Still without comprehensive federal data privacy laws, every state in the country is on a path to write its own. For any business conducting interstate commerce, this means the states with the toughest data privacy laws could bind everyone.
Washington State is the latest, with a bill called "My Health, My Data," or MHMD, that is causing a commotion because of its wide-reaching language. MHMD is sweeping in scope, extending beyond the traditional reach of the federal Health Insurance Portability and Accountability Act (HIPAA) that so many have come to know.
The bill, if signed into law by the Washington State Governor, would apply to any legal entity that conducts business in Washington state or targets Washington state residents with its products or services, without regard to the volume of the entity's data or its revenue, or size. This would regulate not just health care providers, plans, and business associates, but any business that would collect nearly any data from a Washington State customer.
The definition of protected "consumer health data" under the MHMD could potentially mean anything from which a consumer's past, present, or future physical or mental condition or "bodily functions" might be “derived or extrapolated,” even from non-health information. This could include browsing an article on a health issue, or a buying a product such as diapers.
This broad definition could include data on specific medical conditions and diagnoses, but also geolocation data, health risks, websites, apps, biometric information in consumer products like wearable devices, and other IoT items.
Like the latest privacy law out of Virginia, and recent FTC settlements, the MHMD requires businesses targeting Washington State residents to have a clear website option, in unambiguous language, requiring consumers to affirmatively opt-in to consent to any collection, use, disclosure, or other processing of their data. The MHMD consent can be revoked at any time.
"The MHMD also prohibits implementing a geofence around a business that provides in-person health services when the geofence is used to collect or track data from consumers or to send advertisements related to consumer health data. This blanket prohibition means that covered businesses cannot obtain consumer consent for such activities."
Almost all sharing of data with third parties would require written authorization from the consumer, in an affirmative opt-in action. In this way, MHMD goes beyond even the strict California Consumer Privacy Act (CCPA).
Like California and the EU, the MHMD would also allow consumers to access, opt-out, or revoke consent. But it also allows a nearly complete consumer right to deletion of their data on their terms, no matter whether the business would prefer to decline because it needs the data for its own record-keeping and retention requirements.
Enforcement of the MHMD would include state attorney general actions, and civil claims under the Washington Consumer Protection Act, allowing a private right of action by citizens to directly sue violators of the MHMD.
Even if this bill is modified before being finalized and signed into law, it does appear to mark a turning point in privacy law in favor of broad consumer rights and powers over any entity, in any line of business or of any size, that houses consumer data.
"The My Health, My Data Bill is... sweeping in scope... requires opt-in consent...imposes potentially insurmountable restrictions on most 3rd party sharing...grants additional privacy rights familiar and unfamiliar, and welcomes private lawsuits."