The State of Washington has introduced the 'My Health, My Data Act,' which addresses the complexities surrounding consumer health data and its implications for privacy outside of existing federal laws such as HIPAA. The legislation sets forth novel expectations for businesses concerning data privacy and management that companies would do well to begin preparing for.
Key Takeaways
- The law covers all businesses (including non-profits) that handle ‘consumer health data’ and that target users in Washington State;
- Most businesses must comply by one of two deadlines: March 31, 2024 or June 30, 2024;
- The scope of implicated consumer health data is broad and includes ordinary data that can be used to derive health inferences, such as purchase data for health products; and
- Class action lawsuits are a real possibility.
Mandated Compliance Deadlines and Affected Entities
All businesses, inclusive of non-profits, that process or come in contact with ‘consumer health data’ of consumers located in Washington State are mandated to comply with the statute. The term ‘consumer health data’ is comprehensive, covering not just direct health data but also data from which health inferences can be made, including records of health product purchases. Compliance for most entities is required by either March 31, 2024, or June 30, 2024.
Legal Risk and 'My Health, My Data': An Examination
‘My Health, My Data’ is set to pose its own category of legal risk. Conventionally, privacy regulations like the EU’s General Data Protection Regulation ("GDPR") and California’s Consumer Privacy Act ("CCPA") have a wide applicability but are predominantly enforced by regulatory bodies rather than through private legal actions. In contrast, activity specific acts such as Illinois’s Biometric Information Privacy ("BIPA") might have a narrower application but permit more extensive enforcement options, including private actions. This is why we have seen class action settlements under BIPA for figures such as Facebook’s $650,000,000, TikTok’s $92,000,000, and Google’s $100,000,000 compared to a fine of only a $2,000,000 under CCPA. ‘My Health, My Data’ is distinct in that it provides a combination of both expansive scope and private enforcement.
'My Health, My Data': Key Provisions and Considerations
Washington’s legislation fuses the all-encompassing nature of GDPR with a private claims enforcement structure similar to BIPA. The term 'consumer health data' is broad, encapsulating not just direct consumer health data but also data from which health inferences might be derived. The enforcement provisions are multi-faceted, permitting actions by both the Attorney General and individual consumers. Notably, under the Consumer Protection Act, consumers from outside Washington can also initiate legal actions, inclusive of class actions. Companies should begin to position themselves to ensure that they are properly protected against any future claims.
Companies must ensure compliance by either March 31, 2024, or June 30, 2024. Prior to these dates, businesses are recommended to:
- Review and categorize the consumer health data they handle;
- Construct or revise internal guidelines detailing the management and protection of such data;
- Begin establishing operational mechanisms as required by the legislation, potentially including a distinct consumer health data privacy policy; and
- Examine and modify current business operations and third-party agreements.
For more guidance on this legislative development, please contact the authors.