Great news for Washington residents! On April 27, 2023, the state passed the My Health My Data Act, a law that gives individuals the power to sue companies for alleged privacy violations related to their personal health data. Organizations that do business with Washington residents are responsible for bringing their privacy programs into compliance before the March 31, 2024 deadline.
The My Health My Data Act grants consumers new rights, such as the right to confirm if their data is being collected or shared and the right to delete their data or withdraw consent. Overall, the MHMDA empowers Washington residents to take control of their personal health information.
Washington privacy law consumer rights
Washington’s law grants consumers several new rights with respect to their consumer health data. These include (1) the right to confirm whether a controller is collecting, sharing, or selling their data and to access that data along with a list of all third parties and affiliates with whom the controller has shared or sold their data, (2) the right to delete their data, and (3) the right to withdraw consent for the collection, sharing, or sale of their data.
Washington’s rights are similar to those we have seen in the other states that have adopted consumer privacy laws in recent years, but the law omits some that have become relatively common elsewhere. For instance, consumers do not have the right to correct their personal data or to receive their data in a portable form.
Perhaps the most unusual piece of Washington’s law is that there are virtually no exceptions to Washington consumers’ ability to exercise their rights. Most privacy laws contain a list of exceptions that controllers can use to deny consumer requests under certain circumstances, such as when complying with a request would interfere with a controller’s obligation to obey state or federal law, or to establish or defend against a legal claim. While Washington did include a few exceptions to the deletion right, such as the provision allowing controllers to deny requests they are unable to authenticate, they are fairly narrow in scope and will not provide much practical protection for businesses.
The right to access
Washington’s access right has three elements. Consumers have the right to (1) confirm whether a controller is collecting, sharing, or selling their health data; (2) access whatever data the controller has collected, shared, or sold; and (3) obtain a list of all third parties and affiliates with whom the controller has shared or sold the data along with online contact information for those entities.
It is unclear from the law’s text whether consumers will be able to exercise each element of this right separately or whether controllers must provide all three elements in response to each access request.
The right to delete
Consumers have the right to direct controllers to delete any of their health data that the controller maintains. Controllers that receive deletion requests must (1) delete the data from their records (including from all archived and backup systems, albeit with an extended deadline of 6 months), and (2) notify all entities with which they shared the consumer’s data of the deletion request; those entities must then also comply with the deletion request.
Notably, there is no exception to the deletion right that would allow controllers not to delete data they are legally obligated to maintain under other laws. This could place controllers in the unenviable position of having to choose between deleting the data in violation of the law that requires it to be maintained, or not deleting the data in violation of Washington’s law. The MHMDA also lacks an exception for establishing or defending against a legal claim, which could make it harder for controllers to fully litigate claims that relate to consumer health data.
The right to withdraw consent
The right to withdraw functions as an opt-out right in practice: a consumer can direct a controller to stop collecting, sharing, or selling data in a manner the consumer previously consented to. Controllers are then required to stop using the data for those purposes within 45 days of receipt.
Unlike deletion requests, controllers are not required to forward opt-out requests to the entities with which they had already shared the consumer’s data.
The right to appeal
As with several other state privacy laws, Washington consumers have the right to appeal if a controller denies one of their privacy requests. Controllers are required to establish a method for submitting appeals that is “similar to the process for submitting [privacy] requests” and make that method “conspicuously available to consumers.” Consumers are required to submit appeals “within a reasonable period of time” after receiving the denial.
Controllers have 45 days to consider an appeal, at which time they must inform the consumer of the final decision in writing, along with a “written explanation of the reasons for the decision.” If the controller denies the appeal, it is required to provide the consumer with contact information they can use to submit a complaint to the Washington Attorney General.
SixFifty can help
SixFifty’s All-US Privacy helps organizations generate top-tier, customized legal documents that comply with every privacy law in the United States. The state privacy laws in California, Virginia, Connecticut, Colorado, and Utah are already included in the toolset, and Washington will soon be added at no extra cost. For more information and to see the document generator in action, schedule a demo with SixFifty today.