Skip to Main Content
Our Commitment to Diversity

The Countdown to Complete Your Consumer Health Data Privacy Policy Under the Washington My Health My Data Act

Date: 19 March 2024
US Intellectual Property Alert

Almost one year ago, Washington State passed the “My Health, My Data” Act (the Act), which aims to protect Washington consumer health data, particularly data related to reproductive health care. The Act is the first law in the country aimed at protecting the vast amount of health data that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA), encompassing data collected by wearables, certain retail purchases, and non-HIPAA telehealth services. The Act takes effect at the end of this month.

In preparation for the effective date of 31 March 2024, one of the most burdensome proactive compliance requirements is that a regulated entitymust publish a link to its consumer health data privacy policy on its homepage, which the Washington State Office of the Attorney General has clarified “must be a separate and distinct link on the regulated entity’s homepage and may not contain additional information not required under” the Act.This means that simply adding a provision to an existing privacy policy is not enough to comply with the Act; regulated entities and small businesses need a new, stand-alone consumer health data privacy policy. Small businessesunder the Act have three additional months and must comply with this same requirement by 30 June 2024.

The consumer health data privacy policy must be published via a link on the website homepage and “clearly and conspicuously” disclose the following:

  • The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used by the regulated entity or small business;
  • The categories of sources from which the consumer health data is collected;
  • The categories of consumer health data that is shared;
  • A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
  • How a consumer can exercise their rights provided under the Act, including revocation of consent and requests for deletion.

Importantly, the Act states that a regulated entity or a small business cannot collect, use, or share consumer health data for any other purposes not specifically disclosed in the consumer health data privacy policy unless the regulated entity or small business first: (1) discloses those additional purposes; and (2) obtains the consumers’ affirmative consent for such collection, use, and disclosure.

A violation of the Act is deemed a per se violation of the Washington Consumer Protection Act, subject to enforcement by the Washington Attorney General. The Act also permits enforcement through a private right action, with multiple questions as to the scope of such enforcement yet to be determined. Given that the Act is a landmark law with increased scrutiny over consumer data protection—as demonstrated by recent FTC enforcement actions and data privacy class actions—we anticipate active enforcement of the Act by the Washington Attorney General and plaintiffs’ class action bar.

A “regulated entity” is defined under the Act as “any legal entity that: (a) Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data” and “does not mean government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.” RCW 19.373.010(23).

A “small business” is defined under the Act as “a regulated entity that satisfies one or both of the following thresholds: (a) Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (b) Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.” RCW 19.373.010(28).

RCW 19.373.020.

RCW 19.373.020.

Gina L. Bertolini
Gina L. Bertolini
Research Triangle Park
Whitney E. McCollum
Whitney E. McCollum
San Francisco

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.

Return to top of page

Email Disclaimer

We welcome your email, but please understand that if you are not already a client of K&L Gates LLP, we cannot represent you until we confirm that doing so would not create a conflict of interest and is otherwise consistent with the policies of our firm. Accordingly, please do not include any confidential information until we verify that the firm is in a position to represent you and our engagement is confirmed in a letter. Prior to that time, there is no assurance that information you send us will be maintained as confidential. Thank you for your consideration.

Accept Cancel