to the collection of their biometric data, unless such collection is necessary to provide a product or service that the consumer has requested from that entity. Collection is broadly defined to include the “buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving, or otherwise processing biometric data in any manner.”

Businesses are also required to obtain consent to share a consumer’s health data, unless sharing the data is necessary for the product or service requested by the consumer. MHMDA also includes a provision stating that a Covered Entity cannot sell a consumer’s health data without first receiving a “valid authorization” signed by the consumer. Under MHMDA, a “valid authorization” is a document that sets out eight required disclosures, including:

  • the categories of consumer health data to be collected or shared;

  • the purpose of the collection or sharing;

  • the categories of entities with whom the consumer health data is shared; and

  • how the consumer can withdraw consent from future collection or sharing of the consumer's health data.

This authorization is valid for 12 months. After that, Covered Entities must seek an annual renewal of the authorization to continue selling the consumer’s health data.

These consent requirements are likewise an expansion of RCW 19.375, since RCW 19.375 requires consent only when an entity is “enroll[ing] a biometric identifier in a database for a commercial purpose,” where “enroll” narrowly means to “convert [a biometric identifier] into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.” Therefore, MHMDA will require consent for many more processing activities than RCW 19.375 does.

Enforcement

MHMDA will be enforced by the Washington AG, and consumers will be able to bring private rights of action through the Washington Consumer Protection Act, which applies to any violation of MHMDA. According to Bloomberg, the inclusion of such a broad private right of action is very rare. In fact, MHMDA is “[o]ne of few state laws that does contain a private right of action” and is likely to result in “significant litigation” and class action suits after its effective date — following the trend of Illinois’ existing privacy legislation.

MHMDA requires Covered Entities to comply with its provisions by March 31, 2024. However, MHMDA extends the compliance deadline for certain small businesses by three months, requiring compliance by June 30, 2024.

In preparation for the effective date of this regulation, Covered Entities should review and update their data collection, retention, and transfer policies to ensure that they comply with MHMDA’s requirements. According to JDSupra, “[t]his sweeping Act is likely to pose compliance challenges to even those businesses who have taken measures to comply with the [California Consumer Privacy Act] (CCPA) and other comprehensive state laws.” As such, even Covered Entities that have previously undergone a policy and procedure review for other state legislative efforts should begin their review.
