Adding to the ever increasing sea of state-sponsored privacy regulations, the state of Washington in April threw its hat in the privacy ring, or rather, its net in the water. Instead of a tailored regulation, however, Washington’s My Health My Data Act (“MHMDA”) is the legislative equivalent of bottom trawling—casting a net so wide that it threatens to engulf businesses from nearly every sector.
Supporters have billed MHMDA as providing necessary protection for health data not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned its ruling in Roe v. Wade. MHMDA’s broad scope and definitions, however, will undoubtedly expand its reach to data not normally considered health data and to businesses that do not traditionally consider themselves to be health care providers or to be collecting consumer health data. And given the expansive private right of action given to consumers, MHMDA is sure to create a new wave of privacy class action litigation.
Broad definition of consumer health data
As an initial matter, MHMDA’s broad definition of “consumer health data” seeks to regulate many types of data not currently within HIPAA’s purview. MHMDA defines “consumer health data” generally as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” MHMDA specifies thirteen non-exclusive examples of “consumer health data” which include not only information like health conditions and medication prescriptions, but also, among other things, “[p]recise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.”
The defined terms within the exemplars are similarly broad. For example, consumer health data is defined to include data that “identifies a consumer seeking health care services.” “Health care services” is, in turn, broadly defined to mean “any service provided to a person to assess, measure, improve or learn about a person’s mental or physical health.” This means that businesses that provide ancillary services to health care providers (like social services) would also be collecting “consumer health data.”
Consumer health data also includes data collected where health conditions or treatments might be “derived or extrapolated” from non-health information. This could include, for example, online browsing by a consumer on a website that could reflect a healthcare diagnosis or prescribed medication.
The breadth of “consumer health data” means that covered businesses operating in industries ranging from athletic or sports equipment; footwear and apparel; and over-the-counter skin or hair products to groceries, food, and beverages could all potentially be within the purview of MHMDA (indeed, an amendment to exclude information linked to these products—and more—from the definition of “consumer health data” was introduced and summarily rejected by the Washington legislature). Ultimately, the scope of “consumer health data” will likely be up to the courts to determine. MHMDA’s private right of action for violations will provide significant incentive for the plaintiffs’ bar to test expansive interpretations, creating risk for any covered business that interprets the provisions and definitions too narrowly.
Sweeping applicability
Other states that have passed comprehensive privacy laws use thresholds for applicability based on revenue (e.g., $25 million annual gross revenue), the number of consumers whose data is processed (e.g., process or control personal data of 100,000 consumers), and/or revenue derived from the sale of personal data (e.g., derive over 50% of gross revenue from the sale of personal data). MHMDA, however, is not so self-limiting.
Rather than basing its applicability on the thresholds established by other states, MHMDA applies to any legal entity that (1) conducts business in Washington or produces or provides products or services that are targeted to Washington consumers, and (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of “consumer health data.” While the definition excludes government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency, there is no exception for non-profit organizations.
Further, the term “consumer” is broader than the definition embraced by other states. MHMDA’s definition encompasses not only Washington residents, but also any person whose health data is “collected in Washington.” Further, “collect” doesn’t mean collect; it means “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.” So “collect” actually means “process.” Therefore, any organization processing consumer health data in Washington will be covered by MHMDA.
As an example of the breadth, let’s assume you are a business based in California that provides a fitness tracking app. The app is used by a resident of New York to count his steps while he is on vacation in Seattle. Under MHMDA, that New York resident is a Washington “consumer” and the data collected is subject to the requirements of MHMDA.
Strict restrictions for covered businesses
MHMDA places numerous restrictions and obligations on covered businesses. The opt-in consent requirement, prohibition on sale, deletion requirements and geofencing ban, however, are likely to have the most significant impacts on a company’s data collection, processing, sharing and storage practices.
Opt-in consent
Organizations will need to obtain a consumer’s opt-in affirmative consent before collecting or sharing a consumer’s health data, unless such collection or sharing is necessary to provide a product or service requested by the consumer. Of note, the consent to share must be “separate and distinct from the consent obtained to collect consumer health data.”
Requiring the business to obtain affirmative consent prior to data collection is consistent with the EU’s General Data Protection Regulation’s requirement for enabling website cookies, but is a new requirement when compared to existing state privacy laws. As a result of this sea change, covered businesses will need to update policies and procedures to account for an opt-in requirement. This may require, for example, implementing opt-in consent for all website data collection if some of the consumer health data is collected through website cookies or pixels.
Prohibition on sale
MHMDA makes it unlawful for any person to sell consumer health data without a valid authorization signed by the consumer. This is coupled with onerous requirements for the contents of the authorization. Under MHMDA, a valid authorization must be in writing and state: (1) what specific consumer health data is being sold, (2) the contact information of the seller, (3) the name and contact information of the purchaser, (4) the purpose of the sale, including how the sold data will be gathered and used by the purchaser, (5) the fact that goods and services cannot be conditioned on the signing of the authorization, (6) the consumer’s right to revoke the authorization, (7) the fact that the consumer’s information may be re-disclosed by the purchaser and no longer be protected by MHMDA, and (8) an expiration date not more than one year from when the consumer signs the valid authorization. Further, the written authorization must be separate from the consent obtained to collect or share consumer health data in the first place.
