On April 27, 2023, Washington State passed a new data privacy law that will affect organizations that conduct business or target consumers in Washington. Unlike other state privacy laws with defined consumer thresholds, the My Health My Data Act applies to businesses that control data from even a single Washington consumer. The law places obligations on data controllers to disclose their consumer health data privacy policy and restrict the use of data without affirmative consent, obtain consumer consent before selling or sharing data, and implement data security practices. Do you have to comply with the My Health My Data Act?

Which businesses are required to comply with the MHMD Act?

The law’s obligations fall primarily on data controllers, which are businesses that “determine the purpose and means” of collecting and processing personal data. In other words, Washington’s law primarily applies to businesses that make decisions about what personal data is collected and how it is used.

The law extends to “Regulated Entities,” which are those controllers that either “conduct business in Washington” or “produce or provide products or services that are targeted to consumers in Washington.” There is no explanation as to what “targeted” means in this context, so it is unclear whether businesses must take active steps to market their products to Washington consumers before they will be regulated, or whether simply offering goods to consumers at large will be enough to bring a business into the law’s scope if those goods are later purchased by Washington consumers. It is therefore possible that the law will encompass businesses with only tenuous connections to the state of Washington.

Further, unlike other state privacy laws, Washington has not implemented any thresholds that would restrict the application of its law based on the size of a business or the amount of personal data that it controls. This means the law will apply to small businesses that control the collection and processing of data from even a single Washington consumer.

The law does have a slight reprieve for small businesses, defined as businesses that meet the requirements to be a Regulated Entity and also either (1) collect, process, sell, or share the consumer health data of fewer than 100,000 consumers during a calendar year, or (2) derive less than 50% of their gross revenue from the collection, processing, sale, or sharing of consumer health data provided that they collect, process, sell, or share the consumer health data of fewer than 25,000 consumers. However, the only effect of qualifying as a “small business” is to delay the effective date of the law by three months as compared to other Regulated Entities (June 30, 2024, instead of March 31, 2024). Small businesses will have the exact same substantive obligations as the MHMDA places on all Regulated Entities.

The law also places some obligations on data processors, which are businesses that process personal data on behalf of a controller. In other words, processors are those businesses that work with personal data according to the instructions of the data’s controller. Every controller in modern business uses a number of processors in order to accomplish its work with data. Processors’ obligations under Washington’s law are relatively slight when compared to those of controllers, as discussed more fully below.

Controller obligations for the MHMD Act

Washington’s new law places the vast majority of its obligations on data controllers (also referred to as “Regulated Entities”), since they control the data collection process and are in a better position to implement safeguards around how data is used as compared to processors.

Controller obligations can be summarized as follows:

  • Disclosures: Controllers have to provide a “consumer health data privacy policy” that “clearly and conspicuously” discloses details of the controller’s privacy practices to consumers. The disclosures must include:
    • The categories of consumer health data collected by the controller;
    • The purpose for collecting the consumer health data;
    • A statement of how the consumer health data will be used;
    • The categories of sources from which the consumer health data is collected;
    • The categories of consumer health data that are “shared”;
      • The law defines “sharing” as releasing, disclosing, disseminating, divulging, making available, providing access to, licensing, or otherwise communicating orally, in writing, or by electronic or other means, consumer health data to a third party;
    • The “categories of third parties and specific affiliates” with whom the controller shares consumer health data; and
    • An explanation of how consumers can exercise the rights granted to them by Washington’s law (discussed in our Consumer Rights post).
  • Restrict Use of Data: Controllers cannot collect, use, or share any categories of consumer health data that are not disclosed in the consumer health data privacy policy without first obtaining the consumer’s affirmative consent, unless they are necessary to provide a good or service the consumer has requested.
  • Obtain Consumer Consent Before Selling or Sharing Data: Washington prohibits controllers from selling or sharing data unless they first obtain opt-in consent from each consumer whose data the controller wants to sell or share. Controllers must obtain consent to sell or share separately from any other consent they obtain (i.e., controllers can’t ask consumers to consent to sale and sharing at the same time). Moreover, a consumer’s consent to the sale of their data is only valid if the controller first provides them with a written document that:
    • (1) identifies specifically what data is being sold in a given transaction;
    • (2) provides the name and contact information for both the entity selling the data and the entity buying the data;
    • (3) describes the purpose for the sale, including how the data will be gathered and used;
    • (4) states that the provision of goods and services cannot be conditioned on the consumer’s consent;
    • (5) states that the consumer has the right to revoke consent at any time and describes how to do so;
    • (6) states that data sold after consent is given may be subject to redisclosure by the purchaser without additional consent; and
    • (7) provides that the consumer’s consent expires after one year.
  • Security: Controllers must implement data security practices that, at minimum, “satisfy a reasonable standard of care in the [controller’s] industry to protect the confidentiality, integrity, and accessibility of consumer health data.” They must also restrict access to consumer health data to “only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent” or to provide a product or service that the consumer has requested.
  • Privacy Requests: Controllers must establish a secure and reliable method for consumers to submit privacy requests. The method should take into account the ways in which consumers interact with the business, the need for secure and reliable communication of requests, and the ability of the business to authenticate the identity of the consumer making the request.

One open question—from both a legal and a practical perspective—is whether the “consumer health data privacy policy” must or should be separate from a company’s existing privacy policy.

As part of these obligations, controllers are also required to enter into binding agreements with their processors that set out rules as to how data should be processed and for what purpose. These agreements are discussed below.

Processor obligations for the MHMDA

Following the lead of other state privacy laws, Washington’s My Health My Data Act requires controllers to enter into contracts with their processors before they can start processing consumer health data on behalf of the controller. The contract is intended to set the parameters for the processor’s handling of data and ensure they process data only according to the controller’s instructions and in compliance with applicable law.

Unlike some other state privacy laws, which go into considerable detail as to what provisions should be contained in the contracts between controllers and processors, Washington only requires that the contract “set forth the processing instructions and limit the actions the processor may take with respect to the consumer health data.” It therefore appears that any contract will be sufficient so long as it tells processors what they are and are not allowed to do with data.

Processors’ primary obligation under the law is to follow the instructions contained in the written contract and refrain from using data for any other purpose. Importantly, processors are required to assist controllers in fulfilling their obligations under the law, including responding to privacy rights requests.

SixFifty can help

SixFifty’s All-US Privacy helps organizations comply with every privacy law in the United States. Businesses that are required to comply with various privacy laws, including the My Health My Data Act, can easily and effectively generate customized legal documents written by top legal experts for a fraction of the cost of hiring a lawyer to write them. As new laws pass, we update our tools to include them so your documents are always up to date.

If you’d like to make informed decisions surrounding data privacy and ensure compliance in a rapidly changing landscape, schedule a demo with SixFifty today.