On April 27, 2023, Washington State passed a new privacy law called the My Health My Data Act, which focuses on personal health data. This law is unique among US consumer privacy laws because it allows individual consumers to sue companies for alleged violations. This means that all organizations will need to take the Washington My Health My Data Act seriously.
Businesses will also need to act fast to be ready to comply with the new law because the compliance deadline of March 31, 2024—June 30 for small businesses—is not far away. There is also some uncertainty around how to fully comply with the law, and some of those questions may not be answered without litigation.
How will the Washington privacy law be enforced?
Violations of the new My Health My Data Act constitute unfair business practices under Washington’s Consumer Protection Act. This means that both the Attorney General and private citizens are empowered to sue businesses to remedy violations.
The Attorney General may bring actions on behalf of the state to enjoin prohibited behavior, and private citizens may bring actions to recover damages if they are harmed by a controller’s violation of the statute. Statutory damages can be as high as $7,500 per violation.
Washington’s Consumer Protection Act also allows citizens to recover treble damages, which means controllers could theoretically be liable for up to three times the actual damages if they lose a suit under the MHMDA.
To date, no other states have included a private right of action (the right for a private individual to bring a lawsuit or sue someone in court) in their privacy laws, so this addition represents a significant escalation in the risk that businesses could face under the law.
What does the Washington privacy law mean for my business?
Washington’s My Health My Data Act is similar to other state laws in many ways, but it also departs from the norm in several key areas. Its definitions of “consumer” and “regulated entity” mean that the law could encompass individuals and small businesses with only a tenuous connection to Washington state, which is a significant expansion in scope from what we have seen in other laws.
The MHMDA’s failure to provide explicit exceptions to consumer rights that would enable controllers to deny requests when it is necessary to comply with other laws is perplexing, and could raise the burden of compliance significantly. In other words, the law doesn’t always say businesses can say “no” to requests from consumers in situations where that might be reasonable, which can make it harder for businesses to follow the law.
Because the MHMDA does not provide for any regulations, the statutory text will stand on its own, and there will not be an opportunity for a state agency to clarify the law’s more ambiguous provisions. This means there will be significant uncertainty around exactly what businesses have to do to comply until courts flesh out the law via rulings in individual cases.
With all this in mind, we anticipate that adding Washington to a business’s privacy operations will be difficult and risky, since businesses will face the threat of significant liability via private lawsuits, and it may be difficult to know whether the claims against them are valid until they are sued.
SixFifty can help
SixFifty’s All-US Privacy helps organizations comply with every privacy law in the United States. Businesses can easily and effectively generate the customized legal documents written by top legal experts and required by varying privacy laws around the country. As new laws pass, we update our tools to include them so your documents are always up to date.
If you’d like to make informed decisions surrounding data privacy and ensure compliance in a rapidly changing landscape, schedule a demo with SixFifty today.