To date, there is no general comprehensive Washington state privacy law or Washington biometric privacy law. However, although there are no active comprehensive privacy laws in Washington state, a prominent comprehensive health-sector-specific privacy law was passed this year.
My Health My Data
On April 27, 2023, the Washington My Health My Data Act (the MHMD Act) was ratified into law, imposing new limitations on the gathering and distribution of “consumer health data” by businesses based in Washington or connected to people of Washington. Although touted as a law focusing on a specific sort of potentially highly personal information, the MHMD Act, a Washington state privacy act, defines “consumer health data” (also known as “Health Data”) broadly, so it governs a variety of businesses, which will be subject to rules comparable to those in the California Consumer Privacy Act (CCPA). The MHMD Act’s standards may in some cases be stricter than those of any other state privacy statute now in effect.
The Washington privacy act also gives individual customers a private right of action to file a lawsuit against a company directly to seek compensation for any genuine losses incurred, including reasonable legal costs. Up to $25,000 in actual damages can be tripled by the court.
Overview of the Law
Any organization that conducts business in Washington, markets goods or services to residents of Washington or makes choices regarding the processing of health data must comply with the MHMD Act. The scope encompasses small enterprises and nonprofit organizations; there is no minimum number of consumers whose data is handled or any revenue criteria that trigger applicability. The term “consumer” refers to anyone with health data obtained in Washington, including residents of Washington but excluding those operating in an employment capacity.
The MHMD Act focuses on information not covered under the Health Insurance Portability and Accountability Act (HIPAA). Health Data under the MHMD Act means personal information that is “linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The MHMD Act specifies that this definition includes:
- “Biometric data,” which itself is defined broadly and includes voice recordings if an identifier template could be extracted
- “Social, psychological, behavioral, and medical interventions”
- “Reproductive or sexual health information”
- “Bodily functions, vital signs, symptoms, or measurements of” Health Data
Though the MHMD Act is thought to have been enacted to protect data related to reproductive health, the far-reaching applicability combined with broad definitions means that the MHMD Act could apply in ways with little nexus to the law’s intent. Some examples of businesses potentially covered by the MHMD Act include:
- a retailer that sells products such as over-the-counter medications, first aid items, feminine products, or birth control – even if these sales are a small part of their business
- a fitness studio that collects information about injuries experienced by participants in a class or tracks individuals’ fitness progress
- a business that collects any Health Data on its website and allows adtech companies to embed pixels that track engagement for the ads
- a mobile app business that facilitates tasking third parties to shop for and deliver products from the above-mentioned retailer
- a business that sells a wearable fitness product (e.g., a watch or ring)
The law goes into effect on March 31, 2024, but small businesses have three additional months to comply (by June 30, 2024).