New WA Consumer Health Law Drives Call to Action: Adopt Robust Standards in the Health B2C Marketplace

Washington’s My Health, My Data Act is headed to  Governor Jay Inslee’s desk. This is the first U.S. state law that will regulate the consumer health information landscape – uncharted territory – placing guardrails on virtually all companies that “collect”, i.e., “process, access, derive, infer, share, or sell” consumer health data.  

The law would include all companies outside of those that strictly process patient-provider-protected health information (as defined under the federal Health Information Portability and Accountability Act (HIPAA)). The law takes effect in March 2024, with a delayed effective date of June 2024 for small businesses.  

Time is of the essence in supporting companies with robust compliance to the new law. A host of copycat bills across the states have cropped up modeled after it. So, this law is likely a harbinger of more legislative activity on the horizon, rather than a chance accident or a one-off. 

A Game Changer  

The My Health, My Data Act is an important step in the data privacy landscape, as it sets a precedent for protecting consumers’ most sensitive information and raises the bar for compliance in some important ways -- in the absence of a federal consumer privacy law, or a federal health law that captures non-HIPAA-regulated consumer health data. This new law will change the way data is processed for a wide array of fairly routine practices, from health and wellness apps, health information search sites, and reproductive health trackers and apps, to the use of retail apps and devices for shopping and online deliveries (including those that are not health-focused shopping and delivery sites).  

The legislation revamps expectations regarding the sensitivity of health and health-related data, including data used to compare the cost of medications, data used in wearables and fitness trackers, nonclinical information collected on websites that help consumers research medical conditions for themselves or loved ones, and even a host of biometric data used for authentication, identification, and facial recognition. The breadth of the law brings virtually all uses of consumer health data into focus, from every angle possible. 

In the absence of a consumer privacy law in the state, Washington’s health law empowers consumers with rights to withdraw consent, delete and port their data, and appeal the process when their data requests are rejected. Vigilant, engaged consumers will benefit from this enhanced transparency and decision-making regarding their data-related decisions. The law holds all consumer-facing companies processing a wide variety of health data and related inferences accountable and commits them to the same standard. 

On the one hand, consumers will benefit from a sense of heightened transparency, accountability, and autonomy over the type of consumer health information that is collected and shared about them. On the other, it is likely that, after the broad variety of changes to take effect in the ecosystem, consumer user experiences going forward may be fraught with additional consent fatigue, limitations on their user interface across devices, and a less personalized experience.  

Industry will also benefit from more standard measurement and uniformity regarding the rules and appropriate practices governing treatment of consumer health information. Industry could be faced with the challenge of greatly restricting targeted advertising in certain contexts, and the new product market and research ecosystem could see limitations because of the way the law treats all processing activities as subject to heightened standards for notice and consent. Further, a private right of action – a first of its kind – may lead to businesses being more cautious and more limited in the way they carry out routine data processing activities. 

Washington does have a much more narrowly tailored biometrics law, which could lead to interesting overlaps and potential conflicts in how regulators interpret the use of biometrics in the Act, versus the biometrics-specific statute – especially because the consumer health law’s inclusion of a broad private right of action. 

The breadth of this law brings digital consumer health protections into focus -- from every angle possible -- and will create important overlaps among existing consumer privacy laws, health and biometrics privacy laws, and this new standard for consumer health data in Washington.  

How can you prepare?  

Companies of all sizes and scopes that collect, process, share, and sell consumer health data can be early adopters of the Digital Health Privacy Program upon its launch. Through this cutting-edge, industry self-regulation compliance program, still in development, participants will demonstrate leadership as an entity that holds non-HIPAA-covered health data to the highest standard, aligned to existing laws and regulations – including facets of Washington’s law – and upholding best practices in the marketplace. 

Why choose to work with the BBB National Programs Digital Health Privacy Program?  

1. Promote your identity as a trusted brand with digital health information to build consumer confidence.   
2. Demonstrate accountability to lawmakers and regulators and mitigate risks associated with federal and state law enforcement action. 
3. Ease the compliance burden of new and forward-looking laws regulating consumer health information not covered by HIPAA.