The Washington My Health My Data Act: Complying With New and Novel Protection for Health-Related Data

BY NATHANIEL GALLEGOS

The Washington “My Health My Data Act” (WMHMDA)[1] was signed into law by Gov. Jay Inslee on April 27, 2023, and took effect on July 23, 2023. This consumer protection law creates extensive consumer data rights and obligations for regulated entities and small businesses as to how and when they can collect and share personal health-related data.

This article will give a brief overview of the WMHMDA with an emphasis on its novel geofencing provision, why it matters for privacy advocates, and what compliance will look like. Washington attorneys representing business clients that handle health-related data—regardless of whether they are in the health-care industry—need to be familiar with the WMHMDA—especially since the two largest cloud-based data process providers are domiciled in the state of Washington.

The WMHMDA should be thought of as a privacy law to protect Washington residents from misuse of wellness, nutrition, fitness, location, and other health-related data—and more specifically, as a privacy law with consumer protection teeth. Although some may assume that the federal Health Insurance Portability and Accountability Act (HIPAA) already provided these consumer protections, HIPAA only covers health data collected by specific health-care entities like hospitals or pharmacies. The Washington Legislature creatively included consumer protection in the WMHMDA and tucked it under Title 19 of the Revised Code of Washington (RCW) for business regulations.

The legislative intent was to make the WMHMDA broadly applicable, but there was notable health-care industry pushback. During the Jan. 24, 2023, hearings held before the House Civil Rights & Judiciary Committee, health-care industry advocates testified that they wanted a right to cure, which was not ultimately included in the Act. They were also concerned with the private right of action that ultimately was included in the legislation—the Legislature expressly made the Consumer Protection Act, Chapter 19.86 RCW, applicable to violations of the WMHMDA. RCW 19.373.090. The private right of action under the Consumer Protection Act enables plaintiffs to pursue entities with slight connections to Washington, even if their consumer health data is not processed in the state, and a prevailing plaintiff may recover attorney fees and treble damages of up to $25,000. 

The WMHMDA applies to any entity that offers “health care services,” which are defined as “any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health.” RCW 19.373.010(15). This definition can apply broadly to grocery stores, gyms, health food stores, and traditional health-care facilities like hospitals and clinics. The WMHMDA applies not only to entities that gather information on an individual’s mental and physical health conditions, treatment, diseases, or diagnoses, but also to entities that gather data related to reproductive health, genetic data, gender-affirming care, and even biometric information. 

The WMHMDA defines consumer broadly as “(a) a natural person who is a Washington resident; or (b) a natural person whose consumer health data is collected in Washington.” RCW 19.373.010(7).

These broad definitions present enormous potential for “unanticipated consequences,” according to one commentator.[2] However, the Washington State Attorney General’s Office (AGO) has posted guidance[3] that attempts to assuage confusion. Notably, the guidance states that information that does not identify a consumer’s past, present, or future physical or mental health status does not fall within the Act’s definition of consumer health data.[4] However, the guidance from the AGO also affirms that the definition of consumer health data includes extrapolations from non-health data when that information is used by a regulated entity or their respective processor to associate or identify a consumer with consumer health data. The AGO provides the following example on this point:

Does the definition of consumer health data include the purchase of toiletry products (such as deodorant, mouthwash, and toilet paper) as these products relate to “bodily functions”?

Information that does not identify a consumer’s past, present, or future physical or mental health status does not fall within the Act’s definition of consumer health data. Ordinarily, information limited to the purchase of toiletry products would not be considered consumer health data. For example, while information about the purchase of toilet paper or deodorant is not consumer health data, an app that tracks someone’s digestion or perspiration is collecting consumer health data.

The WMHMDA defines “geofence” as:

technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For purposes of this definition, “geofence” means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.

RCW 19.373.010(14).

Geofencing technology can be used to create a perimeter around a predetermined area and prompt a device (smartphone, smartwatch, car, e-scooter, drone, etc.), through a mobile app, to take an action when it is inside or outside that area.[5]

Individual users can set up geofencing on their office or home devices to do such things as turn off lights, adjust room temperature, or lock doors.[6] Musicians can use geofencing at concerts to greet fans, help locate seats, and offer discounts on merchandise. Geofencing can allow retailers to give customers the option to sign up to receive discounts or other personalized experiences when they enter a retail store.[7] Geofences can limit the area of use of e-scooter and e-bike rentals as well as limit the area where mobile gambling can occur. And perhaps most notably, geofencing can be used with location-based marketing (LBM) or location-based advertising (LBA) to send targeted advertisements to persons who are inside or outside of a geofenced perimeter.

The WMHMDA makes the use of a geofence around an entity that provides in-person health care services unlawful under specified circumstances: 

where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

RCW 19.373.080.

