New WA Consumer Health Law Drives Call to Action: Adopt Robust Standards in the Health B2C Marketplace

Apr 18, 2023 by Divya Sridhar, Ph.D., Director, Privacy Initiatives, BBB National Programs

Washington’s My Health, My Data Act is headed to Governor Jay Inslee’s desk. This is the first U.S. state law that will regulate the consumer health information landscape – uncharted territory – placing guardrails on virtually all companies that “collect”, i.e., “process, access, derive, infer, share, or sell” consumer health data.

The law would cover all companies other than those that strictly process patient-provider protected health information (as defined under the federal Health Information Portability and Accountability Act (HIPAA)). The law takes effect in March 2024, with a delayed effective date of June 2024 for small businesses.

Time is of the essence in supporting companies with robust compliance with the new law. A host of copycat bills modeled after it have cropped up across the states, so this law is likely a harbinger of more legislative activity on the horizon rather than a chance accident or a one-off.


A Game Changer  

The My Health, My Data Act is an important step in the data privacy landscape, as it sets a precedent for protecting consumers’ most sensitive information and raises the bar for compliance in some important ways – in the absence of a federal consumer privacy law, or a federal health law that captures non-HIPAA-regulated consumer health data. This new law will change the way data is processed for a wide array of fairly routine practices, from health and wellness apps, health information search sites, and reproductive health trackers and apps, to the use of retail apps and devices for shopping and online deliveries (including those that are not health-focused shopping and delivery sites).

The legislation revamps expectations regarding the sensitivity of health and health-related data, including data used to compare the cost of medications, data used in wearables and fitness trackers, nonclinical information collected on websites that help consumers research medical conditions for themselves or loved ones, and even a host of biometric data used for authentication, identification, and facial recognition. The breadth of the law brings virtually all uses of consumer health data into focus, from every angle possible. 

In the absence of a consumer privacy law in the state, Washington’s health law empowers consumers with rights to withdraw consent, delete and port their data, and appeal when their data requests are rejected. Vigilant, engaged consumers will benefit from this enhanced transparency and control over their data-related decisions. The law holds all consumer-facing companies processing a wide variety of health data and related inferences accountable and commits them to the same standard.

On the one hand, consumers will benefit from heightened transparency, accountability, and autonomy over the type of consumer health information that is collected and shared about them. On the other, it is likely that, after the broad variety of changes take effect in the ecosystem, consumer user experiences going forward may be fraught with additional consent fatigue, limitations on their user interface across devices, and a less personalized experience.

Industry will also benefit from more standard measurement and uniformity regarding the rules and appropriate practices governing treatment of consumer health information. Industry could be faced with the challenge of greatly restricting targeted advertising in certain contexts, and the new product market and research ecosystem could see limitations because of the way the law treats all processing activities as subject to heightened standards for notice and consent. Further, a private right of action – a first of its kind – may lead to businesses being more cautious and more limited in the way they carry out routine data processing activities. 

Washington does have a much more narrowly tailored biometrics law, which could lead to interesting overlaps and potential conflicts in how regulators interpret the use of biometrics under the Act versus the biometrics-specific statute – especially because of the consumer health law’s inclusion of a broad private right of action.

The breadth of this law brings digital consumer health protections into focus – from every angle possible – and will create important overlaps among existing consumer privacy laws, health and biometrics privacy laws, and this new standard for consumer health data in Washington.


How can you prepare?  

Companies of all sizes and scopes that collect, process, share, and sell consumer health data can be early adopters of the Digital Health Privacy Program upon its launch. Through this industry self-regulation compliance program, still in development, participants will demonstrate leadership as an entity that holds non-HIPAA-covered health data to the highest standard, aligned with existing laws and regulations – including facets of Washington’s law – and upholding best practices in the marketplace.

Why choose to work with the BBB National Programs Digital Health Privacy Program?  

  1. Promote your identity as a trusted brand for digital health information to build consumer confidence.
  2. Demonstrate accountability to lawmakers and regulators and mitigate risks associated with federal and state law enforcement action. 
  3. Ease the compliance burden of new and forward-looking laws regulating consumer health information not covered by HIPAA. 
