Reflections on A New Consumer Privacy Health Standard in Washington

Apr 27, 2023 by Divya Sridhar, Ph.D., Director, Privacy Initiatives, BBB National Programs

Today, Governor Jay Inslee signed the My Health, My Data Act in the state of Washington. As I recently wrote, this law sets an important precedent about how to legislate consumer health data in the U.S., given the lack of a federal data privacy law and a Washington state consumer privacy law.

If you haven’t had a chance yet to review the bill, I am sharing some components of this legislation that are worth your attention.

 

Narrower Focus, Wide Reach

After years of failure in trying to pass a broader consumer privacy bill – favored by industry and consumer groups alike – at the federal level, last year saw judicial and regulatory actions, from the overturning of Roe v. Wade to new enforcement action taken by the FTC toward health companies inappropriately sharing or selling health data, that have led to the development of a much different consumer privacy law at the state level. 

While some Washington State lawmakers initially assumed the bill would focus strictly on sensitive health data, it could be argued that Washington’s new consumer health law actually has a wider reach than many expected, enveloping broader considerations for consumer privacy and sensitive health data protections under one big umbrella (for better or for worse).

 

Policy Overlap

And, though some aspects of the consumer rights, controls, and industry obligations to restrict access to consumer-sensitive health data in this new law overlap with state consumer privacy laws (six enacted and three soon to be signed into law) on the books, a few key areas, such as data minimization and purpose limitation, take divergent approaches. The definitions in the My Health, My Data law also create nuances that may lead to different interpretations about how and whether to carry out targeted advertising and how to obtain consent in various instances of collection, sharing, and sale.

 

Broader Healthcare Impacts

Several subcategories within the healthcare space may be impacted by the new Washington law – including biometrics and genetics information and derivatives of consumer health information. 

 

A New Flavor

The My Health, My Data law adds new meaning to the private right of action that surfaced in ADPPA last Congress and incorporates broad definitions for collection of data, sharing, and sale that may be viewed as a potential avenue for federal legislators to take in either federal consumer privacy legislation or standalone federal consumer health legislation. Given the activity underway with the HHS Office of Civil Rights in its plan to develop a proposed rule to expand the processing activities and locations of reproductive services related to HIPAA, we may see more noteworthy overlaps between federal and state activities going forward.

 

Business Leader Considerations Spurred by the New Washington Privacy Law

  • Broad, expansive definitions for “consumer health data” and “regulated entity” capture a broader sweep of companies than those strictly processing or sharing consumer health data in a tailored sense. Any companies accessing, retaining, receiving, acquiring, inferring, deriving, or otherwise processing consumer health data in any manner in a first-party capacity are required to comply. 
  • Vague expectations on the processing of inferences and derived data used to identify the processing activities and the type of health services consumers typically use mean that any form of specific consumer health data or derived/inferred data – even general searches consumers may run about a health condition, diagnosis, status, treatment, or location – even if it isn’t about the consumer themselves, is now in scope.
  • The law requires businesses to obtain additional notice and consent, which companies could align to industry self-regulation digital advertising principles for the sharing and sale of consumer health data.
  • Limitations through additional obligations on first- and third-party advertising, tracking, and marketing. Heightened expectations around additional consent at each point in the collection, sharing, and sale process and the broad scope of the definition of “consumer health data” and “regulated entity” makes the law relevant to a broad range of consumer health products and services that will require additional notice and consent to bring them into compliance.
  • Businesses must develop a separate privacy policy focused on consumer health data establishing clear information about the sources and types of data collected and the reason for the collection.
  • New prohibitions are introduced on the collection of data about an individual’s location in relation to health care services.
  • There are new restrictions on using “geofencing” technologies to locate consumers accessing health services within a virtual boundary.
  • Security standards have been heightened regarding consumer health data.
  • Clear health-related data minimization and purpose limitation obligations on collecting, sharing, and sale of consumer health data by data controllers, processors, and third parties.

 

The Consumer Experience Will Be Transformed by the Washington Law

The My Health, My Data law will transform the consumer experience regarding non-HIPAA-regulated health data.

  • Consumers will have the right to sue when there is a violation of the law. 
  • Consumers will be privy to a distinct, public-facing consumer health privacy policy on a website’s home page.
  • Consumers will have more transparency over how a regulated entity collects, shares, or sells their data. 
  • Consumers will have more autonomy with the right to opt-in every time companies collect, sell, and/or share their sensitive health data.
  • Consumers can submit a request to withdraw consent, delete their data, and can engage in an appeals process when data access requests are denied.
  • Consumers will need to be made aware when their data is used for a purpose outside of the primary purpose – the use of their data for the specific product or service the consumer requested.
  • Consumers will have additional protections regarding their location data and how it is used to generate health-related decisions and tracking.

Suggested Articles

Blog

Industry Self-Regulation Will Shine Post-Chevron

In its landmark decision in Relentless Inc. v. U.S. Department of Commerce and Loper Bright Enterprises v. Raimondo, the U.S. Supreme Court has fundamentally reshaped the landscape of regulatory governance in the U.S. And in the wake of the ruling, the implications for industry self-regulation loom large.
Read more
Blog

What to Know About New Jersey’s Lemon Law

While most cars run smoothly off the lot, it’s important to understand your rights if you find yourself with a potential “lemon” parked in your driveway. New Jersey's Lemon Law protects consumers of new vehicles from persistent defects.
Read more
Blog

U.S. Supreme Court Impact: Judicial Power at Work, Industry Self-Regulation in Play

The U.S. Supreme Court decision, Loper Bright Enterprises v. Raimondo, marked a pivotal shift in administrative law by overturning the Chevron deference doctrine and will have a long-term impact. The ruling also presents a unique opportunity for industries to fill regulatory gaps in a manner that enhances consumer trust.
Read more
Blog

Solving Shared Challenges: A Global Approach to Advertising Self-Regulation

Recognizing the shared challenges society and marketers are facing while reckoning with declining levels of trust, advertising standards authorities are uniting to help ensure responsible marketing across all media channels through the new ICAS Global Think Tank, creating a space for academic, business, and policy leaders to engage in candid discussion, research, and collaboration on the biggest challenges facing the advertising industry.
Read more