ADCG’s Explainer: Washington State’s New Data Privacy Law

health dataHealthcareWashington
Written By Jason Shoup

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (MHMDA), a privacy framework for handling consumer health data in Washington state, which will take effect on March 31, 2024. A document released by the Office of the Washington Attorney General, notes that MHMDA’s purpose is to “close the gap on health data privacy protections and provide Washingtonians concerned about their reproductive freedom more control of their data.”

MHMDA, which has been referenced as “expansive” by Bloomberg Law and “far-reaching” by JDSupra, is, per Cyberscoop, tied to a wave of legislation in the state that “includes more than a dozen children’s online privacy bills as well as a growing number of bills modeled after the comprehensive privacy legislation that Congress introduced last year.”

Covered Entities

MDMHA applies to any legal entity that “(a) Conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Notably, MDMHA excludes organizations that specialize in or provide healthcare services.

Due to a lack of any baseline thresholds, such as processing amounts or annual revenue derived from data processing, which are typically included in privacy legislation to narrow the application of the legislation, MDMHA will apply to small businesses and start-ups.

Definitions

A covered consumer under MDMHA is any Washington state resident, and any individual whose consumer health data is collected in Washington. This has been interpreted by JDSupra to include “out-of-state visitors and individuals who have never even stepped foot in Washington but whose health data is collected in Washington, e.g., via a health-related app.”

MDMHA defines “Consumer Health Data” to mean “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The definition further provides several examples of “physical or mental health” which includes individual health conditions, any third-party interventions to those conditions, diagnoses, and biometric data.

According to Bloomberg, the inclusion of biometric data in this definition “positions the [Act] as a de facto biometric information privacy law that imposes obligations beyond Washington’s existing biometric privacy law, RCW 19.375.”

MDMHA defines biometric data as “data generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.” In addition to the additional obligations imposed by MDMHA, Bloomberg notes that the definition of “biometric data” under MDMHA also differs from RCW 19.375 because it doesn’t require the use of the biometric data to identify specific individuals. Instead, MDMHA only requires that the data can identify a general consumer.

Additionally, MDMHA’s definition includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted.” Bloomberg notes that the “inclusion of mere imagery and voice recordings means MDMHA ostensibly regulates the collection of photographs and videos, expanding the definition of biometric data far beyond the scope of other biometric privacy laws such as RCW 19.375, which explicitly excludes photographs, videos, and audio recordings from the definition of biometric data.”

Scope of MDMHA

According to Bloomberg, the expansive definition of biometric data under MDMHA “may implicate a wide variety of processing activities not contemplated by other laws.” That said, MDMHA grants several exemptions, including to any information governed by the Health Insurance Portability and Accountability Act (HIPPA), the Gramm-Leach-Bliley Act (GBLA), employee and business representative data, and information used for fraud prevention and other safety purposes.

Key Provisions

Notice

Businesses are required to maintain a privacy policy disclosing their collection, use and disclosure of a consumer’s biometric data and outlines the consumer’s rights under MDMHA.

Consumer Rights

Consumers are granted the right to:

  • Access their data;

  • Delete their data; and

  • Withdraw their consent to the collection or processing of their information.

Consent

Businesses are required to obtain a consumer’s affirmative, specific, informed, and freely-given “opt-in” consent to the collection of their biometric data, unless such collection is necessary to provide a product or service that the consumer has requested from that entity. Collection is broadly defined to include the “buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving, or otherwise processing biometric data in any manner.”

Businesses are also required to obtain consent to share a consumer’s health data, unless sharing their data is necessary for the product or service requested by the consumer. MDMHA also includes a provision stating a Covered Entity cannot sell a consumer’s health data without first receiving a “valid authorization” signed by the consumer. Under MDMHA, a “valid authorization” consists of a document that prompts eight different required disclosures, including:

  • the categories consumer health data to be collected or shared,

  • the purpose of the collection or sharing,

  • the categories of entities with whom the consumer health data is shared; and

  • how the consumer can withdraw consent from future collection or sharing of the consumer’s health data.

This authorization will be valid for 12 months. After that, the Covered Entities are required to seek an annual renewal to the authorization to continue to sell the consumer’s health data. 

These requirements for businesses to obtain consent are likewise an expansion of RCW 19.375 as RCW 19.375 only requires consent when they are “enroll[ing] a biometric identifier in a database for a commercial purpose,” where “enroll” narrowly means to “convert [a biometric identifier] into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.” Therefore, MDMHA will require consent for many more processing activities than RCW 19.375.

Enforcement

MDMHA will be enforced by the Washington AG and consumers will be able to establish private rights of action through the Washington Consumer Protection Act, which applies to any violation of MDMHA. According to Bloomberg, the inclusion of this broad private right of action is very rare. In fact, MDMHA is “[o]ne of few state laws that does contain a private right of action” and is likely to result in “significant litigation” and class action suits after its effective date — following the trend of Illinois’ existing privacy legislation.

MDMHA requires covered entities to comply with the provisions of MDMHA by March 31, 2024. However, MDMHA provides an extended compliance deadline for certain small businesses by three months, requiring compliance by June 30, 2024.

In preparation for the effective date of this regulation, Covered Entities should review and update their data collection, retention, and transfer policies to ensure that they are in compliance with MDMHA’s requirements. According to JDSupra, “[t]his sweeping Act is likely to pose compliance challenges to even those businesses who have taken measures to comply with the [California Consumer Privacy Act](CCPA) and other comprehensive state laws.” As such, even Covered Entities who have previously undergone a policy and procedure review for other state legislative efforts should begin their review. 

* * * * * * *

To read our news alerts discussing Twitter’s data privacy hurdles, new privacy laws in Texas and Florida, updates on impending laws in Colorado and Connecticut, and the FTC’s settlement with Amazon, click here.

This week’s breach report covers the following organizations: Toyota, Zellis, University of Rochester, the BBC, British Airways, and Zellis. Click here to find out more.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!

Our most recently released episodes:

92 | Interview With Tom Kemp, Silicon Valley Privacy Advocate and Author of Containing Big Tech

91 | Managed Detection & Response; The Path Forward (with Guest Sam DeNormandie)

90 | AdTech Meets Privacy Laws (with Guest Susan Israel)

To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

Jason Shoup
Previous

News and Alerts for Week of June 12, 2023
Next

News Alerts and Breach Report for Week of June 5, 2023