Sweating About Washington State’s "My Health, My Data" Act? That Might Be Consumer Health Data
Jordan Wrigley
Data and Policy Analyst | Health Tech Data Privacy | Health Researcher
Have you been talking about Washington’s My Health, My Data Act ad nauseam? Would that be health information? Given its name, the casual reader may think that MHMD would be limited to the medical space or close to it. But that would be a mistake, as the law – which went into effect on March 31 – could cost big dollars for companies or other organizations now subject to direct lawsuits from individuals for claims related to violations of its expansive requirements as well as enforcement via the state attorney general.
First, it’s important to know that the heart of MHMD is its definition of “consumer health data” – a term that encompasses any data that could indicate “physical and mental health status.” The law itself sets out a non-exclusive list of examples of covered data, including information categories that are not typically treated as health information in legal spaces (e.g., wellness data from step trackers).
The next step is to understand the obligations for companies once it’s determined that consumer health data is implicated. For instance, businesses must now provide clear and comprehensive disclosures about health data collection, use, and sharing practices through a separate privacy policy. MHMD also requires both consent (unless it falls under the MHMD’s “necessity” exception) for the “collection” and “sharing” of consumer health data and independent “valid authorization” for its “sale,” which isn’t limited solely to monetary transactions but could also apply to any exchange of data for something of value, including a product or service. Finally, MHMD grants Washington residents a range of rights over their data, including a right to access and correct information businesses hold about them as well as a right to delete data held by either the company or any data processors and affiliates.
All of this is particularly important because, as mentioned, violations of MHMD are enforceable under a private right of action. While this provides a stronger mechanism for individuals to act directly in their own self-interest without waiting for an investigation by a central regulator or enforcement officer, it also opens the door to opportunistic claims that are not part of the communicated priorities of MHMD – the protection of reproductive and gender-affirming care, privacy, and access. Given that several questions still remain about unclear or confusing provisions in MHMD and that many initial claims may be more likely to be settled than litigated, it may be a while before organizations have total clarity about the full scope of their obligations and required actions.
The biggest question mark for many goes straight back to the central part of the law – what is consumer health data? While the definition is broad, it is also not entirely clear at first glance. Because the definition includes data that isn’t facially health data but may provide an indication of health status, many organizations preparing for today’s deadline for compliance have been working to understand where the line may be drawn between what does and does not qualify. For instance, in an FAQ page, the Washington State Attorney General’s office stated that data such as toiletry purchasing does not “ordinarily” [emphasis added] constitute consumer health data, leaving much to the imagination about what does (or, more specifically, what does not).
Even as a similar law passed in Nevada comes into effect, Washington’s My Health, My Data Act stands to have the most significant impact on business practices around personal data in the United States to date. Any company that hasn’t been paying attention may suddenly find itself facing serious compliance issues. And while small businesses aren’t required to come into compliance until later in 2024, no organization should sleep (also possibly consumer health data) on MHMD and the work necessary to comply with its obligations.
On your way back from the International Association of Privacy Professionals’ 2024 Global Privacy Summit? Did you sweat less or more based on what you heard there about MHMD? Drop a comment but keep the health information to a minimum!
――
Jordan Wrigley is a Data and Policy Analyst for Health & Wellness at the Future of Privacy Forum and leads education and best practice development around health data privacy.