Expansive Health Data Privacy Law for Washington State

Act provides unprecedented health-data protections

[Image: close-up of a person's hands, one holding a smartphone with health data displayed, the other wearing a smartwatch with a fitness app open. Getty Images]

On Monday, 17 April, the Washington State Legislature passed the My Health My Data Act. The bill, HB 1155, currently sitting on Governor Jay Inslee’s desk after passing both state houses by considerable margins (57-39 House; 27-21 Senate), restricts what can be done with personal health data collected from anyone in Washington. The bill also provides individuals with the right to delete any health data collected from them and stored by the entities collecting or processing that data.

The My Health My Data Act, sponsored by Representative Vandana Slatter, offers Washingtonians a considerable degree of control over data collected from them related to their health and well-being. The bill prevents a company, referred to therein as a “regulated entity,” from collecting any personal health data in ways that are not explicitly consented to by consumers. The bill also prevents those regulated entities from sharing or selling access to that data unless users provide opt-in consent.

The bill defines consumer health data as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” This definition is wide and comprehensive, including data directly related to a person’s health, such as biometric signals like ECG, blood oxygen levels, body weight, movement, and menstrual activity collected from personal devices like smartphones, smartwatches, and fitness trackers. It also covers data used to indirectly infer aspects of a person’s health, or data that could be used to identify a person when combined with other data types. This definition is more comprehensive than those used in other health-related data-protection laws like Illinois’s Biometric Information Privacy Act (BIPA) and Texas’s Capture or Use of Biometric Identifier Act.

The bill was written to cover a wide range of consumer data types to prevent entities from inferring aspects of consumer health in ways that are not made explicitly clear to those consumers. This sort of indirect inference was made in a now-infamous incident reported in 2012 in which the retail chain Target began marketing pregnancy-related products to a woman who did not yet know she was pregnant. Target had developed machine-learning models that estimate information about their customers, including aspects of their reproductive health.

“We are at the point where a particular business model is impacting people’s privacy,” said Representative Slatter. The bill was specifically created to cover the gaps in current data-privacy protections resulting from an inability to account for what may be done with health data after it is collected, either in inference or brokerage. Inferences made from unprotected data can be used to discriminate against individuals seeking health care, as health insurance companies and government agencies increasingly incorporate available data into their investigations and decision making.

Unprotected health data may affect one’s access to reproductive health care at a time when that access is increasingly being restricted. The U.S. Supreme Court’s Dobbs v. Jackson ruling and multiple subsequent state laws limiting access to reproductive and gender-affirming health care have made health-data privacy protections more important, says Representative Slatter: “It’s the fact that you missed a period on a period-tracking app, it’s the fact that you crossed a geofencing line into a space that could be a crisis pregnancy center or an abortion care clinic. Women are being criminally prosecuted, as are providers and their families. We found a balance between not completely disrupting a business model while also protecting people from harm.”

Another aspect of the bill, its inclusion of an individual right to action, gives it an extra degree of protection that several existing data-protection laws do not. This right, present in BIPA but not a part of other biometric and health-data privacy laws, allows any individual within Washington state, not just the state attorney general, to sue a regulated entity or any other company handling health data if those entities act outside the restrictions laid out in the bill. Washington state’s consumer privacy act also enables state judges to triple damages and legal fees resulting from such a lawsuit. “That is a significant risk,” says Jevan Hutson, a legal associate and data-privacy expert in Washington. “The penalties for noncompliance could be impactful.” Given enterprise-scale data processing’s heavy reliance on cloud-computing infrastructure provided by Washington-based companies like Amazon and Microsoft, the effects of these protections could extend even beyond data collected from within Washington state borders.

The expansive scope of data covered under this bill and its provision for an individual right to action were points of contention for industry lobbyists. “There’s been a huge effort by the tech industry to push back on and to weaken this bill,” said Jennifer Lee, a technology and liberty project manager with the Washington ACLU. “They wanted to weaken the enforcement mechanisms and narrow the definitions of consumer health data.”
