New WA Consumer Health Law Drives Call to Action: Adopt Robust Standards in the Health B2C Marketplace

Apr 18, 2023 by Divya Sridhar, Ph.D., Director, Privacy Initiatives, BBB National Programs

Washington’s My Health, My Data Act is headed to Governor Jay Inslee’s desk. This is the first U.S. state law that will regulate the consumer health information landscape – uncharted territory – placing guardrails on virtually all companies that “collect”, i.e., “process, access, derive, infer, share, or sell” consumer health data.

The law would include all companies outside of those that strictly process patient-provider-protected health information (as defined under the federal Health Information Portability and Accountability Act (HIPAA)). The law takes effect in March 2024, with a delayed effective date of June 2024 for small businesses.  

Time is of the essence in supporting companies with robust compliance with the new law. A host of copycat bills modeled after it have cropped up across the states, so this law is likely a harbinger of more legislative activity on the horizon rather than a chance accident or a one-off.

 

A Game Changer  

The My Health, My Data Act is an important step in the data privacy landscape, as it sets a precedent for protecting consumers’ most sensitive information and raises the bar for compliance in some important ways -- in the absence of a federal consumer privacy law, or a federal health law that captures non-HIPAA-regulated consumer health data. This new law will change the way data is processed for a wide array of fairly routine practices, from health and wellness apps, health information search sites, and reproductive health trackers and apps, to the use of retail apps and devices for shopping and online deliveries (including those that are not health-focused shopping and delivery sites).  

The legislation revamps expectations regarding the sensitivity of health and health-related data, including data used to compare the cost of medications, data used in wearables and fitness trackers, nonclinical information collected on websites that help consumers research medical conditions for themselves or loved ones, and even a host of biometric data used for authentication, identification, and facial recognition. The breadth of the law brings virtually all uses of consumer health data into focus, from every angle possible. 

In the absence of a consumer privacy law in the state, Washington’s health law empowers consumers with rights to withdraw consent, delete and port their data, and appeal the process when their data requests are rejected. Vigilant, engaged consumers will benefit from this enhanced transparency and control over decisions about their data. The law holds all consumer-facing companies processing a wide variety of health data and related inferences accountable and commits them to the same standard.

On the one hand, consumers will benefit from a sense of heightened transparency, accountability, and autonomy over the type of consumer health information that is collected and shared about them. On the other, it is likely that, once the broad variety of changes takes effect in the ecosystem, consumers’ user experiences may be fraught with additional consent fatigue, limitations on their user interface across devices, and a less personalized experience.

Industry will also benefit from more standard measurement and uniformity regarding the rules and appropriate practices governing treatment of consumer health information. Industry could be faced with the challenge of greatly restricting targeted advertising in certain contexts, and the new product market and research ecosystem could see limitations because of the way the law treats all processing activities as subject to heightened standards for notice and consent. Further, a private right of action – a first of its kind – may lead to businesses being more cautious and more limited in the way they carry out routine data processing activities. 

Washington does have a much more narrowly tailored biometrics law, which could lead to interesting overlaps and potential conflicts in how regulators interpret the use of biometrics in the Act versus the biometrics-specific statute – especially because of the consumer health law’s inclusion of a broad private right of action.

The breadth of this law brings digital consumer health protections into focus -- from every angle possible -- and will create important overlaps among existing consumer privacy laws, health and biometrics privacy laws, and this new standard for consumer health data in Washington.  

 

How can you prepare?  

Companies of all sizes and scopes that collect, process, share, and sell consumer health data can be early adopters of the Digital Health Privacy Program upon its launch. Through this cutting-edge, industry self-regulation compliance program, still in development, participants will demonstrate leadership as an entity that holds non-HIPAA-covered health data to the highest standard, aligned to existing laws and regulations – including facets of Washington’s law – and upholding best practices in the marketplace. 

Why choose to work with the BBB National Programs Digital Health Privacy Program?  

  1. Promote your identity as a trusted brand with digital health information to build consumer confidence.   
  2. Demonstrate accountability to lawmakers and regulators and mitigate risks associated with federal and state law enforcement action. 
  3. Ease the compliance burden of new and forward-looking laws regulating consumer health information not covered by HIPAA. 
