On March 31, 2024, the My Health My Data Act (MHMDA or Act) will go into effect for most entities doing business or selling products in Washington state. The MHMDA is a comprehensive privacy law that is expressly intended to supplement the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) by implementing "stronger privacy protections for all Washington consumers' health data," including restrictions on the collecting, processing, sharing, and selling of biometric data. The Act will make Washington the second state—after Illinois—to provide a private right of action for biometric data privacy claims. While nominally focused on health data, the data covered by MHMDA, particularly biometric data, is significantly broader than what might commonly be understood as "health data," with the result that some businesses may be surprised to find themselves covered by the Act. In fact, the Washington Attorney General has touted MHMDA as "the first privacy-focused law in the country to protect personal health data that falls outside the ambit of HIPAA."

Who is Subject to the MHMDA?

Under the Act, a "regulated entity" includes any legal entity that "[c]onducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington" and "determines the purpose and means of collecting, processing, sharing, or selling of consumer health data." The Act does not exclude non-profit entities from regulation, but it does exclude government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.

While regulated entities that are not small businesses must comply with the Act by March 31, 2024, small businesses, as defined in the Act, have until June 30, 2024 to comply.

Who Does the MHMDA Protect?

The Act protects the "consumer," defined as any natural person (1) who is a Washington resident or (2) whose consumer health data is collected in Washington. "Consumer" does not include an individual acting in an employment context.

The MHMDA defines "consumer health data" as "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status," including biometric data. "Biometric data" is defined as "data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data." This includes, but is not limited to: "[i]magery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or . . . [k]eystroke patterns or rhythms and gait patterns or rhythms that contain identifying information."

The Act provides the following rights for consumers:

  • Right to confirm whether a regulated entity is collecting, sharing, or selling consumer health data concerning the consumer.
  • Right to access any consumer health data collected, shared, or sold by a regulated entity.
  • Right to receive a list of all third parties and affiliates with whom the regulated entity has shared or sold the consumer health data, as well as an email address or other online mechanism for the consumer to contact these third parties.
  • Right to withdraw consent for the collection and sharing of consumer health data.
  • Right to deletion of consumer health data upon request.
  • Right to appeal any refusal by the regulated entity to act on a request.

What Must Regulated Entities Do to Comply with the MHMDA?

Notice

In addition to processing data requests from consumers, a regulated entity must "prominently publish a link to its consumer health data privacy policy on its homepage" that "clearly and conspicuously" discloses the following:

  • The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used.
  • The categories of sources from which the consumer health data is collected.
  • The categories of consumer health data that is shared.
  • A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data.
  • How a consumer can exercise the rights provided by the Act.

Consent and Authorization

Regulated entities are also required to obtain consent to collect and share consumer health information prior to the collection or sharing of any consumer health data, and the request for consent must "clearly and conspicuously disclose" the following:

  • The categories of consumer health data collected or shared.
  • The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used.
  • The categories of entities with whom the consumer health data is shared.
  • How the consumer can withdraw consent from future collection or sharing of the consumer's health data.

Consent obtained for sharing consumer health data must be "separate and distinct" from the consent obtained to collect consumer health data. Moreover, regulated entities "may not collect, use, or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data." Relatedly, regulated entities "may not collect, use, or share consumer health data for additional purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data."

Regulated entities are also required to obtain valid authorization to sell consumer health data that is "separate and distinct" from the consent obtained to collect or share consumer health data.

Data Security

Under the MHMDA, regulated entities must also:

  • Restrict access to consumer health data by the employees, processors, and contractors of such regulated entity or small business to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.
  • Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy the reasonable standard of care within the regulated entity's or the small business's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.

Whereas Illinois's Biometric Information Privacy Act (BIPA) has spawned thousands of private lawsuits, Washington's MHMDA may be less attractive to the plaintiffs' bar because, unlike BIPA, which provides statutory damages of $1,000 or $5,000 depending on whether a violation is negligent or reckless, the MHMDA does not provide statutory damages for private actions. Under the MHMDA, private plaintiffs must prove actual damages, which courts have discretion to treble up to a $25,000 cap, plus the ability to recover costs and attorneys' fees. As data breach plaintiffs know, proving actual damages can be challenging. That challenge, though, may not dissuade aggressive plaintiffs' firms from leveraging the availability of a private right of action to extract settlements via demand letters. A regulated entity may also face substantial exposure from public enforcement under the MHMDA, however, because the Washington Attorney General can issue statutory civil penalties of up to $7,500 per violation, plus another $5,000 in enhanced penalties if the business targeted certain vulnerable populations. Depending on the nature of the violation, these per-violation civil penalties could quickly add up to enormous sums.

As we've noted, increased regulation of biometric data at the state level coincides with increased Federal Trade Commission (FTC) enforcement against allegedly unfair and/or deceptive uses of biometric information and artificial intelligence technologies. Accordingly, businesses should continue to rigorously assess the purposes, necessity, and potential consumer impact of collecting, processing, sharing, and selling biometric data before engaging in such practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.