The prohibition on sale absent a written authorization may present challenges for digital marketing teams. In line with the California Consumer Privacy Act (“CCPA”), a “sale” is defined broadly as “the exchange of consumer health data for monetary or other valuable consideration.” Accordingly, the authorization requirement may be found to apply to a wide range of data transfers that would not normally be considered a data “sale” within the usual meaning of the word. For example, the California Attorney General has determined that the use of online analytics and advertising services may be a “sale” of personal data under the CCPA’s identically-defined term. Because consumer health data may also include data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier, covered businesses will need to carefully think through their collection of persistent unique identifiers from Washington residents and what consent and authorization obligations might be triggered.
Deletion right with virtually no exceptions
MHMDA provides consumers with an extremely far-reaching right to delete their consumer health data. It requires not only that the covered business delete the consumer’s health data upon request, but that the company notify all processors, affiliates, and third parties with which the consumer health data has been shared—who must then also delete the data.
The deletion right conferred on consumers by MHMDA significantly expands the deletion rights granted by the privacy laws of California, Colorado, Connecticut, Iowa, Utah and Virginia. For example, MHMDA mandates that data on archived or backup systems must be deleted within six months of the deletion request (as opposed to the next time the backup is accessed or used, as permitted by other state laws). MHMDA’s deletion right has virtually no exceptions, including where the retention of the data is required for compliance with the law.
The lack of exceptions for common preservation requirements (such as the obligation to preserve documents) could present a significant legal dilemma for organizations. It could also create a situation where a potential plaintiff would be able to request the deletion or alteration of all copies of evidence that would be harmful to his or her case prior to bringing a legal claim. In such situations, companies will be forced to choose between failing to meet their deletion obligations under MHMDA and violating other laws and legal duties.
Access rights
Under MHMDA, “a consumer has the right to confirm whether a regulated entity is collecting, sharing, or selling consumer health data.” In response to such a request, organizations must not only confirm their activity, they must also provide the consumer with “a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties.” This right is both broader and more burdensome than the access rights imposed by other state privacy laws.
Prohibition on geofencing
Geofencing is, in essence, the process of establishing a virtual geographic boundary around a specified location. Often the technology uses the Global Positioning System (GPS); however, it can also use other data signals, including cellular, Wi-Fi, and radio frequency identification (RFID). Once the geographic boundary is established, the entity running the marketing campaign can set “triggers” that will result in a certain action occurring when a mobile device enters the identified area. In many instances, the triggered action is to push an advertisement when a web browser is opened or to otherwise generate targeted ads determined by the entity running the campaign. Geofencing allows for broad marketing because the serving of the advertisement does not rely on personal information already held by the entity. Geofencing is the virtual equivalent of distributing pamphlets to anyone walking by on the street. As a result, geofencing can be a powerful tool for marketing campaigns since it can be hyper-localized and capture a broad audience.
It is, however, not without controversy, particularly in the context of women’s reproductive rights. Take, for example, the Massachusetts Attorney General’s April 2017 settlement with Copley Advertising LLC. After setting up geofencing around women’s reproductive healthcare clinics, Copley sent women who crossed the virtual fence targeted ads and messages such as “You Have Choices,” “You’re Not Alone,” and links to websites regarding alternatives to abortion. The ads were pushed for thirty days to the targeted device. Ultimately, the Attorney General determined this violated the Massachusetts Consumer Protection Act because Copley sent the location information to third-party advertisers to target the consumers with “potentially unwanted advertising based on inferences about [their] private, sensitive, and intimate medical or physical condition.” As part of the settlement, Copley agreed to neither directly nor indirectly geofence “the [v]icinity of any Medical Center located in Massachusetts to infer the health status, medical condition or medical treatment of any person.”[1]
Along the same lines as the Copley settlement, MHMDA prohibits any person (not only regulated businesses subject to MHMDA’s requirements) from implementing geofencing around any entity that provides in-person health care services when the geofence is used to (1) identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to the consumers related to their consumer health data or health care services. This prohibition will prevent covered companies from using geofencing to target consumers seeking medical care.
Dual enforcement
Unlike California’s limited private right of action for data breaches, MHMDA provides that any violation of its requirements will constitute a violation of the Washington Consumer Protection Act. However, it is important to note that consumers must allege actual damages under MHMDA to bring suit. As a result, consumers may seek injunctive relief and/or recover actual damages for any violation of MHMDA. These damages can include treble damages, capped at $25,000, as well as reasonable attorney’s fees. In addition to enforcement through private litigation, MHMDA also allows the Washington attorney general to enforce violations and impose additional civil penalties of up to $7,500 per violation. The presence of a private right of action for any violation, and the ability to recover attorney’s fees, will undoubtedly prompt a flurry of class action lawsuits for any potential violations – no matter how minor. As such, organizations will necessarily need to consider very conservative interpretations of MHMDA’s provisions if they hope to stave off future action by the plaintiffs’ bar as well as potential enforcement action.
Ultimately, the passage of the My Health My Data Act transforms how covered businesses across all sectors, both inside and outside the state of Washington, treat consumer health data. The majority of MHMDA’s provisions will take effect on March 31, 2024, providing companies with less than a year to prepare to meet their obligations and brace for the oncoming wave of class action litigation. Small businesses[2] will receive a brief extension and must comply with MHMDA beginning June 30, 2024. Nonetheless, given MHMDA’s broad scope, confusing and onerous obligations and the potential risks posed by non-compliance, organizations should not put compliance with MHMDA on the back burner.
[1] Assurance of Discontinuance Pursuant to G.L. 93A § 5, In the Matter of Copley Advertising, LLC & John F. Flynn (Mass. Super. April 4, 2017).
[2] As defined in the Act, a small business is a covered business that satisfies one or more of the following criteria: (1) it collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (2) it derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.