Beyond marketing and advertising purposes, law enforcement agencies are also using the technology. Police have begun using “geofence warrants” at increasingly higher rates.[8] A single warrant in connection with a federal case resulted in nearly 1,500 device identifiers being sent to the Bureau of Alcohol, Tobacco, Firearms, and Explosives.[9] There are also “keyword search warrants,” where Google search history and location data can be examined to find anyone who did a particular keyword search.

Not surprisingly, geofencing technology is considered to be impermissibly intrusive by privacy advocates. Some fear this technology could aid in locating and prosecuting people who used Google to search for an abortion.[10] In December 2023, Google announced it would soon change the way it stores and accesses users’ opt-in “location history” in Google Maps, making the data retention period shorter, and making it impossible for the company to access it.[11] The implication is that Google will no longer be able to respond to “geofence warrants” and hand over information about all users within a given location during a specific timeframe.

Thus, in the context of Washington and the WMHMDA, attorneys advising clients who deal with consumer health data and utilize geofencing technology should encourage a detailed review of the virtual geofence boundaries in place and the type of data being collected and/or sent. 

The WMHMDA requires regulated entities to implement a specific health-data policy that asks for explicit consent from consumers. Attorneys representing employers in Washington that deal in health data, foreign businesses with a presence in Washington, and/or entities that have cloud data processed with Amazon Web Services or Microsoft should consider the following three items related to compliance with the WMHMDA. 

Simple privacy policies will not ensure compliance with the WMHMDA. There must be a unique consumer health-data privacy policy that clearly and conspicuously addresses five requirements, as stated in the Act:

(i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;

(ii) The categories of sources from which the consumer health data is collected;

(iii) The categories of consumer health data that is shared;

(iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and

(v) How a consumer can exercise the rights provided in RCW 19.373.040.

RCW 19.373.020.

The WMHMDA requires that an entity’s consumer health-data privacy policy be published on its own unique webpage. A link to the consumer health-data privacy policy must appear “prominently” on the entity’s homepage and on any webpage where personal information, not just health data, is collected. “Personal information” is defined as any information that “identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer.” RCW 19.373.010(18)(a). That includes cookie IDs, IP addresses, device identifiers, or any other form of persistent unique identifier. This could mean that the link is required to appear on every single page of a business’s website.

The consumer consent required by the WMHMDA is defined as “a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement.” RCW 19.373.010(6)(a). It cannot be buried in any other consent or policy. In addition, consent cannot be given by “hovering over, muting, pausing, or closing a given piece of content.” RCW 19.373(6)(b)(ii).

The WMHMDA is legally novel and technologically current and protects privacy in a way that is not being done in other states. The need for such protection is clear: As just one example, in 2012, Target knew when a teenage girl was pregnant before her family did.[12] That was 12 years ago, and now predictive AI can take all our digital clues to find our locations, signatures, and biometric and health data and use it in ways that none of us may know about or consent to. The European Union has extensive privacy laws as part of its General Data Protection Regulation (GDPR) laws[13]; the WMHMDA gives Washington residents a little more control over our digital clues and moves us closer to the GDPR.

Enforcement under the WMHMDA began on March 31 for all regulated entities that are not small businesses. Enforcement begins on June 30 for small businesses, as defined by the WMHMDA. RCW 19.373.010(28). Washington attorneys representing businesses handling health data need to consider compliance. Compliance is not onerous, but it does require businesses to be aware of how consumers’ health-related data is being used, to give notice to consumers of that use, and, most importantly, to ask for consumers’ consent. 

About the author

Nathaniel Gallegos primarily works in business law in Washington and Utah. He also teaches as an adjunct professor in business and contract law at the University of Utah S.J. Quinney College of Law. He can be reached at:

NOTES

1. Chapter 19.373 RCW.

2. Allison Grande, “Wash. Health Data Protections Shake Up Privacy Law Debate,” Law 360, May 21, 2023.

3. www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.

4. “Protecting Washingtonians’ Personal Health Data and Privacy,” Washington State Office of the Attorney General, www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy (last visited Feb. 25, 2024).

5. Bradley Ryba, “iHeartgeo-Fencing?: The Section 114 Exemption That Illustrates Why Full Sound Recording Rights are the Sine Qua Non for a Vibrant Music Industry,” 20 Marq. Intell. Prop. L. Rev. 33, 35-36 (2016).

6. Id.

7. Id.

8. Sidney Fussel, “An Explosion in Geofence Warrants Threatens Privacy Across the US,” Wired, Aug. 27, 2021, www.wired.com/story/geofence-warrants-google/.

9. Id.

10. Bobby Allyn, “Privacy advocates fear Google will be used to prosecute abortion seekers,” (Nat’l Pub. Radio broadcast July 11, 2022), www.npr.org/2022/07/11/1110391316/google-data-abortion-prosecutions.

11. Cyrus Farviar, “Google Just Killed Warrants That Give Police Access To Location Data,” Forbes, Dec. 14, 2023.

12. Kashmir Hill, “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did,” Forbes, Feb. 16, 2012, www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/?sh=2d7077256668.

13. https://gdpr-info.eu/.